This was introduced in #4425 (only in develop, not in production or any release branches) and is due to a missing CSRF token in the password reset form (a CSRFError exception will be thrown - these are handled in journalist_app/__init__py so no traceback occurs, but the form still won't validate):
diff --git a/securedrop/journalist_templates/edit_account.html b/securedrop/journalist_templates/edit_account.html
index fc54f2ebc..11f55cef3 100644
--- a/securedrop/journalist_templates/edit_account.html+++ b/securedrop/journalist_templates/edit_account.html@@ -58,6 +58,7 @@
<form action="{{ password_reset_url }}" method="post" id="new-password" class="login-form">
{% if not user or g.user == user %}
+ <input name="csrf_token" type="hidden" value="{{ csrf_token() }}">
<p><input type="password" name="current_password" placeholder="{{ gettext('Current Password') }}"></p>
<p><input name="token" id="token" type="text" placeholder="{{ gettext('Two-factor Code') }}"></p>
{% endif %}
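Review bot: the added `csrf_token` input sits inside the `{% if not user or g.user == user %}` block, so when that condition is false the form (which, as far as the visible context shows, opens above the `{% if %}` and is posted to `password_reset_url` either way) is rendered without a token and would fail CSRF validation the same way. Consider moving the hidden input directly under the `<form>` tag, above the `{% if %}`, so every render path carries it, and have the regression test cover both branches.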
A fix needs a regression unit or functional test
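
A regression check of the kind asked for above, as an added example that is not part of the original issue or the SecureDrop code base: it parses rendered HTML and reports every POST form that has no non-empty hidden `csrf_token` field. The sample HTML, the action URL and the names `PostFormAudit` and `forms_missing_csrf` are constructed for illustration.

```python
from html.parser import HTMLParser


class PostFormAudit(HTMLParser):
    """Collect every POST <form> and whether it holds a hidden csrf_token input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per POST form: {"id": ..., "has_token": bool}
        self._current = None   # the POST form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            if (a.get("method") or "get").lower() == "post":
                self._current = {"id": a.get("id"), "has_token": False}
                self.forms.append(self._current)
            else:
                self._current = None
        elif tag == "input" and self._current is not None:
            # An empty token would still fail validation, so require a value.
            if a.get("name") == "csrf_token" and a.get("type") == "hidden" and a.get("value"):
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def forms_missing_csrf(html):
    """Return the ids of POST forms in `html` that carry no csrf_token field."""
    audit = PostFormAudit()
    audit.feed(html)
    audit.close()
    return [f["id"] for f in audit.forms if not f["has_token"]]


# Constructed rendered output (not captured from SecureDrop), modelled on the
# form in the diff; the action URL is a placeholder.
BEFORE = """
<form action="/placeholder/new-password" method="post" id="new-password" class="login-form">
  <p><input type="password" name="current_password" placeholder="Current Password"></p>
  <p><input name="token" id="token" type="text" placeholder="Two-factor Code"></p>
</form>"""
AFTER = BEFORE.replace(
    '<p><input type="password"',
    '<input name="csrf_token" type="hidden" value="constructed-token">\n  <p><input type="password"', 1)

if __name__ == "__main__":
    print("before fix:", forms_missing_csrf(BEFORE))
    print("after fix: ", forms_missing_csrf(AFTER))
```

In a real test the HTML would come from the test client's response for each page that renders a form, once per template branch.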
Description
Bug discovered by @lev-csouffrant.
Steps to Reproduce
Expected Behavior
Actual Behavior
Comments