
Forgot password is wrong

Does our "forgot password" work correctly? I tried to restore on health: I get an email, and when I click it, it does nothing.

The link is a URL with a hash; probably it wants to automatically log in?

In network requests, I see a plaintext password is sent. This is wrong. We shouldn't even propose any passwords.

We should show a dialog box that allows for a one-time password change, custom for the user.
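
A sketch of the one-time password change proposed above, as an added example that is not part of the original issue or the project's code: the emailed link carries a random single-use token, the server stores only its hash, and the only password involved is the one the user types into the dialog. `ResetTokenStore`, `change_password`, the 15-minute lifetime and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime, not taken from the issue


class ResetTokenStore:
    """Hypothetical in-memory stand-in for the application's token table."""

    def __init__(self):
        self._pending = {}  # user_id -> (sha256 hex of token, expiry time)

    def issue(self, user_id, now=None):
        """Create a reset token; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # goes into the emailed link; no password is generated

    def redeem(self, user_id, token, now=None):
        """Return True once for a valid, unexpired token, then invalidate it."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, candidate):
            return False
        del self._pending[user_id]  # single use; also discards expired tokens
        return now <= expires_at


def change_password(store, user_id, token, new_password):
    """Apply the password typed into the reset dialog.

    Returns (salt, derived_key) for storage, or None if the token is rejected.
    """
    if not store.redeem(user_id, token):
        return None
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    return salt, key
```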