Fix: explicitly load resetTokenExpireTime in password reset (#109)

* explicitly load `resetTokenExpireTime` in password reset

* add sensitive attributes when loading the user in password reset

helpers/users_helper.rb

@@ -38,12 +38,10 @@ def token(len)
       end
 
       def reset_password(email, username, token)
-        user = LinkedData::Models::User.where(email: email, username: username).include(User.goo_attrs_to_load(includes_param)).first
+        user = LinkedData::Models::User.where(email: email, username: username).include(User.goo_attrs_to_load(includes_param) + [:resetToken, :passwordHash, :resetTokenExpireTime]).first
 
         error 404, "User not found" unless user
 
-        user.bring(:resetToken)
-        user.bring(:passwordHash)
         user.show_apikey = true
         token_accepted = token.eql?(user.resetToken)
         if token_accepted