/user/password/

Update the user password. If this user is logged in
(i.e., a password change) the old password must be in the secret.
If this user is not logged in (i.e., a password reset),
the secret should include a token.