XWIKI-21571: Change default value of the reset password token lifetime (#3012)
Change the mechanism of the reset password token to not reset it at each verification code check, but only when the password is actually reset, and when its lifetime expired.

Also provide a mandatory document initializer for the ResetPasswordRequest xclass.

Change a bit more the logic: if the token lifetime configuration is set to 0 (which was the default) then we automatically remove the reset password request xobject at first wrong attempt (bad verification code): it will prevent any bruteforce attack. Then if there's a token lifetime configuration set, we don't remove the xobject when a bad attempt is performed: user might have used the wrong mail for example. But we do remove the xobject when it's expired. And if it's expired, or if the code was wrong, in both cases we immediately return an error.

Move ResetPasswordIT and ForgotUserNameIT from administration-test-docker to a new module security-authentication-test-docker since it's related to security-authentication module now.

---------

Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>

(cherry picked from commit b410dad4)
Showing
- xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/pom.xml 0 additions, 10 deletions
- xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/src/test/it/org/xwiki/administration/test/ui/AllIT.java 0 additions, 12 deletions
- xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ResetPasswordRequestClass.xml 0 additions, 110 deletions
- xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties 5 additions, 1 deletion
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/pom.xml 8 additions, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/java/org/xwiki/security/authentication/internal/DefaultResetPasswordManager.java 119 additions, 89 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/java/org/xwiki/security/authentication/internal/DefaultResetPasswordRequestResponse.java 5 additions, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/java/org/xwiki/security/authentication/internal/ResetPasswordRequestClassDocumentInitializer.java 75 additions, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/resources/ApplicationResources.properties 3 additions, 2 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/resources/META-INF/components.txt 1 addition, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/test/java/org/xwiki/security/authentication/internal/DefaultResetPasswordManagerTest.java 120 additions, 44 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-script/src/main/java/org/xwiki/security/authentication/script/AuthenticationScriptService.java 2 additions, 3 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-test/pom.xml 48 additions, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-test/xwiki-platform-security-authentication-test-docker/pom.xml 137 additions, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-test/xwiki-platform-security-authentication-test-docker/src/test/it/org/xwiki/security/authentication/test/ui/AllIT.java 46 additions, 0 deletions
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-test/xwiki-platform-security-authentication-test-docker/src/test/it/org/xwiki/security/authentication/test/ui/ForgotUsernameIT.java 2 additions, 1 deletion
- xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-test/xwiki-platform-security-authentication-test-docker/src/test/it/org/xwiki/security/authentication/test/ui/ResetPasswordIT.java 7 additions, 12 deletions
- xwiki-platform-tools/xwiki-platform-tool-configuration-resources/src/main/resources/xwiki.properties.vm 6 additions, 7 deletions
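
The token handling rules stated in the commit message, modelled as a small stand-alone Java 16+ class. This is an added example, not XWiki's code: `ResetTokenPolicy` and its methods are hypothetical names. It assumes that a lifetime of 0 means no time-based expiry, and it keeps codes in clear in memory for brevity.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not XWiki's API.
public class ResetTokenPolicy {
    record Request(String code, Instant createdAt) {}

    private final Map<String, Request> requests = new HashMap<>();
    private final Duration lifetime; // Duration.ZERO models "token lifetime = 0" (assumed: no expiry)

    ResetTokenPolicy(Duration lifetime) { this.lifetime = lifetime; }

    void requestReset(String user, String code, Instant now) {
        requests.put(user, new Request(code, now));
    }

    // True only for a pending, unexpired request whose code matches.
    boolean checkCode(String user, String code, Instant now) {
        Request r = requests.get(user);
        if (r == null) return false;
        boolean timed = !lifetime.isZero();
        if (timed && now.isAfter(r.createdAt().plus(lifetime))) {
            requests.remove(user);                   // expired: drop the request, report an error
            return false;
        }
        boolean match = MessageDigest.isEqual(       // constant-time comparison
            r.code().getBytes(StandardCharsets.UTF_8), code.getBytes(StandardCharsets.UTF_8));
        if (!match && !timed) requests.remove(user); // lifetime 0: a wrong code removes the request
        return match;                                // a successful check leaves the request in place
    }

    // The request is consumed only when the password is actually changed.
    boolean resetPassword(String user, String code, Instant now) {
        if (!checkCode(user, code, now)) return false;
        requests.remove(user);
        return true;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample data
        ResetTokenPolicy strict = new ResetTokenPolicy(Duration.ZERO);
        strict.requestReset("alice", "code-A", t0);
        System.out.println(strict.checkCode("alice", "guess", t0) + " " + strict.checkCode("alice", "code-A", t0));
        ResetTokenPolicy timed = new ResetTokenPolicy(Duration.ofMinutes(30));
        timed.requestReset("bob", "code-B", t0);
        System.out.println(timed.checkCode("bob", "guess", t0) + " " + timed.checkCode("bob", "code-B", t0));
        System.out.println(timed.resetPassword("bob", "code-B", t0.plusSeconds(3600)));
    }
}
```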