Interesting issue where the password reset flow can allow account take-over if you register an account with a similar email domain with a unicode case collision. More interesting, it impacts Django.