Update the set_password view to use update_session_auth_hash

Changing user's password logs themselves out. To avoid that,
we were logging the user back in right after changing the password.

I recently discovered update_session_auth_hash, which seems to
be the proper way to do this.

Docs: https://docs.djangoproject.com/en/3.1/topics/auth/default/#session-invalidation-on-password-change

hc/accounts/views.py

@@ -8,7 +8,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import login as auth_login
 from django.contrib.auth import logout as auth_logout
-from django.contrib.auth import authenticate
+from django.contrib.auth import authenticate, update_session_auth_hash
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
 from django.core import signing
@@ -480,10 +480,9 @@ def set_password(request, token):
             request.profile.token = ""
             request.profile.save()
 
-            # Setting a password logs the user out, so here we
+            # update the session with the new password hash so that
-            # log them back in.
+            # the user doesn't  get logged out
-            u = authenticate(username=request.user.email, password=password)
+            update_session_auth_hash(request, request.user)
-            auth_login(request, u)
 
             messages.success(request, "Your password has been set!")
             return redirect("hc-profile")