If, for whatever reason, the user resetting their password never clicked on the email confirmation link to verify their email, we should go ahead and mark it verified if and when they reset their password.
I think this idea is sound. The implementation proves slightly tricky due to not knowing which email address was used to reset the password. Will require a little bit of thinking to get this right.
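One way to resolve the ambiguity raised above, as an added example that is not the project's code: sign the address the reset mail was sent to into the token, then mark only that address verified when the reset succeeds. The function names, token format, key and TTL are all assumptions, and single-use enforcement of the token is left out.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed value; a real key comes from config
TTL = 3600  # seconds a reset link stays valid (assumed policy)

def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_reset_token(user_id, email, now=None):
    """Record the address the reset mail goes to inside the signed token."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "email": email.lower(), "exp": int(now) + TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def read_reset_token(token, now=None):
    """Return (user_id, email) for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
        # Check the signature before trusting anything inside the body.
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(body)
    except (ValueError, TypeError):
        return None
    if claims["exp"] < now:
        return None
    return claims["uid"], claims["email"]

def mark_verified_on_reset(token, user_id, addresses, now=None):
    """After a successful reset, verify only the address the link was mailed to.

    `addresses` maps each of the user's (lowercased) emails to its verified flag.
    Control of one mailbox says nothing about the user's other addresses.
    """
    parsed = read_reset_token(token, now)
    if parsed is None or parsed[0] != user_id:
        return False
    email = parsed[1]
    # The address may have been removed from the account since the mail went out.
    if email in addresses:
        addresses[email] = True
    return True
```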