Cannot reset password if 2FA is active
If you follow the password recovery link for an account that has 2FA turned on, you land on a partly rendered auth settings screen instead of the password reset form. The cause is a 403 error returned by an ajax request to Kratos:
{
  "error": {
    "id": "session_aal2_required",
    "code": 403,
    "status": "Forbidden",
    "reason": "An active session was found but it does not fulfill the requested Authenticator Assurance Level. Please verify yourself with a second factor to resolve this issue.",
    "details": {
      "redirect_browser_to": "https://dashboard.stackspin.net/kratos/self-service/login/browser?aal=aal2"
    },
    "message": "Session does not fulfill the requested Authenticator Assurance Level"
  },
  "redirect_browser_to": "https://dashboard.stackspin.net/kratos/self-service/login/browser?aal=aal2"
}
So Kratos's position is that the session created by the recovery link only reaches AAL1, and the settings screen it redirects to (where the new password is set) requires AAL2, i.e. a second factor, before the password recovery can be finished.
We're probably okay with that judgment, at least for now, but we evidently need to intercept the error and redirect the user to the given URL, preferably adding a message to explain that this is still part of the password reset. Maybe also advise them to contact their admin in case they have also lost their 2FA, even though we don't have a GUI way for admins to reset 2FA for users.