... the token never seems to expire (either after a certain amount of time or after being used once). I just clicked on the link that was generated over a week ago and was able to arbitrarily reset my password again.
It would be desirable from a security standpoint to expire these tokens.
From @andrew-nguyen
It would be desirable from a security standpoint to expire these tokens.