Password reset link not expiring
After a user has used a password reset token, that token should be burned and should not be used for that account again. The problem is that sometimes developers forget to invalidate these tokens. This would allow several attack avenues such as the attacked being able to generate an infinite amount of tokens because the…