Insecure Password Reset Link Expiration.
It was observed that the "Forgot Password" functionality generates a password reset link, which
remains valid even after requesting a new reset link. Ideally, the previously issued reset link
should become invalid upon generating a new one. The lack of expiration for older reset links
allows an attacker or unauthorized user with access to an old link to reset the victim's password
at a later time, leading to potential account compromise.

Is there a way that when a new password reset link is generated, the previous one is automatically invalidated?
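
One way to get the behaviour asked about, shown as an added example that is not part of the original post: keep at most one live token per account, so issuing a new link overwrites the old one. The `ResetTokenStore` class, the in-memory dict standing in for a database table, and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class ResetTokenStore:
    """At most one live reset token per user (dict stands in for a DB table)."""

    def __init__(self, ttl=900, clock=time.time):  # ttl: assumed 15 minutes
        self._ttl, self._clock = ttl, clock
        self._live = {}  # user_id -> (sha256 hex of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a token; overwriting the row invalidates any earlier link."""
        token = secrets.token_urlsafe(32)
        self._live[user_id] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, user_id, token):
        """Return True once for the newest unexpired token, False otherwise."""
        entry = self._live.get(user_id)
        if entry is None or self._clock() >= entry[1]:
            self._live.pop(user_id, None)  # drop an expired row if present
            return False
        if not hmac.compare_digest(entry[0], self._digest(token)):
            return False  # superseded or forged token; the live one stays valid
        del self._live[user_id]  # single use: a redeemed link cannot be replayed
        return True


def demo():
    """Constructed scenario: two requests for one account, then an expired link."""
    now = [1000.0]  # fake clock so expiry can be exercised without sleeping
    store = ResetTokenStore(ttl=900, clock=lambda: now[0])
    first = store.issue("alice")
    second = store.issue("alice")
    old_link = store.redeem("alice", first)   # superseded by the second request
    new_link = store.redeem("alice", second)  # newest link is accepted
    replay = store.redeem("alice", second)    # already used
    third = store.issue("alice")
    now[0] += 901                             # move past the lifetime
    return old_link, new_link, replay, store.redeem("alice", third)
```

In a real application the same effect comes from a unique constraint on the user column of the reset-token table (or deleting the user's existing rows before inserting the new one), with the lookup done by token hash.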