For the reset password flow edge cases, I’ve customised the Redirect To URL in the Change Password template so that it redirects to a custom error page to deal with the different scenarios.
This has covered the following cases:
When the user has already used the link to reset their password successfully (it cannot be used more than once) → Redirects to the configured Redirect URL
When the URL expires due to the custom-set lifetime → Redirects to the configured Redirect URL
Edge case scenario NOT covered:
When a user sends multiple reset password emails to the same address, the old ones still redirect to this “Authentication Error Access expired” screen, because only the last email sent is valid. They are treated differently somehow.
How could I make that case behave like the top ones? It needs to be consistent; otherwise the user is left hanging on that screen.
Generate a unique token or identifier for each password reset request and associate it with the user’s email address.
Store the token or identifier along with the email address in your database.
When a user clicks on the password reset link, validate the token against the email address. Only allow the user to proceed if the token matches the email address in your storage.
If there are multiple reset password requests associated with the same email address, consider only the latest valid token. Update and maintain only the most recent token.
When an expired or invalid token is encountered, redirect the user to the custom error page instead of displaying the “Authentication Error - Access expired” screen.
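The token handling the answer above describes, as an added example (not code from the original post or from any particular auth provider): each reset request issues a fresh token and marks the earlier ones for that email as superseded, and validation returns a distinct status for every outcome so that a superseded link lands on the same custom error page as a used or expired one. The in-memory store, the TTL, and the `/reset-error` path are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime for a reset link


class ResetTokenStore:
    """Constructed in-memory store; a real deployment would use a DB table keyed by token hash."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self.tokens = {}  # sha256(token) -> {"email", "created", "state"}

    @staticmethod
    def _hash(token):
        # Store only a hash so a database leak does not expose live reset links
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        # Only the most recent token per email stays valid: supersede the older ones
        for rec in self.tokens.values():
            if rec["email"] == email and rec["state"] == "active":
                rec["state"] = "superseded"
        token = secrets.token_urlsafe(32)
        self.tokens[self._hash(token)] = {"email": email, "created": now, "state": "active"}
        return token

    def validate(self, email, token, now=None):
        """Return 'ok' once per token, otherwise a reason usable for the error page."""
        now = time.time() if now is None else now
        rec = self.tokens.get(self._hash(token))
        if rec is None or rec["email"] != email:
            return "invalid"       # unknown token, or token bound to another email
        if rec["state"] in ("superseded", "used"):
            return rec["state"]    # a newer link was sent, or this one was already consumed
        if now - rec["created"] > self.ttl:
            rec["state"] = "expired"
            return "expired"
        rec["state"] = "used"      # single use: consume on first successful validation
        return "ok"


ERROR_PAGE = "/reset-error"  # assumed custom error page


def redirect_for(status):
    # Every non-ok outcome goes to the same custom page, so no case leaves the user stranded
    if status == "ok":
        return "/set-new-password"
    return f"{ERROR_PAGE}?reason={status}"
```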