Validate reset password links for missing users and expired tokens

## Problem

The reset password flow does not handle two important invalid states safely:

- the user id from the route may not exist anymore
- the reset token has no effective expiration check

Current code:

- `src/Controller/ResetPasswordController.php:102` uses `findOneById()` and then calls methods on the result without checking `null`
- `src/Controller/ResetPasswordController.php:108` still has the TTL validation commented out

## Impact

- an invalid or stale reset link can end in a `500` instead of redirecting safely
- old reset links can remain usable indefinitely if the token still matches

## Expected behavior

- if the user cannot be found, redirect to the reset request flow without errors
- if the token is expired, reject it and redirect to the reset request flow
- add functional coverage for missing-user and expired-token cases


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Validate reset password links for missing users and expired tokens #29

Problem

Impact

Expected behavior

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Validate reset password links for missing users and expired tokens #29

Description

Problem

Impact

Expected behavior

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions