by anton_gogolev 3531 days ago
> This requires non-idempotent get requests as you must invalidate the token on get.

I think you should invalidate a token whenever a user enters a new password and submits a form (hence POST).

1 comment

That should definitely happen anyway but, as the article points out, that leaves a window of time between the user clicking the link in their email and them completing the form. It might be a very brief window, but it's still exploitable (and it won't always be brief - consider a user clicking the link in their email, leaving their desk for 5 minutes or going to make a cup of tea...)
Not to mention the users who will request a reset but then remember, or forget to follow up with the reset (which I myself have been guilty of in the past).
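As an added example, not part of the thread or of the article it discusses, the two invalidation policies under debate side by side: policy A consumes the emailed token only when the form is POSTed, policy B consumes it on the GET that renders the form and continues with a fresh short-lived reset session. The simulation plays out the "tea break" window from the comment above, with an attacker who learned the emailed token during that window. The in-memory store, the reset-session mechanism in policy B, the TTL values and the user names are assumptions for the demo, not anything the article or the commenters specified.

```python
import hashlib
import secrets


class ResetService:
    """In-memory password-reset flow (constructed for this example).

    Policy A keeps the emailed token valid until the form is POSTed.
    Policy B consumes the emailed token on the GET that renders the form
    and hands the browser a short-lived reset session instead (in a real
    app this would travel in a cookie; here it is a return value).
    """

    def __init__(self, clock, token_ttl=900, session_ttl=300):
        self.clock = clock              # returns seconds; injectable so the demo can advance time
        self.token_ttl = token_ttl      # emailed-token lifetime (assumed: 15 minutes)
        self.session_ttl = session_ttl  # policy-B reset-session lifetime (assumed: 5 minutes)
        self.tokens = {}                # sha256(token) -> (user, expiry)
        self.sessions = {}              # sha256(session) -> (user, expiry)
        self.passwords = {}             # user -> password, plaintext only for the demo

    @staticmethod
    def _h(secret):
        # Store only a hash so a leaked table does not yield usable secrets.
        return hashlib.sha256(secret.encode()).hexdigest()

    def _redeem(self, table, secret, consume):
        """Return the user bound to `secret`, or None if unknown or expired.
        Deletes the record when `consume` is True (single use)."""
        key = self._h(secret)
        rec = table.get(key)
        if rec is None or rec[1] <= self.clock():
            return None
        if consume:
            del table[key]
        return rec[0]

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (user, self.clock() + self.token_ttl)
        return token  # the secret carried in the emailed link

    # ---- Policy A: invalidate on POST ----
    def get_form_a(self, token):
        return self._redeem(self.tokens, token, consume=False) is not None

    def post_form_a(self, token, new_password):
        user = self._redeem(self.tokens, token, consume=True)
        if user is None:
            return False
        self.passwords[user] = new_password
        return True

    # ---- Policy B: invalidate on GET, continue with a reset session ----
    def get_form_b(self, token):
        user = self._redeem(self.tokens, token, consume=True)
        if user is None:
            return None  # a second GET with the same link (e.g. a reload) lands here
        session = secrets.token_urlsafe(32)
        self.sessions[self._h(session)] = (user, self.clock() + self.session_ttl)
        return session

    def post_form_b(self, session, new_password):
        user = self._redeem(self.sessions, session, consume=True)
        if user is None:
            return False
        self.passwords[user] = new_password
        return True


def simulate_window(policy):
    """alice clicks the emailed link, leaves for four minutes, and an attacker
    who learned the emailed token during that window submits the form first.
    Returns (alice_succeeded, attacker_succeeded, final_password)."""
    now = [1_000.0]
    svc = ResetService(clock=lambda: now[0])
    token = svc.request_reset("alice")
    if policy == "A":
        svc.get_form_a(token)            # renders the form; token still live
        now[0] += 240                    # the tea break
        attacker = svc.post_form_a(token, "attacker-pw")
        alice = svc.post_form_a(token, "alice-pw")
    elif policy == "B":
        session = svc.get_form_b(token)  # token consumed here
        now[0] += 240
        # The attacker holds only the emailed token: it neither renders the
        # form again nor passes as a reset session.
        attacker = svc.get_form_b(token) is not None or svc.post_form_b(token, "attacker-pw")
        alice = svc.post_form_b(session, "alice-pw")
    else:
        raise ValueError(policy)
    return alice, attacker, svc.passwords.get("alice")


def abandoned_reset_expires():
    """A reset that is requested but never followed up dies with the token TTL
    under either policy."""
    now = [1_000.0]
    svc = ResetService(clock=lambda: now[0])
    token = svc.request_reset("bob")
    now[0] += 900
    return not svc.get_form_a(token) and svc.get_form_b(token) is None
```

Under policy A the attacker's POST wins and alice's own submission fails; under policy B the emailed token is dead the moment the form is rendered, so the attacker gets nothing and alice still has the session lifetime to finish. Policy B is exactly the non-idempotent GET objected to above: reloading the emailed link fails, so a real implementation would redirect to a token-free URL after the first GET (an assumption about the pattern, not something the thread states).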