Generate a new reset_password_token only when it isn't valid anymore or nil

[fernandomm]

When you call set_reset_password_token, it will always generate a new reset_password_token.

This can cause some issues:

1. An user may click twice at the submit button and will receive two emails. One of emails will have an invalid token ( the older one ). This can be "fixed" by disabling the submit button after click with Javascript.
2. There might be a delay in the email delivery and user will request another reset password email. Again one of the emails will have an old and invalid reset password token. I don't see a viable option to fix this with the current code.

Because of this we get a lot of support requests in our application regarding users that can't reset their password.

Would you be willing to accept a PR that changes set_reset_password_token method to only change reset_password_token value if it's not valid anymore?

If yes, should this be the default and only behavior or something that can be changed using a Devise option?

[rietta]

I disagree because that may change the threat posture in unexpected ways. Generating a new token on request is the correct behavior. Possibly debouncing the request/submit button would be the better solution to the double tap.

[cross-p6]

I agree, all the token-based flows in fact should regenerate on a subsequent request. I think confirmation currently doesn't do that. Maybe a PR is needed

[tegon]

Hello @fernandomm, thanks for your report.
I agree with @rietta - generating a new token on request is the correct behavior.
I know it's not ideal, but if you need this behavior you can override it in your application's code.

Thank you!