…h an invalid
reset_password_token, let them know immediately as soon they get there rather than waiting until
*after* they've taken the time to enter their new password twice and submit the form to tell them
about the problem.
Also redirect them to the "Forgot your password?" page so that they can request a new one instead of
leaving them wondering what to do next.