password reset UX issues #27644

Closed

@halaei

In my personal opinion, the current Laravel password reset workflow has some issues that might be annoying for users:

1. Double submissions invalidate tokens emailed earlier.

A user requests password resets twice. Then he/she opens the first email and clicks on its link. But unfortunately, the link is invalid and the user sees an "invalid token error" after he submits the form. I think there is no security need to invalidate the first token. For example, GitHub doesn't do that; it invalidates all the tokens after the password is successfully reset.

2. The user has to re-enter his/her email.

I also think there is no need for that either.

3. The user has to enter his new password twice.

Again no need for that really.

4. Tokens are validated too late.

The tokens are only validated after the user has filled in 3 inputs (2 of them passwords) and submitted the form. A user who did the double submission is now frustrated and confused. Why not validate just when the user hits the reset password page, before filling in the form? Again, GitHub does this, for example.

5. Invalid token error is redirected to a wrong form.

After an invalid-token error occurs, the user should see a different form to re-enter his email and request a new token again. Seeing an error (This password reset token is invalid) above a form that really doesn't work is not helpful.

Moreover, I think showing the user's email alongside a timer to the user after he requests a token is helpful. During the timer countdown, the user must not be able to request a token again, unless he thinks he entered a wrong email.
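The token lifecycle the points above describe (several outstanding tokens per address, validation on page load, one invalidation point after a successful reset, and a request cooldown behind the proposed timer) can be sketched without any framework. The following is an added, framework-agnostic example; it is not the issue author's code and not Laravel's `PasswordBroker`. The in-memory store, the `TOKEN_TTL` and `REQUEST_COOLDOWN` values, and the `page_for` route names are assumptions made for the illustration.

```python
"""Password-reset token lifecycle sketch (added example, not Laravel's own
implementation). Tokens are stored only as SHA-256 digests, looked up in
constant time, several may be outstanding per address, and all of them are
dropped together once one of them is used to reset the password."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 60 * 60      # seconds a reset link stays usable (assumed value)
REQUEST_COOLDOWN = 60    # seconds before the same address may request again (assumed value)


@dataclass
class TokenRecord:
    email: str
    token_hash: str
    issued_at: int


@dataclass
class PasswordResetBroker:
    """In-memory stand-in for the database table a real broker would use."""
    records: list = field(default_factory=list)
    last_request: dict = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        # Persist only a digest so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def can_request(self, email: str, now: int) -> bool:
        """Cooldown check behind the 'timer' proposed in the issue."""
        last = self.last_request.get(email)
        return last is None or now - last >= REQUEST_COOLDOWN

    def issue(self, email: str, now: int) -> str:
        """Create a new token WITHOUT revoking earlier ones for this address."""
        if not self.can_request(email, now):
            raise PermissionError("reset already requested; wait for the cooldown")
        token = secrets.token_urlsafe(32)
        self.records.append(TokenRecord(email, self._hash(token), now))
        self.last_request[email] = now
        return token

    def lookup(self, token: str, now: int):
        """Return the matching unexpired record, or None. Meant to run on GET
        of the reset page, so a dead link is rejected before any input."""
        digest = self._hash(token)
        for rec in self.records:
            if hmac.compare_digest(rec.token_hash, digest) and now - rec.issued_at < TOKEN_TTL:
                return rec
        return None

    def page_for(self, token: str, now: int) -> str:
        """Route decision for a reset link: the reset form only for a live
        token, otherwise the form for requesting a fresh token."""
        return "reset_form" if self.lookup(token, now) else "request_form"

    def reset(self, token: str, new_password: str, now: int) -> bool:
        """Consume the token. The email comes from the record, so the form
        need not ask for it again. On success every token for the account
        is dropped: this is the single invalidation point."""
        rec = self.lookup(token, now)
        if rec is None:
            return False
        # new_password would be hashed and stored on the account here (omitted)
        self.records = [r for r in self.records if r.email != rec.email]
        return True
```

Because `lookup` keys on the token digest rather than on `(email, token)`, the second request in the double-submission scenario simply adds a second row, and whichever link the user opens first resolves; `reset` then removes both rows so the other link cannot be reused afterwards.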
