When doing a password reset, the user interface doesn’t respond immediately after clicking/tapping on the reset button. On the first click, an email with a token is sent to the user. When the user taps 3 times, the token is renewed, but no email is sent. When the user eventually gets the email and uses the link to reset the password, the token is invalid, giving the error message, which is technically correct, but not in the UX space, as the user didn’t receive the latest email without knowing it.
Proposed solution: when the user clicks on the ‘Reset’ button, the button should immediately be disabled to prevent double or even triple clicks, which change the server-side token multiple times while only the first token is issued with the user email. This will ensure that the email sent and the token used stay valid on both the user and server sides.
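The following sketch is an added example, not code from the original report or the affected application. It models the behaviour described above and the proposed button guard; `makeServer`, `singleFlight` and `simulate` are hypothetical names, the server is a constructed stand-in, and a plain object stands in for the DOM button.

```javascript
// Constructed model of the reported server behaviour: every reset request
// rotates the stored token, but only the first request sends an email.
function makeServer() {
  const state = { requests: 0, currentToken: null, emailedToken: null };
  return {
    state,
    async requestReset() {
      const token = `token-${++state.requests}`; // constructed sample value
      state.currentToken = token;                // each request invalidates the previous token
      if (state.emailedToken === null) state.emailedToken = token;
      await new Promise((resolve) => setTimeout(resolve, 20)); // slow response, no UI feedback
    },
  };
}

// Proposed fix: disable the button on the first click and let repeat clicks
// share the one in-flight request. The button is re-enabled only on failure,
// so a successful request cannot be followed by a token-rotating second one.
function singleFlight(button, send) {
  let inFlight = null;
  return function onClick() {
    if (inFlight) return inFlight;
    button.disabled = true;
    inFlight = send().catch((err) => {
      button.disabled = false; // allow a retry after an error
      inFlight = null;
      throw err;
    });
    return inFlight;
  };
}

// Three rapid clicks, with or without the guard.
async function simulate(useGuard) {
  const server = makeServer();
  const button = { disabled: false }; // stand-in for the 'Reset' button element
  const send = () => server.requestReset();
  const onClick = useGuard ? singleFlight(button, send) : send;
  await Promise.all([onClick(), onClick(), onClick()]);
  const { requests, emailedToken, currentToken } = server.state;
  return { requests, linkValid: emailedToken === currentToken, disabled: button.disabled };
}

simulate(false).then((r) => console.log("unguarded:", r));
simulate(true).then((r) => console.log("guarded:  ", r));
```

Without the guard the emailed token no longer matches the server's current token after three clicks; with it, only one request reaches the server and the emailed link stays valid.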