common 'issue' with Devise Recoverable, password reset loop

[jbeyer05]

In applications where I use Devise, I have seen situations where users run into an issue with the 'Forgot Password' functionality, which is partly user error, but which also could be easily fixed with a simple change to the workflow. And I'm wondering if I've somehow missed something in the documentation that might allow for a configuration setting that would fix the issue.

Fairly frequently, users will generate a password reset link, lack any patience when the email doesn't immediately arrive, and request a second link. Then the first email arrives and they follow that link. The reset token in the first email has been invalidated by the second request. But they open that link, and request a reset link a third time. They now see the second email, and follow the second link, which is now invalid as well. And the loop repeats.

Am I missing a configuration option? It seems like I would need to roll a semi-custom solution to make this work, and Google isn't turning up any results on simple tutorials to do this.

It seems like Recoverable should have an option to NOT modify the reset password token within a timeframe specified via configuration (maybe 10 minutes). It wouldn't seem to have any security drawbacks that I can see.

[jbeyer05]

If I were to create a PR with a new configuration option for Recoverable that took a time period and didn't reset the token within that window, is that something that the maintainers of the project would be interested in incorporating?