Resetting confirmation token never expires??

[ovgray]

Symfony FOSUserBundle versions: v2.0.1

Description of the problem including expected versus actual behavior:

A user who requests a password reset is redirected to a check-email page that says the user has been sent an email containing a link that will expire in two hours.

If that link isn't used in two hours (or two days, or two months), the link redirects to to the resetting request page. But if the user submits the request again, the user is sent the same "expired" link.

Shouldn't a new confirmation token be generated when the existing one is more than retry_ttl old, or at least when it is more than token_ttl old?

It seems that ResettingController::sendEmailAction will use $user->getConfirmationToken() no matter how long ago the token was created.

[willemstuursma]

So, the validity of a token that has been expired can easily be extended by requesting another reset?