I like the look of this technique for sending password reset links:
https://neosmart.net/blog/2015/using-hmac-signatures-to-avoid-database-writes/
(TLDR: don't store the token in the database. Send a password reset link with the email address, expiry time, and corresponding HMAC)
especially after reading about the Mozilla / Bugzilla reset bug.
It seems like it's vulnerable to replay attacks though.
Q1: Under what circumstances is it vulnerable, assuming good HTTPS?
I think someone monitoring my network traffic (at say a wifi hotspot) would not be able to simply replay the GET request to the link, correct?
Q2: If it's only a replay attack if an attacker has access to my email or physical access to my computer, isn't token-based password reset equally vulnerable, as the attacker could simply request a new link?