When the user request a reset password link, the user.state is set to request_password_reset.

Which means the user will only be able to reset their password, and not sign-in.
Once the user resets the password the user state is set to active once more.
If the link is used a second time they will be redirected to the index page with a message
that the link in the email is not longer valid.

app/main/dao/users_dao.py

@@ -62,9 +62,13 @@ def update_mobile_number(id, mobile_number):
 def update_password(user, password):
     user.password = hashpw(password)
     user.password_changed_at = datetime.now()
+    user.state = 'active'
     db.session.add(user)
     db.session.commit()
 
 
-def find_all_email_address():
-    return [x.email_address for x in User.query.options(load_only("email_address")).all()]
+def request_password_reset(email):
+    user = get_user_by_email(email)
+    user.state = 'request_password_reset'
+    db.session.add(user)
+    db.session.commit()

app/main/views/forgot_password.py

@@ -10,6 +10,7 @@ def forgot_password():
     form = ForgotPasswordForm()
     if form.validate_on_submit():
         if users_dao.get_user_by_email(form.email_address.data):
+            users_dao.request_password_reset(form.email_address.data)
             send_change_password_email(form.email_address.data)
             return render_template('views/password-reset-sent.html')
         else:

app/main/views/new_password.py

@@ -14,6 +14,9 @@ def new_password(token):
         return redirect(url_for('.forgot_password'))
 
     user = users_dao.get_user_by_email(email_address=email_address.decode('utf-8'))
+    if user and user.state != 'request_password_reset':
+        flash('The link in the email we sent you has already been used.')
+        return redirect(url_for('.index'))
 
     form = NewPasswordForm()