More of a theoretically question. Writing a secure login system and I can't find a reason to have an expiration to a reset password URL.
Their thought was if someone was in your email and wanted to change your password to a site. The URL should be expired. To get around this. They could request another password change to the already compromised email address.
I took to the time to make it expire anyways. I think another backup email address or cell number would be the only way around this. I think I owe Kim DotCom money.
Without much elaboration, I see two problematic situations.
So instead of thinking of all the possible points of failure while evaluating older links (and you WILL miss a case or two), just slap a duration to a reset token, thus preventing usage of older links/tokens.