my $user = db->user($_{username});
return reply 'No such user' unless $user;
my ($token, $exp) = split ':', $_{token};
+ return reply 'Reset token is expired' if time >= $exp;
return reply 'Bad reset token' unless $user->make_reset_hmac($exp) eq $token;
$user->set_passphrase($_{password});
reply 'Password reset successfully';
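Review bot: The added expiry check compares `time` against `$exp` taken straight from the client's token, before the HMAC on the next line has authenticated it. `$exp` is undef when `$_{token}` contains no `:` and non-numeric when the client sends junk, so guard it first with `return reply 'Bad reset token' unless defined $token && defined $exp && $exp =~ /\A\d+\z/;`. The `eq` on the HMAC line is not a constant-time comparison, so a fixed-time compare would be safer there. Whether a token can be reused until `$exp` after a successful reset depends on what `make_reset_hmac` covers, which is not visible here; if it is not bound to the current passphrase hash, the token should be invalidated on use. The enclosing handler starts and ends outside this hunk.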