Stop password reset tokens being used more than once (so to with any domain referrer leakage)

passwords_controller.rb

# new file app/controllers/users/passwords_controller.rb
class Users::PasswordsController < Devise::PasswordsController
  def edit
    super
    raw, enc = Devise.token_generator.generate(User, :reset_password_token)
    original_enc = Devise.token_generator.digest(User, :reset_password_token, params[:reset_password_token])
    EncoreBackend::User.where(reset_password_token: original_enc).update_all(reset_password_token: enc)
    @user.reset_password_token = raw
  end
end 

routes.rb

# changes to config/routes.rb
devise_for :users, class_name: 'User', controllers: { passwords: 'users/passwords' }