Don't allow old password reset tokens
Can't find any evidence that Pleroma checks or cleans up old password reset tokens. This is a problem because email isn't secure, and if someone's email gets leaked, these password reset URLs could be used to access the account months or years later.
The password reset token already has a timestamp attached to it. When used, it should just confirm that the token is, say, less than 7 days old (or some configurable value).
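Added example of the check described above (not Pleroma's own code): an age-limited, configurable validation of a reset token plus a prune step for stale records. The record shape (`token`, `user_id`, `inserted_at`), the `:my_app`/`:reset_token_max_age` config key and the 7-day default are assumptions.

```elixir
# Added example, not Pleroma's own code. Assumes a stored reset-token record
# shaped like %{token: binary, user_id: integer, inserted_at: DateTime} and a
# max age read from application config (key name and default are assumptions).
defmodule ResetTokenCheck do
  @seven_days 7 * 24 * 60 * 60

  # Maximum token age in seconds; override with
  # `config :my_app, reset_token_max_age: <seconds>`.
  def max_age_seconds do
    Application.get_env(:my_app, :reset_token_max_age, @seven_days)
  end

  @doc """
  Accepts the presented token only if it matches the stored record and the
  record is younger than the configured max age. `now` is passed in so the
  check is deterministic in tests.
  """
  def validate(nil, _presented, _now), do: {:error, :not_found}

  def validate(%{token: stored, user_id: user_id, inserted_at: inserted_at}, presented, now) do
    cond do
      not equal?(stored, presented) -> {:error, :mismatch}
      DateTime.diff(now, inserted_at, :second) > max_age_seconds() -> {:error, :expired}
      true -> {:ok, user_id}
    end
  end

  @doc """
  Cleanup half of the fix: drop every record older than the max age so that
  leaked links stop working even if nobody ever presents them.
  """
  def prune(records, now) do
    Enum.reject(records, fn %{inserted_at: inserted_at} ->
      DateTime.diff(now, inserted_at, :second) > max_age_seconds()
    end)
  end

  # Compare digests rather than raw strings so the comparison does not
  # short-circuit on the first differing byte.
  defp equal?(a, b) do
    :crypto.hash(:sha256, a) == :crypto.hash(:sha256, b)
  end
end

# Constructed sample: the token string still matches, but the record is 30 days
# old, so validate/3 returns {:error, :expired} and prune/2 discards it.
record = %{token: "abc123", user_id: 42, inserted_at: ~U[2024-01-01 00:00:00Z]}
ResetTokenCheck.validate(record, "abc123", ~U[2024-01-31 00:00:00Z])
ResetTokenCheck.validate(record, "abc123", ~U[2024-01-03 00:00:00Z])
ResetTokenCheck.prune([record], ~U[2024-01-31 00:00:00Z])
```

On a real deployment the record would come from the database and `prune/2` would be a periodic delete query rather than a list filter, but the age test is the same.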