When a user opens a password reset link e-mailed to them, the landing page looks the same whether or not it is still valid. If the link is no longer valid, when they click the button to be taken to the password reset form, the UserController class displays an error 'You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.' and redirects to the user.pass form.
I think this validation process can be moved up a step and put in the UserPasswordResetForm class'buildForm function, so that they are immediately prompted with the error message to re-generate the password link if it is expired or otherwise no longer valid.
This would also settle this issue for the PRLP plugin.