I think expiration should be pending on a proper way to do recurring
tasks -- I'm personally in favor of a CLI command that can be run from a
cronjob or systemd timer that will do things like auto-expire password
reset requests and send the daily registration reports.
Now that I'm thinking about it, this does need at least a rudimentary
system to make sure that it actually expires. If the expiration is
invalid at the time of reset, then the request can just be invalidated
and deleted. There's no pressing need for automatic removal until it's
implemented.
Thoughts @willhockey20?
