This is related to the Users & Permissions - Authentication - Reset password topic.
The callback URL contains the code which does not seem to expire after a certain period of time or after using it once (meaning submitting the reset password request with the code).
I would like to know how (if possible) to add an expiration to this code, and how to make it invalid after using it.
Best option would be an internal cron if you don’t plan to scale (you’d need to add another field to the user model to track when the code was created and modify the users-permissions plugin to automatically set that).
Or if you plan to scale, create a controller (anywhere, could be as an extension to the users-permissions or just a normal controller) and run some kind of authenticated cron process (you could use our API tokens guide: API Tokens - Strapi Developer Documentation).
TLDR: There is no simple way to add this, it will require some custom logic for now, but I would suggest creating a feature request on GitHub as I think it would be quite useful to have by default.
Alternatively, if you don’t want to go the cron route since it’s not really easy to implement, you could go the dirty route and just add the field and check it when requests come in (extend the users-permissions plugin) and return an error while also clearing the expire date.
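The "add the field and check it when requests come in" approach from the reply above, sketched as an added example (not code from the thread or from Strapi). The field names `resetPasswordToken` and `resetPasswordTokenCreatedAt`, the one-hour lifetime and the in-memory `users` array are assumptions for illustration; in a real project the check would sit in the extended users-permissions reset-password handler.

```javascript
const crypto = require('node:crypto');

const RESET_CODE_TTL_MS = 60 * 60 * 1000; // assumed lifetime: 1 hour

// Constructed stand-in for the user table (hypothetical field names).
const users = [{
  id: 1, email: 'a@example.test', password: 'old',
  resetPasswordToken: null, resetPasswordTokenCreatedAt: null,
}];

// Forgot-password step: issue a code and record when it was created.
function issueResetCode(user, now = Date.now()) {
  user.resetPasswordToken = crypto.randomBytes(64).toString('hex');
  user.resetPasswordTokenCreatedAt = now;
  return user.resetPasswordToken;
}

function clearResetCode(user) {
  user.resetPasswordToken = null;
  user.resetPasswordTokenCreatedAt = null;
}

// Reset-password step: the check that runs on every incoming request.
function redeemResetCode(code, newPassword, now = Date.now()) {
  // Reject missing or non-string codes so a null/empty value can never
  // match a user whose token field is already cleared.
  if (typeof code !== 'string' || code.length === 0) {
    return { ok: false, error: 'invalid code' };
  }
  const user = users.find((u) => u.resetPasswordToken === code);
  if (!user) return { ok: false, error: 'invalid code' };

  const createdAt = user.resetPasswordTokenCreatedAt;
  if (createdAt === null || now - createdAt > RESET_CODE_TTL_MS) {
    clearResetCode(user); // expired: return an error and clear the fields
    return { ok: false, error: 'code expired' };
  }
  user.password = newPassword; // a real handler would hash this
  clearResetCode(user);        // single use: the same code cannot be replayed
  return { ok: true, userId: user.id };
}
```

Clearing both fields on success is what makes the code single-use; the timestamp comparison alone only bounds how long an unused code stays valid.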