Password reset codes should be valid for a far shorter period, perhaps as long as 24 hours but no more.
min:4 => min:6
Isn't that a database schema thing already?
Here it's 8 hours, elsewhere I see 7 days.
Can we $john $user?