How would you test password reset abuse and token security?
Scenario
A customer portal lets users request a password reset email. Reset links expire after 30 minutes and can only be used once, and a successful password change should invalidate active sessions.
List checks, risks, edge cases, data conditions, and user experience concerns you would cover.