errors=invalidkey for a WordPress Custom Password recovery page

Question

WordPress v5.4.1, I have the below code to send the password reset mail from custom page.

Followed the https://code.tutsplus.com/tutorials/build-a-custom-wordpress-user-flow-part-3-password-reset--cms-23811.

// Custom message
function replace_retrieve_password_message($message, $key, $user_login, $user_data) {

    global $wpdb;

    $key = $wpdb->get_var("SELECT user_activation_key FROM $wpdb->users WHERE user_login ='" . $user_login . "'");
    if (empty($key)) {
        //generate reset key
        $key = wp_generate_password(20, false);
        $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
    }
    // Create new message
    $msg = __('Hello!') . "\r\n\r\n";
    $msg .= sprintf(__('You asked us to reset your password for your account using the email address %s.'), $user_login) . "\r\n\r\n";
    $msg .= __("If this was a mistake, or you didn't ask for a password reset, just ignore this email and nothing will happen.") . "\r\n\r\n";
    $msg .= __('To reset your password, visit the following address:') . "\r\n\r\n";
    $msg .= site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . "\r\n\r\n";
    $msg .= __('Thanks!') . "\r\n";

    return $msg;
}

add_filter('retrieve_password_message', 'replace_retrieve_password_message', 10, 4);

User is getting the password reset email and while clicking on the link, it gives errors=invalidkey.
I have tried removing the custom $key function to have WordPress default key generation. Then I will have password reset page, but any action is showing errors=invalidkey.

Answer 1

Why are you regenerating the $key? Why not just use the one passed to your callback?

But if you must regenerate it, then you could just use get_password_reset_key():

$key = get_password_reset_key( $user_data );