I'm trying to implement a "Reset Password" form in my application using Supabase's authentication service. As of now, the route to the reset password form is protected such that only authorized users can access it. However, I want users to only be able to access it with a ticket/token of some sort. I other words, I don't want an authenticated user to simply type in the URL and be able to access the form.

The two pictures I have attached demonstrate how I am currently implementing this feature. The first picture is the route handler that will attempt to sign in the user with the one-time password (token_hash). If this sign in is successful, the user will be redirect to the reset password page. The implementation of which is shown in the second picture.

I was thinking about setting up a dynamic route where the slug is the one-time password token. Is this a valid way to go about implementing this functionality? Is there a potential downside to exposing the one-time password token?