As far as other platforms not invalidating tokens when passwords change, that doesn't make it right - in fact, the right (i.e. secure) way to do this is to ask on password reset if the current tokens, links, etc. be invalidated. Just because other people jump off a cliff doesn't mean it's a good idea. The basic rule of security is to err on the side of too much authentication, not too little!