What would be the use case for a framework that returns password reset token to random user requesting password reset of another account. Token must only be available to account owner.

A framework like this should not be used.