@gicolek
Created May 15, 2015 11:09
Gravity Forms Password Recovery init hook
<?php
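add_action( 'init', 'wp_doin_verify_user_key', 999 );
/**
 * Validate a Gravity Forms password-reset link and expose the matching user.
 *
 * The flow follows the reset-key handling in wp-login.php: the key and login
 * arrive as query arguments, are moved into an HttpOnly cookie scoped to the
 * current path, and the browser is redirected to the same URL without them so
 * the key does not linger in the address bar. The extra "method=gf" argument
 * separates these links from the standard wp-login.php reset links.
 *
 * On later requests the cookie is checked with check_password_reset_key().
 * When a new password is being posted ("pass1"), the posted "rp_key" must also
 * match the key from the cookie.
 *
 * The result is stored in the global $gf_reset_user. It is false when there is
 * no usable cookie or the posted key does not match; otherwise it is whatever
 * check_password_reset_key() returned (in WordPress core a WP_User on success
 * or a WP_Error on failure), so consumers must test it with is_wp_error()
 * before treating it as a user.
 *
 * @hook init (priority 999)
 *
 * @global mixed $gf_reset_user Outcome of the reset-key check, see above.
 */
function wp_doin_verify_user_key() {
	global $gf_reset_user;

	// Same cookie name and path scoping as wp-login.php.
	list( $rp_path ) = explode( '?', wp_unslash( $_SERVER['REQUEST_URI'] ) );
	$rp_cookie       = 'wp-resetpass-' . COOKIEHASH;

	// Step 1: a reset link was opened. Move the key out of the URL into the cookie.
	if ( isset( $_GET['key'], $_GET['method'] ) && 'gf' === $_GET['method'] ) {
		// Only scalar strings are accepted: "login" may be absent and either value
		// can arrive as an array (key[]=...), which must never reach sprintf().
		$has_login = isset( $_GET['login'] ) && is_string( $_GET['login'] );
		if ( $has_login && is_string( $_GET['key'] ) ) {
			$value = sprintf( '%s:%s', wp_unslash( $_GET['login'] ), wp_unslash( $_GET['key'] ) );
			// Session cookie, Secure on HTTPS requests, HttpOnly so scripts cannot read the key.
			setcookie( $rp_cookie, $value, 0, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
		}

		// Always strip the arguments, even for a malformed link, so the key is
		// not left in the URL.
		wp_safe_redirect( remove_query_arg( array( 'key', 'login', 'method' ) ) );
		exit;
	}

	// Step 2: compare the cookie with the reset key stored for the user.
	$user       = false;
	$has_cookie = isset( $_COOKIE[ $rp_cookie ] );

	// is_string() guards strpos() against a cookie parsed into an array;
	// "0 <" rejects both a missing colon and an empty login part.
	if ( $has_cookie && is_string( $_COOKIE[ $rp_cookie ] ) && 0 < strpos( $_COOKIE[ $rp_cookie ], ':' ) ) {
		list( $rp_login, $rp_key ) = explode( ':', wp_unslash( $_COOKIE[ $rp_cookie ] ), 2 );

		$user = check_password_reset_key( $rp_key, $rp_login );

		// A password submission must carry the same key as the cookie. A missing
		// or non-string rp_key counts as a mismatch instead of being handed to
		// hash_equals(), which accepts strings only.
		if ( isset( $_POST['pass1'] ) ) {
			$posted_key_ok = isset( $_POST['rp_key'] )
				&& is_string( $_POST['rp_key'] )
				&& hash_equals( $rp_key, $_POST['rp_key'] );

			if ( ! $posted_key_ok ) {
				$user = false;
			}
		}
	}

	// Step 3: on any failure expire the validation cookie. This hook runs on every
	// request, so the Set-Cookie header is only sent when the browser actually
	// presented the cookie; otherwise there is nothing to clear for this path.
	if ( $has_cookie && ( ! $user || is_wp_error( $user ) ) ) {
		setcookie( $rp_cookie, ' ', time() - YEAR_IN_SECONDS, $rp_path, COOKIE_DOMAIN, is_ssl(), true );
	}

	// Make the result available for later reference.
	$gf_reset_user = $user;
}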