The extra routes aren't needed in this example.
Right now, all the /user/reset requests are going to getReset. You could either send the constrained route to a different method or, neater, perform the validation in the controller to match the token and throw an exception if it doesn't match your constraints (or pass them off to your catch-all idea).
Hope that helps.