UserController::resetPass

public UserController::resetPass(Request $request, $uid, $timestamp, $hash)

Redirects to the user password reset form.

In order to never disclose a reset link via a referrer header, this controller must always return a redirect response.

Parameters

\Symfony\Component\HttpFoundation\Request $request: The request.

int $uid: User ID of the user requesting reset.

int $timestamp: The current timestamp.

string $hash: Login link hash.

Return value

\Symfony\Component\HttpFoundation\RedirectResponse The redirect response.

File

core/modules/user/src/Controller/UserController.php, line 100

Class

UserController
Controller routines for user routes.

Namespace

Drupal\user\Controller

Code

public function resetPass(Request $request, $uid, $timestamp, $hash) {
  $account = $this->currentUser();
  // When processing the one-time login link, we have to make sure that a user
  // isn't already logged in.
  if ($account->isAuthenticated()) {
    // The current user is already logged in.
    if ($account->id() == $uid) {
      user_logout();
      // We need to begin the redirect process again because logging out will
      // destroy the session.
      return $this->redirect(
        'user.reset',
        [
          'uid' => $uid,
          'timestamp' => $timestamp,
          'hash' => $hash,
        ]
      );
    }
    // A different user is already logged in on the computer.
    else {
      /** @var \Drupal\user\UserInterface $reset_link_user */
      if ($reset_link_user = $this->userStorage->load($uid)) {
        drupal_set_message($this->t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href=":logout">log out</a> and try using the link again.',
          array('%other_user' => $account->getUsername(), '%resetting_user' => $reset_link_user->getUsername(), ':logout' => $this->url('user.logout'))), 'warning');
      }
      else {
        // Invalid one-time link specifies an unknown user.
        drupal_set_message($this->t('The one-time login link you clicked is invalid.'), 'error');
      }
      return $this->redirect('<front>');
    }
  }

  $session = $request->getSession();
  $session->set('pass_reset_hash', $hash);
  $session->set('pass_reset_timeout', $timestamp);
  return $this->redirect(
    'user.reset.form',
    ['uid' => $uid]
  );
}
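
The stash-and-redirect pattern used above, as an added framework-free sketch that is not Drupal code: the hash from the one-time URL moves into the session, and the browser lands on a URL that no longer contains it. The helper names, URL paths and sample values are assumptions made for illustration.

```php
<?php
// Added illustration, not Drupal code. A plain array stands in for the session.

/**
 * First step (hypothetical helper): always answers with a redirect.
 */
function stash_and_redirect(array &$session, int $uid, int $timestamp, string $hash): array {
  $session['pass_reset_hash'] = $hash;
  $session['pass_reset_timeout'] = $timestamp;
  // The target carries only the uid, so a Referer header sent from the
  // form page cannot contain the hash.
  return ['status' => 302, 'location' => "/user/reset/$uid"];
}

/**
 * Second step (hypothetical helper): reads the secret from the session and
 * refuses when the redirect step was skipped.
 */
function reset_form(array $session, int $uid): array {
  $url = "/user/reset/$uid";
  if (!isset($session['pass_reset_hash'], $session['pass_reset_timeout'])) {
    return ['status' => 403, 'url' => $url, 'hash' => NULL];
  }
  return ['status' => 200, 'url' => $url, 'hash' => $session['pass_reset_hash']];
}

// Constructed sample values.
$session = [];
$hash = 'CONSTRUCTED-SAMPLE-HASH';
$redirect = stash_and_redirect($session, 42, 1477734747, $hash);
$form = reset_form($session, 42);

// Regression checks: the secret must never appear in a URL the browser
// stays on, and the form must not work without the stashed session values.
$checks = [
  'first step is a redirect' => $redirect['status'] === 302,
  'redirect target omits the hash' => strpos($redirect['location'], $hash) === FALSE,
  'form URL omits the hash' => strpos($form['url'], $hash) === FALSE,
  'form still receives the hash' => $form['hash'] === $hash,
  'form refuses an empty session' => reset_form([], 42)['status'] === 403,
];
foreach ($checks as $name => $ok) {
  if (!$ok) {
    throw new RuntimeException("Check failed: $name");
  }
}
echo "Referer-visible URL: {$form['url']}\n";
```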
doc_Drupal
2016-10-29 09:52:27