
Gmail now pretty much breaks single-use tokens in links because it consumes them itself after a user clicks on them, but before redirecting the user to the site.

It's an unfortunate change that has made single-use links a worse UX and less popular in the last couple of years.



This sounds like it would break a bunch of email address verification systems, password recovery links and the like. I wonder if indeed it does break them, but since it only affects smaller websites nobody seems to care.


> "This sounds like it would break a bunch of email address verification systems, password recovery links and the like."

This is exactly the pain I've experienced with my own site, https://alchemist.camp

I've manually tested it and seen the token consumed when clicking the link via Gmail, but had no issues when copying the link from the password reset email to a Gmail account. A second manual tester confirmed the same, as have multiple support cases.

Password recovery links sporadically fail for gmail users. I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.

My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.


Instead of copy and paste you could have a POST form on your site to trigger the actual reset (with a hidden field pre-populated from the params of the email link). Gmail and others won’t touch it. They assume a GET is free from side effects and that it is safe to load your link because of that.
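An added example of the pattern this comment describes (not code from the thread or from any poster's site; the handler names, the in-memory stores and the `/reset` route are hypothetical): the GET that a mail scanner or a double-clicking user hits only renders a form carrying the token in a hidden field, and the token is consumed solely by the POST.

```python
import hashlib
import secrets
import time
from html import escape

# Constructed in-memory stores (hypothetical; a real site would use a database).
_tokens: dict[str, tuple[str, float]] = {}            # token -> (user_id, expires_at)
_password_hashes: dict[str, tuple[bytes, bytes]] = {}  # user_id -> (salt, digest)

def issue_reset_token(user_id: str, ttl_seconds: int = 900) -> str:
    """Mint a random single-use token bound to user_id; it is emailed as /reset?token=..."""
    token = secrets.token_urlsafe(32)
    _tokens[token] = (user_id, time.time() + ttl_seconds)
    return token

def _valid_entry(token: str):
    entry = _tokens.get(token)
    if entry is None or entry[1] < time.time():
        return None
    return entry

def handle_get(token: str) -> tuple[int, str]:
    """GET /reset?token=...: side-effect free, so a link scanner's prefetch (or a
    second click) never burns the token. Renders only a form whose hidden field
    carries the token into the POST."""
    if _valid_entry(token) is None:
        return 404, "<p>This reset link is invalid or has expired.</p>"
    return 200, (
        '<form method="post" action="/reset">'
        f'<input type="hidden" name="token" value="{escape(token)}">'
        '<input type="password" name="password" minlength="12">'
        '<button type="submit">Set new password</button></form>'
    )

def handle_post(form: dict[str, str]) -> tuple[int, str]:
    """POST /reset: the only place the token is consumed. Checks that can fail run
    before the pop, so a rejected submission does not cost the user the token."""
    token = form.get("token", "")
    password = form.get("password", "")
    if _valid_entry(token) is None:
        return 400, "<p>This reset link is invalid or has expired.</p>"
    if len(password) < 12:
        return 400, "<p>Password must be at least 12 characters.</p>"
    user_id, _ = _tokens.pop(token)  # consume exactly once
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    _password_hashes[user_id] = (salt, digest)
    return 200, "<p>Password updated.</p>"
```

Because the GET has no side effects, the same link can be opened any number of times before the user submits; only a completed POST invalidates it.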


Why not make them 2 use tokens?

Not quite as secure, but way better than never expires?


Or after initial token use, set to expire after n seconds rather than immediately


That's exactly the approach I'm leaning towards using.


Or you could trigger an AJAX call on the page that actually checks the token validity, then redirect the user to a new-password form or a "sorry, expired" form.

Gmail may fetch the page but won't run the JS on it.

Edit: this works for situations when spam filters fetch the links as soon as the mail arrives.


Yes, please ruin functionality without JavaScript for the sake of Gmail's nosiness.

The comment about a form and PUT/POST is good: it will work by the standards in any browser, even when Gmail starts executing JavaScript. Add auto-submit via JavaScript on top if preferred.


This isn't the case in my experience.

We have a tool that sends me an email with a single use link when it's used.

I just now confirmed that I receive the email containing the single-use link, that I can click on it and view the page, and that the single-use link is no longer available after I've viewed the link.

Is this perhaps conditional behavior of some sort?


Perhaps it’s 2-use?


It's not. It's a tool we developed, and I've confirmed that the resource at the link is fully destroyed after the first access.


Wow, can you theorize why they would build it that way?



