I've manually tested it and seen the token consumed when clicking the link via gmail but had no issues when copying the link from the password reset email to a gmail account. A second manual tester confirmed the same, as have multiple support cases.
Password recovery links sporadically fail for gmail users. I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.
My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.
Instead of copy and paste you could have a POST form on your site to trigger the actual reset (with a hidden field pre-populated from the params of the email link).
Gmail and others won’t touch it. They assume a GET is free from side effects and that it is safe to load your link because of that.
Yes, please ruin functionality without javascript for the sake of gmail's nosiness.
Comment about a form and PUT/POST is good - it will work by standards in any browser, even when gmail starts executing javascript. Add auto-submit on top javascript if preferred.
This is exactly the pain I've experienced with my own site, https://alchemist.camp
I've manually tested it and seen the token consumed when clicking the link via gmail but had no issues when copying the link from the password reset email to a gmail account. A second manual tester confirmed the same, as have multiple support cases.
Password recovery links sporadically fail for gmail users. I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.
My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.