For email verification it's less scary if that was really all you wanted.
If you believe you're verifying that the email went to your user, this isn't enough. Lots of systems parse URLs out of emails and follow them, you probably want to look for a a pre-existing session cookie, or insist the user log in from the verification page and confirm this is what they wanted.
Otherwise you've merely got two unrelated facts:
1. Some user of your system (maybe happy_pancake) says bob@example.com is their email address
2. Mail to bob@example.com is received by a machine or person which reads web pages.
It would be foolish to conclude from these facts that happy_pancake is actually bob@example.com or that bob@example.com wants to use your service.
For example:
Accidentally open to the internet log server(as above).
Attacker sends password reset request.
Attacker checks log to steal token.
Attacker now has stolen account until owner can't log in and does reset, or perhaps semi-permanently if attacker steals all tokens for said account and invalidates them before owner can use them.
If you believe you're verifying that the email went to your user, this isn't enough. Lots of systems parse URLs out of emails and follow them, you probably want to look for a a pre-existing session cookie, or insist the user log in from the verification page and confirm this is what they wanted.
Otherwise you've merely got two unrelated facts:
1. Some user of your system (maybe happy_pancake) says bob@example.com is their email address
2. Mail to bob@example.com is received by a machine or person which reads web pages.
It would be foolish to conclude from these facts that happy_pancake is actually bob@example.com or that bob@example.com wants to use your service.