
Email Links don't pass through enterprise email systems

Open kylerummens opened this issue 2 years ago • 10 comments

Bug report

Describe the bug

One of the organizations that uses our web app has an enterprise email system (part of the Microsoft platform?). As part of the system's security, when an email is to be delivered to a user's inbox the system will open the email, scan through the email, and open all of the links that are contained within the email. If the system deems that the email is safe, it then delivers it into the user's inbox.

The issue with this system is that when a reset-password link (or any auth link) is sent through this system, by the time it reaches the user's inbox the link has been opened and the single-use token is expired.

To Reproduce

The only way to reproduce this behavior would be to send a reset-password link (or any other auth link) to an email address that is controlled by an enterprise system. I'm not certain which systems work like this, except that this certain organization's system does.

Expected behavior

As seen from these discussions

  • https://github.com/supabase/supabase/discussions/6004
  • https://github.com/supabase/supabase/discussions/7791

a single-use token is important for security purposes. However, a possible alternative that would work for these systems would be to have an access_token that isn't single-use, but rather has an expiration timestamp (10 minutes, one hour, one day, etc.). I'm not a security expert, but this seems like a good solution that would solve the enterprise email issue.

kylerummens, Jul 20 '22 17:07
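One defensive pattern for the scanner pre-fetch behaviour described in this issue, as an added illustration and not Supabase's own code: the emailed link only renders a confirmation page on GET (which is all a link scanner does), and the single-use token is consumed by a POST that the user triggers on that page, combined with the expiry window the reporter suggests. The class, its method names, the injectable clock and the 10-minute TTL are all assumptions for the example.

```python
import secrets
import time


class ResetTokenStore:
    """Hypothetical store for password-reset tokens (example only).

    GET on the link never redeems the token, so an email security scanner that
    opens every link cannot burn it; only an explicit POST consumes it, and every
    token also dies after ttl_seconds even if it is never used.
    """

    def __init__(self, ttl_seconds=600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry can be tested
        self._tokens = {}         # token -> (user_id, issued_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self.now())
        return token

    def _lookup(self, token):
        """Return the owning user_id if the token exists and is unexpired."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.now() - issued_at > self.ttl:
            self._tokens.pop(token, None)   # expired: drop it
            return None
        return user_id

    def handle(self, method, token):
        """Simulate the reset endpoint; returns (outcome, user_id)."""
        if method == "GET":
            # Scanner pre-fetch or a human opening the link: show a form, consume nothing.
            return ("show_form", None) if self._lookup(token) else ("invalid", None)
        if method == "POST":
            # Only a deliberate submit redeems the token; this is the single use.
            user_id = self._lookup(token)
            if user_id is None:
                return ("invalid", None)
            del self._tokens[token]
            return ("redeemed", user_id)
        return ("method_not_allowed", None)
```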