While the example explains the approach, this is susceptible to a brute force attack where you just try different tokens until they work.<p>To further improve the security, the author shold include the `userId` in the magic URL and make sure it matches with the `token`. Some sort of rate limiting could work as well.