views:

155

answers:

3

When users verify their email address successfully, could I just log them in automatically?

I consider the following reasons to do so:

  • The link is a random hash
  • Users will already be annoyed by having to validate
  • I will trust anybody who has access to the email inbox anyway, since you can reset your password
  • Users can of course only validate (and therefore autologin) once

I am asking because sending a link that logs you in automatically makes me feel like I am missing something.

A: 

Yes I think you should log them in automatically. It'll be even more annoying if they have to verify their email and then log in again. What's the point of the verification then? If the verification is successful that means you already trust them, so log them in.

Nick Masao
+1  A: 

Yes you can. It's quite reasonable. As long as, as you say, you only allow it once for the given generated URL.

Slightly off-topic rambling: Though I'm slightly biased about this approach, because I happen to think that email-based login (i.e. generated login token sent to the email) is one of the "better" ways to prevent phishing in general, because it takes away the need for the user to even know their password for your site (they just need to go to it and request a 'login' token). Anyway, that's another matter.

Noon Silk
I am not sure I understand email-based login; do users have to open an email message each time they want to log in?
Gipsy King
@Gipsy: Yes, it's a separate scheme I thought of a few years ago. Yes, you'd need to visit the site and request a login 'token' which would send a one-time link to the person's account, which they would click to log in. It's arguable how practical this is, and I've never done it myself, but it *is* a general solution to the "phishing" issue that some sites suffer. It's not particularly relevant here; hence the reason I called it off-topic rambling :)
Noon Silk
@silky: Ok got it. Maybe combine it with "stay logged in" feature?
Gipsy King
@Gipsy: Yep, good idea :)
Noon Silk
+3  A: 

I think that it might be better if you at least ask them for their password for email verification. That way, you actually verify that the email address belongs to the user.

If you auto-login, you just verify that the email address exists and that the user this email address belongs to wants access to the account.

Regarding your third point: you hopefully only trust the person(s) with access to that address once you have verified that the address actually belongs to the user (which you could do by asking for the password during verification).

ancow
I understand: if a user mistypes his email address, the owner of the mistyped address could log in and see details like full name and address.
Gipsy King
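The flow the answers describe, sketched as an added example (not code from any poster): a random single-use verification token, stored only as a hash, that logs the user in once, and, following ancow's suggestion, only after the password is re-entered, so a mistyped address alone is not enough to get into the account. The in-memory stores, helper names, expiry and attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}   # email -> {"salt", "pw_hash", "verified"}
TOKENS = {}  # sha256(token) -> {"email", "expires", "used", "attempts"}

MAX_ATTEMPTS = 5  # assumed limit on password tries per link


def _hash_pw(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(email, password, ttl_seconds=86400):
    """Create the account and return the one-time token to put in the email link."""
    salt, pw_hash = _hash_pw(password)
    USERS[email] = {"salt": salt, "pw_hash": pw_hash, "verified": False}
    token = secrets.token_urlsafe(32)  # the random value in the link
    # Only the hash is stored, so a leaked table does not yield usable links.
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": time.time() + ttl_seconds,
        "used": False, "attempts": 0}
    return token


def verify_and_login(token, password):
    """Return the email to start a session for, or None if the link is rejected."""
    rec = TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or rec["expires"] < time.time():
        return None  # unknown, already consumed, or expired link
    user = USERS[rec["email"]]
    rec["attempts"] += 1
    _, candidate = _hash_pw(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        if rec["attempts"] >= MAX_ATTEMPTS:
            rec["used"] = True  # too many wrong passwords: burn the link
        return None
    rec["used"] = True          # single use: the link never logs in twice
    user["verified"] = True
    return rec["email"]
```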