In Administration > Email reports, users can download an email report. The "Download" link includes the
token_auth. This is problematic because
token_auth are then leaked in server access logs and browser history.
-> We should change it so that the link doesn't include the token_auth, and instead the "download" should be a POST request with the
token_auth in the POST body.
When you POST, the reload might be problematic. Can probably simply add a controller action for this that executes the API method so no token needed etc.
Reloading should work I think (browser would prompt "do you want to post the data?"),
but sharing the link or opening in a new window wouldn't work (as expected)