In links to HTML/PDF reports downloads, do not show token_auth #12721

@mattab

In Administration > Email reports, users can download an email report. The "Download" link includes the token_auth. This is problematic because the token_auth is then leaked in server access logs and browser history.

-> We should change it so that the link doesn't include the token_auth, and instead the "download" should be a POST request with the token_auth in the POST body.
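As an added example (not Matomo code and not part of the original issue), this Python sketch scans access-log text for token_auth values in the request target and the Referer field, reports a short SHA-256 fingerprint per hit so affected tokens can be identified for rotation, and redacts the values. The log lines, host name and token are constructed, and the combined log format is an assumption; the third line shows that a POST carrying the token in its body leaves nothing to find.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2018:10:01:02 +0000] "GET /index.php?module=API&idReport=3&token_auth=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:01:09 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "https://matomo.example/index.php?idReport=3&token_auth=0123456789abcdef0123456789abcdef" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:10:05:40 +0000] "POST /index.php?module=API&idReport=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Request line, status, size, then the quoted Referer field.
LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
# Value of a token_auth query parameter, wherever it appears on the line.
TOKEN_RE = re.compile(r'(?<=[?&]token_auth=)[^&\s"]+')


def fingerprint(token):
    """Short hash so a report never repeats the secret itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def tokens_in(url):
    """Return every token_auth value found in the URL's query string."""
    return [v for k, v in parse_qsl(urlsplit(url).query) if k == "token_auth"]


def scan(log_text):
    """Return (line number, field, fingerprint) for each leaked token."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.search(line)
        if not match:
            continue
        for field in ("target", "referer"):
            for token in tokens_in(match.group(field)):
                findings.append((lineno, field, fingerprint(token)))
    return findings


def redact(log_text):
    """Replace token_auth values so logs can be stored or shared."""
    return TOKEN_RE.sub("REDACTED", log_text)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```
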

Labels

c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in GitHub.)
