Currently, resource and outcome version download is started by opening a certain URL in a new window.
That is a plain GET request, so it cannot carry the custom headers that are used to send the auth token.
This should be handled in a meaningful manner.
One possibility would be to revert to using sessions, this way it should be possible to check that
Another one would be to set up a special cookie that would be used instead (just for the sake of permission check in this context)
The third one would be to send the key as part of the URL or query string (this one does not seem very good as that would be exposed even if SSL is used)
The simplest solution would be to add some long hash to the download URL (in addition to the resource unique identifier); this would prevent simple automated guessing of the file location.
Another one would be to generate a very short-lived token and use that for downloading the file. This one could be exposed as part of the URL, as its lifetime could be rather limited (a few minutes at most).
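To make the last option concrete, here is an added example (not code from this project) of a stateless short-lived download token: an HMAC over the resource id, the user id and an expiry, placed in the query string of the download URL so that the new-window GET can carry it. The signing key, the `/resources/<id>/download` path and the 120-second lifetime are assumptions for the example; the token is rejected if it is malformed, tampered with, expired, or presented for a different resource than the one it was issued for.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed for this example: a real server loads the signing key from its
# configuration so that tokens survive restarts and all instances agree.
SIGNING_KEY = secrets.token_bytes(32)

TOKEN_TTL_SECONDS = 120  # "a few minutes at most", as the issue suggests


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_download_token(resource_id: str, user_id: str,
                         ttl_seconds: int = TOKEN_TTL_SECONDS,
                         now: Optional[float] = None) -> str:
    """Create a token bound to one resource, one user and a short expiry."""
    if "\n" in resource_id or "\n" in user_id:
        raise ValueError("ids must not contain the field separator")
    issued_at = int(time.time() if now is None else now)
    expires_at = issued_at + ttl_seconds
    payload = f"{resource_id}\n{user_id}\n{expires_at}".encode()
    encoded = base64.urlsafe_b64encode(payload).decode("ascii")
    return f"{encoded}.{_sign(payload)}"


def verify_download_token(token: str, requested_resource_id: str,
                          now: Optional[float] = None) -> Optional[str]:
    """Return the user id the token was issued to, or None if it is invalid.

    Rejects tokens that are malformed, carry a bad signature, are expired,
    or were issued for a resource other than the one being requested.
    """
    try:
        encoded, signature = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode("ascii"))
    except (ValueError, binascii.Error):
        return None
    # Check the signature before trusting any field; constant-time compare
    # so the check leaks no timing information about the expected value.
    if not hmac.compare_digest(_sign(payload).encode(), signature.encode()):
        return None
    try:
        resource_id, user_id, expires_str = payload.decode().split("\n")
        expires_at = int(expires_str)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if current >= expires_at:
        return None  # expired: the short lifetime limits exposure via logs/history
    if resource_id != requested_resource_id:
        return None  # token is bound to a single resource
    return user_id


def build_download_url(resource_id: str, user_id: str) -> str:
    """Hypothetical download route; the real path is the project's choice."""
    token = issue_download_token(resource_id, user_id)
    return f"/resources/{resource_id}/download?" + urlencode({"token": token})
```

Because the token is in the URL it will appear in browser history, proxy and server logs, which is exactly why it is bound to one resource and expires within minutes. The scheme is stateless; if a token must also be unusable after the first download, the server would additionally have to record consumed tokens (for example keyed by their signature) until they expire.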
References #61