box-ui-elements
Box file download calls expose API token in query parameters
This issue has been flagged by our teams utilizing the explorer element to interact with content stored in Box. We have noticed that there are situations where a download URL is generated that exposes the API token within the URL query parameters. Internally we have this flagged as a security risk violating best practices.
https://github.com/box/box-ui-elements/blob/7e4fa66401485c5c4ea1a3e2218aa959e7bb5df1/src/api/File.js#L82
It seems this issue can be resolved by simply removing the token from being exposed in the query parameter and shifting this into the authorization header.
https://developer.box.com/reference/get-files-id-content/
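The following is an added example, not code from box-ui-elements or from the reporter. It contrasts the two request shapes the issue describes: a download URL that carries the bearer token in the query string (where it ends up in browser history, proxy and server access logs, and Referer headers) and an equivalent request that keeps the URL credential-free and sends the token in the `Authorization` header, as the linked Box reference expects. It also includes a small check that flags credential-like query parameters, the kind of test a project could run over its generated URLs to catch a regression. The query-parameter name `access_token`, the helper names, and the sample token are assumptions; the endpoint path follows the linked Box API reference.

```javascript
// Added example (not box-ui-elements code). Assumed names: the `access_token`
// query parameter and all helper functions are hypothetical; the endpoint
// follows the linked Box reference for GET /files/:id/content.

const BOX_CONTENT_ENDPOINT = 'https://api.box.com/2.0/files';

// Weak pattern: the bearer token becomes part of the URL, so it is written to
// browser history, proxy/CDN logs, Referer headers and server access logs.
function buildDownloadUrlWithTokenInQuery(fileId, token) {
  const url = new URL(`${BOX_CONTENT_ENDPOINT}/${encodeURIComponent(fileId)}/content`);
  url.searchParams.set('access_token', token); // assumed parameter name
  return url.toString();
}

// Hardened pattern: the URL stays token-free and the credential travels in the
// Authorization header, which intermediaries do not normally persist.
function buildDownloadRequest(fileId, token) {
  const url = `${BOX_CONTENT_ENDPOINT}/${encodeURIComponent(fileId)}/content`;
  return {
    url,
    options: {
      method: 'GET',
      headers: { Authorization: `Bearer ${token}` },
    },
  };
}

// Query-parameter names that commonly carry credentials; a unit test or CI
// check can fail on any generated URL whose query uses one of them.
const TOKEN_PARAM_NAMES = new Set([
  'access_token', 'token', 'api_key', 'apikey', 'auth', 'authorization', 'bearer',
]);

// Returns the credential-like query parameter names found in `urlString`
// (empty array when the URL is clean). Matching is case-insensitive.
function findTokenParams(urlString) {
  const url = new URL(urlString);
  const hits = [];
  for (const name of url.searchParams.keys()) {
    if (TOKEN_PARAM_NAMES.has(name.toLowerCase())) hits.push(name);
  }
  return hits;
}

// Replaces credential-like query values so a URL can be logged safely.
function redactTokenParams(urlString) {
  const url = new URL(urlString);
  for (const name of findTokenParams(urlString)) {
    url.searchParams.set(name, 'REDACTED');
  }
  return url.toString();
}

// Constructed sample values; the token is not a real credential.
const SAMPLE_TOKEN = 'constructed-token-0123456789';
const SAMPLE_FILE_ID = '12345';

const leaky = buildDownloadUrlWithTokenInQuery(SAMPLE_FILE_ID, SAMPLE_TOKEN);
const safe = buildDownloadRequest(SAMPLE_FILE_ID, SAMPLE_TOKEN);

console.log('query-string URL :', redactTokenParams(leaky));
console.log('flagged params   :', findTokenParams(leaky));
console.log('header-based URL :', safe.url);
console.log('flagged params   :', findTokenParams(safe.url));
// A caller performs the hardened download with: fetch(safe.url, safe.options)
```

The `findTokenParams` check is deliberately a lookup on parameter names rather than on token-shaped values, so it works on any generated URL without needing to know the token format; running it over every URL a download helper returns is a cheap guard against this class of leak coming back.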