We had an issue here because it made it much harder to download a backup from a (third party) provider where we don’t have shell access, and upload it to one of our own servers. Especially when handling a large backup and both servers are in the USA (we’re in Europe) this process was costing us hours instead of minutes.
Somehow the backup link does not work with an api_key so a simple wget will not work 
We made a small script that can be called from the command line. It needs three parameters:
- username
- password
- download link from the email, including the token
So something like
./download.sh myuser mypass https://forum.mysite.com/admin/backups/mysite-2017-05-31-113000-v20170526125321.tar.gz?token=d31de61bc07f7bc9060717bc57828584
Here is the script:
#!/bin/bash
USERNAME=$1
PASSWORD=$2
URL=$3
HOSTNAME=$(echo $URL | awk -F/ '{print $3}')
TOKEN=$(
curl \
--header "X-Requested-With: XMLHttpRequest" \
-A "MSIE" \
-b cookies.txt \
-c cookies.txt \
-v\
https://$HOSTNAME/session/csrf|awk -F: '{print $2}'|cut -c2-89
)
echo "Using Token $TOKEN Username $USERNAME Password $PASSWORd"
curl \
--header "X-Requested-With: XMLHttpRequest" \
--header "X-CSRF-Token: $TOKEN" \
--header "Origin: https://$HOSTNAME" \
-A "MSIE" \
-b cookies.txt \
-c cookies.txt \
-v\
--data "login=$USERNAME&password=$PASSWORD" \
https://$HOSTNAME/session
curl \
-A "MSIE" \
-b cookies.txt \
-c cookies.txt \
-O \
$URL
One more suggestion: would it be an idea to exclude the email with the link from being affected by the disable_email setting?