Export Storage Bucket
Component Detail
Description
Supabase Storage bucket configuration for persisting generated export files (PDF, CSV). Files are stored with org-scoped paths and access-controlled so only authorised users can retrieve their organisation's reports.
export-storage-bucket
Summaries
The Export Storage Bucket provides secure, organisation-scoped file storage for all generated reports — PDFs and CSVs that coordinators and executives rely on for compliance, auditing, and stakeholder communication. By enforcing strict access boundaries at the infrastructure level, the organisation eliminates the risk of data leakage between tenants, which directly reduces legal and regulatory exposure. Time-limited signed download URLs ensure reports remain accessible only to authorised personnel within defined windows, supporting data governance policies without adding friction to day-to-day workflows. Automatic file expiry controls storage cost growth, preventing unbounded accumulation of stale export artefacts.
This component is foundational to any reporting and accountability features the product offers, making it a prerequisite for enterprise-tier positioning.
The Export Storage Bucket is a low-complexity infrastructure component with no upstream dependencies, making it an ideal early deliverable that unblocks the broader reporting pipeline. It can be provisioned and tested independently of feature work, meaning the storage layer is ready before PDF or CSV generation logic is complete. The primary delivery risk is bucket policy misconfiguration — particularly around row-level security and org-scoping — which requires thorough integration testing against multiple organisation tenants before any export feature goes live. Retention policy rules need sign-off from legal or product stakeholders before deployment.
Testing scope includes upload, signed URL expiry, deletion, and cross-org access denial. Infrastructure-as-code for bucket policies should be versioned alongside application code to avoid environment drift.
The Export Storage Bucket wraps Supabase Storage with four typed interface methods: uploadFile, getSignedUrl, deleteFile, and listFiles — all scoped to orgId and reportId to enforce multi-tenant isolation at the storage path level (e.g., `{orgId}/{reportId}.pdf`). Row-level security policies on the bucket ensure that backend service accounts can only access paths matching their authenticated org context. Signed URLs are generated with configurable expiry durations, suitable for direct client-side downloads without exposing long-lived credentials. Retention policy enforcement can be implemented via a scheduled Edge Function or a database trigger that calls deleteFile for records exceeding the retention window.
No external dependencies exist, so this component is straightforward to mock in unit tests by stubbing the four interface methods. Integration tests should cover cross-org isolation, expiry edge cases, and MIME type validation during upload.
Responsibilities
- Store generated export files securely
- Enforce organisation-scoped access policies
- Generate time-limited signed download URLs
- Auto-expire old export files per retention policy
Interfaces
- uploadFile(orgId, reportId, bytes, mimeType)
- getSignedUrl(orgId, reportId, expiresIn)
- deleteFile(orgId, reportId)
- listFiles(orgId)
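
The org-scoped path construction, MIME type validation and signed URL expiry checks behind uploadFile and getSignedUrl, written in TypeScript as an added example (not the component's own code). `StorageBackend`, `makeExportBucket`, `memoryBackend`, the ID pattern, the one-hour expiry ceiling and the `storage.invalid` URL are assumptions; a real deployment would place the Supabase Storage client behind the same interface.

```typescript
// Added example: StorageBackend is a hypothetical stand-in for the storage client; names and limits are assumptions.
interface StorageBackend {
  put(path: string, bytes: Uint8Array, contentType: string): void;
  list(prefix: string): string[];
  sign(path: string, expiresInSeconds: number): string;
}

const EXT_BY_MIME = new Map<string, string>([["application/pdf", "pdf"], ["text/csv", "csv"]]);
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // no "/" or ".", so an ID cannot leave its path segment
const MAX_TTL_SECONDS = 3600;          // assumed ceiling for signed URL lifetime

function objectPath(orgId: string, reportId: string, mimeType: string): string {
  if (!ID_RE.test(orgId) || !ID_RE.test(reportId)) throw new Error("invalid id");
  const ext = EXT_BY_MIME.get(mimeType);
  if (ext === undefined) throw new Error("unsupported MIME type");
  return `${orgId}/${reportId}.${ext}`;
}

// callerOrgId must come from the authenticated session, never from request input.
function makeExportBucket(backend: StorageBackend, callerOrgId: string) {
  if (!ID_RE.test(callerOrgId)) throw new Error("invalid id");
  const requireOwnOrg = (orgId: string): void => { if (orgId !== callerOrgId) throw new Error("cross-org access denied"); };
  return {
    uploadFile(orgId: string, reportId: string, bytes: Uint8Array, mimeType: string): string {
      requireOwnOrg(orgId);
      const path = objectPath(orgId, reportId, mimeType);
      backend.put(path, bytes, mimeType);
      return path;
    },
    getSignedUrl(orgId: string, reportId: string, expiresIn: number): string {
      requireOwnOrg(orgId);
      if (!ID_RE.test(reportId)) throw new Error("invalid id");
      if (!Number.isInteger(expiresIn) || expiresIn < 1 || expiresIn > MAX_TTL_SECONDS) throw new Error("expiresIn out of range");
      const path = backend.list(`${orgId}/`).find((p) => p.startsWith(`${orgId}/${reportId}.`));
      if (path === undefined) throw new Error("not found");
      return backend.sign(path, expiresIn);
    },
  };
}

// Constructed in-memory backend so the example runs offline.
function memoryBackend(): StorageBackend {
  const objects = new Map<string, Uint8Array>();
  return {
    put: (path, bytes) => { objects.set(path, bytes); },
    list: (prefix) => Array.from(objects.keys()).filter((p) => p.startsWith(prefix)),
    sign: (path, ttl) => `https://storage.invalid/${path}?ttl=${ttl}`,
  };
}
```

The same cases (traversal-style IDs, a disallowed MIME type, an out-of-range expiry, a second tenant on a shared backend) are the ones the integration tests against the real bucket policies should repeat.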