Access Secure Download Links for Stored Report Files
All file downloads from the report history screen must be served through signed, time-limited URLs generated by the server, never through direct public storage URLs. The signed URL must expire after a short window (15 minutes) and be bound to the requesting coordinator's session, so that presenting the same URL from a different session fails verification. Before generating a signed URL, the file storage client must validate that the coordinator belongs to the organization that owns the report. Together these checks mean that a URL which is intercepted or shared cannot be redeemed from another session, and cannot be used by anyone once it has expired.
User Story
Acceptance Criteria
- Given the coordinator requests a file download, when the system generates the download link, then the link is a signed URL with a 15-minute expiry and is not a direct public storage path
- Given a signed URL has expired, when someone attempts to use it, then the server returns an authorization error and the file is not served
- Given a coordinator from organization A has a signed URL for their report, when a coordinator from organization B attempts to use that URL, then the request is denied: the URL is bound to the organization A coordinator's session, and the RLS-enforced storage policy does not grant organization B access to the file in any case
- Given the coordinator downloads a file successfully, when the download completes, then no raw storage bucket paths or credentials are exposed to the client application
- Given the coordinator's session expires mid-download, when they attempt to re-download, then they are prompted to re-authenticate before a new signed URL is issued
Business Value
Bufdir reports contain aggregated sensitive data about vulnerable populations. Norwegian data protection rules (the GDPR, as applied in Norway through the Personal Data Act, together with Datatilsynet guidance) require that access to personal data processing records is controlled and auditable. Signed, time-limited URLs are the industry-standard mechanism for granting temporary file access without exposing storage infrastructure details.
Components
- Report File Storage Client (data)
- Report History RLS Policy Configuration (infrastructure)
- Export File Storage Adapter (infrastructure)
- Signed URL Service (service)
- Secure Storage Adapter (infrastructure)
- Admin Row-Level Security Guard (service)