Storage and Asset Management

GrantMaster manages sensitive NGO documents, logos, and AI-generated exports. This document outlines our storage architecture and security patterns.

🏗️ Storage Hierarchy Visual

🔒 Security & Access Control

We use Firebase Storage Security Rules combined with IAM for service-level access.

1. Bucket Partitioning

  • Public Read: Only the public/ folder allows unauthenticated read access (for system logos and static assets).
  • Per-Tenant Isolation: The tenants/{tenantId}/ path is strictly guarded. A user’s tenantId token claim must match the path segment to gain access.

2. Signed URLs (The “Handshake”)

For sensitive document viewing:
  1. Frontend requests a download.
  2. Backend (Cloud Function) validates the user’s permissions for that specific resource.
  3. Backend generates a GCP Signed URL with a 15-minute expiration.
  4. Frontend redirects the user to the temporary URL.
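The validation in step 2 and the expiry in step 3 can be sketched as follows. This is an added example, not GrantMaster's own code. The function names, the reason codes, and the reading of "permission" as the `tenantId` claim check from Bucket Partitioning are assumptions. The returned options are the ones `getSignedUrl` in `@google-cloud/storage` accepts.

```javascript
// Added example: authorization step of the signed-URL handshake.
// ASSUMPTIONS (not from the GrantMaster code base): function names, the
// reason codes, and that "permission" means the tenantId claim check.
const SIGNED_URL_TTL_MS = 15 * 60 * 1000; // 15-minute expiry from the doc

// Parse "tenants/{tenantId}/..." and reject anything that is not a clean,
// already-normalised object path (no traversal, no empty segments).
function tenantOfPath(objectPath) {
  if (typeof objectPath !== 'string') return null;
  const segments = objectPath.split('/');
  if (segments.length < 3 || segments[0] !== 'tenants') return null;
  for (const s of segments) {
    if (s === '' || s === '.' || s === '..' || /[\\%\x00-\x1f]/.test(s)) return null;
  }
  return segments[1];
}

// Decide whether a verified ID token (claims) may download objectPath.
// On success, returns the options that would be passed to
// bucket.file(objectPath).getSignedUrl(options) in @google-cloud/storage.
function authorizeDownload(claims, objectPath, nowMs = Date.now()) {
  const pathTenant = tenantOfPath(objectPath);
  if (pathTenant === null) return { ok: false, reason: 'invalid-path' };
  const claimTenant = claims && claims.tenantId;
  if (typeof claimTenant !== 'string' || claimTenant === '') {
    return { ok: false, reason: 'no-tenant-claim' };
  }
  if (claimTenant !== pathTenant) return { ok: false, reason: 'tenant-mismatch' };
  return {
    ok: true,
    objectPath,
    signedUrlOptions: { version: 'v4', action: 'read', expires: nowMs + SIGNED_URL_TTL_MS },
  };
}

// Constructed sample requests (not real tenants or files).
const claims = { uid: 'u1', tenantId: 'ngo-alpha' };
const now = Date.UTC(2024, 0, 1);
console.log(authorizeDownload(claims, 'tenants/ngo-alpha/docs/1700000000_report.pdf', now));
console.log(authorizeDownload(claims, 'tenants/ngo-beta/docs/1700000000_report.pdf', now));
console.log(authorizeDownload(claims, 'tenants/ngo-alpha/../ngo-beta/docs/x.pdf', now));
console.log(authorizeDownload({ uid: 'u2' }, 'tenants/ngo-alpha/docs/x.pdf', now));
```

The path is validated before the claim is compared, so a request such as `tenants/ngo-alpha/../ngo-beta/...` is refused even though its second segment matches the caller's tenant.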

📁 File Naming Conventions

  • Standard: {timestamp}_{original_name}
  • Safety: All filenames are sanitized to remove special characters and spaces before upload to prevent URL encoding issues.

🧹 Cleanup & Lifecycle

  • Temporary Exports: Files in tenants/{id}/exports/ have a 7-day TTL (Time-to-Live) policy managed by GCP Lifecycle Rules.
  • Orphaned Files: A monthly cron job cross-references Storage objects against Firestore documents to delete any files whose metadata has been removed.

🚀 Optimization

  • Image Resizing: We use the firebase-extensions/storage-resize-images extension to automatically generate thumbnails for organization logos (200x200).
  • WebP Transformation: All UI-bound images are served as WebP where supported to minimize bandwidth.