Why this matters
Ensures data portability while minimizing the exposure window.
Provide an authenticated endpoint that assembles a user's data into a structured JSON export and returns a short-lived signed URL (≤24h). Include integration tests in the PR. (GDPR Art. 20)
Side-by-side examples engineers can pattern-match during review.

    @GetMapping("/gdpr/export")
    public String exportCsv(@RequestParam String email){
      return "we will email you"; // no auth, no TTL
    }

    @GetMapping("/gdpr/export")
    public ResponseEntity<ExportLink> export(){
      User u = auth.currentUser();
      URI url = storage.sign("exports/"+u.id()+".json", Duration.ofHours(24));
      return ResponseEntity.ok(new ExportLink(url));
    }

    URI url = storage.sign(path, Duration.ofHours(24));

    return ResponseEntity.ok(csvBody); // inline data, no TTL
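
An added example (not code from this page or from any storage library) of one way a `storage.sign(path, ttl)` helper could enforce the 24-hour ceiling and bind each link to a single export path, using HMAC-SHA256. The class name `ExportUrlSigner`, the host `exports.example.invalid`, the `exp` and `sig` query parameters, and the demo key are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

// Hypothetical signer: names, host and query parameters are assumptions, not the page's storage API.
public class ExportUrlSigner {
    static final Duration MAX_TTL = Duration.ofHours(24); // ceiling taken from the rule
    private final byte[] key;
    ExportUrlSigner(byte[] key) { this.key = key.clone(); }

    // The MAC covers "path|expiry", so neither the object path nor the expiry can be altered.
    URI sign(String path, Duration ttl, Instant now) {
        if (ttl.isNegative() || ttl.isZero() || ttl.compareTo(MAX_TTL) > 0)
            throw new IllegalArgumentException("TTL must be > 0 and <= 24h");
        long exp = now.plus(ttl).getEpochSecond();
        return URI.create("https://exports.example.invalid/" + path + "?exp=" + exp + "&sig=" + mac(path, exp));
    }

    // Reject expired links first, then compare the MACs in constant time.
    boolean verify(String path, long exp, String sig, Instant now) {
        if (now.getEpochSecond() >= exp) return false;
        return MessageDigest.isEqual(mac(path, exp).getBytes(StandardCharsets.US_ASCII),
                                     sig.getBytes(StandardCharsets.US_ASCII));
    }
    private String mac(String path, long exp) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] tag = m.doFinal((path + "|" + exp).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
    public static void main(String[] args) {
        ExportUrlSigner s = new ExportUrlSigner("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed clock for the demo
        URI url = s.sign("exports/42.json", Duration.ofHours(24), t0);
        long exp = t0.plus(Duration.ofHours(24)).getEpochSecond();
        String sig = url.getQuery().split("sig=")[1];
        System.out.println("valid at +1h:    " + s.verify("exports/42.json", exp, sig, t0.plusSeconds(3600)));
        System.out.println("other user path: " + s.verify("exports/43.json", exp, sig, t0.plusSeconds(3600)));
        System.out.println("after expiry:    " + s.verify("exports/42.json", exp, sig, t0.plus(Duration.ofHours(25))));
    }
}
```

The three checks in `main` are the cases an integration test for this rule would cover: a fresh link verifies, the same signature does not unlock another user's export path, and the link stops working once the TTL has passed.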