Declaration Supabase Storage Adapter
Component Detail
Description
Abstracts Supabase Storage operations for encrypted declaration files. Handles upload, download, and signed URL generation for declaration blobs, enforcing bucket-level access policies scoped to the organization.
declaration-storage-adapter
Summaries
The Declaration Storage Adapter ensures that sensitive confidentiality declaration documents are stored and accessed securely, with access strictly limited to the organization that owns them. By enforcing organization-scoped storage buckets and generating time-limited access URLs, the platform reduces the risk of unauthorized document exposure — a critical concern when handling legally binding agreements. This protects the business from data breach liability, supports GDPR and data minimization requirements, and gives enterprise clients the assurance that their drivers' signed documents cannot be accessed by other organizations on the platform. It directly supports the platform's trustworthiness as a compliance tool.
This is a medium-complexity backend component with a hard dependency on the Declaration Encryption Service, meaning it cannot be tested end-to-end until encryption is also delivered. Plan for integration testing as a combined workstream with the encryption service. Supabase Storage bucket policy configuration requires DevOps involvement to set up org-scoped access rules in the target environment, which should be scheduled early to avoid blocking QA. Signed URL expiry handling and deletion flows need explicit test cases, particularly around edge cases like non-existent declarations.
Deployment to staging requires Supabase Storage credentials and bucket provisioning, adding environment setup lead time.
Declaration Storage Adapter wraps Supabase Storage SDK operations behind a clean interface, abstracting bucket naming conventions, path construction (typically `{orgId}/{declarationId}`), and policy enforcement from callers. It depends on `declaration-encryption-service` — blobs passed to `uploadDeclaration` are expected to already be encrypted before upload, and `downloadDeclaration` returns raw encrypted bytes for the caller to decrypt. `generateSignedUrl` uses Supabase's `createSignedUrl` API with a caller-supplied `expiresIn` TTL; ensure this value is enforced by policy and not overridable by client input. `declarationExists` enables pre-flight checks before download attempts.
Bucket-level RLS policies in Supabase must be configured to scope reads/writes to matching `orgId` path prefixes, enforced at the storage layer independent of application logic.
Responsibilities
- Upload encrypted declaration blobs to Supabase Storage
- Generate time-limited signed URLs for authorized reading
- Delete storage objects when declarations are revoked
- Enforce org-scoped bucket access policies
Interfaces
uploadDeclaration(orgId, declarationId, encryptedBlob)
downloadDeclaration(orgId, declarationId)
generateSignedUrl(orgId, declarationId, expiresIn)
deleteDeclaration(orgId, declarationId)
declarationExists(orgId, declarationId)
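The interface listed above, worked through as an added TypeScript example (not the project's own code): an adapter over the supabase-js storage surface, run here against a constructed in-memory fake so it executes offline. The `StorageBucket` interface mirrors the supabase-js calls the adapter uses (`from(bucket).upload` / `download` / `remove` / `createSignedUrl` / `list`); the fake client, the bucket name `declarations`, the 300-second TTL ceiling and the id pattern are assumptions for this example. The storage-layer RLS policy described earlier is configured in Supabase separately and is not shown here; the adapter's path validation and TTL clamp complement it rather than replace it.

```typescript
// Added example, not the project's own code: a Declaration Storage Adapter over the
// supabase-js storage surface, exercised here against an in-memory fake client.
// StorageBucket mirrors the supabase-js calls the adapter uses
// (from(bucket).upload / download / remove / createSignedUrl / list). The fake
// client, the bucket name and the TTL ceiling are constructed for this example.

type Result<T> = { data: T | null; error: { message: string } | null };

interface StorageBucket {
  upload(path: string, body: Uint8Array): Promise<Result<{ path: string }>>;
  download(path: string): Promise<Result<Uint8Array>>;
  remove(paths: string[]): Promise<Result<{ name: string }[]>>;
  createSignedUrl(path: string, expiresIn: number): Promise<Result<{ signedUrl: string }>>;
  list(prefix: string): Promise<Result<{ name: string }[]>>;
}
interface StorageClient { from(bucket: string): StorageBucket; }

export const BUCKET = 'declarations';            // assumed bucket name
export const MAX_SIGNED_URL_TTL_SECONDS = 300;   // assumed policy ceiling
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;      // assumed id format

// Validate both segments before building `{orgId}/{declarationId}` so a crafted id
// ('..', '/', etc.) cannot yield a key outside the org prefix the RLS policy scopes on.
export function buildObjectPath(orgId: string, declarationId: string): string {
  if (!ID_PATTERN.test(orgId) || !ID_PATTERN.test(declarationId)) {
    throw new Error('invalid orgId or declarationId');
  }
  return `${orgId}/${declarationId}`;
}

// The TTL is clamped server-side: a caller may ask for less than the policy
// ceiling but never more, so client input cannot extend a signed URL's lifetime.
export function clampExpiry(expiresIn: number): number {
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) throw new Error('expiresIn must be positive');
  return Math.min(Math.floor(expiresIn), MAX_SIGNED_URL_TTL_SECONDS);
}

function unwrap<T>(r: Result<T>, op: string): T {
  if (r.error) throw new Error(`${op} failed: ${r.error.message}`);
  if (r.data === null) throw new Error(`${op} failed: no data`);
  return r.data;
}

export class DeclarationStorageAdapter {
  constructor(private readonly storage: StorageClient) {}
  private bucket(): StorageBucket { return this.storage.from(BUCKET); }

  // The blob must already be encrypted by the caller (declaration-encryption-service).
  async uploadDeclaration(orgId: string, declarationId: string, encryptedBlob: Uint8Array): Promise<string> {
    const path = buildObjectPath(orgId, declarationId);
    return unwrap(await this.bucket().upload(path, encryptedBlob), 'upload').path;
  }
  // Returns the raw encrypted bytes; decryption is the caller's job.
  async downloadDeclaration(orgId: string, declarationId: string): Promise<Uint8Array> {
    return unwrap(await this.bucket().download(buildObjectPath(orgId, declarationId)), 'download');
  }
  async generateSignedUrl(orgId: string, declarationId: string, expiresIn: number): Promise<string> {
    const path = buildObjectPath(orgId, declarationId);
    return unwrap(await this.bucket().createSignedUrl(path, clampExpiry(expiresIn)), 'createSignedUrl').signedUrl;
  }
  // Resolves false (rather than throwing) when nothing existed at the path.
  async deleteDeclaration(orgId: string, declarationId: string): Promise<boolean> {
    const removed = unwrap(await this.bucket().remove([buildObjectPath(orgId, declarationId)]), 'remove');
    return removed.length > 0;
  }
  async declarationExists(orgId: string, declarationId: string): Promise<boolean> {
    buildObjectPath(orgId, declarationId); // same validation as every other call
    const entries = unwrap(await this.bucket().list(orgId), 'list');
    return entries.some(e => e.name === declarationId);
  }
}

// Constructed in-memory fake returning the same { data, error } shape as supabase-js.
export function makeFakeStorage(): StorageClient {
  const objects = new Map<string, Uint8Array>();
  const ok = <T>(data: T): Result<T> => ({ data, error: null });
  const err = <T>(message: string): Result<T> => ({ data: null, error: { message } });
  const bucket: StorageBucket = {
    async upload(path, body) { objects.set(path, body); return ok({ path }); },
    async download(path) { const b = objects.get(path); return b ? ok(b) : err('Object not found'); },
    async remove(paths) { return ok(paths.filter(p => objects.delete(p)).map(name => ({ name }))); },
    async createSignedUrl(path, expiresIn) {
      if (!objects.has(path)) return err('Object not found');
      return ok({ signedUrl: `https://example.invalid/object/sign/${BUCKET}/${path}?expires=${expiresIn}` });
    },
    async list(prefix) {
      const under = [...objects.keys()].filter(k => k.startsWith(prefix + '/'));
      return ok(under.map(k => ({ name: k.slice(prefix.length + 1) })));
    },
  };
  return { from: () => bucket };
}

// Walk the lifecycle once: upload, exists, signed URL (TTL clamped), delete, delete again.
export async function demo(): Promise<{ url: string; existedBefore: boolean; firstDelete: boolean; secondDelete: boolean }> {
  const adapter = new DeclarationStorageAdapter(makeFakeStorage());
  await adapter.uploadDeclaration('org_42', 'decl_7', new Uint8Array([1, 2, 3])); // constructed ciphertext
  const existedBefore = await adapter.declarationExists('org_42', 'decl_7');
  const url = await adapter.generateSignedUrl('org_42', 'decl_7', 86400);         // asks for a day, gets 300 s
  const firstDelete = await adapter.deleteDeclaration('org_42', 'decl_7');
  const secondDelete = await adapter.deleteDeclaration('org_42', 'decl_7');
  return { url, existedBefore, firstDelete, secondDelete };
}

demo().then(r => console.log(r));
```

Two design points worth noting: the id validation runs on every call, including `declarationExists`, so a caller cannot probe outside its own `orgId` prefix through the adapter even before the storage-layer policy is consulted; and `deleteDeclaration` reports a missing object as `false` instead of an error, which is the edge case the test plan above singles out for an explicit test.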