Skip to main content

File Storage

All files are stored in private Supabase Storage buckets. Zero public URLs.

Security Model

Government applicants upload sensitive documents: IDs, tax returns, medical records. These must never be publicly accessible.

Storage Structure

Files are stored with unpredictable paths: 
form-uploads/
  {formId}/
    {uuid}/
      {sanitized-filename}
The UUID prevents path enumeration attacks.

Upload Flow

// 1. Request signed upload URL
const { data } = await supabaseAdmin.storage
  .from("form-uploads")
  .createSignedUploadUrl(path);

// 2. Client uploads directly to signed URL
await fetch(data.signedUrl, {
  method: "PUT",
  body: file,
});

Download Flow (Admin Only)

// Generate short-lived download URL
const { data } = await supabaseAdmin.storage
  .from("form-uploads")
  .createSignedUrl(path, 60); // 60 second expiry

return data.signedUrl;

Google Drive Integration

For forms with Google Drive configured, files go to Drive instead: 
if (form.google_drive_folder_id) {
  // Upload to Drive via service account
  const fileId = await uploadToDrive(file, folderId);
  return { provider: "drive", fileId };
} else {
  // Upload to Supabase
  await uploadToSupabase(file, path);
  return { provider: "supabase", path };
}

Google Drive

Drive integration setup

Encryption

PII protection