Configure Supabase Storage Buckets for Secure File Handling
The Global Administrator configures Supabase Storage buckets for the various file types the platform handles: expense receipts, activity document attachments, digital certificates, power-of-attorney documents, and NDA agreements. Each bucket type requires different access policies — receipts are accessible only to the submitting peer mentor and their coordinator, certificates may be read-only for verification, and POA documents require strict access controls due to their sensitivity. Storage policies must align with RLS principles.
User Story
Acceptance Criteria
- Given a peer mentor uploads an expense receipt, when another peer mentor from the same organization attempts to access the file URL, then access is denied with a 403 response
- Given a coordinator accesses their organization's receipt storage bucket, when listing files, then only receipts from peer mentors in their organization are visible
- Given the admin configures a bucket for encrypted assignment documents, when the bucket policy is reviewed, then direct public access is disabled and access requires a valid JWT
- Given file size limits are configured per bucket type, when a user attempts to upload an oversized file, then a clear error message is returned before the upload completes
- Given the admin reviews storage usage, when viewing Supabase Storage metrics, then usage per bucket and per organization is visible for capacity planning
Business Value
Secure file storage is required for GDPR compliance. The platform handles sensitive document types including health-related epikrise references (Blindeforbundet), NDA agreements for drivers, and power-of-attorney documents. Misconfigured storage policies could allow cross-user or cross-organization file access, constituting a personal data breach under GDPR Article 4(12). Correct bucket policies provide the storage-layer equivalent of database RLS.
Components
- Supabase Platform infrastructure
- Database Schema data