File Storage & Security
Storage Architecture
The Japanese ATS utilizes Supabase Storage to manage resume uploads, ensuring that candidate documents are stored in a scalable, cloud-native environment rather than locally on the web server.
The cvs Bucket
All uploaded resumes are stored in a dedicated Supabase Storage bucket named cvs. To prevent filename collisions when multiple candidates upload files with identical names (e.g., resume.pdf), the system implements a unique naming convention during the upload process:
// Example of the unique file path generation
const fileName = `${Date.now()}-${cvFile.name}`;
File Constraints & Validation
To maintain system performance and security, the application enforces the following restrictions on the client side before any data is sent to storage:
| Constraint | Value | Description |
| :--- | :--- | :--- |
| File Type | .pdf | Only PDF documents are accepted to ensure compatibility with the background parser. |
| File Size | 5MB | Files exceeding this limit are rejected to minimize storage costs and latency. |
| Storage Path | cvs/{timestamp}-{filename} | Standardized pathing for easy retrieval and auditing. |
Security Framework
Security is implemented through a multi-layered approach involving Supabase Auth, Row Level Security (RLS), and React-based Protected Routes.
Authentication & Access Control
The system maintains a strict boundary between public applicants and administrative staff:
- Public Access: Candidates can submit data and upload files to the
cvsbucket but cannot view, edit, or delete existing records. - Admin Access: Requires authentication via Supabase Auth. Only logged-in administrators can access the Dashboard or view detailed applicant profiles.
Row Level Security (RLS)
The database schema for the applicants table is designed to support RLS policies. This ensures that even if a malicious actor attempts to bypass the UI, the database itself will reject unauthorized requests.
Recommended RLS Policies:
- Insert: Enable for all users (to allow application submissions).
- Select/Update/Delete: Restricted to authenticated admin users only.
Secure File Retrieval
Resumes are not stored in a public directory. To view or download a resume, the Admin Dashboard generates a secure request to the Supabase storage API.
// Internal logic for secure CV download in AdminDetail.tsx
const { data, error } = await supabase.storage
.from("cvs")
.download(applicant.cv_file_path);
Edge Function Security
The system utilizes Supabase Edge Functions for sensitive tasks such as CV Parsing and Email Notifications.
- Service Role Access: Functions use the
SUPABASE_SERVICE_ROLE_KEYto interact with the database, allowing them to perform administrative tasks (like updating match scores) without exposing high-level credentials to the frontend. - CORS Management: Edge functions include strict Cross-Origin Resource Sharing (CORS) headers to ensure they only respond to requests from the authorized application domain.