Dynamic Sequence – Document Download
Crew Management System – end-to-end document download sequence through
the secured frontend API path, BFF token validation and request
admission, backend document authorization, metadata lookup in Azure
DocumentDB, short-lived signed download generation for Azure Storage
Account (Blob Storage), direct browser download from storage, and
observability / audit capture through Datadog.
User
Initiates document download from the CMS screen
Browser / React SPA
Requests file retrieval through the frontend API path and starts
the authorized download
Akamai
Public edge entry applying WAF, DDoS protection, bot filtering,
and secure routing
Azure Application Gateway
Protected origin ingress with additional WAF inspection before
AKS access
IBM API Connect
API exposure, governance, controlled forwarding, and
frontend-facing API boundary
BFF Service
Validates Azure AD access token, admits the request, and routes
the document download operation
Document Management Service
Validates request, enforces RBAC + ABAC, resolves metadata, and
issues secure download access
Azure Storage Account (Blob Storage)
Stores the actual file object that is downloaded through
short-lived signed access
Datadog / Audit
Captures logs, traces, metrics, and audit visibility for the
document download flow
Signed Download
Browser uses short-lived secure access to retrieve the file
directly from storage
1. User requests file download
User clicks download for a generated or uploaded document
2. Frontend sends download request
React SPA sends document download request with Azure AD access
token
3. Edge and origin path
Request passes through Akamai → Azure Application Gateway →
IBM API Connect
4. BFF receives request
BFF receives the secured document download request
5. Token validation and request admission
BFF validates token signature, issuer, audience, expiry, and
request admissibility
6. Route to document service
BFF forwards file reference and user context to Document
Management Service
7. Validate document request
Document service validates requested document reference and
download intent
8. Backend authorization
Backend enforces RBAC + ABAC and ownership / scope rules
before access is granted
9. Resolve metadata and file reference
Document service queries Azure DocumentDB for document
metadata and storage reference
11. Generate secure download access
Document service generates a short-lived signed download URL
for Azure Storage Account (Blob Storage)
12. Emit observability and audit
Download request, authorization result, trace data, and audit
visibility are sent to Datadog / audit path
13. Return signed access to BFF
Document service returns short-lived signed download access to
the BFF
14. Return download response to frontend
BFF returns the short-lived signed download URL to the React
SPA
15. Browser downloads directly from storage
Browser uses the short-lived signed URL to download the file
directly from Azure Storage Account (Blob Storage)
16. Deliver file to user
UI starts the authorized file download for the user
Controlled download path:
Downloads are controlled by the backend path. The React SPA requests
the file through the secured API route, the BFF validates the token
and admits the request, and the document service performs
authorization and metadata resolution before any file can be
downloaded.
Preferred download model:
After authorization, the browser downloads the file directly from
Azure Storage Account (Blob Storage) using a short-lived signed URL
issued by the backend. This keeps the backend as the control point
while reducing backend load for large file downloads.
Separated storage model:
Azure DocumentDB stores document metadata and storage references,
Azure Storage Account (Blob Storage) stores the actual binary file,
and Datadog captures logs, traces, metrics, and audit visibility
across the download flow.
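Added example (not part of the CMS code base): a minimal Python model of the controlled download path and preferred download model, in which the document service signs a URL only after authorization and the storage side rejects expired or altered URLs. The HMAC scheme, key, 120-second lifetime, `storage.example` host, permission name, and metadata record are constructed assumptions standing in for Azure's own signed-access mechanism.

```python
import hashlib, hmac, time
from urllib.parse import urlencode, urlparse, parse_qs

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store
TTL_SECONDS = 120                      # assumed value for "short-lived"
# Constructed record standing in for the document metadata store.
METADATA = {"doc-1001": {"blob": "crew/contracts/doc-1001.pdf", "owner": "u-17", "dept": "ops"}}

def authorize(user, doc_id):
    """RBAC (permission) + ABAC (department) + ownership; returns metadata or None."""
    meta = METADATA.get(doc_id)
    if meta is None or "doc.download" not in user["permissions"]:
        return None
    if user["id"] != meta["owner"] and user["dept"] != meta["dept"]:
        return None
    return meta

def _sign(blob, expires):
    # The signature binds read-only access to one blob and one expiry time.
    msg = f"r\n{blob}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_download_url(user, doc_id, now=None):
    """Document service: no signed URL exists unless authorization succeeded."""
    meta = authorize(user, doc_id)
    if meta is None:
        return None
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    query = urlencode({"perm": "r", "exp": expires, "sig": _sign(meta["blob"], expires)})
    return f"https://storage.example/{meta['blob']}?{query}"

def storage_accepts(url, now=None):
    """Storage side: enforce expiry, then recompute and compare the signature."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        expires, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if int(now if now is not None else time.time()) >= expires:
        return False
    expected = _sign(parsed.path.lstrip("/"), expires)
    return hmac.compare_digest(sig.encode(), expected.encode())
```

Because the blob path and expiry are both inside the signed message, a URL issued for one document cannot be repointed at another or have its lifetime extended by editing the query string.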
Diagram legend: User action; Frontend / browser; Edge security; Ingress / API gateway; BFF processing; Document service logic; Metadata lookup; Blob file access; Observability / audit; Returned response