Dynamic Sequence – Document Upload

Crew Management System: end-to-end document upload sequence. The request travels through the secured frontend API path; the BFF validates the token and admits the request; the backend validates the request and enforces RBAC + ABAC authorization; a short-lived signed upload grant is generated for Azure Storage Account (Blob Storage); the browser uploads the file directly to storage; the commit step verifies the object and finalizes metadata in Azure DocumentDB; CASB monitors the uploaded file; OPSWAT scanning is an optional future state; the document is activated only after the required validation steps; and Datadog captures observability and audit data for the flow.
User
Initiates document upload from the CMS screen and selects the file to upload
Browser / React SPA
Collects file and metadata, calls upload APIs, uploads directly to storage, and submits commit confirmation
Akamai
Public edge entry applying WAF, DDoS protection, bot filtering, and secure routing
Azure Application Gateway
Protected origin ingress with additional WAF inspection before AKS access
IBM API Connect
API exposure, governance, controlled forwarding, and frontend-facing API boundary
BFF Service
Validates Azure AD access token, admits the request, and routes upload-init and upload-commit operations
Document Management Service
Validates request, enforces RBAC + ABAC, prepares secure upload access, verifies upload, and finalizes metadata
Azure DocumentDB
Stores document metadata, upload status, ownership, linkage, and storage path references
Azure Storage Account (Blob Storage)
Stores the uploaded binary file through short-lived signed upload access
CASB Monitoring
Monitors uploaded files and may block or quarantine malicious content before activation
OPSWAT (Future State)
Planned future-state deep file scanning service for additional document validation
Datadog / Audit
Captures logs, traces, metrics, and audit visibility for the upload and validation flow
Returned Result
Success, pending validation, blocked, quarantined, or error response shown back to the user
1. User selects file and metadata
User selects the file and enters related metadata from the CMS screen
2. Frontend sends upload-init request
React SPA sends upload-init request with Azure AD access token and upload metadata
3. Edge and origin API path
Request passes through Akamai → Azure Application Gateway → IBM API Connect
4. BFF receives upload-init request
BFF receives the secured upload-init request
5. Token validation and request admission
BFF validates token signature, issuer, audience, expiry, and request admissibility
6. Route upload-init to document service
BFF forwards upload context and metadata to Document Management Service
7. Validate upload request
Document service validates request structure, file intent, file rules, and target entity context
8. Backend authorization
Backend enforces RBAC + ABAC and ownership / scope rules before upload access is granted
9. Create pending metadata and storage reference
Document service prepares upload session, storage path reference, and pending document state
10. Persist pending metadata
Document service writes pending metadata, upload reference, and validation status to Azure DocumentDB
11. Metadata acknowledgement
Azure DocumentDB returns metadata persistence result and linked document reference
12. Generate signed upload access
Document service generates short-lived signed upload URL for Azure Storage Account (Blob Storage)
13. Return upload instruction to BFF
Document service returns signed upload access and upload reference to the BFF
14. Return upload-init response to frontend
BFF returns upload URL, upload reference, and pending status to the React SPA
15. Browser uploads directly to storage
Browser uploads the file directly to Azure Storage Account (Blob Storage) using short-lived signed upload access
16. Storage confirms upload
Blob Storage returns the upload success / object confirmation to the browser
17. Frontend sends upload-commit request
React SPA sends upload-commit request with document reference after the file upload completes
18. BFF routes upload-commit request
BFF forwards upload-commit request to Document Management Service
19. Verify uploaded object
Document service verifies the uploaded file exists and matches the expected upload reference
20. Enterprise monitoring and scan control
CASB monitors the uploaded file and may allow, block, or quarantine it
21. Optional future-state deep scan
OPSWAT future-state scanning may perform deeper malware / validation checks
22. Finalize metadata and document status
Document service finalizes metadata and sets status such as active, pending validation, blocked, or quarantined
23. Persist final status
Document service updates Azure DocumentDB with final upload state and document activation result
24. Emit observability and audit
Upload event, authorization result, scan outcome, completion status, and trace data are sent to Datadog / audit path
25. Return final response to frontend
BFF returns final upload response with document ID, status, and validation outcome to the frontend
26. Render upload result
UI shows success, pending validation, blocked, quarantined, or error result to the user
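As an added illustration (not the project's code), the upload-init / upload-commit control flow of steps 7 to 23 modelled in Python: an HMAC-signed grant stands in for the short-lived signed upload URL, in-memory dicts stand in for Azure DocumentDB and Blob Storage, and the role name, crew scope and status values are assumptions. It shows that storage refuses an expired or tampered grant, that a commit without a completed upload cannot activate the document, and that the document becomes active only once the CASB verdict is allow.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: an in-memory metadata store for Azure DocumentDB, an in-memory
# blob store for Blob Storage, and an HMAC-signed grant in place of the short-lived
# signed upload URL. Key, TTL and field names are assumptions, not the project's values.
SIGNING_KEY = b"constructed-demo-signing-key"
UPLOAD_TTL_SECONDS = 300
metadata_db = {}  # doc_id -> metadata record (owner, crew, storage path, status)
blob_store = {}   # storage path -> file bytes

def _sign(path, expires):
    return hmac.new(SIGNING_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()

def authorize(user, crew_id):
    """Step 8: RBAC (role may upload) plus ABAC (user is scoped to the target crew)."""
    return "document.upload" in user["roles"] and crew_id in user["crews"]

def upload_init(user, crew_id, filename, now):
    """Steps 7-14: authorize, persist pending metadata, issue a short-lived upload grant."""
    if not authorize(user, crew_id):
        raise PermissionError("RBAC/ABAC check failed")
    doc_id = secrets.token_hex(8)
    path = f"crew/{crew_id}/{doc_id}/{filename}"
    metadata_db[doc_id] = {"owner": user["id"], "crew": crew_id,
                           "path": path, "status": "pending_upload"}
    expires = now + UPLOAD_TTL_SECONDS
    return {"doc_id": doc_id, "path": path, "expires": expires, "sig": _sign(path, expires)}

def storage_put(grant, data, now):
    """Step 15: storage accepts the direct browser write only for a valid, unexpired grant."""
    expected = _sign(grant["path"], grant["expires"])
    if now > grant["expires"] or not hmac.compare_digest(grant["sig"], expected):
        return False
    blob_store[grant["path"]] = data
    return True

def upload_commit(user, doc_id, casb_verdict=None):
    """Steps 19-23: verify object, apply CASB verdict (allow/block/quarantine/None), finalize."""
    rec = metadata_db.get(doc_id)
    if rec is None or rec["owner"] != user["id"]:
        raise PermissionError("unknown document or not the requesting owner")
    if rec["path"] not in blob_store:
        rec["status"] = "error"  # commit arrived without a completed upload
        return rec["status"]
    final = {None: "pending_validation", "allow": "active",
             "block": "blocked", "quarantine": "quarantined"}
    rec["status"] = final[casb_verdict]  # active only after validation passes
    return rec["status"]
```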
Controlled upload path: The frontend does not upload through unrestricted direct access. The React SPA first calls the secured API path, the BFF validates the token and admits the request, and the document service performs validation and authorization before upload access is issued.
Preferred upload model: After authorization, the browser uploads the file directly to Azure Storage Account (Blob Storage) using short-lived signed access issued by the backend. This keeps the backend as the control point while reducing backend load for file transfer.
Validation before activation: Azure DocumentDB stores metadata and upload status; Blob Storage stores the file itself; CASB monitors uploaded files and may block or quarantine malicious content; OPSWAT is shown as a future-state scanning service; and document activation occurs only after the required validation steps are complete.
Legend (lane categories): User action; Frontend / browser; Edge security; Ingress / API gateway; BFF processing; Document service logic; Metadata persistence; Blob file storage; CASB monitoring; Future-state scan; Observability / audit; Returned result