This repository implements a simple file uploader backend with session-based authentication, file storage, and folder organization. The frontend is served from the `public/` directory. This README covers only the backend: its implementation, design decisions, and how to run it locally.
Tech stack

- Node.js + Express (TypeScript)
- Prisma ORM with PostgreSQL (see `prisma/schema.prisma`)
- Authentication with `passport-local` and `express-session`
- File uploads handled by `multer` into the `uploads/` folder
- Routes are mounted under `/auth` and `/api`
API endpoints

Authentication

- POST `/auth/signup` — Create an account. Body: `{ username, password, email }`. Returns 201 on success.
- POST `/auth/login` — Log in with `{ username, password }`. Uses the Passport local strategy and sets the session cookie.
- POST `/auth/logout` — Logs out the current session.
- GET `/auth/me` — Returns the current logged-in user object, or 401 if not authenticated.
Files

- POST `/api/upload` — Upload a single file. Form-data field: `file`. Requires auth. Saves the file on disk and its metadata to the DB.
- GET `/api/files` — Returns the list of files owned by the authenticated user.
- GET `/api/files/:fileId/download` — Initiates a file download (serves the saved file).
- DELETE `/api/files/:fileId` — Deletes a file (the DB record and the file on disk, as implemented in the routes).
- PATCH `/api/files/:fileId/move` — Moves a file into a folder. Body: `{ folderId }`.

`fileId` and `folderId` are client-supplied. Every lookup in these handlers must be scoped to the session user (file id *and* `userId`, folder id *and* `userId`): a lookup by id alone would let any logged-in user read, delete or move another user's files.
Folders

- POST `/api/folders` — Create a new folder. Body: `{ name }`.
- GET `/api/folders` — Returns the user's folders, each with its files included.
All `/api` endpoints and `/auth/me` require an authenticated session (cookie). The frontend in `public/` is same-origin, so `fetch` sends the cookie by default; a client on another origin must opt in with `fetch(url, { credentials: "include" })`, and the server must then answer CORS with `Access-Control-Allow-Credentials: true` for that specific origin (a wildcard origin is not allowed with credentials).
Data model

See `prisma/schema.prisma`. Key models:

- `User` — id, username (unique), password (hashed), email (unique); relations to `files` and `folders`.
- `File` — id, name, size (stored as a string), path (disk path), `userId`, optional `folderId`.
- `Folder` — id, name, `userId`; relation to `files`.

The Prisma client is used directly inside route handlers to perform CRUD operations.
Authentication internals

- The Passport local strategy (`src/config/passport.ts`) authenticates users by username and password. Passwords are hashed with `bcryptjs`.
- `express-session` is configured in `src/index.ts`. Development uses a hard-coded secret; set `SESSION_SECRET` in production. Sessions live in the default in-memory store, which leaks memory, is lost on restart and cannot be shared across processes; use a store such as Redis in production.
- Passport `serializeUser` stores the user id in the session and `deserializeUser` loads the user record on each request.
File uploads

- `multer` is configured in `src/config/multer.ts` to store uploaded files on disk under `uploads/` with a generated filename (`Date.now()-originalname`). `originalname` is client-supplied: treat it as untrusted (keep only its base name, never a directory component), and do not rely on `Date.now()` alone for uniqueness, since two uploads in the same millisecond with the same name collide.
- The file filter restricts uploads to common documents and images (`jpeg|jpg|png|gif|pdf|txt|doc|docx`). A multer `fileFilter` only sees what the client declares (filename, MIME type), not the file contents.
- The file size limit is 5 MB (`limits.fileSize` in the multer config; adjust for your needs). Oversize uploads are rejected by multer with a `MulterError` whose `code` is `LIMIT_FILE_SIZE`; map it to a 413 response in the error handler rather than a generic 500.
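As an added example (not the project's `src/config/multer.ts`), the two helpers below implement the caveats above: a stored filename that never trusts the client's `originalname` as a path and cannot collide, and a filter that accepts a file only when its extension is on the allowlist and the declared MIME type agrees with it. The allowlist contents, the names `safeStoredName` and `isAllowedUpload`, the `MAX_FILE_SIZE` constant and the 8-byte random component are choices made for this example.

```typescript
import * as path from "path";
import * as crypto from "crypto";

// Allowlist keyed by extension, with the MIME type a browser normally declares for it.
// Mirrors the README's jpeg|jpg|png|gif|pdf|txt|doc|docx list (example allowlist).
const ALLOWED: Record<string, string[]> = {
  ".jpg": ["image/jpeg"],
  ".jpeg": ["image/jpeg"],
  ".png": ["image/png"],
  ".gif": ["image/gif"],
  ".pdf": ["application/pdf"],
  ".txt": ["text/plain"],
  ".doc": ["application/msword"],
  ".docx": ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"],
};

export const MAX_FILE_SIZE = 5 * 1024 * 1024; // 5 MB, the README's limits.fileSize

// Accepts a file only if the extension is allowlisted AND the declared MIME type
// agrees with it. Both values come from the client, so this is a consistency
// check, not proof of content; sniffing magic bytes after the write is the next layer.
export function isAllowedUpload(originalname: string, mimetype: string): boolean {
  const ext = path.extname(originalname).toLowerCase();
  const mimes = ALLOWED[ext];
  return mimes !== undefined && mimes.includes(mimetype.toLowerCase());
}

// Derives the on-disk name. originalname is untrusted: keep only its base name
// (after normalising Windows separators), replace anything outside [A-Za-z0-9._-],
// drop leading dots (no hidden files), cap the length, and add a random component
// so two uploads in the same millisecond cannot collide as they can with
// Date.now()-originalname alone. The timestamp is kept for easy sorting on disk.
export function safeStoredName(originalname: string, now: number = Date.now()): string {
  const base = path.basename(originalname.replace(/\\/g, "/"));
  const clean = base.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "");
  const rawExt = path.extname(clean);
  const stem = (path.basename(clean, rawExt) || "file").slice(0, 100);
  const rand = crypto.randomBytes(8).toString("hex");
  return `${now}-${rand}-${stem}${rawExt.toLowerCase()}`;
}

// How these plug into multer (illustrative; the real options object lives in
// src/config/multer.ts and is not reproduced here):
//   multer({
//     storage: multer.diskStorage({
//       destination: "uploads/",
//       filename: (_req, file, cb) => cb(null, safeStoredName(file.originalname)),
//     }),
//     fileFilter: (_req, file, cb) => cb(null, isAllowedUpload(file.originalname, file.mimetype)),
//     limits: { fileSize: MAX_FILE_SIZE },
//   })
```

`safeStoredName("../../etc/passwd")` becomes `<timestamp>-<16 hex chars>-passwd`, and `isAllowedUpload("shell.php", "image/png")` is rejected even though the MIME type alone looks harmless.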
Routes and error handling

- Routes enforce authentication with a small middleware `requireAuth` that checks `req.user` and returns 401 if it is missing.
- File metadata is stored in the database when an upload succeeds; the `path` field holds the path on disk where multer saved the file.
- Folder endpoints include their files when returning folder objects (`include: { files: true }`).
- Error handling: most routes wrap their logic in try/catch and return 4xx/5xx with an `error` message. Do not echo raw exception messages (Prisma errors, for instance, can include table and column names) to the client; log them server-side and return a generic message.
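An added example, not the project's route code: the checks a download (or delete) handler needs, in order, written as a pure function over constructed sample rows so it runs without Express or a database. `FileRecord`, `SessionUser`, `ResLike`, `decideDownload`, `SAMPLE_FILES` and the assumption of integer ids are this example's own; with Prisma the ownership-scoped lookup in step 3 is `prisma.file.findFirst({ where: { id, userId } })`.

```typescript
import * as path from "path";

// Shapes assumed for this example; they mirror the README's File model and the
// req.user that Passport populates, not the project's generated Prisma types.
export interface FileRecord {
  id: number;
  name: string;
  size: string;
  path: string;
  userId: number;
  folderId: number | null;
}
export interface SessionUser {
  id: number;
  username: string;
}
export interface ResLike {
  status(code: number): ResLike;
  json(body: unknown): void;
  download(absPath: string, downloadName: string): void;
}

// The README's requireAuth: no session user, no route.
export function requireAuth(req: { user?: SessionUser }, res: ResLike, next: () => void): void {
  if (!req.user) {
    res.status(401).json({ error: "Not authenticated" });
    return;
  }
  next();
}

export type DownloadDecision =
  | { status: 400 | 401 | 404; error: string }
  | { status: 200; absPath: string; downloadName: string };

// Constructed sample rows standing in for the file table. Row 3 has a tampered
// path to exercise the containment check.
export const SAMPLE_FILES: FileRecord[] = [
  { id: 1, name: "notes.txt", size: "12", path: "uploads/1700000000000-notes.txt", userId: 7, folderId: null },
  { id: 2, name: "secret.pdf", size: "4096", path: "uploads/1700000000001-secret.pdf", userId: 8, folderId: null },
  { id: 3, name: "odd.txt", size: "1", path: "../etc/passwd", userId: 7, folderId: null },
];

// Everything GET /api/files/:fileId/download must decide before touching res.
export function decideDownload(
  user: SessionUser | undefined,
  fileIdParam: string,
  files: FileRecord[],
  uploadsDir: string,
): DownloadDecision {
  // 1. Authentication (the same check requireAuth makes).
  if (!user) return { status: 401, error: "Not authenticated" };
  const userId = user.id;

  // 2. Input validation: :fileId is a URL segment, hence a string; accept only a
  //    plain positive integer (assumes Int ids, as a default Prisma schema uses).
  if (!/^[1-9]\d{0,14}$/.test(fileIdParam)) return { status: 400, error: "Invalid file id" };
  const id = Number(fileIdParam);

  // 3. Authorization: select by id AND owner in one query. A row owned by someone
  //    else is reported as 404, so the response does not reveal that it exists.
  const rec = files.find((f) => f.id === id && f.userId === userId);
  if (!rec) return { status: 404, error: "File not found" };

  // 4. Path containment: the stored path must resolve inside uploadsDir, so a
  //    tampered or legacy DB row cannot make the server serve an arbitrary file.
  const root = path.resolve(uploadsDir);
  const abs = path.resolve(rec.path);
  if (!abs.startsWith(root + path.sep)) return { status: 404, error: "File not found" };

  // 5. The Content-Disposition filename is the user-chosen name reduced to its
  //    base name; Express quotes it when it builds the header.
  return { status: 200, absPath: abs, downloadName: path.basename(rec.name) };
}

// Express-style handler built on the decision (glue; assumes requireAuth ran first).
export function downloadHandler(req: { user?: SessionUser; params: { fileId: string } }, res: ResLike): void {
  const d = decideDownload(req.user, req.params.fileId, SAMPLE_FILES, "uploads");
  if (d.status === 200) {
    res.download(d.absPath, d.downloadName);
    return;
  }
  res.status(d.status).json({ error: d.error });
}
```

The same shape applies to `DELETE /api/files/:fileId` (unlink only after the owner-scoped lookup succeeds) and to the `folderId` in `PATCH /api/files/:fileId/move`, which needs its own owner-scoped lookup before the update.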
Environment variables

Create a `.env` in the project root with at least:

- `DATABASE_URL` — PostgreSQL connection string used by Prisma
- `SESSION_SECRET` — secret for `express-session` (replaces the hard-coded development secret; required in production)

Example `.env` (development):

```
DATABASE_URL=postgresql://user:pass@localhost:5432/fileuploader
SESSION_SECRET=replace_this_with_a_secure_value
```

Generate a real secret with `openssl rand -hex 32`; the placeholder above is not one.
Running locally

- Install dependencies
- Prepare the database and Prisma client
- Start the dev server

```sh
npm install
npx prisma migrate dev --name init
npx prisma generate
npm run dev
```

The server listens on http://localhost:3000. The `public/` folder is served statically, so http://localhost:3000/index.html loads the frontend.
Production considerations

- Use a persistent session store (Redis, Memcached) instead of the default memory store.
- Set `cookie.secure = true`, `cookie.httpOnly = true` and `sameSite` appropriately when serving over HTTPS. Behind a TLS-terminating reverse proxy, also `app.set('trust proxy', 1)` so Express treats the connection as secure and the cookie is actually sent.
- Never keep secrets (`SESSION_SECRET`, DB credentials) in source control; use environment variables and a secrets manager.
- Validate and sanitize user input carefully if you extend features (e.g., folder names, file metadata).
- Consider rate limiting (at least on `/auth/login` and `/auth/signup`, which are password-guessing targets) and virus scanning of uploaded files.
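An added example covering both the `express-session` setup described under Authentication internals and the cookie and secret points in the list above (it is not the project's `src/index.ts`): a function that derives the session options from the environment and refuses to start in production without a real `SESSION_SECRET`, instead of silently falling back to the hard-coded development value. The `SessionOptions` type is declared locally so the snippet compiles without the package; its field names are express-session's. `sessionOptions`, `DEV_FALLBACK_SECRET`, the cookie name `sid` and the 8-hour lifetime are this example's choices.

```typescript
// Shape of the options object passed to express-session(...). Declared locally so
// this example compiles on its own; the field names match express-session's.
export interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite: "lax" | "strict" | "none";
  maxAge: number;
}
export interface SessionOptions {
  name: string;
  secret: string;
  resave: boolean;
  saveUninitialized: boolean;
  cookie: CookieOptions;
}

// Stands in for the README's hard-coded development secret (example value).
export const DEV_FALLBACK_SECRET = "dev-only-secret-do-not-deploy";

// Builds the session options from the environment and fails closed: in production a
// missing or short SESSION_SECRET is a startup error, never a fallback to the dev value.
export function sessionOptions(env: Record<string, string | undefined>): SessionOptions {
  const prod = env.NODE_ENV === "production";
  let secret = env.SESSION_SECRET;
  if (!secret || secret.length < 32) {
    if (prod) throw new Error("SESSION_SECRET must be set to at least 32 characters in production");
    secret = DEV_FALLBACK_SECRET;
  }
  return {
    name: "sid",                // replaces the default connect.sid, which advertises the stack
    secret,
    resave: false,
    saveUninitialized: false,   // no cookie is issued until the user logs in
    cookie: {
      httpOnly: true,           // not readable by page scripts
      secure: prod,             // sent over HTTPS only in production
      sameSite: "lax",          // not attached to cross-site POST/PATCH/DELETE (CSRF mitigation);
                                // the frontend is same-origin (served from public/), so lax suffices
      maxAge: 8 * 60 * 60 * 1000, // 8 hours
    },
  };
}

// Wiring in src/index.ts would look like this (illustrative, not run here):
//   app.set("trust proxy", 1);   // only when a TLS-terminating proxy is in front
//   app.use(session({ ...sessionOptions(process.env), store: /* persistent store, e.g. connect-redis */ }));
```

With `NODE_ENV=production` and no `SESSION_SECRET`, the process exits at startup with the error above, which is the behaviour you want from a deployment that forgot to configure the secret; in development the fallback keeps `npm run dev` working without a `.env`.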