Secure personal file vault with web UI for managing files in Digital Ocean Spaces
A production-ready Express server with a modern web interface for secure file storage. Features drag-and-drop uploads, folder management, bulk operations, and enterprise-grade security.
Login with username/password, "Remember Me" for 30-day sessions, secure logout.
Create folders, rename them, move folders into other folders.
Drag and drop files up to 5GB with real-time progress tracking (speed, time remaining).
Click to upload via dialog, files appear instantly, delete with confirmation.
Live search filtering, download files directly to your computer.
Individual checkbox selection, shift-click for range selection, clear all.
Drag files directly onto folders, visual feedback with loading spinner.
Select multiple items, choose destination from folder browser, move all at once.
Select multiple files/folders, delete with confirmation showing all items.
Upload the same file multiple times - automatically named file.pdf, file (1).pdf, file (2).pdf.
- Express.js - Web framework
- PostgreSQL - Sessions, auth, upload logs
- Digital Ocean Spaces - S3-compatible object storage
- AWS SDK v2 - S3 client library
- Multer - Multipart form-data handling
- Helmet - Security headers
- bcryptjs - Password hashing
- Upload files up to 500MB directly, up to 5GB via presigned URLs
- Drag-and-drop anywhere in the UI
- Create, rename, move, delete folders
- Download files directly
- Search with live filtering
- Smart duplicate file naming
- Checkbox selection (individual + shift-range + select all)
- Bulk move to any folder
- Bulk delete with confirmation
- Drag files to folders
- Skeleton loaders during fetch
- Smooth animations (bulk actions bar, refresh spinner)
- Material Design icons
- Breadcrumb navigation
- File type icons (audio, video, zip, etc.)
- Responsive layout
- Session-based auth with PostgreSQL store
- 24-hour default sessions, 30-day with "Remember Me"
- Secure, httpOnly, sameSite cookies
- bcrypt password hashing
- Double-submit pattern (header + cookie + session)
- Constant-time comparison
- 1-hour token expiry
- Applied to all POST/PUT/DELETE endpoints
- Progressive rate limiting per IP AND username
- 15-min window: 5 attempts max
- 1-hour window: 10 attempts max
- 24-hour window: 20 attempts max
- Automatic lockout with countdown
- Username/filename format validation
- Path traversal prevention
- XSS escaping
- SQL injection prevention (parameterized queries)
- File size limits
- Helmet.js headers (CSP, Permissions-Policy, etc.)
- CORS restricted to allowed origins
- Trust proxy for Nginx
- Node.js 16+
- PostgreSQL database
- Digital Ocean Spaces account
```bash
# Install dependencies
npm install
# Set up database
psql $DATABASE_URL < schema.sql
# Configure environment
cp .env.example .env
# Edit .env with your credentials
# Start server
npm start
```
See .env.example:
- DATABASE_URL - PostgreSQL connection string
- DO_SPACES_ACCESS_KEY_ID - Spaces access key
- DO_SPACES_SECRET_KEY - Spaces secret key
- SESSION_SECRET - Random string (min 32 chars)
- PORT - Server port (default: 3456)
- ALLOWED_ORIGIN - Production domain for CORS (e.g., https://vault.example.com)
Designed for Digital Ocean droplets with PM2:
```bash
cp ecosystem.config.example.js ecosystem.config.js
pm2 start ecosystem.config.js
pm2 save
```

| Method | Endpoint | Auth | CSRF | Description |
|---|---|---|---|---|
| GET | /health | No | No | Health check |
| POST | /api/login | No | No | Authenticate |
| POST | /api/logout | Yes | Yes | End session |
| GET | /api/auth/status | No | No | Check auth |
| POST | /api/upload | Yes | Yes | Upload file ≤500MB |
| POST | /api/get-upload-url | Yes | Yes | Presigned URL for large files |
| GET | /api/files | Yes | No | List files/folders |
| POST | /api/folder | Yes | Yes | Create folder |
| DELETE | /api/file/:key | Yes | Yes | Delete file/folder |
| GET | /api/file/download/:key | Yes | No | Download file |
| POST | /api/file/move | Yes | Yes | Move/rename |

4 PostgreSQL tables:
- vault_users - Authentication
- vault_sessions - Express session store
- vault_upload_logs - Audit trail
- vault_login_attempts - Brute force tracking
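
The progressive login limits listed among the security features (5 attempts per 15 minutes, 10 per hour, 20 per 24 hours, counted per IP and per username) can be sketched as follows. This is an added example, not the project's code: it keeps failures in an in-memory Map rather than the vault_login_attempts table, and the function names, key format and reset-on-success policy are assumptions.

```javascript
// Added example: in-memory sketch of the README's progressive login limits.
// Store, function names and key format are assumptions, not the project's code.
const WINDOWS = [
  { ms: 15 * 60 * 1000, max: 5 },        // 15-minute window: 5 attempts
  { ms: 60 * 60 * 1000, max: 10 },       // 1-hour window: 10 attempts
  { ms: 24 * 60 * 60 * 1000, max: 20 },  // 24-hour window: 20 attempts
];
const LONGEST = WINDOWS[WINDOWS.length - 1].ms;
const failures = new Map(); // key ("ip:..." or "user:...") -> ascending timestamps

function keysFor(ip, username) {
  // Normalise the username so "Alice" and "alice " share one counter.
  return [`ip:${ip}`, `user:${String(username).trim().toLowerCase()}`];
}

// Milliseconds until `key` drops below every window limit (0 = not locked).
function lockRemaining(key, now) {
  const times = (failures.get(key) || []).filter((t) => now - t < LONGEST);
  if (times.length) failures.set(key, times); else failures.delete(key);
  let wait = 0;
  for (const { ms, max } of WINDOWS) {
    const inWindow = times.filter((t) => now - t < ms);
    if (inWindow.length >= max) {
      // Unlocks when the max-th most recent failure ages out of this window.
      const pivot = inWindow[inWindow.length - max];
      wait = Math.max(wait, pivot + ms - now);
    }
  }
  return wait;
}

// Call before checking the password; locked if either the IP or the username is.
function checkLogin(ip, username, now = Date.now()) {
  const wait = Math.max(...keysFor(ip, username).map((k) => lockRemaining(k, now)));
  return { allowed: wait === 0, retryAfterSec: Math.ceil(wait / 1000) };
}

// Call after a failed password check; counts against both keys.
function recordFailure(ip, username, now = Date.now()) {
  for (const k of keysFor(ip, username)) {
    failures.set(k, [...(failures.get(k) || []), now]);
  }
}

// Assumed policy: a successful login clears the username counter only, so one
// valid account cannot reset the budget of an IP that is guessing others.
function recordSuccess(username) {
  failures.delete(keysFor('', username)[1]);
}
```

`retryAfterSec` is the value a lockout countdown would display, and it grows from 15 minutes toward the hourly and daily windows as failures accumulate.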
MIT









