This platform was built for music producers who need a secure way to
review unreleased music and mixes without publicly exposing the
original audio files. It acts as a private audio library where
tracks are stored in Firebase Storage and can be accessed from
anywhere by an authorized user.
The frontend receives time-limited signed Firebase Storage URLs rather
than permanent public file links. These signed URLs temporarily authorize
access to each track and expire after a configured period, helping prevent
the storage files from remaining openly accessible.
Access is intentionally minimal. A single PIN-authenticated user can
unlock the library, browse tracks, compare mixes, organize projects,
and stream music while keeping the catalog hidden from the general public.
Audio Streaming: Upload and securely stream your tracks from anywhere.
A/B Audio Testing: Compare your track against another reference track in real time.
Track Filtering: Filter tracks using custom tags, artist tags, moods, and track types.
Track Pagination: Load tracks in paginated batches, with or without active filters.
Future Destinations: Mark intended release destinations such as SoundCloud or YouTube.
Track Ratings: Rate each track from 0 to 5 stars.
Track Notes: Create and save custom notes for every track.
Frontend: SvelteKit, TypeScript, custom audio player, reactive stores, responsive UI, and secure API integration.
Backend: Node.js, Express, TypeScript, REST APIs, middleware-driven authentication, and file upload handling.
Cloud: Firebase Firestore, Firebase Storage, Firebase Admin SDK, and time-limited signed URLs for secure audio access.
Security: PIN-based authentication, IP verification, JWT authentication, signed Firebase Storage URLs, rate limiting, and secure HTTP-only cookies.
Audio files are streamed directly from Firebase Storage using time-limited signed URLs generated by the backend. The frontend never stores permanent file links—instead, it requests a temporary URL each time playback begins. Once the URL expires, it can no longer be used, allowing audio to be streamed securely while keeping the underlying storage objects private and inaccessible to unauthorized users.
Access is protected by a PIN-based authentication system combined with IP validation. The backend monitors failed login attempts, temporarily blocks abusive clients, and issues JWT access tokens alongside secure HTTP-only refresh cookies after successful authentication. All authentication logic is handled on the server, ensuring that only authorized users can access protected resources or request signed URLs for audio playback.
This is a live deployment of the application, so the PIN is not publicly available. Since the project is open source, you can download the source code from GitHub , configure your own environment variables (including your PIN), and deploy your own instance. Every deployment uses its own PIN, so there isn't a shared PIN that grants access to this demo.
Architecture: SvelteKit and TypeScript with reusable components, shared layouts, app-wide UI patterns, and responsive mobile and desktop behavior.
State Management: Reactive Svelte stores for audio playback, selected tracks, loading states, filters, pagination, autoplay, navigation, and shared application data.
Audio Player: Custom playback controls, seeking, buffering states, track navigation, autoplay behavior, waveform support, and secure streamed audio playback.
A/B Testing: Reusable track, player, range, and toggle components for synchronized playback and instant switching between two tracks.
Reusable Components: Shared buttons, modals, forms, navigation, track lists, artwork, filters, audio controls, and screenshot swipers used throughout the app.
API Integration: Separate fetch helpers for public and authenticated requests, including token attachment, token refresh handling, normalized errors, and forced logout flows.
Responsive Design: Adaptive navigation, mobile audio controls, swipeable content, responsive layouts, and device-specific interface behavior.
Architecture: Node.js, Express, and TypeScript with organized controllers, middleware, helpers, validators, and REST API routes.
Authentication: PIN-based login, IP verification, access and refresh tokens, secure HTTP-only cookies, and automatic access token renewal.
Middleware: Centralized request protection for token validation, IP normalization, session checks, error handling, and authorization before protected routes run.
Audio Streaming: Secure range-based streaming with short-lived tokens, partial-content responses, and no direct exposure of the original storage URLs.
Track Management: API endpoints for uploads, edits, deletion, ratings, notes, tags, future destinations, pagination, and filtered track retrieval.
File Handling: Memory-based uploads, image conversion and optimization, file validation, Firebase Storage uploads, and controlled media access.
Data Layer: Firebase Admin SDK and Firestore queries for track data, authentication records, filtering, sorting, and paginated responses.
Error Handling: Custom application errors, normalized API responses, session-expiration handling, force-logout flows, and centralized Express error middleware.
Rate Limiting: Request throttling and failed-login tracking to prevent brute-force PIN attempts, temporarily block abusive IP addresses, and protect authentication and API endpoints from excessive traffic.
All Rights Reserved | Copyright © 2026 PATTSWAY