audio-streamer
A secure, token-gated audio streaming system built to protect unreleased music. All audio is streamed through a locked backend pipeline—no public URLs, no exposed storage, and no way for users to access or download the original files. Every request is IP-checked, token-signed, and fully validated.
The frontend never receives real file links, only a short-lived stream token used for controlled, chunked playback. Audio plays in real time but cannot be saved or cached, turning the app into a private listening vault.
Access is intentionally minimal: a single user unlocks the library with a PIN and can preview tracks from anywhere, without the source files ever being exposed to the public.
This platform was built for music producers who need a safe way to review mixes and unreleased tracks without ever exposing the original audio files. It acts as a private streaming vault: the entire library lives in secure cloud storage, can be played from anywhere, and is never downloadable or directly accessible. A single, trusted user unlocks the app, keeping the catalog completely hidden from the public.
Built with a modern, security-focused stack:
Frontend: SvelteKit, custom audio player, reactive stores, secure fetch wrappers.
Backend: Node.js, Express, middleware-driven auth, range-based streaming.
Cloud: Firebase Admin SDK, Firebase Storage, token-secured stream endpoints.
Security: IP verification, PIN-gated access, JWT stream tokens, rate-limited login attempts.
Audio is delivered through a controlled chunked HTTP streaming pipeline. The frontend receives only a short-lived, IP-bound stream token, which is passed to an Express endpoint that reads from Firebase Storage using range requests. The browser never sees a public file URL, and only ever buffers what it needs to play — not the full file — which prevents downloads, scraping, or direct access.
Access is gated behind a PIN-based login combined with IP verification. The backend tracks failed attempts and can temporarily block abusive IPs, while successful logins receive short-lived tokens tied to the requesting client. All auth logic lives on the server, so even if someone inspects the network layer, they still can’t bypass the gate or reach the underlying audio files.
The frontend is built with SvelteKit and uses reactive stores, custom UI components, and a protected audio player that only ever talks to secured backend endpoints. It never handles raw storage URLs or loose blobs — every play action goes through the stream token flow. The project details view includes desktop and mobile screenshot swipers to showcase the experience across devices.
The backend runs on Node.js and Express, using Firebase Admin to read audio from cloud storage and serve it via secure, range-based streaming. Middleware handles IP normalization, token verification, PIN checks, and block logic before any stream is allowed. Every route that touches audio is locked behind this pipeline, ensuring that streaming is possible, but raw file access is not.
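A sketch of the short-lived, IP-bound stream token check described above, as an added example that is not the project's own code. It assumes an HS256 JWT built with Node's built-in crypto module; the secret, the 60-second lifetime, the claim names (trk, ip, exp) and the request shape (req.query.token, req.params.trackId) are all assumptions.

```javascript
// Added example (not the project's code). SECRET, TTL_SECONDS, the claim names
// (trk, ip, exp) and the route shape are assumptions made for illustration.
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: real key comes from server config
const TTL_SECONDS = 60; // assumption: the page only says "short-lived"

const b64u = (s) => Buffer.from(s).toString("base64url");
const sign = (data) => createHmac("sha256", SECRET).update(data).digest("base64url");
const nowSec = () => Math.floor(Date.now() / 1000);

// Collapse IPv4-mapped IPv6 (::ffff:203.0.113.7) so the bound address compares consistently.
function normalizeIp(ip) {
  const s = String(ip || "").trim().toLowerCase();
  return s.startsWith("::ffff:") ? s.slice(7) : s;
}

// Mint an HS256 JWT bound to one track and one client IP.
function issueStreamToken(trackId, ip, now = nowSec()) {
  const header = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const claims = { trk: trackId, ip: normalizeIp(ip), exp: now + TTL_SECONDS };
  const body = b64u(JSON.stringify(claims));
  return `${header}.${body}.${sign(`${header}.${body}`)}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyStreamToken(token, trackId, ip, now = nowSec()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [header, body, sig] = parts;
  // The algorithm is fixed server-side; the header's "alg" field is never consulted.
  const expected = Buffer.from(sign(`${header}.${body}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (now >= claims.exp) return { ok: false, reason: "expired" };
  if (claims.ip !== normalizeIp(ip)) return { ok: false, reason: "ip-mismatch" };
  if (claims.trk !== trackId) return { ok: false, reason: "wrong-track" };
  return { ok: true, claims };
}

// Express-style middleware: runs before any handler that reads audio ranges.
function requireStreamToken(req, res, next) {
  const result = verifyStreamToken(req.query.token, req.params.trackId, req.ip);
  if (!result.ok) return res.status(403).json({ error: "stream token rejected" });
  return next();
}
```

A token like this limits who can request byte ranges and for how long; the bytes a valid client receives during playback are still present on that client.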