High-Performance, Secure File Management System built with Next.js 16, MinIO (S3), Redis, and ZITADEL authentication.
- π S3-Compatible Storage - Multi-bucket architecture with MinIO
- π YAML-based RBAC - Enterprise-grade access control with role-based permissions
- β‘ Redis Caching - Lightning-fast permission checks and file listings
- π ZITADEL Auth - OIDC authentication with Auth.js v5
- π Audit Logging - Complete operation tracking
- π¨ Modern UI - Built with Shadcn UI and Tailwind CSS v4
- ποΈ File Preview - In-browser preview for images and PDFs (no download required)
- π³ Docker Ready - Multi-stage production Dockerfile included
| Category | Technology |
|---|---|
| Framework | Next.js 16.1.6 (App Router + Turbopack) |
| Runtime | Node.js 22+ |
| Auth | Auth.js v5 (next-auth@5.0.0-beta.30) + ZITADEL OIDC |
| Storage | MinIO (S3-compatible) |
| Cache | Redis (ioredis) |
| UI | Shadcn UI, Tailwind CSS v4, Lucide Icons |
| Language | TypeScript 5 |
- Node.js 22+ (use
nvm usewith included.nvmrc) - Docker & Docker Compose
- ZITADEL instance (for authentication)
git clone <repo-url>
cd s3-browser
npm installcp .env.local.example .env.local
# Edit .env.local with your configuration# Start MinIO and Redis
npm run docker:up
# MinIO Console: http://localhost:9001
# Redis Commander: http://localhost:8081# Create S3 buckets
npm run init-buckets
# Sync permissions to Redis
npm run sync-permissionsnpm run dev
# Open http://localhost:3000s3-browser/
βββ src/
β βββ app/ # Next.js App Router
β β βββ api/
β β β βββ auth/ # Auth.js v5 handlers
β β β βββ files/ # File operation endpoints
β β β βββ permissions/ # Permission sync endpoint
β β βββ auth/ # Auth pages (signin, error)
β β βββ (dashboard)/ # Protected routes
β β βββ explorer/ # File explorer
β βββ components/
β β βββ explorer/ # File explorer components
β β β βββ FileExplorer.tsx
β β β βββ FileList.tsx
β β β βββ FileItem.tsx
β β β βββ FilePreview.tsx # Image/PDF preview modal
β β β βββ Breadcrumb.tsx
β β β βββ UploadZone.tsx
β β β βββ PermissionBadge.tsx
β β βββ ui/ # Shadcn UI components
β βββ lib/
β β βββ auth.ts # Auth.js v5 configuration
β β βββ redis.ts # Redis client
β β βββ s3-client.ts # S3/MinIO client
β βββ services/
β β βββ s3Service.ts # S3 operations
β β βββ permissionService.ts # RBAC engine
β β βββ cacheService.ts # Redis caching
β β βββ auditService.ts # Audit logging
β β βββ syncService.ts # YAML sync
β βββ types/ # TypeScript types
β βββ proxy.ts # Auth proxy (Next.js 16 pattern)
βββ scripts/
β βββ init-buckets.ts # Bucket initialization
β βββ sync-permissions.ts # Permission sync CLI
βββ permissions.yaml # Permission configuration
βββ Dockerfile # Multi-stage production build
βββ docker-compose.yml # Development services
βββ .nvmrc # Node.js version (22)
βββ .vscode/ # VS Code debug configs
- OWNER - Full control (read, write, delete)
- EDITOR - Read and write access
- VIEWER - Read-only access
roles:
admin:
priority: 100
permissions:
- path: "*"
level: OWNER
engineering:
priority: 50
permissions:
- path: "shared/engineering/*"
level: EDITOR
users:
john@company.com:
priority: 80
permissions:
- path: "projects/secret/*"
level: OWNER
defaults:
authenticated:
permissions:
- path: "shared/public/*"
level: VIEWEREvery user automatically gets OWNER access to their home directory: home/${username}/*
| Endpoint | Method | Description |
|---|---|---|
/api/files/list |
GET | List files in a path |
/api/files/upload-url |
POST | Get presigned upload URL |
/api/files/download-url |
POST | Get presigned download URL |
/api/files/preview-url |
POST | Get presigned preview URL (images/PDF) |
/api/files/create-folder |
POST | Create a new folder |
/api/files/rename |
POST | Rename file/folder |
/api/files/delete |
DELETE | Delete file/folder |
/api/permissions/sync |
POST | Sync permissions to Redis |
The file explorer supports in-browser preview for:
| File Type | Features |
|---|---|
| Images (jpg, png, gif, webp, svg, bmp) | Zoom in/out, Rotate |
| Embedded iframe viewer |
Click the ποΈ (eye) icon on any previewable file to open the preview modal without downloading.
# Auth.js v5
NEXTAUTH_URL=http://localhost:3000
NEXTAUTH_SECRET=your-secret-key
AUTH_TRUST_HOST=true
# ZITADEL
ZITADEL_ISSUER=https://your-instance.zitadel.cloud
ZITADEL_CLIENT_ID=your-client-id
ZITADEL_CLIENT_SECRET=your-client-secret
# MinIO
S3_ENDPOINT=http://localhost:9000
S3_REGION=us-east-1
S3_ACCESS_KEY_ID=minioadmin
S3_SECRET_ACCESS_KEY=minioadmin
S3_BUCKET_USER_FILES=user-files
S3_BUCKET_SHARED_FILES=shared-files
S3_BUCKET_TEMP_UPLOADS=temp-uploads
# Redis
REDIS_URL=redis://localhost:6379
# App Config
MAX_FILE_SIZE_MB=100
ALLOWED_FILE_TYPES=.pdf,.jpg,.png,.doc,.docx,.xls,.xlsx,.zip
PRESIGNED_URL_EXPIRY_SECONDS=3600npm run dev # Start development server (Turbopack)
npm run build # Build for production
npm run start # Start production server
npm run lint # Run ESLint
npm run sync-permissions # Sync permissions.yaml to Redis
npm run init-buckets # Create S3 buckets
npm run docker:up # Start Docker services
npm run docker:down # Stop Docker services# Start MinIO + Redis
docker compose up -d
# Access MinIO Console
open http://localhost:9001# Build and run the app
docker compose --profile app up -d
# Or build manually
docker build -t s3-browser .
docker run -p 3000:3000 --env-file .env.local s3-browser- β All S3 operations are server-side only
- β Presigned URLs with expiration
- β Permission checks before every operation
- β Audit logging for all file access
- β Path sanitization and validation
- β File type and size restrictions
- β CSRF protection with Auth.js v5
- β Server Actions for authentication
The project includes VS Code launch configurations for debugging:
- Next.js: Debug Server - Debug the Next.js server
- Next.js: Full Stack - Debug both server and client
Use nvm use to switch to Node.js 22 before running.
This project requires Node.js 22+. Use the included .nvmrc:
nvm useMIT