Stream-Forge is a smart, fast, and secure media downloader built on top of Node.js and yt-dlp.
It provides a clean backend API and a lightweight frontend UI to download videos and audio from supported platforms with proper validation, error handling, and production-grade file management.
- 🎥 Download videos in multiple resolutions
- 🎧 Extract audio (MP3 / best available)
- 📄 Metadata extraction (title, duration, format, size)
- 🛡️ Input validation & path traversal protection
- ⚡ Streaming-based downloads (no full buffering)
- 🧹 Automatic cleanup of temporary files
- 📦 Simple REST API
- 🖥️ Minimal frontend UI
- Node.js
- Express.js
- yt-dlp (CLI integration)
- Native `fs` streams
- HTML
- CSS
- Vanilla JavaScript
- Child processes (`spawn`)
- MIME-type validation
- Secure file handling
- Node.js ≥ 18
- Python ≥ 3.8
- yt-dlp installed globally
pip install -U yt-dlp
Verify installation:
yt-dlp --version
2️⃣ Clone the Repository
git clone https://github.com/your-username/stream-forge.git
cd stream-forge
3️⃣ Install Dependencies
npm install
4️⃣ Run the Server
npm start
Server will start at:
http://localhost:3000
🔌 API Endpoints
▶️ Download Video
POST /api/download/video
{"url":"https://example.com/video"}
🎧 Download Audio
POST /api/download/audio
{"url":"https://example.com/video"}
📄 Fetch Metadata
POST /api/download/info
{"url":"https://example.com/video"}
🔐 Security Considerations
Path traversal protection (../, absolute paths)
Strict URL validation
No arbitrary command execution
Output directory isolation
Controlled child process execution
❌ Not Acceptable
Passing user input directly to shell
Writing files outside controlled directories
Blocking the event loop with synchronous I/O
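The controls listed above, sketched as an added example (this is not Stream-Forge's own code). The `downloads` directory, the function names and the 2048-character limit are assumptions made for illustration.

```javascript
const path = require("node:path");
const { spawn } = require("node:child_process");

// Assumed layout: every download lands under this directory (hypothetical name).
const DOWNLOAD_ROOT = path.resolve("downloads");

// Strict URL validation: absolute http(s) URL, bounded length, no embedded credentials.
function validateUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not parseable as an absolute URL (this also rejects "-o /tmp/x")
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Output directory isolation: resolve the name, then confirm it is still inside the root.
function resolveOutputPath(name) {
  if (typeof name !== "string" || name === "" || name.includes("\0")) return null;
  const target = path.resolve(DOWNLOAD_ROOT, name);
  const rel = path.relative(DOWNLOAD_ROOT, target);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return rel === "" || escapes ? null : target;
}

// Arguments are passed as an array, never as one shell string.
// "--" ends option parsing, so the URL can only be read as a positional argument.
function buildArgs(url, outputPath) {
  return ["--no-playlist", "-o", outputPath, "--", url];
}

// Controlled child process: validated inputs only, no shell in between.
function startDownload(rawUrl, fileName) {
  const url = validateUrl(rawUrl);
  const out = resolveOutputPath(fileName);
  if (!url || !out) throw new Error("invalid input");
  // The caller must still handle the "error" event, stderr and the exit code.
  return spawn("yt-dlp", buildArgs(url, out), { shell: false, stdio: ["ignore", "pipe", "pipe"] });
}
```

Checking the relative path after `path.resolve` catches both `../` sequences and absolute paths, which a string search for `..` alone would miss or over-block.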
⚡ Performance Notes
Uses streams, not buffers
yt-dlp runs in a child process
Backpressure handled by OS pipes
Safe for concurrent downloads (within system limits)
For high traffic:
Add rate limiting
Add a download queue
Move to a worker-based execution model
📈 Future Improvements
Redis-based job queue
WebSocket-based progress tracking
User authentication
Cloud storage (S3-compatible)
Docker & production deployment support
Rate limiting and abuse prevention
🧪 Development Notes
Keep controllers thin
Validate input before spawning processes
Always handle stderr and exit codes
Never trust external URLs blindly
📝 License
MIT License
Use responsibly.
👨💻 Author
Abhishek Ganeshe
Backend Engineer | System Design | Application Security
Stream-Forge is built with a production-first mindset — correctness, safety, and scalability over shortcuts.