StreamVault

StreamVault is a Flask and MySQL backend for managing a streaming platform's catalog, productions, and viewer feedback. It authenticates customers and employees with bcrypt-hashed passwords and role-based access control, gives employees full CRUD over series, episodes, production houses, and contracts, and gives customers a feedback and profile flow. A self-service password-reset path issues expiring single-use tokens, and an analytics dashboard surfaces viewer and ratings trends through six advanced SQL queries with query-level caching.

A streaming-platform backend needs to authenticate two different user roles safely, stay correct under concurrent writes, close off SQL injection everywhere, not just in the obvious form fields, and turn raw catalog data into queryable business insight rather than plain CRUD.

Built for a streaming platform's two user roles: viewers browsing and reviewing series, and staff managing the catalog, productions, and contracts.

Flask routes for customer and employee workflows sit behind a shared authentication layer that hashes passwords with bcrypt and enforces access through a role_required decorator. Every query, including pagination's LIMIT/OFFSET, runs through a parameterized data-access layer in db.py, so user input is never concatenated into SQL. A transaction() context manager wraps writes with deadlock detection (MySQL error codes 1213/1205) and automatic retry, keeping each transaction short and touching tables in a consistent order to limit contention. The analytics dashboard runs six SQL queries, multi-table joins, a correlated subquery, a CTE-based tier classification, a UNION-based regional comparison, and top-N/bottom-N rankings, with results cached in memory and rendered through Chart.js.

Built as a 3-person NYU coursework team, I implemented the backend end-to-end: the Flask application factory and configuration, the authentication and RBAC system, the parameterized data-access layer, the deadlock-retry transaction wrapper, the customer and employee route handlers, the forgot-password flow, and the analytics dashboard's six SQL queries.

• Implemented bcrypt password hashing (cost factor 12) with a timing-safe comparison for login.
• Built role-based access control with a role_required decorator gating employee-only routes.
• Closed the one SQL-injection gap in the data-access layer by replacing string-interpolated LIMIT/OFFSET pagination with parameterized queries.
• Wrote a deadlock-retry transaction wrapper that detects MySQL error codes 1213 and 1205 and retries up to 3 times.
• Designed the forgot-password flow: a secrets.token_urlsafe(32) reset token, single-use enforcement, a 60-minute expiry, and an enumeration-resistant generic response.
• Built the analytics dashboard's six SQL business queries: joins, a correlated subquery, a CTE, a UNION set comparison, and top-N/bottom-N rankings, with in-memory query caching.

Validated through the documented demo-account flows for both roles (an employee admin account and four customer accounts) and the README's recorded UI walkthrough, with the parameterized-query and bcrypt-hashing approach verified directly in the data-access and security modules.

Implemented full authentication and role-based access control for customer and employee workflows, a parameterized data-access layer with no string-interpolated SQL, a deadlock-retry transaction wrapper, and an analytics dashboard backed by six advanced SQL queries spanning joins, a correlated subquery, a CTE, a UNION set operator, and top-N/bottom-N rankings.

The deadlock-retry transaction wrapper keeps writes short, accesses tables in a consistent order, and automatically retries on MySQL deadlock or lock-wait-timeout errors before surfacing a failure.

Validated through local MySQL execution, demo-account workflows, and the documented project walkthrough.