GitHub - CSharpTeoMan911/ThetaFTP

Teodor Moldoveanu

About

ThetaDrive is a cross-platform, easily configurable, ready-to-deploy FTP server application that works on both Windows and Linux. It has advanced features such as two-step authentication via SMTP, connection encryption via SSL/TLS, SSL certificate generation, and the ability to customise multiple attributes related to security and databases.

Tech stack

Usage

To download the application, go to the Release section and download the binary executables. For instructions on how to configure the application and details of its behaviour, see the Wiki section of this repository.

FTP features

Upload

Download

Move

Rename

Delete

Security features

Connection encryption

The application can encrypt the client/server connection with the TLS/SSL protocols, using either self-signed certificates or trusted publisher certificates.

Two-step registration

When a user creates an account, the server verifies whether the account already exists. If it does not, the server generates a registration code and stores it in the database. The registration code is associated with the account, and as long as the registration code exists, the account is marked as invalid. The server then sends the registration code to the user's email address and prompts the user for it. If the code the user enters is valid, the server deletes the registration code from the database and sends a log in session key to the user, which both makes the account valid and logs the user in. The registration code expires after 1 hour. If the user does not validate the registration code, both the account and the registration code are deleted from the database.

Two-step authentication

When a user logs in, the server verifies the user's credentials. If they are valid, it generates a log in session key and a log in code, and stores both in the database. The log in code is associated with the log in session key, and as long as that log in code exists, the log in session key is invalid. The server then sends the log in code to the user's email address and prompts the user for it. If the code the user enters is valid, the server deletes the log in code from the database, which makes the log in session key valid. The log in code expires after 2 minutes. If the user does not validate the log in code, both the log in session key and the log in code are deleted from the database.

Log in session validation

For every operation requested by the user, such as uploading or downloading a file, the server asks the client for its log in session key. If the log in session key is expired or invalid, the server logs the user out. If the log in session key is valid, the server processes requests and information only for the account associated with that key, thus preventing malicious attacks.

Salting and hashing

All sensitive information to be stored in the database is both hashed and salted. The hashing algorithm used is SHA512.

Path traversal attack prevention

Each user has a directory associated with their account. Every time a user performs a file system operation, the server processes the path given by the user and verifies that its root is the directory associated with the account. If the path does not have the account's directory as its root, the operation is cancelled. This prevents malicious attacks at the server's directory level and prevents other users' information from being compromised.
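The root check described above can be sketched as follows. This is an added example, not ThetaFTP's own code: the function name, the Python language choice and the directory layout (`alice`, `alice_backup`, `link`) are assumptions made for illustration, and the symlink case assumes a POSIX host. It also shows why the comparison should be made on whole path components after normalisation rather than on a string prefix.

```python
import os
import tempfile

def resolve_in_user_root(user_root: str, requested: str) -> str:
    """Map a client-supplied path into the account directory or raise PermissionError."""
    if "\x00" in requested:
        raise PermissionError("null byte in path")
    root = os.path.realpath(user_root)
    # Client paths are always relative to the account directory, so drop leading
    # separators; backslashes are normalised because clients may run on Windows.
    relative = requested.replace("\\", "/").lstrip("/")
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        # Compare whole path components, not string prefixes.
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise PermissionError(f"path escapes account directory: {requested!r}")
    return candidate

def demo() -> dict:
    """Run constructed requests against a constructed directory layout."""
    requests = [
        "docs/report.txt",
        "/docs/../notes.txt",
        "../alice_backup/secret.txt",
        "..\\alice_backup\\secret.txt",
        "link/alice_backup/secret.txt",
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        alice = os.path.join(base, "alice")
        os.makedirs(os.path.join(alice, "docs"))
        os.makedirs(os.path.join(base, "alice_backup"))  # sibling sharing a name prefix
        os.symlink(base, os.path.join(alice, "link"))    # symlink pointing outside
        for req in requests:
            try:
                resolve_in_user_root(alice, req)
                results[req] = "allowed"
            except PermissionError:
                results[req] = "denied"
        # A plain string-prefix test accepts the sibling directory.
        sibling = os.path.realpath(os.path.join(base, "alice_backup", "secret.txt"))
        results["naive_prefix_accepts_sibling"] = sibling.startswith(os.path.realpath(alice))
    return results
```

The last entry in the result shows the failure mode of a `startswith` comparison: `alice_backup` passes a prefix test against `alice` even though it is a different account's directory.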

SQL injection prevention

The application uses parameterised SQL commands, which in turn escape any special characters in the SQL string, thus making any SQL injection attack impossible.

Posted Jan 18, 2025
