7f3fbdc57d
Merge pull request #1095 from bigcapitalhq/fix/plaid-webhook-signature-verification
...
fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)
2026-05-17 23:04:30 +02:00
64e1221640
wip
2026-05-17 20:46:34 +02:00
78fb158b98
fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)
...
POST /api/banking/plaid/webhooks was @PublicRoute() and processed the
body without verifying Plaid's Plaid-Verification JWT, letting any
unauthenticated client replay or fabricate webhook events for a tenant
by guessing a plaidItemId.
Add PlaidWebhookVerificationService that verifies the Plaid-Verification
ES256 JWS using a JWK fetched from plaidClient.webhookVerificationKeyGet
(cached per kid via lru-cache for 24h), enforces a 5-minute iat replay
window through jose.jwtVerify({ maxTokenAge }), and timing-safe compares
the body's SHA-256 against the request_body_sha256 claim. The webhook
controller now consumes the raw body and the plaid-verification header,
runs verification before setupPlaidTenant, and returns 400 Bad Request
on any failure - so no tenant context is ever set for an unsigned or
tampered request.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-05-16 12:19:30 +02:00
a0978b79b3
fix: update pnpm-lock.json file
2026-03-05 23:37:54 +02:00
4d1aa0aa5b
fix: update pnpm-lock.yaml
2026-03-05 23:29:03 +02:00
92843c7240
fix: update the pnpm-lock.yaml
2026-03-03 23:44:47 +02:00
e3c55c5d6f
feat(sdk): add OpenAPI export script and TypeScript SDK package
...
- Add export-openapi.ts script for server OpenAPI spec export
- Add shared/sdk-ts package with generated API clients (accounts, bills, customers, vendors, etc.)
- Update Customers and Vendors controllers
- Update ReportsEventsTracker
- Update .gitignore, package.json, and pnpm-lock
Made-with: Cursor
2026-03-03 23:26:24 +02:00
6193358cc3
feat(server): add bull ui board
2026-01-29 20:37:04 +02:00
57cc513873
fix(webapp): blueprintjs datetime version
2026-01-28 18:14:44 +02:00
31f5cbf335
fix: accounts suggest field
2025-12-21 16:11:01 +02:00
2e21437056
fix: update pnpm-lock.yaml
2025-12-11 00:23:50 +02:00
340b78d968
fix: passing number format to reports
2025-12-11 00:19:55 +02:00
32d74b0413
feat: onboarding pages darkmode ( #867 )
2025-12-03 16:04:46 +02:00
ff04c4b762
wip
2025-11-24 18:58:50 +02:00
caf232d928
feat: migrate from CRA to Vite for speed
2025-11-24 14:19:05 +02:00
41143d8bbd
feat: api endpoints throttle ( #837 )
...
* feat: api endpoints throttle
2025-10-30 22:06:05 +02:00
3bd0e89146
feat: migration commands ( #828 )
...
* feat: migration commands
* Update packages/server/src/modules/CLI/commands/TenantsMigrateRollback.command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update packages/server/src/modules/CLI/commands/TenantsMigrateLatest.command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update packages/server/src/modules/CLI/commands/TenantsList.command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update packages/server/src/modules/CLI/commands/SystemMigrateRollback.command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
* Update packages/server/src/modules/CLI/commands/TenantsMigrateLatest.command.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com >
2025-10-22 21:58:02 +02:00
0477133cda
feat: darkmode skeleton and universal search
2025-10-21 00:14:31 +02:00
803e3980d3
chore: update pnpm-lock.yaml to include new @nestjs/websockets and @nestjs/platform-socket.io versions, and remove CORS configuration from main.ts
2025-10-18 13:31:14 +02:00
84cb7693c8
feat: api keys
2025-07-01 23:05:58 +02:00
88ef60ef28
fix: delete inventory adjustment gl entries
2025-06-15 17:51:44 +02:00
b9755ff01c
refactor(nestjs): import module
2025-04-12 13:39:17 +02:00
55fcc908ef
feat(nestjs): migrate to NestJS
2025-04-07 11:51:24 +02:00
842a862b87
refactor(nestjs): attachments module
2025-04-06 21:13:46 +02:00
682be715ae
refactor: auth module to nestjs
2025-03-30 05:20:50 +02:00
85946d3161
refactor: authentication module to nestjs
2025-03-29 22:29:12 +02:00
173610d0fa
refactor: payment services to nestjs
2025-03-28 23:54:40 +02:00
6461a2318f
refactor: implement tenant database management and seeding utilities
2025-03-27 23:13:17 +02:00
ef22b9ddaf
refactor: subscriptions to nestjs
2025-03-24 23:38:43 +02:00
08de50e2b1
refactor: inventory cost process
2025-03-14 03:51:45 +02:00
67ae7ad037
refactor: inventory cost to nestjs
2025-03-11 22:12:08 +02:00
5c0bb52b59
refactor: tenant proxy providers
2025-02-15 23:52:12 +02:00
9eee0b384d
refactor: nestjs
2025-02-07 20:28:35 +02:00
c4692d1716
refactor: balance sheet to nestjs
2025-01-30 01:57:29 +02:00
dfc5674088
refactor: financial reports to nestjs
2025-01-18 22:32:45 +02:00
6dd854178d
refactor: financial reports to nestjs
2025-01-16 12:58:45 +02:00
e7e7a95aa1
refactor: dynamic list to nestjs
2025-01-14 22:57:54 +02:00
4ab20ac76a
refactor: mail services to nestjs
2025-01-13 16:07:05 +02:00
270b421a6c
refactor: dynamic list to nestjs
2025-01-12 18:22:48 +02:00
6f870ea1e1
refactor: save settings service
2025-01-08 17:17:01 +02:00
52362a43ab
refactor: events tracker to nestjs
2025-01-08 11:59:55 +02:00
1869ba216f
refactor: banking services to Nestjs
2025-01-05 16:26:23 +02:00
515a984714
refactor: migrate to Nestjs
2024-12-30 15:54:53 +02:00
9f9b75cd31
Merge branch 'develop' into migrate-server-nestjs
2024-12-29 11:14:15 +02:00
a6932d76f3
refactor: wip to nestjs
2024-12-25 00:43:55 +02:00
d5dacaa988
feat: add discount and adjustment fields to email templates.
2024-12-03 13:20:19 +02:00
c6db54175f
feat: add ssr email templates rendering
2024-11-19 17:14:13 +02:00
19080a67ab
feat: wip migrate server to nestjs
2024-11-12 23:08:51 +02:00
b2d0f2ed3c
Merge branch 'develop' into add-pdf-templates-package
2024-11-05 17:19:50 +02:00
2646ad5bc4
fix: typing invoice send mail fields
2024-11-04 14:18:47 +02:00
Ahmed Bouhuolia