T

Ahmed Bouhuolia 78fb158b98 fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)

POST /api/banking/plaid/webhooks was @PublicRoute() and processed the
body without verifying Plaid's Plaid-Verification JWT, letting any
unauthenticated client replay or fabricate webhook events for a tenant
by guessing a plaidItemId.

Add PlaidWebhookVerificationService that verifies the Plaid-Verification
ES256 JWS using a JWK fetched from plaidClient.webhookVerificationKeyGet
(cached per kid via lru-cache for 24h), enforces a 5-minute iat replay
window through jose.jwtVerify({ maxTokenAge }), and timing-safe compares
the body's SHA-256 against the request_body_sha256 claim. The webhook
controller now consumes the raw body and the plaid-verification header,
runs verification before setupPlaidTenant, and returns 400 Bad Request
on any failure - so no tenant context is ever set for an unsigned or
tampered request.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-16 12:19:30 +02:00

.claude

feat: Update Node.js version to 18.16.1 in .nvmrc and add CLAUDE.md for project settings

2026-03-01 23:55:35 +02:00

.cursor/commands

feat: init speckit for cursor

2025-10-18 21:38:21 +02:00

.github

Merge pull request #1045 from bigcapitalhq/self-contained-e2e-github-action

2026-03-15 23:49:49 +02:00

.husky

fix(repo): replace usage of yarn with pnpm/pnpx

2024-04-21 20:34:35 -04:00

.specify

feat: init speckit for cursor

2025-10-18 21:38:21 +02:00

.vscode

feat: optimize sale estimate form performance.

2020-11-12 20:44:22 +02:00

bin

chore: add .gitkeep directory

2023-02-07 19:28:38 +02:00

docker

fix(scripts): db migration dockerfile

2026-01-31 15:31:17 +02:00

e2e

refactor: split the services to multiple service classes (#202 )

2023-08-10 20:29:39 +02:00

packages

fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)

2026-05-16 12:19:30 +02:00

shared

chore(sdk): update OpenAPI spec and generated types

2026-05-12 08:56:28 +00:00

test

wip

2026-01-15 22:04:51 +02:00

.all-contributorsrc

docs: add Daniel15 as a contributor for bug, and code (#865 )

2025-12-02 01:42:54 +02:00

.dockerignore

fix(ci): dockerfile build script

2026-01-28 23:40:32 +02:00

.env.example

fix(server): Dockerfile

2026-01-09 23:38:52 +02:00

.gitattributes

feat: set default value to env vars

2023-06-06 20:37:42 +02:00

.gitignore

feat(sdk): add OpenAPI export script and TypeScript SDK package

2026-03-03 23:26:24 +02:00

.gitpod.yml

chore: configure Gitpod

2023-11-05 02:58:48 +02:00

.nvmrc

feat: Update Node.js version to 18.16.1 in .nvmrc and add CLAUDE.md for project settings

2026-03-01 23:55:35 +02:00

CHANGELOG.md

chore: update CHANGELOG

2024-12-09 12:23:46 +02:00

commitlint.config.js

chore: add husky for commit message lint

2023-02-07 20:24:44 +02:00

CONTRIBUTING.md

Update commands in contributing docs

2025-11-20 21:08:40 -08:00

DISCLAIMER

chore: switch to AGPL to protect networks

2023-04-05 04:38:06 +02:00

docker-compose.prod.yml

fix(ci): dockerfile build script

2026-01-28 23:40:32 +02:00

docker-compose.yml

fix(server): Dockerfile

2026-01-09 23:38:52 +02:00

launch.json

refactor(nestjs): organization build

2025-04-02 12:04:03 +02:00

lerna.json

feat: Lerna shared

2024-10-06 17:20:28 +02:00

LICENSE

chore: switch to AGPL to protect networks

2023-04-05 04:38:06 +02:00

package.json

wip

2026-03-27 16:11:33 +02:00

playwright.config.ts

Merge pull request #1045 from bigcapitalhq/self-contained-e2e-github-action

2026-03-15 23:49:49 +02:00

pnpm-lock.yaml

fix(server): verify Plaid webhook signatures (GHSA-g56w-g54f-whq5)

2026-05-16 12:19:30 +02:00

pnpm-workspace.yaml

feat: Lerna shared

2024-10-06 17:20:28 +02:00

README.md

docs: add Daniel15 as a contributor for bug, and code (#865 )

2025-12-02 01:42:54 +02:00

setup.sh

fix(scripts): db migration dockerfile

2026-01-31 15:31:17 +02:00

vercel.json

feat: migrate from CRA to Vite for speed

2025-11-24 14:19:05 +02:00

README.md

Simple, smart online accounting software for small and medium businesses.

Bigcapital Cloud

What's Bigcapital?

Bigcapital is a smart and open-source accounting and inventory software, Bigcapital keeps all business finances in right place and automates accounting processes to give the business powerful and intelligent financial statements and reports to help in making decisions.

Getting Started

We've got serveral options on dev and prod depending on your need to get started quickly with Bigcapital.

Self-hosted

Bigcapital is available open-source under AGPL license. You can host it on your own servers using Docker.

Docker

To get started with self-hosted with Docker and Docker Compose, take a look at the Docker guide.

Development

Local Setup

To get started locally, we have a guide to help you.

Gitpod

Click the Gitpod button below to open this project in development mode.
This will open and configure the workspace in your browser with all the necessary dependencies.

Headless Accounting

You can integrate Bigcapital API with your system to organize your transactions in double-entry system to get the best financial reports.

Resources

Documentation - Learn how to use.
API Reference - API reference docs
Contribution - Welcome to any contributions.
Discord - Ask for help.
Bug Tracker - Notify us new bugs.

Changelog

Please see Releases for more information what has changed recently.

Contact us

Meet our sales team for any commercial inquiries.

Recognition

Contributors

Thanks goes to these wonderful people (emoji key):

_{Ahmed Bouhuolia} 💻	_{Ameir Abdeldayem} 🐛	_ElforJani13 💻	_{Lars Scheibling} 🐛	_{Suhaib Affan} 💻	_{Kalliopi Pliogka} 🐛	_{Robert Koch} 💻
_{Casper Schuijt} 🐛	_ANasouf 💻	_{Ragnar Laud} 🐛	_Asena 🐛	_{Ben Snyder} 💻	_{Vederis Leunardus} 💻	_{Chris Cantrell} 🐛
_Denis 🐛	_{Sachin Mittal} 🐛	_{Camilo Oviedo} 💻	_Mantey 🐛	_{Daniel Lo Nigro} 🐛 💻

This project follows the all-contributors specification. Contributions of any kind welcome!

Languages

TypeScript 97.1%

SCSS 1.9%

Shell 0.4%

HTML 0.3%

JavaScript 0.2%