T

Ahmed Bouhuolia 7efac090a9 fix(server): prevent cross-tenant access via organization-id header

Resolve a CLS middleware in App.module.ts to copy the request
`organization-id` header straight into `cls.organizationId`, which the
TenancyDB factory used to pick the per-tenant database. The JWT path
never set `organizationId` from the authenticated user, and
TenancyGlobalGuard only checked that the header was present — so any
authenticated user could read or write another tenant's database by
sending their own JWT plus the victim's `organization-id`.

Make the JWT-resolved tenant the source of truth and validate the
header at the edge:

- AuthSigninService.verifyPayload now loads the user's tenant and sets
  `cls.organizationId` from `tenant.organizationId`, mirroring the
  API-key path in AuthApiKeyAuthorizeService.
- TenancyGlobalGuard rejects with `Organization mismatch.` when the
  request header disagrees with the CLS value set by the auth guard.
- App.module.ts no longer seeds `cls.organizationId` from the
  attacker-controlled request header.

GHSA-2g96-86rw-qmvg

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-15 20:43:14 +02:00

.claude

feat: Update Node.js version to 18.16.1 in .nvmrc and add CLAUDE.md for project settings

2026-03-01 23:55:35 +02:00

.cursor/commands

feat: init speckit for cursor

2025-10-18 21:38:21 +02:00

.github

Merge pull request #1045 from bigcapitalhq/self-contained-e2e-github-action

2026-03-15 23:49:49 +02:00

.husky

fix(repo): replace usage of yarn with pnpm/pnpx

2024-04-21 20:34:35 -04:00

.specify

feat: init speckit for cursor

2025-10-18 21:38:21 +02:00

.vscode

feat: optimize sale estimate form performance.

2020-11-12 20:44:22 +02:00

bin

chore: add .gitkeep directory

2023-02-07 19:28:38 +02:00

docker

fix(scripts): db migration dockerfile

2026-01-31 15:31:17 +02:00

e2e

refactor: split the services to multiple service classes (#202 )

2023-08-10 20:29:39 +02:00

packages

fix(server): prevent cross-tenant access via organization-id header

2026-05-15 20:43:14 +02:00

shared

chore(sdk): update OpenAPI spec and generated types

2026-05-12 08:56:28 +00:00

test

wip

2026-01-15 22:04:51 +02:00

.all-contributorsrc

docs: add Daniel15 as a contributor for bug, and code (#865 )

2025-12-02 01:42:54 +02:00

.dockerignore

fix(ci): dockerfile build script

2026-01-28 23:40:32 +02:00

.env.example

fix(server): Dockerfile

2026-01-09 23:38:52 +02:00

.gitattributes

feat: set default value to env vars

2023-06-06 20:37:42 +02:00

.gitignore

feat(sdk): add OpenAPI export script and TypeScript SDK package

2026-03-03 23:26:24 +02:00

.gitpod.yml

chore: configure Gitpod

2023-11-05 02:58:48 +02:00

.nvmrc

feat: Update Node.js version to 18.16.1 in .nvmrc and add CLAUDE.md for project settings

2026-03-01 23:55:35 +02:00

CHANGELOG.md

chore: update CHANGELOG

2024-12-09 12:23:46 +02:00

commitlint.config.js

chore: add husky for commit message lint

2023-02-07 20:24:44 +02:00

CONTRIBUTING.md

Update commands in contributing docs

2025-11-20 21:08:40 -08:00

DISCLAIMER

chore: switch to AGPL to protect networks

2023-04-05 04:38:06 +02:00

docker-compose.prod.yml

fix(ci): dockerfile build script

2026-01-28 23:40:32 +02:00

docker-compose.yml

fix(server): Dockerfile

2026-01-09 23:38:52 +02:00

launch.json

refactor(nestjs): organization build

2025-04-02 12:04:03 +02:00

lerna.json

feat: Lerna shared

2024-10-06 17:20:28 +02:00

LICENSE

chore: switch to AGPL to protect networks

2023-04-05 04:38:06 +02:00

package.json

wip

2026-03-27 16:11:33 +02:00

playwright.config.ts

Merge pull request #1045 from bigcapitalhq/self-contained-e2e-github-action

2026-03-15 23:49:49 +02:00

pnpm-lock.yaml

fix: update pnpm-lock.json file

2026-03-05 23:37:54 +02:00

pnpm-workspace.yaml

feat: Lerna shared

2024-10-06 17:20:28 +02:00

README.md

docs: add Daniel15 as a contributor for bug, and code (#865 )

2025-12-02 01:42:54 +02:00

setup.sh

fix(scripts): db migration dockerfile

2026-01-31 15:31:17 +02:00

vercel.json

feat: migrate from CRA to Vite for speed

2025-11-24 14:19:05 +02:00

README.md

Simple, smart online accounting software for small and medium businesses.

Bigcapital Cloud

What's Bigcapital?

Bigcapital is a smart and open-source accounting and inventory software, Bigcapital keeps all business finances in right place and automates accounting processes to give the business powerful and intelligent financial statements and reports to help in making decisions.

Getting Started

We've got serveral options on dev and prod depending on your need to get started quickly with Bigcapital.

Self-hosted

Bigcapital is available open-source under AGPL license. You can host it on your own servers using Docker.

Docker

To get started with self-hosted with Docker and Docker Compose, take a look at the Docker guide.

Development

Local Setup

To get started locally, we have a guide to help you.

Gitpod

Click the Gitpod button below to open this project in development mode.
This will open and configure the workspace in your browser with all the necessary dependencies.

Headless Accounting

You can integrate Bigcapital API with your system to organize your transactions in double-entry system to get the best financial reports.

Resources

Documentation - Learn how to use.
API Reference - API reference docs
Contribution - Welcome to any contributions.
Discord - Ask for help.
Bug Tracker - Notify us new bugs.

Changelog

Please see Releases for more information what has changed recently.

Contact us

Meet our sales team for any commercial inquiries.

Recognition

Contributors

Thanks goes to these wonderful people (emoji key):

_{Ahmed Bouhuolia} 💻	_{Ameir Abdeldayem} 🐛	_ElforJani13 💻	_{Lars Scheibling} 🐛	_{Suhaib Affan} 💻	_{Kalliopi Pliogka} 🐛	_{Robert Koch} 💻
_{Casper Schuijt} 🐛	_ANasouf 💻	_{Ragnar Laud} 🐛	_Asena 🐛	_{Ben Snyder} 💻	_{Vederis Leunardus} 💻	_{Chris Cantrell} 🐛
_Denis 🐛	_{Sachin Mittal} 🐛	_{Camilo Oviedo} 💻	_Mantey 🐛	_{Daniel Lo Nigro} 🐛 💻

This project follows the all-contributors specification. Contributions of any kind welcome!

Languages

TypeScript 97.1%

SCSS 1.9%

Shell 0.4%

HTML 0.3%

JavaScript 0.2%