2026-05-04 13:38:19 -05:00
# BillTracker
2026-05-03 20:02:32 -05:00
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
< p align = "center" >
2026-05-15 22:52:28 -05:00
< img src = "docs/images/logo_cut.png" alt = "BillTracker logo" >
2026-05-04 14:17:32 -05:00
< / p >
2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00
BillTracker is a private, self-hosted bill planning app for households and
personal finance setups. It tracks recurring bills, monthly cash buckets,
payments, due dates, categories, subscriptions, bank-synced transactions,
imports, exports, backups, and debt payoff plans from one local installation.
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
It runs as a Node/Express app with a React/Vite frontend and stores data in
SQLite. It is designed for people who want their bill data under their own
control instead of inside a third-party budgeting service.
2026-05-29 20:56:17 -05:00
2026-05-04 13:41:06 -05:00
< p align = "center" >
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
Demo Server: https://t1.scheller.ltd/< br >
Username: guest · Password: guest123
2026-05-04 13:41:06 -05:00
< / p >
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
## Highlights
2026-06-04 03:14:54 -05:00
- Monthly tracker with `1st-14th` and `15th-31st` bill buckets
- Quick pay, skipped bills, monthly notes, amount overrides, and inactive bill history ranges
- Period-aware balance cards, overdue command center, pin-due sorting, and compact desktop mode
- Bills, categories, subscriptions, payment history, and custom billing schedules
- SimpleFIN read-only bank sync with manual sync, auto-sync, transaction matching, and merchant rules
- Historical payment import for merchant-rule matches, including month-crossing attribution fixes
- Advisory non-bill filtering with a large pattern catalog for noisy bank transactions
- Debt snowball and avalanche planning with APR math, projections, and amortization schedules
- Calendar, summary, analytics, payoff simulator, and printable views
- XLSX/CSV import, transaction CSV import, user SQLite export/import, Excel export, and admin backups
- Local username/password auth with optional Authentik/OIDC SSO
- Admin tools for users, backups, auth settings, bank sync, cleanup, status, and migrations
- Email and push bill reminders through SMTP, ntfy, Gotify, Discord, or Telegram
- Dark mode, PWA support, offline-ready shell, and keyboard command palette (`Ctrl+K`)
2026-05-15 22:52:28 -05:00
2026-05-04 14:17:32 -05:00
## Screenshots
2026-06-04 03:14:54 -05:00
Screenshots below were refreshed from the linked demo server.
2026-05-04 14:17:32 -05:00
2026-06-04 03:14:54 -05:00

2026-05-04 14:17:32 -05:00
2026-06-04 03:14:54 -05:00

2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00

2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00

2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00

2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00

2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00

2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
## Who This Is For
2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00
BillTracker is built for self-hosters who want a practical bill dashboard
without sending personal finance data to a hosted budgeting product.
2026-05-15 22:52:28 -05:00
Good fit:
- Home servers, NAS boxes, small VPS deployments, Portainer, or Docker Compose
- Single-user or multi-user households
- People who split monthly cash around the 1st and 15th
- Users who want import/export and database backup control
- Authentik/OIDC users who want optional SSO
2026-06-04 03:14:54 -05:00
- SimpleFIN users who want read-only bank transaction syncing
- People managing recurring services, debt, transactions, and monthly bills together
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
Not a replacement for:
2026-05-15 22:52:28 -05:00
- Double-entry accounting
- Investment tracking
- Tax software
2026-06-04 03:14:54 -05:00
- Direct bank connectivity without SimpleFIN
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
Bank sync requires a SimpleFIN Bridge account. BillTracker consumes SimpleFIN
data; it does not host SimpleFIN server endpoints or connect directly to banks.
2026-05-29 20:56:17 -05:00
2026-05-15 22:52:28 -05:00
## Quick Start With Docker
2026-06-04 03:14:54 -05:00
The included Compose file runs the published image on host port `3030` and
stores persistent app data under `/data` inside the container.
2026-05-03 20:02:32 -05:00
```bash
2026-05-15 22:52:28 -05:00
docker compose up -d
```
Open:
```text
http://localhost:3030
2026-05-03 20:02:32 -05:00
```
2026-05-15 22:52:28 -05:00
On first start, seed an admin account with:
```yaml
environment:
INIT_ADMIN_USER: admin
INIT_ADMIN_PASS: change-this-password
```
Optional regular user seed:
```yaml
environment:
INIT_REGULAR_USER: regularuser
INIT_REGULAR_PASS: changeme123
```
2026-06-04 03:14:54 -05:00
Passwords must be at least 8 characters. Remove or rotate first-run seed values
after initial setup.
2026-05-15 22:52:28 -05:00
### Persistent Data
For Docker, keep `/data` mounted. The container defaults to:
```text
DB_PATH=/data/db/bills.db
BACKUP_PATH=/data/backups
```
2026-06-04 03:14:54 -05:00
Back up the mounted `/data` directory like you would any other sensitive
financial data.
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
### HTTPS And Cookies
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
Run BillTracker behind HTTPS for normal use. If TLS terminates at a reverse
proxy, forward:
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
```text
X-Forwarded-Proto: https
```
Recommended production posture:
```bash
HTTPS=true
COOKIE_SECURE=true
CSRF_SECURE=true
CSRF_SAME_SITE=strict
```
For plain HTTP development only:
```bash
COOKIE_SECURE=false
CSRF_SECURE=false
```
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
Leave `CORS_ORIGIN` unset for normal same-origin deployments. Set it only if the
frontend and backend are intentionally served from different origins.
2026-05-29 20:56:17 -05:00
2026-05-15 22:52:28 -05:00
## Node Install
Install dependencies:
2026-05-03 20:02:32 -05:00
```bash
2026-05-15 22:52:28 -05:00
npm install
2026-05-03 20:02:32 -05:00
```
2026-06-04 03:14:54 -05:00
Run the API and Vite UI for development:
2026-05-03 20:02:32 -05:00
```bash
2026-05-15 22:52:28 -05:00
npm run dev
2026-05-03 20:02:32 -05:00
```
2026-05-15 22:52:28 -05:00
Build and start production:
2026-05-03 20:02:32 -05:00
```bash
2026-05-15 22:52:28 -05:00
npm run build
2026-05-03 20:02:32 -05:00
npm start
```
2026-06-04 03:14:54 -05:00
The production server serves `dist/` and listens on `PORT` , defaulting to
`3000` .
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
Useful scripts:
2026-05-03 20:02:32 -05:00
```bash
npm run dev:api
npm run dev:ui
npm run build
2026-05-15 22:52:28 -05:00
npm run check
2026-06-04 03:14:54 -05:00
npm test
2026-05-03 20:02:32 -05:00
npm start
```
2026-05-15 22:52:28 -05:00
`npm run check` runs backend CommonJS syntax checks and a Vite production build.
2026-06-04 03:14:54 -05:00
`npm test` runs the Node test suite in `tests/` .
2026-05-04 13:38:19 -05:00
2026-05-15 22:52:28 -05:00
## Product Map
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
### Tracker
2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00
The Tracker is the main monthly view. It shows active bills for the selected
month, grouped into `1st-14th` and `15th-31st` buckets.
2026-05-04 13:38:19 -05:00
2026-06-04 03:14:54 -05:00
You can record payments, quick-pay bills, skip a bill for the month, add monthly
notes, override monthly amounts, reorder bills, and move between months. Summary
cards show starting cash or bank-tracked balance, total paid, active-period
balance, overdue amount, previous-month paid, and trend.
2026-05-04 13:38:19 -05:00
2026-06-04 03:14:54 -05:00
Compact tracker mode, available on wide screens, adds side-by-side buckets and
quick subscription/autopay/2FA badges.
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
2026-06-04 03:14:54 -05:00
### Bills And Categories
2026-05-15 22:52:28 -05:00
Bills store the recurring source data:
2026-06-04 03:14:54 -05:00
- Name, expected amount, due day, category, and active state
- Monthly, weekly, biweekly, quarterly, annual, and custom billing schedules
- Autopay status, subscription metadata, two-factor badges, and display preferences
- Monthly state such as skip flags, notes, and actual amount overrides
- Optional debt fields such as balance, APR, minimum payment, and snowball flags
- History ranges for inactive or past-only bills
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
Categories support custom colors, icons, descriptions, ordering, restore, and
bill usage previews.
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
### Bank Sync And Data Tools
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
SimpleFIN integration provides read-only bank syncing:
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
- User-pasted SimpleFIN Bridge setup from the Data page
- Manual "Sync Now" and background auto-sync
2026-05-29 20:56:17 -05:00
- 90-day backfill support
2026-06-04 03:14:54 -05:00
- Bank account selection for tracker balance projections
- Merchant rules for matching transactions to bills
- Historical import prompts when a new merchant rule finds prior payments
- Late-attribution prompts or auto-fixes for payments that post just after month end
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
The Data page also handles:
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
- XLSX and CSV spreadsheet import with preview
- Transaction CSV import and column mapping
- Transaction review, matching, ignoring, and status filters
- User SQLite export/import
- Excel workbook export
- Import history with detailed stats
- Demo data seeding for local trials
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
### Subscriptions
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
Subscriptions are tracked as bill-backed recurring services. The page shows
monthly and yearly impact, paused subscriptions, per-cycle amounts, subscription
categories, and recommendations from recurring bank charges.
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
### Snowball And Payoff
2026-05-15 22:52:28 -05:00
The Snowball page focuses on debt payoff planning:
2026-06-04 03:14:54 -05:00
- Dave Ramsey-style snowball mode and avalanche comparison
- Extra monthly payment settings
- Minimum-only baseline vs. accelerated payoff projections
- APR snapshots, amortization schedules, and payoff dates
- Drag ordering, exclusion flags, readiness checks, and saved plans
The Payoff simulator can model a tracked debt or a custom outside debt without
creating a new bill.
2026-05-15 22:52:28 -05:00
### Calendar, Summary, And Analytics
2026-06-04 03:14:54 -05:00
Calendar shows bill due dates, paid dates, skipped bills, month progress, money
markers, cash flow projections, and links back into Tracker or Snowball.
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
Summary handles income, starting amounts, planned expenses, paid status, monthly
planning, reordering, and print-friendly output.
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
Analytics provides spending trends, expected vs. actual views, category
breakdowns, pay-on-time heatmaps, forecasts, filters, and print output.
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
### Admin And Status
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
Admin tools include user management, local/OIDC auth settings, SimpleFIN server
enablement, backups, restore, cleanup, notification settings, status checks, and
database migration operations.
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
The Status page surfaces application, database, runtime, daily worker,
SimpleFIN, notifications, backups, maintenance, tracker, statistics, server
clock, and recent-error health.
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
### Background Workers
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
The daily worker handles:
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
- Autopay marking
- Bill due notifications
- Session cleanup
- Import history pruning
- Backup scheduling
- Bank sync scheduling
2026-05-29 20:56:17 -05:00
2026-06-04 03:14:54 -05:00
Worker status and recent activity are visible from Admin/Status.
2026-05-15 22:52:28 -05:00
## Privacy Model
BillTracker is intended to run privately in your own environment.
- Bill data stays in your SQLite database.
- The app does not use third-party analytics, advertising, or telemetry.
2026-06-04 03:14:54 -05:00
- Bank sync is optional and goes through the user's SimpleFIN Bridge account.
- Login device details shown in Profile are visible to that user in the app UI.
2026-05-15 22:52:28 -05:00
- Optional update checks are for software update availability, not bill-data collection.
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
2026-06-04 03:14:54 -05:00
Admins can manage users, reset passwords, configure authentication, and manage
backups, but normal bill data is scoped to the signed-in user.
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
2026-05-15 22:52:28 -05:00
## Authentication
2026-06-04 03:14:54 -05:00
BillTracker supports local username/password login by default. Admins can create
users, reset passwords, promote or demote users, and activate or deactivate
accounts.
2026-05-15 22:52:28 -05:00
2026-06-04 03:14:54 -05:00
Optional Authentik/OIDC login can be enabled from Admin. OIDC uses authorization
code flow with PKCE, state and nonce validation, and `openid-client` token
validation.
2026-05-15 22:52:28 -05:00
Important behavior:
- Admin role is never granted by default through OIDC.
- OIDC admin access requires a configured admin group.
- Local login cannot be disabled unless OIDC is configured, enabled, and mapped to an admin group.
- The default seeded admin is restricted to admin routes and cannot access personal tracker data.
2026-05-29 20:56:17 -05:00
- OIDC provider name, issuer URL, client ID/secret, redirect URI, scopes, and admin group are configurable via Admin settings with environment variable fallbacks.
2026-05-15 22:52:28 -05:00
See [Authentik-Integration.md ](docs/Authentik-Integration.md ) for setup details.
2026-05-03 20:02:32 -05:00
## Configuration
2026-05-15 22:52:28 -05:00
Most settings are configured in the web UI:
2026-05-04 13:38:19 -05:00
2026-06-04 03:14:54 -05:00
- User settings: Settings and Profile
2026-05-15 22:52:28 -05:00
- Server settings: Admin
- Authentication settings: Admin
2026-06-04 03:14:54 -05:00
- Notification settings: Admin and Profile
2026-05-15 22:52:28 -05:00
- Backup and cleanup settings: Admin
Common environment variables:
2026-05-03 20:02:32 -05:00
```bash
PORT=3000
NODE_ENV=production
2026-05-04 13:38:19 -05:00
DB_PATH=/path/to/bills.db
BACKUP_PATH=/path/to/backups
INIT_ADMIN_USER=admin
INIT_ADMIN_PASS=change-this-password
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
INIT_REGULAR_USER=regularuser
INIT_REGULAR_PASS=changeme123
2026-05-03 20:02:32 -05:00
HTTPS=true
2026-05-04 13:38:19 -05:00
COOKIE_SECURE=true
2026-05-03 20:02:32 -05:00
CORS_ORIGIN=https://bills.example.com
2026-06-04 03:14:54 -05:00
CSRF_HTTP_ONLY=true
docs: update README.md, ERM, FUTURE.md, HISTORY.md
README.md updates:
- Added billing cycles (weekly/biweekly/quarterly/annual), history ranges,
monthly income/starting amounts, migration rollback, audit logging,
auth-mode/OIDC config, CSRF protection details
- Added INIT_REGULAR_USER/PASS and SESSION_CLEANUP_INTERVAL_MS env vars
- Added CSRF env vars (CSRF_HTTP_ONLY, CSRF_SAME_SITE, CSRF_SECURE,
CSRF_COOKIE_NAME)
- Noted export limitation: cycle_type, cycle_day, history_ranges omitted
- Fixed: CSP is now implemented with per-request nonces (was 'deferred')
- Added: default admin restricted from tracker routes, session rotation
on password change, audit logging
- Cleaned up demo server formatting, project structure listing, scripts
- Removed authLogin.js from project structure (file was deleted in v0.23.2)
Engineering_Reference_Manual.md:
- Removed stale authLogin.js duplicate route note (file no longer exists)
- Removed 401/403 error detail from login endpoint (simplified)
- Updated version to 0.23.2
FUTURE.md:
- Marked notification privacy leak (CRITICAL) as FIXED v0.23.2
- Marked duplicate login route (LOW) as FIXED v0.23.2
- Updated current version to v0.23.2
HISTORY.md:
- Added v0.23.2 entry with security fix and route consolidation details
2026-05-10 12:42:45 -05:00
CSRF_SAME_SITE=strict
CSRF_SECURE=true
CSRF_COOKIE_NAME=bt_csrf_token
2026-05-29 20:56:17 -05:00
DATA_IMPORT_ENABLED=true
```
Worker settings:
```bash
WORKER_INTERVAL_MS=86400000
WORKER_AUTOPAY_ENABLED=true
WORKER_NOTIFICATIONS_ENABLED=true
WORKER_SESSION_CLEANUP_ENABLED=true
WORKER_IMPORT_CLEANUP_ENABLED=true
2026-05-03 20:02:32 -05:00
```
2026-06-04 03:14:54 -05:00
OIDC fallback environment variables are used when matching Admin database
settings are blank:
2026-05-03 20:02:32 -05:00
```bash
2026-05-04 13:38:19 -05:00
OIDC_PROVIDER_NAME=authentik
2026-05-15 22:52:28 -05:00
OIDC_ISSUER_URL=https://auth.example.com/application/o/bills/.well-known/openid-configuration
2026-05-04 13:38:19 -05:00
OIDC_CLIENT_ID=< client-id >
OIDC_CLIENT_SECRET=< client-secret >
OIDC_TOKEN_AUTH_METHOD=client_secret_basic
2026-05-03 20:02:32 -05:00
OIDC_REDIRECT_URI=https://bills.example.com/api/auth/oidc/callback
OIDC_SCOPES="openid email profile groups"
OIDC_ADMIN_GROUP=bill-tracker-admins
OIDC_AUTO_PROVISION=true
```
2026-05-04 13:38:19 -05:00
Database-backed Admin settings take precedence over environment fallback values.
2026-06-04 03:14:54 -05:00
Secrets such as OIDC client secrets, SMTP passwords, push tokens, and SimpleFIN
tokens are encrypted at rest. The app generates and stores its encryption key in
the database on first use; no separate encryption-key environment variable is
required.
2026-05-09 13:03:36 -05:00
2026-05-15 22:52:28 -05:00
## Security Notes
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
- Auth is required for user data routes.
- Admin routes require an admin session.
2026-06-04 03:14:54 -05:00
- User-owned bill, category, payment, import, export, transaction, and settings routes derive ownership from the authenticated session.
- CSRF uses a double-submit cookie pattern. The SPA fetches `/api/auth/csrf-token` , stores the token in memory, and sends it as `x-csrf-token` on mutating requests.
- The CSRF cookie defaults to `HttpOnly` ; JavaScript does not need to read it through `document.cookie` .
2026-05-15 22:52:28 -05:00
- Session cookies are HTTP-only and SameSite-protected.
- Password changes rotate the current session and invalidate other sessions.
2026-06-04 03:14:54 -05:00
- Rate limits protect local login, password changes, imports, exports, admin actions, backup actions, and OIDC routes.
2026-05-15 22:52:28 -05:00
- Security headers include CSP nonces and standard hardening headers.
- Audit logging records security-sensitive events such as login, logout, password changes, role changes, CSRF failures, and migration operations.
2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00
Backups and exports can contain sensitive financial data. The app writes SQLite
backup files with restrictive permissions, but backup/export encryption is not
implemented. Protect downloaded files and mounted volumes yourself.
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
## Upgrading
2026-05-04 13:38:19 -05:00
2026-05-15 22:52:28 -05:00
For a Node install:
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
```bash
git pull
npm install
npm run build
npm start
2026-05-03 20:02:32 -05:00
```
2026-05-15 22:52:28 -05:00
Restart your process manager after building.
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
For Docker:
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
```bash
docker compose pull
docker compose up -d
```
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
If you build locally, rebuild the image and recreate the container.
2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00
The app initializes the schema and runs additive migrations on startup. The
Docker entrypoint also runs `scripts/migrate-db.js` before starting unless:
2026-05-04 13:38:19 -05:00
2026-05-15 22:52:28 -05:00
```bash
RUN_DB_MIGRATIONS=false
```
2026-05-04 13:38:19 -05:00
## Project Structure
```text
2026-05-29 20:56:17 -05:00
bill-tracker/
2026-06-04 03:14:54 -05:00
|-- client/ # React app, routes, pages, components, hooks, and API client
| |-- components/ # Shared UI, layout, admin, data, tracker, and snowball components
| |-- contexts/ # React contexts
| |-- hooks/ # Custom React hooks
| |-- lib/ # Client utilities
| `-- pages/ # Route pages
|-- db/ # SQLite schema, migrations, and database helpers
|-- docs/ # Technical references and README screenshots
|-- middleware/ # Auth, CSRF, rate limit, security, and error middleware
|-- routes/ # Express API route handlers
|-- scripts/ # Utility, migration, deployment, and smoke-test scripts
|-- services/ # Business logic for bills, sync, auth, imports, status, workers, etc.
|-- workers/ # Background workers
|-- dist/ # Generated production build
|-- Dockerfile
|-- docker-compose.yml
|-- docker-entrypoint.sh
|-- server.js
`-- vite.config.mjs
2026-05-04 13:38:19 -05:00
```
2026-05-15 22:52:28 -05:00
## Documentation
2026-05-03 20:02:32 -05:00
2026-05-15 22:52:28 -05:00
- [HISTORY.md ](HISTORY.md ): release history
2026-06-04 03:14:54 -05:00
- [Authentik-Integration.md ](docs/Authentik-Integration.md ): Authentik/OIDC setup
- [SIMPLEFIN_CONSUMER_GUARDRAILS.md ](docs/SIMPLEFIN_CONSUMER_GUARDRAILS.md ): SimpleFIN consumer boundaries
2026-05-03 20:02:32 -05:00
2026-05-04 13:38:19 -05:00
## Known Limitations
2026-05-03 20:02:32 -05:00
2026-06-04 03:14:54 -05:00
- Admin backups and user exports are not encrypted by the app.
- Bank sync requires SimpleFIN; direct bank connections are not supported.
2026-05-29 20:56:17 -05:00
- OIDC single logout is not implemented; users must log out from each device separately.
2026-05-04 13:38:19 -05:00
- Rate limiting is in-memory, so counters reset on restart and are not shared across multiple app instances.
2026-05-15 22:52:28 -05:00
- Multiple OIDC providers are not currently supported.
- The XLSX parser dependency has known upstream security advisories; import routes are authenticated, file-size limited, and parse spreadsheet cells as data.
2026-05-03 20:02:32 -05:00
## License
2026-06-04 03:14:54 -05:00
`package.json` declares the project license as ISC. No separate `LICENSE` file is
included in this repository.