## Summary Follow-up to #623 — addresses security findings **not covered** by the maintainer's draft PR #627. The original scope was larger; out-of-scope changes were reverted (see `revert: drop out-of-scope changes from security round 2`) and are **no longer part of this PR** (details under _Reverted / not included_). ## Changes ### Rate limiting - `routes/api.php`: authenticated API group throttled at `300,1` (per user). An SPA with offline sync + multi-widget dashboards fans out many requests per interaction, so a tighter cap throttled legitimate bursts. - `routes/web.php`: unauthenticated open-banking callback throttled at `30,1` (per IP), enough headroom for browser retries and the iOS PWA → Safari hand-off that can fire the callback twice. - `use-decrypt-transactions.ts`: the legacy decrypt migration loops without backoff (~3 requests per 100 encrypted transactions), so a large account could hit the API throttle and abort the whole migration silently. It now honours Laravel's `Retry-After` header on 429 and retries the same request instead of bailing. ### State token persistence on failure - `AuthorizationController::callback`: clears `state_token` on the connection when EnableBanking session creation fails, preventing a stale token from being replayed. ### Trust proxies hardening - `bootstrap/app.php`: replaced `trustProxies(at: '*')` with an env-based `TRUSTED_PROXIES` config. When unset, no proxy is trusted (Laravel default) instead of trusting every IP. - ⚠️ **Deploy requirement:** production runs behind a reverse proxy / TLS terminator (`Dockerfile.production` + nginx serve HTTP on :80). With `TRUSTED_PROXIES` unset, Laravel stops trusting `X-Forwarded-For`/`X-Forwarded-Proto` → client IPs collapse to the proxy IP (contaminating logs and per-IP throttling) and HTTPS detection breaks. `TRUSTED_PROXIES` **must** be set in the production environment before merge, and should be added to `.env.production.example`. ### XSS-safe Blade-to-JS injection - `app.blade.php`: replaced `{{ }}` Blade syntax inside `<script>` with `@json()` to prevent JS injection via variable content. ### TOCTOU defense-in-depth - `Api/TransactionController::bulkUpdate`: added `->where('user_id', $userId)` to the per-row UPDATE as belt-and-suspenders behind the existing `abort(403)` ownership pre-check. ## Reverted / not included The following were in the original description but were reverted and are **not** in the current diff: - `block-demo` middleware on additional route groups (already present upstream on `routes/settings.php`). - `->limit(500)` / `has_more` / `since` validation on `TransactionSyncController`. ## Notes - `vite.config.ts` appears in the diff only because of an older merge-base; it is identical to `main` and nets to no change (will vanish on rebase). - No tests yet for the `state_token` clearing on `createSession` failure or for the throttles — worth adding before merge (the callback throttle is the most exposed surface). --------- Co-authored-by: Víctor Falcón <victoor89@gmail.com> |
||
|---|---|---|
| .agents/skills | ||
| .claude | ||
| .cursor | ||
| .github | ||
| .opencode/skills | ||
| .pi | ||
| app | ||
| bootstrap | ||
| config | ||
| database | ||
| docker | ||
| docs | ||
| experiments | ||
| lang | ||
| public | ||
| resources | ||
| routes | ||
| screenshots | ||
| scripts | ||
| src/lib/crypto | ||
| storage | ||
| templates/coolify | ||
| tests | ||
| .dockerignore | ||
| .editorconfig | ||
| .env.example | ||
| .env.production.example | ||
| .gitattributes | ||
| .gitignore | ||
| .mcp.json | ||
| .php-cs-fixer.dist.php | ||
| .php-version | ||
| .prettierignore | ||
| .prettierrc | ||
| .release-it.json | ||
| AGENTS.md | ||
| CHANGELOG.md | ||
| CLAUDE.md | ||
| Dockerfile | ||
| Dockerfile.production | ||
| LICENSE.md | ||
| LOCALIZATION.md | ||
| ONBOARDING.md | ||
| README.md | ||
| artisan | ||
| autoresearch-dashboard.md | ||
| autoresearch.jsonl | ||
| autoresearch.md | ||
| autoresearch.sh | ||
| boost.json | ||
| bun.lock | ||
| components.json | ||
| compose.yaml | ||
| composer.json | ||
| composer.lock | ||
| docker-compose.production.yml | ||
| eslint.config.js | ||
| falcode.json | ||
| opencode.json | ||
| package-lock.json | ||
| package.json | ||
| phpstan-baseline.neon | ||
| phpstan.neon | ||
| phpunit.xml | ||
| tsconfig.json | ||
| vite.config.ts | ||
| vitest.config.ts | ||
| vitest.setup.ts | ||
| whispermoney | ||
| worktree.sh | ||
README.md
Deutsch | Español | français | 日本語 | 한국어 | Português | Русский | 中文
Whisper Money
The most secure way to understand your finances.
Whisper Money is a privacy-first personal finance application that helps you track, categorize, and understand your spending—all while keeping your financial data encrypted and secure.
🎮 Try the Demo: Experience Whisper Money with our demo account - no registration required!
💬 Join our Community: Whether you're a user looking for help or a developer wanting to contribute, we'd love to have you in our Discord server! Share feedback, ask questions, discuss new features, or just hang out with fellow privacy enthusiasts.
Features
- 🔐 Privacy-first — Your data is never shared with third parties. You own it
- 🏦 Bank account management — Track multiple accounts in one place
- 📊 Transaction categorization — Automatic and manual categorization
- 🤖 Automation rules — Set up rules to auto-categorize transactions
- 📈 Financial insights — Understand your spending patterns
Tech Stack
- Backend: Laravel 12, PHP 8.4
- Frontend: React 19, Inertia.js v2, TypeScript
- Styling: Tailwind CSS v4
- Database: MySQL
- Cache/Queue: Redis
- Testing: Pest v4
Running Locally
Quick Start (Recommended)
The easiest way to get started is using our automated setup script:
bash <(curl -fsSL https://whisper.money/setup.sh)
After installation, just visit https://whisper.money.localhost in your browser.
Manual Setup
If you prefer to set up manually:
- Clone the repository:
git clone https://github.com/whisper-money/whisper-money.git
cd whisper-money
- Run the setup script:
whispermoney install
Available Commands
Important: You must run
whispermoney installbefore using any other command. If you skip the install step, commands likestartwill not work.
Once installed, you can use the whispermoney command for common tasks:
# Start all services
whispermoney start
# Stop all services
whispermoney stop
# Upgrade to latest version
whispermoney upgrade
# Interactive menu
whispermoney
Development Server
For active development with hot reloading:
composer run dev
This will concurrently start:
- PHP development server (via Portless HTTPS proxy)
- Queue worker
- Log viewer (Pail)
- Vite dev server
The application will be available at https://dev.whisper.money.localhost. In git worktrees, the branch name is automatically prepended (e.g. https://fix-ui.dev.whisper.money.localhost).
Running with Docker (Production Image)
For testing the production Docker image locally:
- Copy the production environment file:
cp .env.production.example .env
- Start the services:
docker compose -f docker-compose.production.yml up -d
The application will be available at http://localhost:8080.
To use a different port, set APP_PORT:
APP_PORT=3000 docker compose -f docker-compose.production.yml up -d
Deploying to Coolify
Whisper Money can be easily deployed to Coolify using our Docker Compose template.
Quick Deploy
- In Coolify, create a new resource and select Docker Compose
- Choose Empty Compose File as the source
- Paste the contents from our template: 👉 whisper-money.yaml
- Deploy!
The template includes:
- Whisper Money application container
- MySQL 8.0 database with health checks
- Persistent volumes for data and storage
- Auto-generated database credentials
Required Environment Variables
| Variable | Description |
|---|---|
RESEND_API_KEY |
Email service API key (for password resets, notifications) |
Note:
APP_KEYandAPP_URLare auto-configured. The container generates anAPP_KEYon first startup if not provided.
Optional Environment Variables
| Variable | Default | Description |
|---|---|---|
DRIP_EMAILS_ENABLED |
true |
Enable drip emails (welcome, onboarding, feedback) |
HIDE_AUTH_BUTTONS |
false |
Hide login/register buttons on landing page |
SUBSCRIPTIONS_ENABLED |
false |
Enable Stripe subscriptions |
STRIPE_KEY |
- | Stripe publishable key |
STRIPE_SECRET |
- | Stripe secret key |
STRIPE_WEBHOOK_SECRET |
- | Stripe webhook signing secret |
Star History
License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.