52 KiB

Raw Blame History

Engineering Reference Manual — Bill Tracker

Status: Current code reference Last Updated: 2026-05-10 Version: 0.23.1 Primary stack: Node.js + Express, React + Vite, SQLite via better-sqlite3

This manual reflects the current application code in server.js, routes/, services/, middleware/, db/, client/, package.json, Dockerfile, and docker-compose.yml. It is written as a current-state reference, not a changelog.

1. System Overview

Bill Tracker is a self-hosted bill management application. It supports:

Local username/password authentication, optional single-user mode, and optional Authentik/OIDC login.
User-scoped bills, categories, payments, monthly bill overrides, monthly income, and starting cash buckets.
Admin user management, backup/restore, cleanup, auth-mode/OIDC configuration, status checks, and migration rollback.
Spreadsheet and user-SQLite import workflows.
CSV, Excel, and user-SQLite export workflows.
SMTP-based bill due notifications.
React SPA frontend with protected user/admin routes and CSRF-protected JSON APIs.

Runtime flow:

server.js initializes SQLite through db/database.js, runs schema/migrations, seeds defaults/admin user, cleans expired sessions, then starts Express.
Express applies security headers, JSON body parsing, cookies, CSRF token provisioning, route-level CSRF/auth/rate-limit middleware, static dist/ serving, and JSON error formatting.
Route files under routes/ validate input, enforce ownership through req.user.id, and use service modules for business logic.
React under client/ calls /api/* through client/api.js with credentials: include and CSRF headers on mutating methods.

2. Project Layout

server.js — Express entry point and route mounting.
routes/ — HTTP API handlers.
services/ — auth, OIDC, backup, cleanup, notification, import, status, audit business logic.
middleware/ — auth guards, CSRF, rate limits, security headers, error formatting.
db/schema.sql — base SQLite schema.
db/database.js — DB connection, migrations, defaults, settings, rollback support.
workers/dailyWorker.js — scheduled notification/cleanup worker entry.
client/ — React SPA.
dist/ — generated Vite build output served by Express.
Dockerfile, docker-compose.yml, docker-entrypoint.sh — container deployment.

3. Backend Entry Point and Middleware

`server.js`

Server defaults:

Port: PORT || 3000.
Static frontend: dist/.
Optional CORS: enabled when CORS_ORIGIN is set; credentials allowed.
Session cleanup: runs on startup and every SESSION_CLEANUP_INTERVAL_MS || 86400000 ms.
Admin seed: INIT_ADMIN_USER || admin; INIT_ADMIN_PASS or generated/default behavior in db/database.js.
Environment variables INIT_ADMIN_USER and INIT_ADMIN_PASS (or INIT_REGULAR_USER + INIT_REGULAR_PASS) skip the first-login flow entirely by pre-seeding users with first_login=0 flags via setup/firstRun.js.
Optional regular-user seed: INIT_REGULAR_USER + INIT_REGULAR_PASS; password must be at least 8 chars.

Global middleware order:

securityHeaders
optional cors
express.json()
cookieParser()
csrfTokenProvider
mounted API routers with route-level rate-limit/auth/CSRF middleware
static legacy/, redirect /login.html to /login, static dist/
SPA fallback GET * serving dist/index.html after ensuring a CSRF token cookie
errorFormatter
final JSON error handler for malformed JSON/body size/runtime errors

Authentication middleware

middleware/requireAuth.js exports:

requireAuth: attaches req.user from bt_session; in single-user mode attaches the configured active regular user without a session.
requireUser: permits user and admin roles but blocks the default admin account from tracker access.
requireAdmin: requires req.user.role === 'admin'.

CSRF middleware

middleware/csrf.js:

Cookie name: CSRF_COOKIE_NAME || bt_csrf_token.
Header name: x-csrf-token.
Defaults: CSRF_HTTP_ONLY !== false, CSRF_SAME_SITE || strict, CSRF_SECURE !== false.
csrfTokenProvider sets a token cookie on responses.
csrfMiddleware validates mutating requests unless req.csrfSkip is set. Token may come from header, query, or body and must match cookie.
Failures return 403 and audit csrf.failure.

Rate limits

Defined in middleware/rateLimiter.js:

Login: 10 / 15 min.
Password changes: 5 / 15 min.
Import: 20 / 15 min.
Export: 30 / 15 min.
Admin actions: 30 / 15 min.
OIDC: 20 / 15 min.
Backup operations: 5 / 60 min.
Demo-data clear: 3 / 15 min.

Rate-limit responses are JSON: { "error": "..." }.

Security headers

middleware/securityHeaders.js sets CSP with a per-request nonce plus common hardening headers. Static SPA scripts/styles must comply with the generated CSP.

Error formatting

middleware/errorFormatter.js standardizes route responses into JSON with error, code, and optional field. Common statuses: 400 validation, 401 auth, 403 forbidden, 404 not found, 409 conflict, 429 rate limit, 500 server error.

4. Services

`services/authService.js`

Cookie: bt_session.
Session lifetime: 7 days.
Password hashing: bcrypt, cost 12.
Functions:
- login(username, password) — verifies active local user, rejects OIDC-only accounts, cleans expired sessions for that user, creates a new session, updates last_login_at, and returns {sessionId, user} or null.
- createSession(userId) — creates a session for an OIDC-provisioned or existing local user after validating that the user is active.
- logout(sessionId) — deletes one session.
- getSessionUser(sessionId) — returns public user fields when the session exists, is unexpired, and belongs to an active user.
- rotateSessionId(oldSessionId, userId) — validates the current session, deletes it, and inserts a replacement session in a transaction. Password changes use this to prevent session fixation.
- invalidateOtherSessions(userId, keepSessionId) — deletes all sessions for a user except the supplied current session; when keepSessionId is null, deletes every session for that user.
- pruneExpiredSessions() — deletes expired sessions.
- publicUser(user) — strips password/session secrets and normalizes booleans.

Password changes through /api/auth/change-password update the password hash, clear must_change_password, stamp last_password_change_at, invalidate all other sessions, rotate the current session ID when a valid session cookie is present, set a replacement bt_session cookie, and audit password.change.

/api/auth/logout-all calls invalidateOtherSessions(req.user.id, null), deletes the current cookie session if present, audits logout.all, clears bt_session, and returns {success:true}.

`services/oidcService.js`

Handles Authentik/OIDC login with openid-client:

Reads settings first, then env fallbacks: issuer URL, client ID/secret, redirect URI, token auth method, scopes, provider name, admin group, auto-provision flag.
Builds PKCE login state in oidc_states.
Discovers provider and caches OIDC client for 1 hour.
Exchanges callback code, verifies nonce/state, maps claims to local user.
Role mapping uses configured admin group; default role is user.
Client secret is write-only through admin settings.

`services/backupService.js`

Backup directory: BACKUP_PATH || backups/.
Valid backup IDs match managed prefixes only: bill-tracker-backup, pre-restore, imported-backup, scheduled-backup.
Creates SQLite backups with checksum and metadata.
Validates uploads by SQLite integrity_check and optional SHA-256 checksum.
Restore creates a pre-restore backup before swapping DB.
Path traversal is prevented by ID regex and path.relative checks.

`services/backupScheduler.js`

Validates daily/weekly schedule, HH:MM time, retention count 1-365.
Stores schedule settings in settings.
Uses node-cron, supports run-now, reload, next-run status, and retention cleanup.

`services/cleanupService.js`

Cleanup tasks:

Expired import sessions.
Stale temp SQLite export files in OS temp dir.
Orphan .partial/.upload backup files.
Optional old import-history pruning.

Settings are stored in settings; run results are stored as JSON.

`services/notificationService.js`

Builds SMTP transport from global notification settings.
Sends test email to an admin-provided address.
Runs due-bill notifications for 3 days, 1 day, due today, and overdue.
De-duplicates sends via notifications unique key.
Recipients come from user notification settings when enabled/allowed or global recipient settings.

`services/spreadsheetImportService.js`

Accepts XLSX buffers only, max 10 MB, max 5,000 rows.
Detects monthly sheets, headers, categories, bills, amounts, and ambiguous rows.
Creates import_sessions preview records with 24-hour TTL.
Apply step creates/updates user-owned categories, bills, payments, monthly state, and import history.

`services/userDbImportService.js`

Accepts user SQLite export files up to 50 MB.
Requires export metadata and known tables.
Sanitizes categories, bills, payments, monthly state, and starting amounts.
Preview stores an import session; apply maps export IDs to current user-owned IDs.

`services/statusService.js`

Shared tracker/calendar logic:

resolveDueDate(bill, year, month) clamps due day to month length.
resolveBucket(bill) uses bucket or due-day threshold.
getCycleRange(year, month) returns first/last day of month.
calculateStatus(...) returns paid/autodraft/upcoming/due/overdue-style status.
buildTrackerRow(...) returns row data for the monthly tracker.

`services/auditService.js`

Writes audit_log rows for security-sensitive events such as login, logout, password changes, role changes, CSRF failures, user seed flag resets, migration runs, and migration rollback attempts.

db/database.js does not import logAudit at module load time. It uses a lazy getLogAudit() helper so migration code can write audit rows without creating a circular dependency: auditService imports database.js, and database.js needs audit logging during migrations. If the lazy require fails, the helper degrades to a no-op audit function while console logging still records migration progress/errors.

5. API Reference

All routes are prefixed with /api unless stated otherwise. Most mutating endpoints require CSRF token header x-csrf-token. Auth is cookie-based. User routes are scoped to the authenticated user unless noted.

Response conventions:

Success: JSON object/array unless endpoint downloads a file.
Validation: 400 {error, code?, field?}.
Unauthenticated: 401.
Forbidden: 403.
Missing resource: 404.
Conflict: 409.
Rate-limited: 429.

5.1 Auth

Mounted under /api/auth.

POST /auth/login
- Body: {username, password}.
- Validation: both required; local login must be enabled.
- Response: sets bt_session; {user}.
- Errors: 401 invalid credentials, 403 disabled login.
POST /auth/logout
- Auth: required.
- Body: none.
- Response: clears cookie; {success:true}.
POST /auth/logout-all
- Auth: required; CSRF skip is set before the router mount, matching other auth/session mutation routes.
- Body: none.
- Behavior: deletes every session for the current user by calling invalidateOtherSessions(userId, null), also deletes the current cookie session, audits logout.all, clears bt_session, and returns {success:true}.
GET /auth/me
- Auth: required unless single-user mode supplies user.
- Response: public user object.
GET /auth/mode
- Public.
- Response: auth mode, local-login flag, OIDC public info, single-user status.
POST /auth/restore-multi-user-mode
- Auth: required.
- Body: none.
- Response: restores multi-user mode where allowed.
POST /auth/acknowledge-privacy
- Auth: required.
- Body: none.
- Response: updates first-login/privacy acknowledgement flags.
POST /auth/change-password
- Auth: required; password limiter; CSRF skip is set before the router mount.
- Body: {current_password, new_password}.
- Validation: current password required unless must_change_password is set; new password min 8.
- Behavior: updates password hash, clears must_change_password, updates last_password_change_at, invalidates all other sessions, rotates the current session ID when a valid bt_session exists, sets the new cookie, audits password.change, and returns {success:true}.
GET /auth/has-users
- Response: whether non-default users exist.
GET /auth/users
- Auth: admin.
- Response: safe user list.
POST /auth/users
- Auth: admin.
- Body: {username, password}.
- Validation: username min 3, password min 8, unique username.
- Response: created safe user.

Server also mounts routes/authLogin.js at /api/auth/login; that router defines POST /login, creating an effective compatibility path /api/auth/login/login with the same local-login behavior. The frontend uses /api/auth/login.

5.2 OIDC Auth

Mounted under /api/auth/oidc; OIDC rate limiter applies.

GET /auth/oidc/login?redirect_to=/path
- Public when OIDC active.
- Creates PKCE state and redirects to provider authorization URL.
GET /auth/oidc/callback?code=&state=
- Public callback.
- Validates state/nonce, exchanges code, provisions/fetches user, creates session, redirects to saved path or app root.
- Error redirects use query errors such as access_denied or authentication_failed.

5.3 Admin

Mounted under /api/admin; all require requireAuth + requireAdmin + adminActionLimiter at the mount level. Backup subroutes also use backupOperationLimiter.

GET /admin/has-users
- Response: {has_users:boolean} for users other than current admin.
GET /admin/users
- Response: safe users ordered by default-admin, role, username.
POST /admin/users
- Body: {username, password}.
- Validation: username min 3, password min 8, unique.
- Response 201: created user.
PUT /admin/users/:id/password
- Body: {password}.
- Validation: password min 8; user exists.
- Response: {success:true}; invalidates target sessions and requires password change.
PUT /admin/users/:id/role
- Body: {role:"admin"|"user"}.
- Validation: cannot change own role; cannot remove last admin.
- Response: updated safe user; invalidates target sessions; audits role change.
PUT /admin/users/:id/active
- Body: {active:boolean}.
- Validation: user exists; cannot deactivate self.
- Response: updated safe user; deactivation invalidates sessions.
DELETE /admin/users/:id
- Validation: user exists; cannot delete self.
- Response: {success:true, deleted_user_id}; transaction deletes import sessions/history, sessions, and user.
POST /admin/backups
- Body: none.
- Response 201: backup metadata {id, filename, size_bytes, checksum, ...}.
GET /admin/backups
- Response: {backups:[metadata...]}.
GET /admin/backups/settings
- Response: backup schedule status/settings.
PUT /admin/backups/settings
- Body: {enabled, frequency:"daily"|"weekly", time:"HH:MM", retention_count}.
- Validation: frequency, valid time, retention 1-365.
- Response: saved schedule status.
POST /admin/backups/run-scheduled-now
- Body: none.
- Response 201: scheduled backup result.
POST /admin/backups/import
- Content-Type: application/octet-stream, application/x-sqlite3, or application/vnd.sqlite3.
- Body: raw SQLite backup, max 100 MB.
- Optional checksum: X-Checksum-Sha256 header or ?checksum=.
- Response 201: imported backup metadata.
GET /admin/backups/:id/download
- Response: file download. ID must be a managed backup filename.
POST /admin/backups/:id/restore
- Response: {restored_from, pre_restore_backup}; validates and restores managed backup.
DELETE /admin/backups/:id
- Response: {deleted:true, id, deleted_at}.
GET /admin/cleanup
- Response: cleanup settings and last result.
PUT /admin/cleanup
- Body: any of {import_sessions_enabled, temp_exports_enabled, temp_export_max_age_hours, backup_partials_enabled, import_history_enabled, import_history_max_age_days}.
- Validation: booleans; temp export age 1-72 hours; import history age 30-3650 days.
- Response: updated cleanup status.
POST /admin/cleanup/run
- Response: cleanup run result by task.
GET /admin/auth-mode
- Response: local/single-user/OIDC settings and lockout warnings. Client secret is not returned.
POST /admin/auth-mode/oidc-test
- Body: submitted or saved OIDC config fields.
- Response: {ok:true,...} or 400 with test error. Never returns secret/token material.
PUT /admin/auth-mode
- Body: legacy {auth_mode, default_user_id} plus OIDC/local settings such as local_login_enabled, oidc_login_enabled, oidc_issuer_url, oidc_client_id, oidc_client_secret, oidc_redirect_uri, oidc_scopes, oidc_admin_group, oidc_auto_provision.
- Validation: cannot disable all login methods; cannot disable local login until OIDC is configured, enabled, and has an admin group; cannot enable incomplete OIDC.
- Response: {success:true, ...authModeStatus}.
POST /admin/migrations/rollback
- Body: {version:"v0.44"|"v0.45"|"v0.46"}.
- Validation: version required; migration must be present in schema_migrations; ROLLBACK_SQL_MAP must define rollback SQL for that version.
- Behavior: calls rollbackMigration(version) from db/database.js, audits success as migration.rollback, and returns {success:true, version, description, elapsed_ms}.
- Error mapping: NOT_APPLIED becomes HTTP 404 with {error}; ROLLBACK_NOT_SUPPORTED becomes HTTP 422 with {error}; other rollback failures become HTTP 500 with {error:"Rollback failed", details} and are audited as migration.rollback.failure.

5.4 Bills

Mounted under /api/bills; auth: user/admin tracker access.

Bill object fields include id, user_id, name, category_id, category_name, due_day, override_due_date, bucket, expected_amount, interest_rate, billing_cycle, autopay_enabled, autodraft_status, website, username, account_info, has_2fa, active, notes, history_visibility, is_seeded, cycle_type, cycle_day, timestamps, and has_history_ranges on list/detail queries.

Validation shared by create/update:

name required for create.
due_day: integer 1-31.
expected_amount: numeric, defaults to 0.
interest_rate: null/empty or number 0-100.
category_id: must belong to current user.
history_visibility: default, all, ranges, or none.
cycle_type: monthly, weekly, biweekly, quarterly, annual.
cycle_day: monthly 1-31; weekly/biweekly day name; quarterly/annual text up to 50 chars.

Endpoints:

GET /bills?inactive=true
- Response: current user's bills; inactive excluded unless inactive=true.
GET /bills/:id
- Response: one owned bill or 404.
POST /bills
- Body: bill fields.
- Response 201: created bill.
PUT /bills/:id
- Body: partial bill fields.
- Response: updated bill.
DELETE /bills/:id
- Hard delete; cascades payments, monthly state, history ranges.
- Response: {success:true, deleted_bill_id, deleted_bill_name, warning}.
GET /bills/:id/monthly-state?year=&month=
- Validation: year 2000-2100; month 1-12.
- Response: {bill_id, year, month, actual_amount, notes, is_skipped}.
PUT /bills/:id/monthly-state
- Body: {year, month, actual_amount, notes, is_skipped}.
- Validation: year/month; actual_amount null or non-negative.
- Response: saved monthly state with timestamps.
GET /bills/:id/payments?page=1&limit=20
- Validation: limit capped at 100.
- Response: {bill_id, bill_name, total, page, limit, pages, payments}.
POST /bills/:id/toggle-paid
- Body optional: {amount, paid_date, method, notes}.
- If latest live payment exists, soft-deletes it. Otherwise creates a payment for amount or bill expected amount.
- Response: {success, isPaid, action, payment?}.
GET /bills/:id/history-ranges
- Response: {bill_id, history_visibility, ranges}.
POST /bills/:id/history-ranges
- Body: {start_year, start_month, end_year?, end_month?, label?}.
- Validation: years 2000-2100, months 1-12, end both present/absent and not before start.
- Response 201: created range.
PUT /bills/:id/history-ranges/:rangeId
- Body: partial range fields.
- Response: updated range.
DELETE /bills/:id/history-ranges/:rangeId
- Response: {success:true}.

5.5 Payments

Mounted under /api/payments; auth: user/admin tracker access. All queries are user-owned through joined bill ownership. Delete is soft delete via deleted_at.

GET /payments?bill_id=&year=&month=
- Validation: year and month must be supplied together; year 2000-2100; month 1-12.
- Response: live payments ordered descending by paid_date.
GET /payments/:id
- Response: live payment or 404.
POST /payments
- Body: {bill_id, amount, paid_date, method?, notes?}.
- Validation: bill exists and owned; amount > 0; required fields present.
- Response 201: created payment.
POST /payments/quick
- Body: {bill_id, amount?, paid_date?, method?, notes?}.
- Defaults amount to bill expected amount and date to today; confirms autodraft status for autopay bills.
- Response 201: created payment.
POST /payments/bulk
- Body: {payments:[{bill_id, amount, paid_date, method?, notes?}]}.
- Validation: array required; max 50; bill_id integer; paid_date YYYY-MM-DD; amount finite >= 0.
- Duplicate live payments by user/bill/date/amount are skipped.
- Response 201: {created:[...], skipped:[...], errors:[...]}.
PUT /payments/:id
- Body: partial {amount, paid_date, method, notes}.
- Response: updated payment. Current code preserves existing fields when omitted.
DELETE /payments/:id
- Response: {success:true} after setting deleted_at.
POST /payments/:id/restore
- Response: restored payment with deleted_at:null.

5.6 Categories

Mounted under /api/categories; auth: user/admin tracker access.

GET /categories
- Seeds default categories for user if needed.
- Response: categories with bill counts/payment counts and bill summaries.
POST /categories
- Body: {name}.
- Validation: non-empty name; unique per user case-insensitive.
- Response 201: created category.
PUT /categories/:id
- Body: {name}.
- Validation: category belongs to user; non-empty unique name.
- Response: updated category.
DELETE /categories/:id
- Validation: category belongs to user.
- Behavior: transaction nulls category on owned bills, then deletes category.
- Response: deletion summary.

5.7 Tracker and Calendar

GET /tracker?year=&month=
- Auth: user/admin tracker access.
- Defaults to current year/month.
- Response includes year, month, tracker rows, totals, starting amount info, previous month paid total, three-month averages/trends, and generated timestamp.
- Row fields come from buildTrackerRow plus monthly override state and previous-month payment data.
GET /tracker/upcoming?days=30
- Auth: user/admin tracker access.
- Response: upcoming active bills in the requested horizon.
GET /calendar?year=&month=
- Auth: user/admin tracker access.
- Defaults current year/month.
- Response: month days with payment entries, bills/due-status entries, and totals {expectedTotal, paidTotal, remainingTotal, paidPercent}.

5.8 Summary and Starting Amounts

GET /summary?year=&month=
- Auth: user/admin tracker access.
- Validation: valid year/month.
- Response: {year, month, income, expenses, starting_amounts, previous_month, summary, chart, generated_at}.
PUT /summary/income
- Body: {year, month, amount, label?}.
- Validation: valid year/month; amount 0-1,000,000,000; label trimmed to 80 chars.
- Response: {year, month, income} after upsert into monthly_income.
GET /monthly-starting-amounts?year=&month=
- Response: {year, month, first_amount, fifteenth_amount, other_amount, combined_amount, paid deductions, remaining values, notes}.
PUT /monthly-starting-amounts
- Body: {year, month, first_amount, fifteenth_amount, other_amount, notes?}.
- Validation: valid year/month; numeric amounts.
- Response: recomputed starting-amount response after upsert.

5.9 Analytics

GET /analytics/summary?year=&month=&months=&category_id=&bill_id=&include_inactive=true&include_skipped=false
- Auth: user/admin tracker access.
- Validation: year/month valid; months clamped by route validation; IDs parsed as integers.
- Response includes monthly spending, expected vs actual, category totals, bill totals, filters, and generated timestamp.

5.10 Settings

GET /settings
- Auth: user/admin tracker access.
- Response: user-visible settings from the allowed settings key list.
PUT /settings
- Auth: user/admin tracker access.
- Body: key/value object for allowed user setting keys.
- Response: updated settings object.
POST /settings/seed-demo-data
- Auth: user/admin tracker access.
- Response: demo seed result.

5.11 Notifications

Mounted under /api/notifications. Server mount requires requireAuth; route-level guards further restrict.

GET /notifications/admin
- Auth: admin.
- Response: global SMTP/notification settings.
PUT /notifications/admin
- Auth: admin.
- Body: allowed global SMTP and notification settings.
- Response: saved settings.
POST /notifications/test
- Auth: admin.
- Body: {to}.
- Validation: recipient required.
- Response: send result or SMTP error.
GET /notifications/me
- Auth: user/admin tracker access.
- Response: current user's notification email and toggle settings.
PUT /notifications/me
- Auth: user/admin tracker access.
- Body: {notification_email, notifications_enabled, notify_3d, notify_1d, notify_due, notify_overdue}.
- Response: saved user notification settings.

5.12 Profile

Mounted under /api/profile; auth: user/admin tracker access; password limiter applies at mount.

GET /profile
- Response: safe profile, notification settings, export URLs, import-history URL.
PATCH /profile
- Body: {display_name}.
- Validation: string, max 100 chars.
- Response: {success:true, profile}.
GET /profile/settings
- Response: user notification preferences only.
PATCH /profile/settings
- Body: {notification_email|email, notifications_enabled, notify_3d, notify_1d, notify_due, notify_overdue}.
- Validation: email value string/null, max 255 chars.
- Response: {success:true}.
POST /profile/change-password
- Body: {current_password, new_password, confirm_new_password}.
- Validation: all required; confirmation matches; new password min 8; current password must verify.
- Response: rotates current session, invalidates others, {success:true}.
GET /profile/exports
- Response: metadata for user_db and user_excel export URLs.
GET /profile/import-history
- Response: {history:[...]}.

5.13 User Demo Data

Mounted under /api/user; auth: user/admin tracker access.

POST /user/seed-demo-data
- Response: seed result for current user.
POST /user/clear-demo-data
- Rate-limited by demo-data limiter.
- Behavior: deletes is_seeded=1 bills/categories for current user and records import history.
- Response: deletion counts.

5.14 Import

Mounted under /api/import; auth: user/admin tracker access; import limiter applies.

POST /import/spreadsheet/preview?parse_all_sheets=true&year=&month=
- Content-Type: application/octet-stream.
- Headers: optional X-Filename.
- Body: XLSX file buffer, max 10 MB.
- Response: preview session, parsed rows, categories/bills/payment candidates, ambiguous decisions, errors.
POST /import/spreadsheet/apply
- Body: {import_session_id, decisions, options}.
- Validation: session exists, not expired, belongs to user.
- Response: created/updated/skipped/error counts and import history summary.
POST /import/user-db/preview
- Content-Type: application/octet-stream.
- Headers: optional X-Filename.
- Body: user SQLite export file, max 50 MB.
- Response: preview session and sanitized import plan.
POST /import/user-db/apply
- Body: {import_session_id, options}.
- Validation: session exists, not expired, belongs to user.
- Response: apply result with ID mappings/counts.
GET /import/history
- Response: current user's import history.

5.15 Export

Mounted under /api/export; auth: user/admin tracker access; export limiter applies.

GET /export?year=YYYY&format=csv|xlsx
- Response: file download of payment/bill history for the requested year. CSV includes date, bill, category, expected, paid, method, notes, actual amount, monthly notes. XLSX includes enriched rows.
GET /export/user-excel
- Response: Excel workbook with user categories, bills, payments, monthly state, monthly starting amounts, and notes/metadata.
GET /export/user-db
- Response: portable SQLite file with export metadata and user-owned categories, bills, payments, monthly state, monthly starting amounts, and notes.

5.16 Status

GET /status
- Auth: admin.
- Response: app version, uptime, runtime worker state, DB health/counts/path/size, SMTP configuration status, backup status/schedule, current-month tracker health, recent errors.

5.17 About and Version

GET /about
- Public.
- Response: package version and public project/about metadata.
GET /about-admin
- Auth: admin; admin action limiter; CSRF middleware.
- Response: package version plus sanitized/redacted FUTURE.md and DEVELOPMENT_LOG.md content.
- File allowlist only: FUTURE.md, DEVELOPMENT_LOG.md.
GET /version
- Public.
- Response: current package version and latest structured notes from HISTORY.md.
GET /version/history
- Public.
- Response: package version and raw history text, or error if unavailable.

6. Database Reference

SQLite uses WAL mode and foreign keys. Base schema is in db/schema.sql; db/database.js applies migrations to reach the current schema.

Tables and columns

`users`

id INTEGER PRIMARY KEY
username TEXT NOT NULL UNIQUE COLLATE NOCASE
password_hash TEXT NOT NULL
role TEXT NOT NULL DEFAULT 'user' (admin or user)
must_change_password INTEGER NOT NULL DEFAULT 0
first_login INTEGER NOT NULL DEFAULT 1
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
notification_email TEXT
notifications_enabled INTEGER NOT NULL DEFAULT 0
notify_3d INTEGER NOT NULL DEFAULT 1
notify_1d INTEGER NOT NULL DEFAULT 1
notify_due INTEGER NOT NULL DEFAULT 1
notify_overdue INTEGER NOT NULL DEFAULT 1
display_name TEXT
last_password_change_at TEXT
auth_provider TEXT NOT NULL DEFAULT 'local'
external_subject TEXT
email TEXT
last_login_at TEXT
active INTEGER NOT NULL DEFAULT 1
is_default_admin INTEGER NOT NULL DEFAULT 0

`sessions`

id TEXT PRIMARY KEY
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
expires_at TEXT NOT NULL
created_at TEXT DEFAULT datetime('now')

`categories`

id INTEGER PRIMARY KEY
user_id INTEGER REFERENCES users(id) ON DELETE CASCADE
name TEXT NOT NULL
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
is_seeded INTEGER NOT NULL DEFAULT 0

`bills`

id INTEGER PRIMARY KEY
user_id INTEGER REFERENCES users(id) ON DELETE CASCADE
name TEXT NOT NULL
category_id INTEGER REFERENCES categories(id) ON DELETE SET NULL
due_day INTEGER NOT NULL CHECK 1-31
override_due_date TEXT
bucket TEXT CHECK ('1st','15th')
expected_amount REAL NOT NULL DEFAULT 0
interest_rate REAL CHECK null or 0-100
billing_cycle TEXT DEFAULT 'monthly' CHECK ('monthly','quarterly','annually','irregular')
autopay_enabled INTEGER NOT NULL DEFAULT 0
autodraft_status TEXT NOT NULL DEFAULT 'none' CHECK ('none','pending','assumed_paid','confirmed')
website TEXT
username TEXT
account_info TEXT
has_2fa INTEGER NOT NULL DEFAULT 0
active INTEGER NOT NULL DEFAULT 1
notes TEXT
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
history_visibility TEXT NOT NULL DEFAULT 'default'
is_seeded INTEGER NOT NULL DEFAULT 0
cycle_type TEXT NOT NULL DEFAULT 'monthly'
cycle_day TEXT

`payments`

id INTEGER PRIMARY KEY
bill_id INTEGER NOT NULL REFERENCES bills(id) ON DELETE CASCADE
amount REAL NOT NULL
paid_date TEXT NOT NULL
method TEXT
notes TEXT
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
deleted_at TEXT

`monthly_bill_state`

id INTEGER PRIMARY KEY
bill_id INTEGER NOT NULL REFERENCES bills(id) ON DELETE CASCADE
year INTEGER NOT NULL CHECK 2000-2100
month INTEGER NOT NULL CHECK 1-12
actual_amount REAL
notes TEXT
is_skipped INTEGER NOT NULL DEFAULT 0
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
Unique: (bill_id, year, month)

`monthly_income`

id INTEGER PRIMARY KEY
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
year INTEGER NOT NULL
month INTEGER NOT NULL
label TEXT NOT NULL DEFAULT 'Salary'
amount REAL NOT NULL DEFAULT 0
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
Unique intended/current logic: (user_id, year, month) via migration/index.

`monthly_starting_amounts`

id INTEGER PRIMARY KEY
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
year INTEGER NOT NULL
month INTEGER NOT NULL
first_amount REAL NOT NULL DEFAULT 0
fifteenth_amount REAL NOT NULL DEFAULT 0
other_amount REAL NOT NULL DEFAULT 0
notes TEXT
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')
Unique intended/current logic: (user_id, year, month) via migration/index.

`bill_history_ranges`

id INTEGER PRIMARY KEY
bill_id INTEGER NOT NULL REFERENCES bills(id) ON DELETE CASCADE
start_year INTEGER NOT NULL
start_month INTEGER NOT NULL
end_year INTEGER
end_month INTEGER
label TEXT
created_at TEXT DEFAULT datetime('now')
updated_at TEXT DEFAULT datetime('now')

`settings`

key TEXT PRIMARY KEY
value TEXT NOT NULL
updated_at TEXT DEFAULT datetime('now')

Used for app settings, auth mode, OIDC settings, SMTP settings, backup schedule, cleanup settings, and worker state.

`notifications`

id INTEGER PRIMARY KEY
bill_id INTEGER NOT NULL REFERENCES bills(id) ON DELETE CASCADE
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
year INTEGER NOT NULL
month INTEGER NOT NULL
type TEXT NOT NULL (due_3d, due_1d, due_today, overdue)
sent_date TEXT NOT NULL DEFAULT date('now')
Unique: (bill_id, user_id, year, month, type, sent_date)

`import_sessions`

id TEXT PRIMARY KEY
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
created_at TEXT NOT NULL
expires_at TEXT NOT NULL
preview_json TEXT NOT NULL

`import_history`

id INTEGER PRIMARY KEY
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE
imported_at TEXT NOT NULL
source_filename TEXT
file_type TEXT DEFAULT 'xlsx'
sheet_name TEXT
rows_parsed INTEGER DEFAULT 0
rows_created INTEGER DEFAULT 0
rows_updated INTEGER DEFAULT 0
rows_skipped INTEGER DEFAULT 0
rows_ambiguous INTEGER DEFAULT 0
rows_errored INTEGER DEFAULT 0
options_json TEXT
summary_json TEXT

`oidc_states`

id TEXT PRIMARY KEY
nonce TEXT NOT NULL
code_verifier TEXT NOT NULL
redirect_to TEXT
created_at TEXT NOT NULL
expires_at TEXT NOT NULL

`audit_log`

id INTEGER PRIMARY KEY
user_id INTEGER
action TEXT NOT NULL
entity_type TEXT
entity_id INTEGER
details_json TEXT
ip_address TEXT
user_agent TEXT
created_at TEXT DEFAULT datetime('now')

`schema_migrations`

id INTEGER PRIMARY KEY
version TEXT NOT NULL UNIQUE
description TEXT NOT NULL
applied_at TEXT NOT NULL DEFAULT datetime('now')

Indexes

Important indexes include:

idx_bills_active(active)
idx_bills_user_active(user_id, active)
idx_bills_user_name(user_id, name)
idx_categories_user_name(user_id, name)
idx_categories_user_name_unique(user_id, name COLLATE NOCASE)
idx_payments_bill_id(bill_id)
idx_payments_paid_date(paid_date)
idx_payments_bill_date_del(bill_id, paid_date, deleted_at)
idx_payments_deleted(deleted_at)
idx_payments_method(method)
idx_sessions_user_id(user_id)
idx_sessions_expires(expires_at)
idx_monthly_bill_state_lookup(bill_id, year, month)
idx_monthly_income_user_month(user_id, year, month)
idx_monthly_starting_amounts_user(user_id)
idx_monthly_starting_amounts_user_month(user_id, year, month)
idx_notifications_lookup(bill_id, user_id, year, month)
idx_import_sessions_user(user_id), idx_import_sessions_expires(expires_at)
idx_import_history_user(user_id), idx_import_history_imported_at(imported_at)
idx_oidc_states_expires(expires_at)
idx_bill_history_ranges_bill(bill_id)
idx_audit_log_user(user_id, created_at), idx_audit_log_action(action, created_at)

Migration system

db/database.js:

Reads db/schema.sql in initSchema().
Creates schema_migrations.
Detects and reconciles legacy databases.
Applies ordered migrations only when not already recorded.
Validates dependency chains before applying dependent migrations.
Uses a column whitelist for dynamic ALTER TABLE statements.
Wraps versioned migrations in transactions, with special handling for v0.40 because it uses PRAGMA-driven table rebuild work.
Supports rollback SQL for selected migrations through ROLLBACK_SQL_MAP and rollbackMigration(version).

Current migration set:

v0.2 payments soft delete.
v0.3 tracker payment compound index.
v0.4 monthly bill state.
v0.13 user profile columns.
v0.14 bill history visibility.
v0.14.4 bill interest rate.
v0.15 import sessions/history.
v0.17 OIDC/external identity columns and state table.
v0.18.1 monthly income.
v0.18.2 monthly starting amounts.
v0.18.3 other starting amount bucket.
v0.38 per-user import audit history.
v0.40 ownership for bills/categories.
v0.41 seeded demo-data flags.
v0.42 bill history ranges.
v0.43 session created_at.
v0.44 performance indexes.
v0.45 audit log.
v0.46 bill cycle_type and cycle_day.
Unversioned user notification columns are also reconciled.

Migration logging is both console-based and audit-backed:

runMigrations() logs start, dependency status, transaction begin/commit, per-migration elapsed time, skips for already-applied migrations, failures with rollback messages, and total elapsed time.
Audit events use the lazy getLogAudit() helper to avoid the auditService -> database.js -> auditService circular dependency.
Audit actions include migration.start, migration.complete, and migration.failure.
Rollback paths audit migration.rollback and migration.rollback.failure.

Rollback support is defined by ROLLBACK_SQL_MAP:

v0.44 — drops selected performance indexes: idx_bills_user_name, idx_payments_method, idx_monthly_starting_amounts_user, and idx_import_history_imported_at.
v0.45 — drops idx_audit_log_user, idx_audit_log_action, and the audit_log table.
v0.46 — drops bills.cycle_day and bills.cycle_type.

rollbackMigration(version) requires an initialized database, verifies the version exists in schema_migrations, looks up rollback SQL in ROLLBACK_SQL_MAP, executes all rollback statements inside a transaction, deletes the migration record, logs elapsed time, audits success, and returns {success:true, version, description, elapsed_ms}. If the migration is not recorded, it throws NOT_APPLIED. If no rollback definition exists, it throws ROLLBACK_NOT_SUPPORTED. Execution failures roll back the transaction and are audited as migration.rollback.failure.

The admin API exposes rollback through POST /api/admin/migrations/rollback. The route requires admin auth through the /api/admin mount. It maps NOT_APPLIED to HTTP 404, ROLLBACK_NOT_SUPPORTED to HTTP 422, and unexpected rollback failures to HTTP 500.

The lazy audit helper in db/database.js is:

let _logAudit = null;
function getLogAudit() {
  if (!_logAudit) {
    try { _logAudit = require('../services/auditService').logAudit; } catch { _logAudit = () => {}; }
  }
  return _logAudit;
}

Use this pattern for database-layer audit calls instead of a top-level require('../services/auditService').

7. Frontend Reference

Frontend stack

React ^18.3.1
Vite ^5.4.10
React Router ^6.26.2
TanStack Query ^5.100.9
Tailwind CSS ^3.4.14
Radix/shadcn-style UI primitives
sonner for toasts
react-markdown, remark-gfm, rehype-sanitize for markdown rendering

`client/main.jsx`

Creates the React root and wraps App with global providers including auth/theme where defined.

`client/App.jsx`

Creates a TanStack QueryClient with staleTime 2 minutes, retry 1, no refetch on focus.
Uses lazy loading and Suspense with PageLoader for most pages.
Wraps route elements in ErrorBoundary.
Exposes ReactQueryDevtools.
Provides skip link for keyboard users.

Routes:

/login → LoginPage public.
/about → AboutPage public.
/release-notes → ReleaseNotesPage public.
/admin → AdminPage, admin only.
/admin/about → admin shell + AboutPage admin, admin only.
/admin/roadmap → admin shell + AboutPage admin, admin only.
/admin/status → admin shell + StatusPage, admin only.
/status → redirects admin to /admin/status.
/ → authenticated user layout index, TrackerPage.
/calendar → CalendarPage.
/summary → SummaryPage.
/bills → BillsPage.
/categories → CategoriesPage.
/analytics → AnalyticsPage.
/settings → SettingsPage.
/data → DataPage.
/profile → ProfilePage.
* under user layout → redirect /.

RequireAuth behavior:

Shows loading while auth state is undefined.
Redirects unauthenticated users to /login.
Allows admins to access user routes except default admin is redirected to /admin.
Allows single-user mode only for user routes.
Redirects role mismatches to /admin or /.

API client

client/api.js:

_fetch(method, path, body) calls /api${path} with JSON headers and credentials: include.
Mutating methods read bt_csrf_token cookie and send x-csrf-token.
Non-OK responses throw Error with status, data, details, and code.
Exposes grouped functions for auth, admin, notifications, profile, tracker, calendar, summary, bills, payments, categories, settings, analytics, status, version/about, import, and export.
File download/upload endpoints use raw fetch because responses/bodies are blobs or octet streams.

Auth state

client/hooks/useAuth.jsx:

Maintains user, singleUserMode, and loading state.
Calls api.authMode() and api.me() on startup.
Exposes logout() and refresh().

Query hooks

client/hooks/useQueries.js:

useTracker(year, month) → api.tracker(year, month).
useBills() → api.allBills().
useCategories() → api.categories().

These use TanStack Query keys and cache server data for common pages.

Components

Layout: Layout, Sidebar, BrandBlock, NavPill.
Domain UI: AdminDashboard, BillModal, BillsTableInner, MobileBillRow, MobileTrackerRow, StatusBadge, SummaryCard, MarkdownText, ReleaseNotesDialog.
Reliability: ErrorBoundary, PageLoader.
UI primitives: alert dialog, badge, button, card, checkbox, confirm dialog, dialog, dropdown menu, input dialog, input, label, select, separator, skeleton, switch, table, tabs, theme toggle, tooltip.

Frontend security notes

CSRF header is sent on POST/PUT/PATCH/DELETE.
Auth is cookie/session based; no tokens are stored in localStorage.
Admin routes are client-guarded and server-guarded.
Markdown rendering uses rehype-sanitize.
Error boundaries prevent route crashes from taking down the whole SPA.

8. Infrastructure and Deployment

`package.json`

Version: 0.23.1.

Scripts:

npm run dev:api — node --watch server.js.
npm run dev:ui — Vite dev server.
npm run dev — concurrently runs API and UI.
npm run build — Vite production build.
npm start — node server.js.

Key runtime dependencies:

Express, cookie-parser, cors, express-rate-limit.
better-sqlite3.
bcryptjs.
openid-client.
nodemailer.
node-cron.
React, React DOM, React Router, TanStack Query.
Radix UI primitives, lucide-react, Tailwind utilities.
xlsx for spreadsheet import/export.

Dockerfile

Multi-stage build:

Builder: node:18-alpine, installs build deps python3 make g++, runs npm install, copies source, runs npm run build.
Runtime: node:18-alpine, installs bash nano su-exec, creates non-root bill user, copies built app, creates /data/db, /data/backups, /app/backups, sets ownership and restrictive permissions.

Runtime environment:

NODE_ENV=production
PORT=3000
DB_PATH=/data/db/bills.db
BACKUP_PATH=/data/backups

Exposes port 3000, declares volume /data, entrypoint docker-entrypoint.sh, command node server.js.

`docker-compose.yml`

Service: bill-tracker.

Image: dream.scheller.ltd/null/billtracker:latest.
Container name: bill-tracker.
Ports: host 3030 to container 3000.
Volume: /portainer/hosting/bill-tracker/data:/data.
Restart: unless-stopped.
Environment includes INIT_ADMIN_USER, INIT_ADMIN_PASS, and CSRF cookie settings.

Important deployment note: the compose file currently sets CSRF_SECURE: "true"; for plain HTTP development this prevents CSRF cookies from being sent by browsers. Use HTTPS or override to false only in local/dev.

9. Auth and Security Flows

Client calls GET /auth/mode to determine local/OIDC visibility.
Client submits POST /auth/login.
Server checks local_login_enabled, validates credentials through bcrypt, rejects inactive users, cleans expired sessions, creates a 7-day session.
Server sets bt_session cookie using cookieOpts(req).
Client calls GET /auth/me to populate auth state.

Client navigates to /api/auth/oidc/login.
Server verifies active OIDC config, creates PKCE state, redirects to provider.
Provider returns to /api/auth/oidc/callback.
Server validates state/nonce, exchanges code, maps/provisions user, creates local session cookie, redirects back into SPA.

Password change

Current password and matching new password are required.
New password must be at least 8 chars.
Server updates hash, clears must_change_password, sets last_password_change_at.
Other sessions are invalidated and current session is rotated when possible.

Authorization

All user data routes enforce owner scope by req.user.id in SQL.
Admin-only routes require requireAdmin on server.
Default admin cannot use tracker routes.
Role changes invalidate target sessions.
Deactivation invalidates target sessions.

Backup safety

Managed filename regex and path checks prevent traversal.
Uploads are written to temp paths first, validated, then moved.
Restore creates a pre-restore backup.

Import safety

Spreadsheet import accepts only XLSX and validates size, sheets, rows, cells, headers, and decisions.
User DB import validates SQLite magic, size, required metadata/tables, and maps all data to current user ownership.

10. Operational Notes

Startup behavior

DB path is DB_PATH or db/bills.db.
DB open logging prints only path.basename(DB_PATH) instead of the full database path, so startup logs identify the file without exposing the full filesystem location.
SQLite WAL and foreign keys are enabled.
Schema and migrations run automatically.
Default categories/settings are seeded.
Expired sessions are purged at startup.
A periodic expired-session cleanup interval is scheduled.
Backup scheduler and daily worker are started where server code imports/starts them.

Environment-seeded regular users use INIT_REGULAR_USER and INIT_REGULAR_PASS. New seeded users are inserted with first_login = 0 and must_change_password = 0. Existing seeded regular users have their password hash updated and both flags reset to 0, then the server audits seed.flag_reset with the username, reset flags, and source: "server-seed". This lets ENV-managed users skip first-login/privacy/password-change gates after seed refreshes.

Environment variables

Common variables used by current code:

PORT
DB_PATH
BACKUP_PATH
INIT_ADMIN_USER
INIT_ADMIN_PASS
INIT_REGULAR_USER
INIT_REGULAR_PASS
SESSION_CLEANUP_INTERVAL_MS
CORS_ORIGIN
COOKIE_SECURE
HTTPS
CSRF_HTTP_ONLY
CSRF_SAME_SITE
CSRF_SECURE
CSRF_COOKIE_NAME
OIDC_ISSUER_URL
OIDC_CLIENT_ID
OIDC_CLIENT_SECRET
OIDC_REDIRECT_URI
OIDC_TOKEN_AUTH_METHOD

Most notification, OIDC, backup, cleanup, and auth-mode settings are also stored in the settings table and managed from Admin UI.

Known code characteristics to preserve

Use transactions for multi-step destructive or bulk DB changes.
Keep user-owned SQL scoped by req.user.id.
Keep admin lockout protection before changing login methods.
Do not expose password_hash, session IDs, OIDC client secret, or internal backup paths in API responses.
Keep import preview/apply separated so users can resolve ambiguous spreadsheet data before DB writes.
Prefer soft delete for payments; bill deletion is intentionally hard delete and returns an explicit warning.
DB path support: db/database.js uses path.basename(DB_PATH) in logging to anonymize the DB path while still providing useful diagnostic information. Absolute and relative paths are both supported.

11. Verification Checklist Used for This Reference

Reviewed current code sources:

server.js
all route files under routes/
service files under services/
middleware files under middleware/
db/schema.sql and db/database.js
actual initialized SQLite schema via better-sqlite3 introspection
client/App.jsx, client/api.js, client/hooks/useAuth.jsx, client/hooks/useQueries.js
page/component inventory under client/pages/ and client/components/
package.json
Dockerfile
docker-compose.yml

The previous manual contained large historical update sections and stale route/page descriptions. This version replaces those with a current-state engineering reference.

52 KiB Raw Blame History

Engineering Reference Manual — Bill Tracker

1. System Overview

2. Project Layout

3. Backend Entry Point and Middleware

server.js

Authentication middleware

CSRF middleware

Rate limits

Security headers

Error formatting

4. Services

services/authService.js

services/oidcService.js

services/backupService.js

services/backupScheduler.js

services/cleanupService.js

services/notificationService.js

services/spreadsheetImportService.js

services/userDbImportService.js

services/statusService.js

services/auditService.js