@actual-app/sync-server 25.4.0-alpha.0

package/.dockerignore

@@ -0,0 +1,12 @@
+node_modules
+user-files
+server-files
+
+# Yarn
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions

package/README.md

@@ -0,0 +1,19 @@
+This is the main project to run [Actual](https://github.com/actualbudget/actual), a local-first personal finance tool. It comes with the latest version of Actual, and a server to persist changes and make data available across all devices.
+
+### Getting Started
+
+Actual is a local-first personal finance tool. It is 100% free and open-source, written in NodeJS, it has a synchronization element so that all your changes can move between devices without any heavy lifting.
+
+If you are interested in contributing, or want to know how development works, see our [contributing](https://actualbudget.org/docs/contributing/) document we would love to have you.
+
+Want to say thanks? Click the ⭐ at the top of the page.
+
+### Documentation
+
+We have a wide range of documentation on how to use Actual. This is all available in our [Community Documentation](https://actualbudget.org/docs/), including topics on [installing](https://actualbudget.org/docs/install/), [Budgeting](https://actualbudget.org/docs/budgeting/), [Account Management](https://actualbudget.org/docs/accounts/), [Tips & Tricks](https://actualbudget.org/docs/getting-started/tips-tricks) and some documentation for developers.
+
+### Feature Requests
+
+Current feature requests can be seen [here](https://github.com/actualbudget/actual/issues?q=is%3Aissue+label%3A%22needs+votes%22+sort%3Areactions-%2B1-desc). Vote for your favorite requests by reacting 👍 to the top comment of the request.
+
+To add new feature requests, open a new Issue of the "Feature Request" type.

package/app.js

@@ -0,0 +1,11 @@
+import { run as runMigrations } from './src/migrations.js';
+
+runMigrations()
+  .then(() => {
+    //import the app here becasue initial migrations need to be run first - they are dependencies of the app.js
+    import('./src/app.js').then(app => app.run()); // run the app
+  })
+  .catch(err => {
+    console.log('Error starting app:', err);
+    process.exit(1);
+  });

package/babel.config.json

@@ -0,0 +1,3 @@
+{
+  "presets": ["@babel/preset-typescript"]
+}

package/bin/@actual-app/sync-server

@@ -0,0 +1,55 @@
+#!/usr/bin/env node
+
+'use strict';
+import packageJson from '../../package.json' with { type: 'json' };
+
+const getArgs = () =>
+  process.argv.reduce((args, arg) => {
+    // long arg
+    if (arg.slice(0, 2) === '--') {
+      const longArg = arg.split('=');
+      const longArgFlag = longArg[0].slice(2);
+      const longArgValue = longArg.length > 1 ? longArg[1] : true;
+      args[longArgFlag] = longArgValue;
+    }
+    // flags
+    else if (arg[0] === '-') {
+      const flags = arg.slice(1).split('');
+      flags.forEach(flag => {
+        args[flag] = true;
+      });
+    }
+    return args;
+  }, {});
+
+const args = getArgs();
+
+if (args.h || args.help) {
+  console.log(
+    [
+      'usage: @actual-app/sync-server [options]',
+      '',
+      'options:',
+      '  --config           Path to config file',
+      '',
+      '  -h --help          Print this list and exit.',
+      '  -v --version       Print the version and exit.',
+    ].join('\n'),
+  );
+
+  process.exit();
+}
+
+if (args.v || args.version) {
+  console.log('v' + packageJson.version);
+
+  process.exit();
+}
+
+// start the sync server
+if (args.config) {
+  console.log(`Loading config from ${args.config}`);
+  process.env.ACTUAL_CONFIG_PATH = args.config;
+}
+
+import('../../app.js');

package/docker/alpine.Dockerfile

@@ -0,0 +1,62 @@
+FROM alpine:3.18 AS deps
+
+# Install required packages
+RUN apk add --no-cache nodejs yarn python3 openssl build-base
+
+WORKDIR /app
+
+# Copy only the files needed for installing dependencies
+COPY .yarn ./.yarn
+COPY yarn.lock package.json .yarnrc.yml ./
+COPY packages/api/package.json packages/api/package.json
+COPY packages/component-library/package.json packages/component-library/package.json
+COPY packages/crdt/package.json packages/crdt/package.json
+COPY packages/desktop-client/package.json packages/desktop-client/package.json
+COPY packages/desktop-electron/package.json packages/desktop-electron/package.json
+COPY packages/eslint-plugin-actual/package.json packages/eslint-plugin-actual/package.json
+COPY packages/loot-core/package.json packages/loot-core/package.json
+COPY packages/sync-server/package.json packages/sync-server/package.json
+
+# Avoiding memory issues with ARMv7
+RUN if [ "$(uname -m)" = "armv7l" ]; then yarn config set taskPoolConcurrency 2; yarn config set networkConcurrency 5; fi
+
+# Focus the workspaces in production mode
+RUN if [ "$(uname -m)" = "armv7l" ]; then npm_config_build_from_source=true yarn workspaces focus @actual-app/sync-server --production; else yarn workspaces focus @actual-app/sync-server --production; fi
+
+FROM deps AS builder
+
+WORKDIR /app
+
+COPY packages/sync-server ./packages/sync-server
+
+# Remove symbolic links for @actual-app/web and @actual-app/sync-server
+RUN rm -rf ./node_modules/@actual-app/web ./node_modules/@actual-app/sync-server
+
+# Copy in the @actual-app/web artifacts manually, so we don't need the entire packages folder
+COPY packages/desktop-client/package.json ./node_modules/@actual-app/web/package.json
+COPY packages/desktop-client/build ./node_modules/@actual-app/web/build
+
+FROM alpine:3.18 AS prod
+
+# Minimal runtime dependencies
+RUN apk add --no-cache nodejs tini
+
+# Create a non-root user
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN addgroup -S ${USERNAME} -g ${USER_GID} && adduser -S ${USERNAME} -G ${USERNAME} -u ${USER_UID}
+RUN mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
+WORKDIR /app
+ENV NODE_ENV=production
+
+# Pull in only the necessary artifacts (built node_modules, server files, etc.)
+COPY --from=builder /app/node_modules /app/node_modules
+COPY --from=builder /app/packages/sync-server/package.json /app/packages/sync-server/app.js ./
+COPY --from=builder /app/packages/sync-server/src ./src
+COPY --from=builder /app/packages/sync-server/migrations ./migrations
+
+ENTRYPOINT ["/sbin/tini","-g",  "--"]
+EXPOSE 5006
+CMD ["node", "app.js"]

package/docker/ubuntu.Dockerfile

@@ -0,0 +1,63 @@
+FROM node:18-bookworm AS deps
+
+# Install required packages
+RUN apt-get update && apt-get install -y openssl
+
+WORKDIR /app
+
+# Copy only the files needed for installing dependencies
+COPY .yarn ./.yarn
+COPY yarn.lock package.json .yarnrc.yml ./
+COPY packages/api/package.json packages/api/package.json
+COPY packages/component-library/package.json packages/component-library/package.json
+COPY packages/crdt/package.json packages/crdt/package.json
+COPY packages/desktop-client/package.json packages/desktop-client/package.json
+COPY packages/desktop-electron/package.json packages/desktop-electron/package.json
+COPY packages/eslint-plugin-actual/package.json packages/eslint-plugin-actual/package.json
+COPY packages/loot-core/package.json packages/loot-core/package.json
+COPY packages/sync-server/package.json packages/sync-server/package.json
+
+# Avoiding memory issues with ARMv7
+RUN if [ "$(uname -m)" = "armv7l" ]; then yarn config set taskPoolConcurrency 2; yarn config set networkConcurrency 5; fi
+
+# Focus the workspaces in production mode
+RUN yarn workspaces focus @actual-app/sync-server --production
+
+FROM deps AS builder
+
+WORKDIR /app
+
+COPY packages/sync-server ./packages/sync-server
+
+# Remove symbolic links for @actual-app/web and @actual-app/sync-server
+RUN rm -rf ./node_modules/@actual-app/web ./node_modules/@actual-app/sync-server
+
+# Copy in the @actual-app/web artifacts manually, so we don't need the entire packages folder
+COPY packages/desktop-client/package.json ./node_modules/@actual-app/web/package.json
+COPY packages/desktop-client/build ./node_modules/@actual-app/web/build
+
+FROM node:18-bookworm-slim AS prod
+
+# Minimal runtime dependencies
+RUN apt-get update && apt-get install tini && apt-get clean -y && rm -rf /var/lib/apt/lists/*
+
+# Create a non-root user
+ARG USERNAME=actual
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
+RUN groupadd --gid $USER_GID $USERNAME \
+    && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
+    && mkdir /data && chown -R ${USERNAME}:${USERNAME} /data
+
+WORKDIR /app
+ENV NODE_ENV=production
+
+# Pull in only the necessary artifacts (built node_modules, server files, etc.)
+COPY --from=builder /app/node_modules /app/node_modules
+COPY --from=builder /app/packages/sync-server/package.json /app/packages/sync-server/app.js ./
+COPY --from=builder /app/packages/sync-server/src ./src
+COPY --from=builder /app/packages/sync-server/migrations ./migrations
+
+ENTRYPOINT ["/usr/bin/tini","-g",  "--"]
+EXPOSE 5006
+CMD ["node", "app.js"]

package/docker-compose.yml

@@ -0,0 +1,29 @@
+services:
+  actual_server:
+    image: docker.io/actualbudget/actual-server:latest
+    ports:
+      # This line makes Actual available at port 5006 of the device you run the server on,
+      # i.e. http://localhost:5006. You can change the first number to change the port, if you want.
+      - '5006:5006'
+    environment:
+      # Uncomment any of the lines below to set configuration options.
+      # - ACTUAL_HTTPS_KEY=/data/selfhost.key
+      # - ACTUAL_HTTPS_CERT=/data/selfhost.crt
+      # - ACTUAL_PORT=5006
+      # - ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=20
+      # - ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=50
+      # - ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=20
+      # See all options and more details at https://actualbudget.github.io/docs/Installing/Configuration
+      # !! If you are not using any of these options, remove the 'environment:' tag entirely.
+    volumes:
+      # Change './actual-data' below to the path to the folder you want Actual to store its data in on your server.
+      # '/data' is the path Actual will look for its files in by default, so leave that as-is.
+      - ./actual-data:/data
+    healthcheck:
+      # Enable health check for the instance
+      test: ['CMD-SHELL', 'node src/scripts/health-check.js']
+      interval: 60s
+      timeout: 10s
+      retries: 3
+      start_period: 20s
+    restart: unless-stopped

package/jest.config.json

@@ -0,0 +1,19 @@
+{
+  "globalSetup": "./jest.global-setup.js",
+  "globalTeardown": "./jest.global-teardown.js",
+  "testPathIgnorePatterns": ["dist", "/node_modules/", "/build/"],
+  "roots": ["<rootDir>"],
+  "moduleFileExtensions": ["ts", "js", "json"],
+  "testEnvironment": "node",
+  "collectCoverage": true,
+  "collectCoverageFrom": ["**/*.{js,ts,tsx}"],
+  "coveragePathIgnorePatterns": [
+    "dist",
+    "/node_modules/",
+    "/build/",
+    "/coverage/"
+  ],
+  "coverageReporters": ["html", "lcov", "text", "text-summary"],
+  "resetMocks": true,
+  "restoreMocks": true
+}

package/jest.global-setup.js

@@ -0,0 +1,101 @@
+import { getAccountDb } from './src/account-db.js';
+import { run as runMigrations } from './src/migrations.js';
+
+const GENERIC_ADMIN_ID = 'genericAdmin';
+const GENERIC_USER_ID = 'genericUser';
+const ADMIN_ROLE_ID = 'ADMIN';
+const BASIC_ROLE_ID = 'BASIC';
+
+const createUser = (userId, userName, role, owner = 0, enabled = 1) => {
+  const missingParams = [];
+  if (!userId) missingParams.push('userId');
+  if (!userName) missingParams.push('userName');
+  if (!role) missingParams.push('role');
+  if (missingParams.length > 0) {
+    throw new Error(`Missing required parameters: ${missingParams.join(', ')}`);
+  }
+
+  if (
+    typeof userId !== 'string' ||
+    typeof userName !== 'string' ||
+    typeof role !== 'string'
+  ) {
+    throw new Error(
+      'Invalid parameter types. userId, userName, and role must be strings',
+    );
+  }
+
+  try {
+    getAccountDb().mutate(
+      'INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, ?, ?, ?)',
+      [userId, userName, userName, enabled, owner, role],
+    );
+  } catch (error) {
+    console.error(`Error creating user ${userName}:`, error);
+    throw error;
+  }
+};
+
+const setSessionUser = (userId, token = 'valid-token') => {
+  if (!userId) {
+    throw new Error('userId is required');
+  }
+
+  try {
+    const db = getAccountDb();
+    const session = db.first('SELECT token FROM sessions WHERE token = ?', [
+      token,
+    ]);
+    if (!session) {
+      throw new Error(`Session not found for token: ${token}`);
+    }
+
+    db.mutate('UPDATE sessions SET user_id = ? WHERE token = ?', [
+      userId,
+      token,
+    ]);
+  } catch (error) {
+    console.error(`Error updating session for user ${userId}:`, error);
+    throw error;
+  }
+};
+
+// eslint-disable-next-line import/no-default-export
+export default async function setup() {
+  const NEVER_EXPIRES = -1; // or consider using a far future timestamp
+
+  await runMigrations();
+
+  createUser(GENERIC_ADMIN_ID, 'admin', ADMIN_ROLE_ID, 1);
+
+  // Insert a fake "valid-token" fixture that can be reused
+  const db = getAccountDb();
+  try {
+    await db.mutate('BEGIN TRANSACTION');
+
+    await db.mutate('DELETE FROM sessions');
+    await db.mutate(
+      'INSERT INTO sessions (token, expires_at, user_id) VALUES (?, ?, ?)',
+      ['valid-token', NEVER_EXPIRES, 'genericAdmin'],
+    );
+    await db.mutate(
+      'INSERT INTO sessions (token, expires_at, user_id) VALUES (?, ?, ?)',
+      ['valid-token-admin', NEVER_EXPIRES, 'genericAdmin'],
+    );
+
+    await db.mutate(
+      'INSERT INTO sessions (token, expires_at, user_id) VALUES (?, ?, ?)',
+      ['valid-token-user', NEVER_EXPIRES, 'genericUser'],
+    );
+
+    await db.mutate('COMMIT');
+  } catch (error) {
+    await db.mutate('ROLLBACK');
+    throw new Error(`Failed to setup test sessions: ${error.message}`);
+  }
+
+  setSessionUser('genericAdmin');
+  setSessionUser('genericAdmin', 'valid-token-admin');
+
+  createUser(GENERIC_USER_ID, 'user', BASIC_ROLE_ID, 1);
+}

package/jest.global-teardown.js

@@ -0,0 +1,6 @@
+import { run as runMigrations } from './src/migrations.js';
+
+// eslint-disable-next-line import/no-default-export
+export default async function teardown() {
+  await runMigrations('down');
+}

package/migrations/1694360000000-create-folders.js

@@ -0,0 +1,25 @@
+import fs from 'node:fs/promises';
+
+import { config } from '../src/load-config.js';
+
+async function ensureExists(path) {
+  try {
+    await fs.mkdir(path);
+  } catch (err) {
+    if (err.code === 'EEXIST') {
+      return null;
+    }
+
+    throw err;
+  }
+}
+
+export const up = async function () {
+  await ensureExists(config.get('serverFiles'));
+  await ensureExists(config.get('userFiles'));
+};
+
+export const down = async function () {
+  await fs.rm(config.get('serverFiles'), { recursive: true, force: true });
+  await fs.rm(config.get('userFiles'), { recursive: true, force: true });
+};

package/migrations/1694360479680-create-account-db.js

@@ -0,0 +1,30 @@
+import { getAccountDb } from '../src/account-db.js';
+
+export const up = async function () {
+  await getAccountDb().exec(`
+    CREATE TABLE IF NOT EXISTS auth
+      (password TEXT PRIMARY KEY);
+
+    CREATE TABLE IF NOT EXISTS sessions
+      (token TEXT PRIMARY KEY);
+
+    CREATE TABLE IF NOT EXISTS files
+      (id TEXT PRIMARY KEY,
+       group_id TEXT,
+       sync_version SMALLINT,
+       encrypt_meta TEXT,
+       encrypt_keyid TEXT,
+       encrypt_salt TEXT,
+       encrypt_test TEXT,
+       deleted BOOLEAN DEFAULT FALSE,
+       name TEXT);
+  `);
+};
+
+export const down = async function () {
+  await getAccountDb().exec(`
+    DROP TABLE auth;
+    DROP TABLE sessions;
+    DROP TABLE files;
+  `);
+};

package/migrations/1694362247011-create-secret-table.js

@@ -0,0 +1,16 @@
+import { getAccountDb } from '../src/account-db.js';
+
+export const up = async function () {
+  await getAccountDb().exec(`
+    CREATE TABLE IF NOT EXISTS secrets (
+      name TEXT PRIMARY KEY,
+      value BLOB
+    );
+  `);
+};
+
+export const down = async function () {
+  await getAccountDb().exec(`
+    DROP TABLE secrets;
+  `);
+};

package/migrations/1702667624000-rename-nordigen-secrets.js

@@ -0,0 +1,19 @@
+import { getAccountDb } from '../src/account-db.js';
+
+export const up = async function () {
+  await getAccountDb().exec(
+    `UPDATE secrets SET name = 'gocardless_secretId' WHERE name = 'nordigen_secretId'`,
+  );
+  await getAccountDb().exec(
+    `UPDATE secrets SET name = 'gocardless_secretKey' WHERE name = 'nordigen_secretKey'`,
+  );
+};
+
+export const down = async function () {
+  await getAccountDb().exec(
+    `UPDATE secrets SET name = 'nordigen_secretId' WHERE name = 'gocardless_secretId'`,
+  );
+  await getAccountDb().exec(
+    `UPDATE secrets SET name = 'nordigen_secretKey' WHERE name = 'gocardless_secretKey'`,
+  );
+};

package/migrations/1718889148000-openid.js

@@ -0,0 +1,41 @@
+import { getAccountDb } from '../src/account-db.js';
+
+export const up = async function () {
+  await getAccountDb().exec(
+    `
+    BEGIN TRANSACTION;
+     CREATE TABLE auth_new
+        (method TEXT PRIMARY KEY,
+        display_name TEXT,
+        extra_data TEXT, active INTEGER);
+
+    INSERT INTO auth_new (method, display_name, extra_data, active)
+      SELECT 'password', 'Password', password, 1 FROM auth;
+        DROP TABLE auth;
+        ALTER TABLE auth_new RENAME TO auth;
+
+    CREATE TABLE pending_openid_requests
+      (state TEXT PRIMARY KEY,
+      code_verifier TEXT,
+      return_url TEXT,
+      expiry_time INTEGER);
+    COMMIT;`,
+  );
+};
+
+export const down = async function () {
+  await getAccountDb().exec(
+    `
+    BEGIN TRANSACTION;
+    ALTER TABLE auth RENAME TO auth_temp;
+    CREATE TABLE auth
+        (password TEXT);
+    INSERT INTO auth (password)
+      SELECT extra_data FROM auth_temp WHERE method = 'password';
+    DROP TABLE auth_temp;
+
+    DROP TABLE pending_openid_requests;
+    COMMIT;
+      `,
+  );
+};

package/migrations/1719409568000-multiuser.js

@@ -0,0 +1,116 @@
+import { v4 as uuidv4 } from 'uuid';
+
+import { getAccountDb } from '../src/account-db.js';
+
+export const up = async function () {
+  const accountDb = getAccountDb();
+
+  accountDb.transaction(() => {
+    accountDb.exec(
+      `
+    CREATE TABLE users
+        (id TEXT PRIMARY KEY,
+        user_name TEXT,
+        display_name TEXT,
+        role TEXT,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        owner INTEGER NOT NULL DEFAULT 0);
+
+    CREATE TABLE user_access
+      (user_id TEXT,
+      file_id TEXT,
+      PRIMARY KEY (user_id, file_id),
+      FOREIGN KEY (user_id) REFERENCES users(id),
+      FOREIGN KEY (file_id) REFERENCES files(id)
+      );
+
+    ALTER TABLE files
+        ADD COLUMN owner TEXT;
+
+    ALTER TABLE sessions
+        ADD COLUMN expires_at INTEGER;
+
+    ALTER TABLE sessions
+        ADD COLUMN user_id TEXT;
+
+    ALTER TABLE sessions
+        ADD COLUMN auth_method TEXT;
+        `,
+    );
+
+    const userId = uuidv4();
+    accountDb.mutate(
+      'INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, 1, 1, ?)',
+      [userId, '', '', 'ADMIN'],
+    );
+
+    accountDb.mutate(
+      'UPDATE sessions SET user_id = ?, expires_at = ?, auth_method = ? WHERE auth_method IS NULL',
+      [userId, -1, 'password'],
+    );
+  });
+};
+
+export const down = async function () {
+  await getAccountDb().exec(
+    `
+      BEGIN TRANSACTION;
+
+      DROP TABLE IF EXISTS user_access;
+
+      CREATE TABLE sessions_backup (
+          token TEXT PRIMARY KEY
+      );
+
+      INSERT INTO sessions_backup (token)
+      SELECT token FROM sessions;
+
+      DROP TABLE sessions;
+
+      ALTER TABLE sessions_backup RENAME TO sessions;
+
+      CREATE TABLE files_backup (
+          id TEXT PRIMARY KEY,
+          group_id TEXT,
+          sync_version SMALLINT,
+          encrypt_meta TEXT,
+          encrypt_keyid TEXT,
+          encrypt_salt TEXT,
+          encrypt_test TEXT,
+          deleted BOOLEAN DEFAULT FALSE,
+          name TEXT
+      );
+
+      INSERT INTO files_backup (
+          id,
+          group_id,
+          sync_version,
+          encrypt_meta,
+          encrypt_keyid,
+          encrypt_salt,
+          encrypt_test,
+          deleted,
+          name
+      )
+      SELECT
+          id,
+          group_id,
+          sync_version,
+          encrypt_meta,
+          encrypt_keyid,
+          encrypt_salt,
+          encrypt_test,
+          deleted,
+          name
+      FROM files;
+
+      DROP TABLE files;
+
+      ALTER TABLE files_backup RENAME TO files;
+
+      DROP TABLE IF EXISTS users;
+
+      COMMIT;
+      `,
+  );
+};