ray-finance 0.2.2 → 0.2.3

package/src/db/encryption.test.ts

@@ -0,0 +1,86 @@
+import { describe, it, expect } from "vitest";
+import { generateKey, encryptPlaidToken, decryptPlaidToken } from "./encryption.js";
+import { createCipheriv, randomBytes, scryptSync } from "crypto";
+
+describe("generateKey", () => {
+  it("returns a 64-char hex string (32 bytes)", () => {
+    const key = generateKey();
+    expect(key).toMatch(/^[0-9a-f]{64}$/);
+  });
+
+  it("returns unique keys each call", () => {
+    expect(generateKey()).not.toBe(generateKey());
+  });
+});
+
+describe("encryptPlaidToken / decryptPlaidToken", () => {
+  const secret = "test-secret-passphrase";
+
+  it("roundtrips a token", () => {
+    const token = "access-sandbox-abc123";
+    const encrypted = encryptPlaidToken(token, secret);
+    expect(decryptPlaidToken(encrypted, secret)).toBe(token);
+  });
+
+  it("produces 4-part format (salt:iv:authTag:data)", () => {
+    const encrypted = encryptPlaidToken("token", secret);
+    expect(encrypted.split(":")).toHaveLength(4);
+  });
+
+  it("produces different ciphertext each time (random salt+iv)", () => {
+    const a = encryptPlaidToken("same-token", secret);
+    const b = encryptPlaidToken("same-token", secret);
+    expect(a).not.toBe(b);
+  });
+
+  it("roundtrips empty string", () => {
+    const encrypted = encryptPlaidToken("", secret);
+    expect(decryptPlaidToken(encrypted, secret)).toBe("");
+  });
+
+  it("roundtrips unicode", () => {
+    const token = "tökén-with-émojis-🔑";
+    const encrypted = encryptPlaidToken(token, secret);
+    expect(decryptPlaidToken(encrypted, secret)).toBe(token);
+  });
+
+  it("throws with wrong secret", () => {
+    const encrypted = encryptPlaidToken("token", secret);
+    expect(() => decryptPlaidToken(encrypted, "wrong-secret")).toThrow();
+  });
+
+  it("throws when authTag is tampered", () => {
+    const encrypted = encryptPlaidToken("token", secret);
+    const parts = encrypted.split(":");
+    // Flip a byte in the auth tag
+    const tampered = parts[2][0] === "a" ? "b" + parts[2].slice(1) : "a" + parts[2].slice(1);
+    parts[2] = tampered;
+    expect(() => decryptPlaidToken(parts.join(":"), secret)).toThrow();
+  });
+
+  it("throws when encrypted data is tampered", () => {
+    const encrypted = encryptPlaidToken("token", secret);
+    const parts = encrypted.split(":");
+    const tampered = parts[3][0] === "a" ? "b" + parts[3].slice(1) : "a" + parts[3].slice(1);
+    parts[3] = tampered;
+    expect(() => decryptPlaidToken(parts.join(":"), secret)).toThrow();
+  });
+});
+
+describe("legacy 3-part format", () => {
+  it("decrypts tokens encrypted with static salt", () => {
+    const secret = "legacy-secret";
+    const token = "access-sandbox-legacy";
+
+    // Manually create a 3-part encrypted token using the hardcoded legacy salt
+    const salt = Buffer.from("ray-finance-plaid-token", "utf8");
+    const key = scryptSync(secret, salt, 32);
+    const iv = randomBytes(16);
+    const cipher = createCipheriv("aes-256-gcm", key, iv);
+    const encrypted = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+
+    const legacy = `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+    expect(decryptPlaidToken(legacy, secret)).toBe(token);
+  });
+});

package/src/db/encryption.ts

@@ -1,28 +1,38 @@
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
 
-const SCRYPT_SALT = "ray-finance-plaid-token"; // Static salt is fine — secret is already high-entropy
 const SCRYPT_KEYLEN = 32;
+const SALT_LEN = 16;
 
 export function generateKey(): string {
   return randomBytes(32).toString("hex");
 }
 
-function deriveKey(secret: string): Buffer {
-  return scryptSync(secret, SCRYPT_SALT, SCRYPT_KEYLEN);
+function deriveKey(secret: string, salt: Buffer): Buffer {
+  return scryptSync(secret, salt, SCRYPT_KEYLEN);
 }
 
 export function encryptPlaidToken(token: string, secret: string): string {
-  const key = deriveKey(secret);
+  const salt = randomBytes(SALT_LEN);
+  const key = deriveKey(secret, salt);
   const iv = randomBytes(16);
   const cipher = createCipheriv("aes-256-gcm", key, iv);
   const encrypted = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
   const authTag = cipher.getAuthTag();
-  return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+  return `${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
 }
 
 export function decryptPlaidToken(encrypted: string, secret: string): string {
-  const [ivHex, authTagHex, dataHex] = encrypted.split(":");
-  const key = deriveKey(secret);
+  const parts = encrypted.split(":");
+  // Support legacy 3-part format (static salt) and new 4-part format (random salt)
+  let salt: Buffer, ivHex: string, authTagHex: string, dataHex: string;
+  if (parts.length === 3) {
+    salt = Buffer.from("ray-finance-plaid-token", "utf8");
+    [ivHex, authTagHex, dataHex] = parts;
+  } else {
+    [, ivHex, authTagHex, dataHex] = parts;
+    salt = Buffer.from(parts[0], "hex");
+  }
+  const key = deriveKey(secret, salt);
   const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ivHex, "hex"));
   decipher.setAuthTag(Buffer.from(authTagHex, "hex"));
   return decipher.update(Buffer.from(dataHex, "hex")) + decipher.final("utf8");

package/src/db/schema.test.ts

@@ -0,0 +1,53 @@
+import { describe, it, expect } from "vitest";
+import Database from "better-sqlite3-multiple-ciphers";
+import { migrate } from "./schema.js";
+
+function freshDb() {
+  const db = new Database(":memory:");
+  db.pragma("foreign_keys = ON");
+  return db;
+}
+
+describe("migrate", () => {
+  it("creates all 18 tables", () => {
+    const db = freshDb();
+    migrate(db);
+
+    const tables = db
+      .prepare(`SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name`)
+      .all()
+      .map((r: any) => r.name);
+
+    const expected = [
+      "accounts",
+      "achievements",
+      "ai_audit_log",
+      "budgets",
+      "conversation_history",
+      "daily_scores",
+      "goals",
+      "holdings",
+      "institutions",
+      "liabilities",
+      "memories",
+      "milestones",
+      "net_worth_history",
+      "recategorization_rules",
+      "recurring",
+      "recurring_bills",
+      "securities",
+      "settings",
+      "transactions",
+    ];
+
+    for (const t of expected) {
+      expect(tables, `missing table: ${t}`).toContain(t);
+    }
+  });
+
+  it("is idempotent", () => {
+    const db = freshDb();
+    migrate(db);
+    expect(() => migrate(db)).not.toThrow();
+  });
+});

package/src/db/schema.ts

@@ -102,7 +102,7 @@ export function migrate(db: Database.Database): void {
       name TEXT NOT NULL,
       target_amount REAL NOT NULL,
       current_amount REAL DEFAULT 0,
-      deadline TEXT,
+      target_date TEXT,
       status TEXT DEFAULT 'active'
     );
 
@@ -193,4 +193,10 @@ export function migrate(db: Database.Database): void {
       created_at TEXT DEFAULT (datetime('now'))
     );
   `);
+
+  // Migrate: rename goals.deadline -> target_date for existing databases
+  const goalCols = db.prepare(`PRAGMA table_info(goals)`).all() as { name: string }[];
+  if (goalCols.some(c => c.name === "deadline") && !goalCols.some(c => c.name === "target_date")) {
+    db.exec(`ALTER TABLE goals RENAME COLUMN deadline TO target_date`);
+  }
 }

package/src/public/link.html

@@ -2,18 +2,15 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <link rel="preconnect" href="https://fonts.googleapis.com">
-  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-  <link href="https://fonts.googleapis.com/css2?family=Geist+Mono:wght@700&display=swap" rel="stylesheet">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 100 100'><circle cx='50' cy='50' r='40' fill='%231a1a1a'/></svg>">
+  <link rel="icon" href="/favicon.png">
   <title>Ray — Connect Account</title>
   <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
+    * { margin: 0; padding: 0; box-sizing: border-box; -webkit-font-smoothing: antialiased; -moz-osx-font-smoothing: grayscale; }
     body {
-      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
-      background: #fafafa;
-      color: #1a1a1a;
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+      background: #fafaf9;
+      color: #1c1917;
       display: flex;
       align-items: center;
       justify-content: center;
@@ -22,36 +19,37 @@
     }
     .card {
       background: #fff;
-      border-radius: 12px;
-      padding: 40px 32px;
+      border: 1px solid rgba(214, 211, 209, 0.6);
+      border-radius: 16px;
+      padding: 48px 40px;
       max-width: 400px;
       width: 100%;
       text-align: center;
-      box-shadow: 0 1px 3px rgba(0,0,0,0.08);
     }
-    h1 { font-size: 22px; font-weight: 600; margin-bottom: 8px; }
-    p { font-size: 15px; color: #666; margin-bottom: 24px; line-height: 1.5; }
+    .logo { margin-bottom: 32px; }
+    .logo img { height: 24px; }
+    h1 { font-size: 20px; font-weight: 600; margin-bottom: 8px; color: #1c1917; }
+    p { font-size: 15px; color: #78716c; margin-bottom: 24px; line-height: 1.6; }
     button {
-      background: #1a1a1a;
+      background: #1c1917;
       color: #fff;
       border: none;
       padding: 14px 32px;
       border-radius: 9999px;
-      font-size: 16px;
+      font-size: 15px;
       font-weight: 500;
       cursor: pointer;
       width: 100%;
       transition: background 0.2s;
     }
-    button:hover { background: #333; }
-    button:disabled { background: #ccc; cursor: not-allowed; }
-    .success { color: #28a745; font-weight: 600; }
+    button:hover { background: #292524; }
+    button:disabled { background: #d6d3d1; cursor: not-allowed; }
+    .success { color: #6ab318; font-weight: 600; }
     .error { color: #dc3545; font-size: 14px; margin-top: 16px; }
-    .logo { font-size: 28px; font-weight: 700; margin-bottom: 24px; color: #1a1a1a; font-family: 'Geist Mono', monospace; }
     .checkmark {
       width: 48px;
       height: 48px;
-      border: 2.5px solid #28a745;
+      border: 2.5px solid #6ab318;
       border-radius: 50%;
       display: flex;
       align-items: center;
@@ -61,7 +59,7 @@
     .checkmark svg {
       width: 24px;
       height: 24px;
-      stroke: #28a745;
+      stroke: #6ab318;
       fill: none;
       stroke-width: 2.5;
       stroke-linecap: round;
@@ -74,12 +72,24 @@
       object-fit: contain;
       margin-bottom: 16px;
     }
+    .spinner {
+      display: inline-block;
+      width: 20px;
+      height: 20px;
+      border: 2px solid #d6d3d1;
+      border-top-color: #78716c;
+      border-radius: 50%;
+      animation: spin 0.6s linear infinite;
+      margin-bottom: 16px;
+    }
+    @keyframes spin { to { transform: rotate(360deg); } }
   </style>
 </head>
 <body>
   <div class="card">
-    <div class="logo">RAY</div>
+    <div class="logo"><img src="/ray-logo-dark.png" alt="Ray"></div>
     <div id="connect-view">
+      <div class="spinner"></div>
       <p>Opening Plaid...</p>
       <div id="error" class="error" style="display:none"></div>
     </div>
@@ -97,13 +107,26 @@
     let linkHandler = null;
 
     async function initPlaid() {
+      // Wait for Plaid SDK to load
+      if (typeof Plaid === 'undefined') {
+        let attempts = 0;
+        await new Promise((resolve, reject) => {
+          const check = setInterval(() => {
+            if (typeof Plaid !== 'undefined') { clearInterval(check); resolve(); }
+            else if (++attempts > 50) { clearInterval(check); reject(new Error('Failed to load Plaid SDK. Check your ad blocker or network connection.')); }
+          }, 100);
+        });
+      }
       try {
         const res = await fetch('/api/link-token', {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify({ session_id: sessionId }),
         });
-        if (!res.ok) throw new Error('Session expired');
+        if (!res.ok) {
+          const data = await res.json().catch(() => ({}));
+          throw new Error(data.error || 'Failed to connect. Please run "ray link" again.');
+        }
         const { link_token } = await res.json();
 
         linkHandler = Plaid.create({
@@ -145,7 +168,7 @@
         // Auto-open Plaid Link
         linkHandler.open();
       } catch (e) {
-        showError('This link has expired. Please run "ray link" again.');
+        showError(e.message || 'This link has expired. Please run "ray link" again.');
       }
     }