syncforynab / fintech-to-ynab

Automatically push Monzo and Starling transactions into YNAB in real time.


Possible Hosted Version

scottrobertson opened this issue · comments

So... I have been thinking about how we can have a hosted version of this app so that webhooks can easily be set up for Monzo and Starling users. One major criterion is that we do not store any access tokens etc. This is mainly because I just don't want to have to deal with the security of YNAB data, and also because I don't think YNAB would like this.

What we could do is allow people to send their YNAB access token in with the webhook, similar to how we do it with ynab_account_id. So for example, they would set up their webhook URL to be:

https://hosted.app/monzo?ynab_access_token=blah&ynab_account_id=blah

That way we are not storing any access tokens at all, but it allows for super easy setup for people.

Any suggestions? Questions? Concerns? Is this a stupid idea?

It's an interesting idea, but the tokens don't expire so it's as good as having the keys to the kingdom. I suspect eventually they will open it up to allow others to "use" your application ("The Monzo Developer API is not suitable for building public applications."); then it will be possible, and that will be the correct way to do it.

Personally, I'd wait :)

@rossdargan to be clear, we would not store any Monzo tokens at all.

commented

Wouldn't the YNAB tokens end up in all the logs if passed in via GET? As far as I can tell that's about all that would happen as far as tokens being retrievable from anywhere. Worst case scenario if logs are breached, someone's YNAB ends up with a ton of random data in it / missing.

It would certainly be an easy way to set up webhooks while keeping up to date with the app code, I'd happily use it.

To be honest, I would feel comfortable storing the ynab tokens and logging in via oAuth.
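The logging concern raised in this thread, shown as an added example that is not part of the project's code: a helper that masks the token-bearing query parameters before a request URL reaches an access log, plus an audit check over existing log lines. The parameter names follow the webhook URL scheme proposed above; the hosted.app host, the token and the account id values are constructed, and treating ynab_account_id as sensitive is a conservative assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that must never reach an access log in clear text.
# ynab_access_token / ynab_account_id are the names from the proposed webhook URL;
# masking the account id as well is a conservative assumption made here.
SENSITIVE_PARAMS = frozenset({"ynab_access_token", "ynab_account_id", "access_token", "token"})

# Constructed sample webhook URL in the proposed shape (values are fake).
WEBHOOK_URL = "https://hosted.app/monzo?ynab_access_token=abc123secret&ynab_account_id=acct-42"


def redact_url(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Return `url` with the values of sensitive query parameters replaced by REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def access_log_line(method: str, url: str, status: int, redact: bool = True) -> str:
    """Build a minimal access-log line; with redact=False it behaves like a naive logger."""
    shown = redact_url(url) if redact else url
    return f"{method} {shown} {status}"


def leaked_params(log_line: str, sensitive=SENSITIVE_PARAMS) -> set:
    """Audit an existing log line: names of sensitive params whose real value is present."""
    pairs = re.findall(r"([A-Za-z_]+)=([^&\s]*)", log_line)
    return {k for k, v in pairs if k.lower() in sensitive and v and v != "REDACTED"}


if __name__ == "__main__":
    naive = access_log_line("POST", WEBHOOK_URL, 200, redact=False)
    safe = access_log_line("POST", WEBHOOK_URL, 200)
    print("naive :", naive, "-> leaks", leaked_params(naive))
    print("masked:", safe, "-> leaks", leaked_params(safe))
```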

commented

Would users then be able to just select their YNAB bank account ids via the hosted version? Set the Monzo one and the Starling one via the hosted app?

I assume users could then just set the webhooks to hosted.app/user-id-thing/monzo unless you plan on checking where the webhooks come from? Then determine if monzo or starling

@ganey Would probably encode an access token, ynab account id, and source (monzo, starling etc) in the webhook url.

I need some beta testers :D

commented

I'll happily test

@ganey can you send me an email at scottymeuk @ gmail and I will get back to you :)

Closing this, as it's inbound very soon.

And it's been approved! https://syncforynab.com