The actual OAUTH implementation begins with 
https://cdn.plaid.com/link/v2/stable/link-initialize.js. I don't really have 
time ATM to reformat and study it, but it supports my initial suspicion that 
they're setting up a man-in-the-middle to obtain an OAUTH token to monitor the 
user's bank account. I wouldn't be comfortable permitting a third party that 
kind of access, and I'll bet that very few of plaid's customers disclose to 
their users that that's what's going on.

It's also apparent that server.py is intended as example code and that plaid 
customers would probably write their own, likely in php running on their web 
servers. It's very simple and could be easily ported to C++ or Scheme. Since it 
appears so far to be a one-time setup step it could live in an assistant that 
would use a webkitgtkwebview for the user to authenticate with the bank. The 
other half of the implementation would live in gnucash/import-export/plaid and 
handle the plaid API interaction and converting the json response into the 
transactions to present to the matcher. A bit of a project.

Documentation would have to include strong warnings and disclaimers about the 
third-party involvement and links to plaid's documentation and terms of use as 
well as to the registration page.

Plaid's terms of use are at https://plaid.com/legal/. I don't see anything in 
the Developer TOU that would preclude GnuCash providing the facility outlined 
above; it would be incumbent on every user to obtain the developer credentials 
just like they do for Alphavantage.

Regards,
John Ralls


> On Jun 18, 2020, at 10:05 AM, Jean Laroche <rip...@gmail.com> wrote:
> 
> The server code clearly mentions OAUTH. Let me know what you can determine 
> from the server code if you find something interesting...
> J.
> 
> On 6/18/20 9:51 AM, Derek Atkins wrote:
>>> This is interesting. It sounds like OAUTH, where the mini-webserver
>>> redirects to the bank's website for authentication and gets a token back,
>>> but OAUTH tokens are supposed to be single-use and expire. The fact that
>>> neither seems to be the case is a bit worrying. Does plaid provide the
>>> source code for this web server?
>> That's not always the case.  OAuth has long-lived tokens that can be
>> refreshed and reused, they are not (always) single-use tokens.  You're
>> right that it DOES sound like OAuth, but it also sounds like you're
>> obtaining a client token that can be re-used.
>>> Regards,
>>> John Ralls
>> -derek

_______________________________________________
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel