ihatemoney/docs/security.rst

Security
########

Ihatemoney does not have user accounts. Instead, authorization is based around
shared projects: this is a bit unusual and deserves some explanation about
the security model.

First of all, Ihatemoney fundamentally assumes that all members of a project trust
each other. Otherwise, you would probably not share expenses in the first place!

That being said, there are a few mechanisms to limit the impact of a malicious
member and to manage changes in membership (e.g. ensuring that a previous member
can no longer access the project). But these mechanisms don't prevent a malicious member
from breaking things in your project!

Security model
==============

A project has three main parameters when it comes to security:

- **project identifier** (equivalent to a "login")
- **private code** (equivalent to a "password")
- **token** (cryptographically derived from the private code)

Somebody with the private code can:

- access the project through the web interface or the API
- add, modify or remove bills
- view project history
- change basic settings of the project
- change the email address associated to the project
- change the private code of the project

Somebody with the token can manipulate the project through the API to
do essentially the same thing:

- access the project
- add, modify or remove bills
- change basic settings of the project
- change the email address associated to the project
- change the private code of the project

The token can also be used to build "invitation links". These links allow
to login on the web interface without knowing the private code, see below.

Giving access to a project
==========================

There are two main ways to give access to a project to a new person:

- share the project identifier and private code using any out-of-band
  communication method

- share an invitation link that allows to login on the web interface
  without knowing the private code

The second method is interesting because it does not reveal the private code.
In particular, somebody that is logged-in through the invitation link will not be able
to change the private code, because the web interface requires a confirmation
of the existing private code to change it.
However, a motivated person could extract the token from the invitation link,
use it to access the project through the API, and change the private code through
the API.

Removing access to a project
============================

If a person should no longer be able to access a project, the only way is to change
the private code.

This will also automatically change the token: old invitation links won't
work anymore, and anybody with the old token will no longer be able to access
the project through the API.

Recovering access to a project
==============================

If the private code is no longer known, the creator of the project can still recover
access. He/she must have provided an email address when creating the project,
and Ihatemoney can send a reset link to this email address (classical "forgot
your password" functionality).

Note, however, that somebody with the private code could have changed the email
address in the settings at any time.

Recovering lost data
====================

A member can delete or change bills. There is no way to revert such actions for now.
However, each project has an history page that lists all actions done on the project.
This history can be used to manually correct previous changes.

Note, however, that the history feature is primarily meant to protect against mistakes:
a malicious member can easily remove all entries from the history!

The best defense against this kind of issues is... backups! All data for a project can be
exported through the settings page or through the API.