[GNC-dev] Patelco stopped supporting OFX... other options

Jean Laroche ripngo at gmail.com
Fri Jun 19 12:49:32 EDT 2020



On 6/19/20 9:38 AM, John Ralls wrote:
> The actual OAUTH implementation begins with https://cdn.plaid.com/link/v2/stable/link-initialize.js. I don't really have time ATM to reformat and study it, but it supports my initial suspicion that they're setting up a man-in-the-middle to obtain an OAUTH token to monitor the user's bank account. I wouldn't be comfortable permitting a third party that kind of access, and I'll bet that very few of plaid's customers disclose to their users that that's what's going on.
> 

Yes, that's also my understanding. They store the tokens, which actually 
give them and anybody who would hack them full read access to your 
account (the tokens do not allow anything other than reading).

> It's also apparent that server.py is intended as example code and that plaid customers would probably write their own, likely in php running on their web servers. It's very simple and could be easily ported to C++ or Scheme. Since it appears so far to be a one-time setup step it could live in an assistant that would use a webkitgtkwebview for the user to authenticate with the bank. The other half of the implementation would live in gnucash/import-export/plaid and handle the plaid API interaction and converting the json response into the transactions to present to the matcher. A bit of a project.
> 

Yes, I concur with you. Server.py is just an example. But integrating 
all this in GC would be a bit of a project, but I can't see any serious 
roadblock.

> Documentation would have to include strong warnings and disclaimers about the third-party involvement and links to plaid's documentation and terms of use as well as to the registration page.
> 
> Plaid's terms of use are at https://plaid.com/legal/. I don't see anything in the Developer TOU that would preclude GnuCash providing the facility outlined above; it would be incumbent on every user to obtain the developer credentials just like they do for Alphavantage.
> 
> Regards,
> John Ralls

The *main* issue for me is that you can't get investment data. The free 
account access only provides transactions for regular bank accounts. So 
I'm really not sure it's worth the effort to integrate this in GC, honestly.
Jean

