Project Overview
This project involves creating a serverless function using AWS SAM (Serverless Application Model) that listens to a webhook from Up (my favourite bank) and automatically creates expenses in Splitwise based on the transaction data received.
I was inspired to create this project while traveling through South America with my partner. We decided to split expenses and set up a Splitwise group to track our spending over the next couple of months. I quickly found this task tedious, as I had to review transactions at the end of each day, add the relevant ones to the Splitwise group, include a title and description, and convert the transaction amounts from AUD to CAD (our agreed currency, as I would be moving to Canada after South America).
Having always wanted to use the Up API to build something, I thought this would be the perfect project. I could utilize the power of Up's webhooks to receive notifications of new transactions, use their API to fetch transaction details, and automatically create new expenses in Splitwise. This not only eliminated the manual work but also added transactions to Splitwise in real-time.
Design and Architecture
Architecture Overview
- Infrastructure: AWS SAM defines and deploys the serverless infrastructure (the Lambda function, its API Gateway endpoint and its IAM role).
- Function Flow:
- Up triggers a webhook on new transactions.
- The serverless function verifies that the webhook request came from Up, then uses the Up API to fetch the full transaction referenced by the event.
- The function maps the transaction data to an expense and creates it in Splitwise.
Technology Stack
- Backend: Node.js
- Cloud Provider: AWS
- Services: AWS Lambda, API Gateway, Systems Manager (Parameter Store)
- Third-party Integrations: Up API, Splitwise API
Security
Webhook Security
To ensure that webhook events are securely received and processed, the Up API includes a verification mechanism using the X-Up-Authenticity-Signature header. This header carries a signature that the receiving function uses to check that the incoming webhook event request was sent by Up and was not modified in transit.
Verification Process
The verification process involves the following steps:
- Obtain the secret key: a shared secretKey is provided once, when the webhook is created. It is known only to your application and to Up, so it must be stored as a secret (in this project, in Parameter Store).
- Compute the signature: take the raw, unparsed webhook event request body and compute the SHA-256 HMAC of those exact bytes using the shared secretKey. Do not parse and re-serialise the body first, because any change to whitespace or key order changes the HMAC.
- Compare signatures: compare the computed SHA-256 HMAC with the value of the X-Up-Authenticity-Signature header, using a constant-time comparison so the check does not leak information through timing.
If the computed signature matches the X-Up-Authenticity-Signature header, the request is confirmed to be from Up and can be safely processed. If the header is missing or does not match, the function should reject the request before doing anything with the body. This verification step prevents anyone who discovers the webhook URL from triggering the function with forged transaction data.
Secure API Access
- API Key Management: The Splitwise API key, Up API key and Up webhook secret are stored in AWS Systems Manager Parameter Store rather than in the repository or in plaintext environment variables. Secrets in Parameter Store should be SecureString parameters, which are encrypted with KMS. Secrets Manager would add automatic rotation and finer-grained auditing, but personally Parameter Store is sufficient for this use case, as the application is hosted on a private AWS account.
- Permission Management: The serverless function runs under an IAM role scoped to only the resources it needs, such as the specific parameters it reads, rather than broad wildcard permissions.
Features
Automatic Expense Creation
- Creation: The function maps Up transaction data to create a Splitwise expense.
- Expense Categorization: Categorizes expenses based on the transaction category.
- Ignore Transactions: Ability to ignore transactions based on the Up transaction description.
Learning Outcomes
Challenges
- Data Matching: Mapping of Up transaction data to Splitwise expense data.
- API Key Security: Because this project is public, it was important that keys and secrets never ended up in the repository. AWS Parameter Store turned out to be an easy and appropriate solution.
Skills Acquired
- AWS Serverless Application Model (SAM): Gained experience in building and deploying serverless functions using AWS SAM.
- Webhooks: Understanding of building a serverless function that responds to a webhook event.
- API Integration: Reinforced understanding of integrating with third-party APIs securely and efficiently.
Conclusion
This project was not only fun to build but successfully automated my needs of adding travel expenses to a Splitwise group based on my card transactions in real time. I got to work with some new technologies such as AWS SAM and webhooks. I got to enjoy traveling through South America with my partner, not worry about expenses, and now I can't wait to use this again for our next trip.
Future Improvements
- Multi Splitwise Group Support: Extend functionality to support multiple Splitwise groups and create expenses within a group depending on the transaction.
- User Notifications: Optional notifications can be sent to users via email or SMS when a new expense is created.
- Monitoring: Set up AWS CloudWatch Metrics and Alarms to monitor function performance and alert on failures.
- Testing: Build out unit testing
- Custom Authorizer: Move the signature check out of the create-expense Lambda and into a Lambda authorizer attached to API Gateway. One caveat to work through first: an API Gateway request authorizer receives headers but not the request body, and the Up signature is an HMAC over the body, so the authorizer would need some other way to see the exact bytes it has to hash.
- CI/CD: Investigate extending this project and building a CI/CD pipeline