this post was submitted on 04 Mar 2025

Self-Hosted Alternatives to Popular Services

This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/Dramatic_Ad5442 on 2025-03-03 14:19:04+00:00.


Hello all, Noah here with the March update!

For those of you that are new, welcome! Receipt Wrangler is a self-hosted, AI-powered app that makes managing receipts easy. Receipt Wrangler is capable of scanning your receipts from desktop uploads, mobile app scans, or via email, or entering manually. Users can itemize, categorize, and split them amongst users in the app. Check out for more information.

February consisted of a lot of maintenance development, polish, and a few enhancements to top it off.

Development Highlights:

CSV Export (Desktop): Users may now export their receipts in CSV format. Export works from any group's table, it will export all of the receipts using the applied filter and sort order. Users may also export from a dashboard, or individually selected receipts from the table. The export returns a zip containing receipt data, and item data as well.

Added API Key to Custom Open AI: Custom Open AI now supports API keys which allows for use with Azure Open AI endpoints, or any configuration that requires an API key. As a heads up, Custom Open AI used to require a FULL URL, now it only requires a base, f.ex . This is due to an implementation change, so now Open AI and Open AI Custom use the same library to handle requests, and responses.

Angular 19 Upgrade: Desktop's Angular version was upgraded from 17 to 19 and upgraded to Angular's new build system, which results in smaller builds and faster initial loads.

Major API library upgrades: Upgraded go-jwt from 4.5.1 to 5.2.1 (handles generating and validating auth tokens), Upgraded imagick from v2.7.0 to v3.7.2 (handles image manipulation when) and every other package updated to latest version.

SQL injection fixes: A few days ago I discovered and confirmed two SQL injection instances. These are possible via the tag delete, or category delete endpoint which only Receipt Wrangler Admins have access to. These endpoints delete a category, or a tag by id, however, if a malicious id is sent that contains SQL, then the SQL script will be executed. Receipt Wrangler uses GORM to handle database interactions, and GORM itself handles SQL injection by sanitizing inputs and providing syntax to make it easy to obtain this sanitization. However, in these two instances, the SQL query was constructed directly instead of letting GORM construct the query, and that circumvented the sanitization. I did not find any other instances of SQL injection after testing different endpoints that also constructed their own queries. Fixes made in this PR.

Token storage fix: The API stores all generated JWTs and refresh tokens so that they may be revoked when the user logs out, or requests a new token (happens in the background), however the tokens were not hashed before being stored, so now they are and all old tokens will be removed. This means if a threat actor had access to the db, they could gain access to unrevoked tokens and act as other users.

Bug Fixes/Enhancements: Adjusted dashboard's responsiveness and layout. Still some jank, but it is significantly better than before, fixed broken links when admin navigates to another user's group settings, fixed whole app reloading when navigating via queue

Coming Up in March:

Custom Fields: Users will be able to create custom fields, to be used on Receipts. Custom field types will include: Currency fields, Date fields, Text Fields and Select Fields for now.

Itemization Updates: Currently itemization is a bit weird in that the only way to itemize is through shares. This works, but the language and UI is less than ideal. Coming up will rework things a bit. A share will be an item that is charged to another user, and an item will be an item that is not charged to anyone. The UI will be adjusted to make itemization much faster.

Lastly, itemization is already possible via prompts, but admins need to write their own prompt. So itemization via AI will be integrated tighter, and easier to do than before, making it possible to automatically itemize via quick scan, email ingestion and on the form itself.

Notes:

Arm Builds: Arm builds were broken early last month, and were fixed in the 6.1.0 release

PikaPod: Drop a vote here: if you'd like to see Receipt Wrangler get added to PikaPods as an easy one click install for Receipt Wrangler!

As always, thanks for reading!

Noah
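
The token storage fix described in the post, sketched as an added example that is not Receipt Wrangler's code: a revocation store that keeps only digests of issued tokens. SHA-256, the in-memory map, and the names `TokenStore`, `Issue`, `Lookup` and `Revoke` are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TokenStore is a hypothetical in-memory stand-in for the token table.
// It keeps only digests, so reading the store yields no usable tokens.
type TokenStore struct {
	active map[string]uint // hex digest -> user id
}

func NewTokenStore() *TokenStore { return &TokenStore{active: map[string]uint{}} }

// digest hashes a token with SHA-256 (assumed here). A fast, unsalted hash is
// acceptable because signed JWTs and random refresh tokens are high entropy.
func digest(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue records the digest of a newly generated token for userID.
func (s *TokenStore) Issue(token string, userID uint) {
	s.active[digest(token)] = userID
}

// Lookup hashes the presented token and reports whether it is unrevoked.
func (s *TokenStore) Lookup(token string) (uint, bool) {
	id, ok := s.active[digest(token)]
	return id, ok
}

// Revoke removes a token on logout or refresh; only the token is needed.
func (s *TokenStore) Revoke(token string) {
	delete(s.active, digest(token))
}

func main() {
	s := NewTokenStore()
	tok := "constructed.sample.token" // constructed sample, not a real JWT
	s.Issue(tok, 7)
	fmt.Println("stored:", s.active) // digest only, never the token
	s.Revoke(tok)
	_, ok := s.Lookup(tok)
	fmt.Println("valid after revoke:", ok)
}
```

Presenting a stored digest back to `Lookup` fails, because it is hashed again before comparison; that is what makes a copy of the table useless for acting as another user.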
