A secure, production-ready payroll automation system built with FastAPI, Streamlit, and Paystack integration. This system enables automatic salary payments, worker management, and comprehensive audit trails with bank-level security.
- Secure Authentication: Password + 2FA (Google Authenticator) login
- Worker Management: Complete CRUD operations for employee records
- Automated Payments: Scheduled salary payments via Paystack
- Payment Processing: Manual and automated payment processing
- Real-time Dashboard: Balance tracking and payment history
- Audit Logging: Complete activity tracking and security logs
- Multi-factor Authentication: TOTP-based 2FA with QR codes
- Password Security: bcrypt hashing with salt (12 rounds)
- JWT Tokens: Secure, stateless authentication
- Rate Limiting: API protection against abuse
- Input Validation: Comprehensive data sanitization
- Audit Trail: All actions logged with timestamps and IP addresses
- Paystack API: Nigerian bank account transfers
- Account Verification: Real-time bank account validation
- Transfer Management: Secure money transfers to Nigerian banks
- Payment History: Complete transaction records
- Balance Monitoring: Real-time Paystack account balance
- FastAPI: Modern, fast Python web framework
- SQLAlchemy: Database ORM with type safety
- SQLite: Lightweight database (development) / PostgreSQL (production)
- APScheduler: Job scheduling for automated payments
- PyJWT: JWT token management
- bcrypt: Password hashing
- PyOTP: TOTP 2FA implementation
- Streamlit: Python-based web application framework
- Plotly: Interactive charts and analytics
- Pandas: Data manipulation and analysis
- Paystack: Nigerian payment gateway
- Bank Integration: Support for all Nigerian banks
```
payroll-automation-system/
├── backend/                     # FastAPI backend application
│   ├── auth/                    # Authentication & security
│   │   ├── security.py          # Password hashing, JWT tokens
│   │   ├── two-factor.py        # 2FA implementation
│   │   └── middleware.py        # Security middleware
│   ├── database.py              # Database configuration
│   ├── Config.py                # Application settings
│   ├── main.py                  # Application entry point
│   ├── models/                  # Database models
│   ├── routes/                  # API endpoints
│   │   ├── auth.py              # Authentication routes
│   │   ├── worker.py            # Worker management routes
│   │   └── payment.py           # Payment processing routes
│   ├── services/                # Business logic
│   │   ├── paystack.py          # Paystack API wrapper
│   │   └── Payment_scheduler.py # Automated payment scheduler
│   └── utils/                   # Utility functions
│       └── validators.py        # Input validation
├── frontend/                    # Streamlit frontend
│   ├── app.py                   # Main application
│   ├── pages/
│   │   ├── balance.py           # Dashboard page
│   │   └── edit_salaries.py     # Worker management page
│   └── components/              # Reusable UI components
├── database/                    # Database files
│   ├── migrations/              # SQL migration scripts
│   └── seeds/                   # Initial data setup
├── scripts/                     # Utility scripts
│   ├── setup_db.py              # Database initialization
│   ├── create_user.py           # Admin user creation
│   └── backup_db.py             # Database backup utility
├── requirements.txt             # Python dependencies
├── .env.example                 # Environment template
└── README.md                    # This file
```
- Python 3.8 or higher
- Git
- Paystack account (for payment processing)
```bash
# Clone the repository
git clone <repository-url>
cd payroll-automation-system

# Create virtual environment
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt
```

```bash
# Copy environment template
cp .env.example .env

# Edit .env file with your settings
nano .env
```

Required Settings:
- `SECRET_KEY`: Generate a secure secret key
- `PAYSTACK_SECRET_KEY`: Your Paystack secret key
- `PAYSTACK_PUBLIC_KEY`: Your Paystack public key
- `JWT_SECRET_KEY`: JWT signing secret

```bash
# Initialize database
python scripts/setup_db.py init

# Verify database setup
python scripts/setup_db.py status
```

```bash
# Create first admin user
python scripts/create_user.py create --username admin1 --email admin1@company.com

# Create second admin user
python scripts/create_user.py create --username admin2 --email admin2@company.com

# List all users
python scripts/create_user.py list
```

Important: Save the credentials file and QR code for 2FA setup!
Terminal 1 - Backend API:

```bash
cd backend
uvicorn main:app --reload --port 8000
```

Terminal 2 - Frontend:

```bash
streamlit run frontend/app.py --server.port 8501
```

- Frontend: http://localhost:8501
- API Documentation: http://localhost:8000/docs
- Health Check: http://localhost:8000/health
- Login to the system with 2FA
- Go to "Worker Management" tab
- Click "Add Worker" and fill in:
  - Full name
  - Email (optional)
  - Bank details (automatically validated)
  - Salary amount
  - Payment frequency
- Manual Payment: Select worker and process payment immediately
- Scheduled Payment: Workers are automatically paid based on their frequency
- Bulk Payment: Process multiple workers at once
- View all transaction records
- Filter by date, status, worker
- Export to CSV
- Track payment references
- Minimum 8 characters
- Must contain: uppercase, lowercase, digit, special character
- Prevents common weak passwords
- Secure hashing with bcrypt (12 rounds)
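The password rules above, written out as a checker that can be called from a registration or password-change route. This is an added example, not the project's `backend/auth/security.py`; the deny-list entries and the 72-byte cap are assumptions (the cap reflects bcrypt's input limit, which the project does not state). `hash_password` refuses any password the policy rejects, so the weak-password check cannot be skipped by calling the hashing function directly.

```python
import re
from typing import List

# Constructed deny-list for this example; a real deployment loads a much larger
# corpus (e.g. a breached-password list) at startup rather than hard-coding it.
COMMON_WEAK_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "qwerty123", "admin123",
    "welcome1", "letmein", "iloveyou", "changeme", "payroll123",
}

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# bcrypt only ever uses the first 72 bytes of its input. Rejecting longer
# passwords up front (an assumed cap, not a project rule) avoids a silent
# truncation that would make "the first 72 bytes" the effective password.
BCRYPT_MAX_BYTES = 72


def validate_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < 8:
        problems.append("must be at least 8 characters")
    if len(password.encode("utf-8")) > BCRYPT_MAX_BYTES:
        problems.append("must be at most 72 bytes")
    if not any(c.isupper() for c in password):
        problems.append("must contain an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("must contain a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("must contain a digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("must contain a special character")
    # The deny-list check is case-insensitive and ignores trailing punctuation,
    # so "Password1!" is still recognised as the common "password1".
    lowered = password.lower()
    stripped = re.sub(r"[^a-z0-9]+$", "", lowered)
    if lowered in COMMON_WEAK_PASSWORDS or stripped in COMMON_WEAK_PASSWORDS:
        problems.append("is too common")
    return problems


def hash_password(password: str) -> bytes:
    """Hash with bcrypt at 12 rounds (a random salt is embedded in the output).

    The `bcrypt` package is imported lazily so the policy check above works
    even where bcrypt is not installed."""
    import bcrypt
    problems = validate_password(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt(rounds=12))


def check_password(password: str, stored_hash: bytes) -> bool:
    """Constant-time comparison against the stored bcrypt hash."""
    import bcrypt
    return bcrypt.checkpw(password.encode("utf-8"), stored_hash)
```

Returning the full list of violations, rather than the first one, lets the Streamlit form show the user everything that needs fixing in one round trip.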
- TOTP-based authentication
- Google Authenticator compatible
- QR code setup
- Backup codes for account recovery
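The 2FA flow in the list above, as an added example that is not the project's `two-factor.py` (the project uses PyOTP; this version uses only the standard library so the arithmetic of RFC 4226/6238 is visible). It generates a secret, derives the code Google Authenticator would show, verifies a submitted code with one step of clock tolerance and replay protection, builds the `otpauth://` URI that gets rendered as a QR code, and manages single-use backup codes. The issuer name, the drift window and the backup-code format are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step used by Google Authenticator
DIGITS = 6


def generate_totp_secret(num_bytes: int = 20) -> str:
    """Random base32 secret (160 bits, the RFC 4226 recommendation); this is the
    string that ends up inside the QR code, so treat it like a password."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / 30 s."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the code was accepted for, or None.

    window=1 tolerates one step of clock drift either way (the usual cause of
    "2FA not working"). last_used_counter is the counter stored from the user's
    previous successful login; refusing anything at or below it makes each code
    usable once, even inside its 30 s step."""
    now = int(time.time()) if at is None else at
    base = now // STEP_SECONDS
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None


def provisioning_uri(secret_b32: str, username: str, issuer: str = "Payroll") -> str:
    """otpauth:// URI understood by Google Authenticator; render it as a QR code."""
    label = quote(f"{issuer}:{username}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def generate_backup_codes(count: int = 8) -> List[str]:
    """One-time recovery codes, shown to the user exactly once (e.g. 'a1b2-c3d4')."""
    return [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(count)]


def hash_backup_code(code: str, salt: bytes) -> str:
    """Backup codes are short, so store them under a slow salted hash (PBKDF2 here;
    the project's bcrypt would do equally well), never in clear text."""
    normalised = code.replace("-", "").lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, 100_000).hex()


def redeem_backup_code(stored_hashes: Set[str], salt: bytes, code: str) -> bool:
    """Consume a backup code: succeeds at most once per code."""
    digest = hash_backup_code(code, salt)
    for stored in stored_hashes:
        if hmac.compare_digest(stored, digest):
            stored_hashes.discard(stored)   # single use
            return True
    return False
```

The test vector from RFC 6238 (secret `12345678901234567890`, time 59) yields `287082`, which is a quick way to confirm a server's clock and implementation agree with the authenticator app before blaming the user's phone.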
- JWT token authentication
- Rate limiting (100 requests/minute)
- Input validation and sanitization
- CORS protection
- SQL injection prevention
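The first two items in the API list above, as an added example that is not the project's middleware. The project signs tokens with PyJWT; the standard-library HS256 implementation here makes explicit the checks that `jwt.decode(token, key, algorithms=["HS256"])` performs (signature over header and payload, pinned algorithm, expiry) and pairs it with a sliding-window limiter sized to the 100 requests/minute figure. The 15-minute token lifetime, the class and function names and the sample IP addresses are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from collections import deque
from typing import Any, Deque, Dict, Optional


class AuthError(Exception):
    """Raised for any token problem; the route answers 401 without the detail."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: str, subject: str, ttl_seconds: int = 900,
                now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(secret: str, token: str, now: Optional[int] = None) -> Dict[str, Any]:
    """Verify signature and expiry and return the claims.

    The algorithm is pinned to HS256 instead of being read from the header, so
    a header claiming alg=none is rejected before any signature logic runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise AuthError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected algorithm")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        raise AuthError("bad signature")
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        raise AuthError("malformed token")
    now = int(time.time()) if now is None else now
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise AuthError("token expired")
    return payload


def token_is_valid(secret: str, token: str, now: Optional[int] = None) -> bool:
    try:
        verify_token(secret, token, now)
        return True
    except AuthError:
        return False


class SlidingWindowLimiter:
    """At most `limit` requests per client in any `window` seconds, keyed by
    client IP. In-memory, so it protects a single process; multiple workers
    would share the counters through Redis or the database instead."""

    def __init__(self, limit: int = 100, window: int = 60) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        hits = self._hits.setdefault(client_ip, deque())
        while hits and hits[0] <= now - self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True
```

In a FastAPI dependency the limiter check runs before token verification, so a flood of bad tokens is rejected by the cheap path, and the `AuthError` message stays in the server log rather than the 401 body.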
Users Table
- User accounts with 2FA support
- Password hashing and salt storage
- Login attempt tracking
- Audit trail integration
Workers Table
- Employee information
- Bank details and verification
- Salary and payment settings
- Payment scheduling
Payment History Table
- Complete transaction records
- Paystack integration details
- Status tracking (pending, success, failed)
- Audit trail integration
Audit Logs Table
- Security event tracking
- User action logging
- IP address recording
- Timestamp tracking
| Variable | Description | Default |
|---|---|---|
| `DEBUG` | Enable debug mode | `true` |
| `DATABASE_URL` | Database connection | `sqlite:///./database/payroll.db` |
| `PAYSTACK_SECRET_KEY` | Paystack secret key | Required |
| `JWT_SECRET_KEY` | JWT signing secret | Required |
| `AUTO_PAYMENT_ENABLED` | Enable automated payments | `false` |
| `PAYMENT_SCHEDULE_HOUR` | Daily payment check hour | `9` |
- Create account at https://paystack.com
- Get API keys from dashboard
- Add keys to `.env` file
- Test with sandbox keys first
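The bank-account verification step that runs when a worker is added, as an added example that is not the project's `services/paystack.py`. The endpoint (`GET /bank/resolve`), the `Bearer` authorization header and the `sk_test_` / `sk_live_` key prefixes are from Paystack's public API documentation; the transport is injectable so the code can be exercised offline, and the canned response, account details and names are constructed for the example. The bank-code pattern is an assumption.

```python
import json
import re
from typing import Any, Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PAYSTACK_BASE_URL = "https://api.paystack.co"
NUBAN_RE = re.compile(r"^\d{10}$")       # Nigerian account numbers are 10 digits
BANK_CODE_RE = re.compile(r"^\d{3,6}$")  # assumption: numeric CBN bank codes only

# A transport takes (url, headers) and returns the decoded JSON body.
Transport = Callable[[str, Dict[str, str]], Dict[str, Any]]


class PaystackError(Exception):
    """Gateway-side failure (HTTP error or status=false in the body)."""


def is_valid_bank_details(account_number: str, bank_code: str) -> bool:
    """Reject malformed input locally before it reaches the gateway."""
    return bool(NUBAN_RE.fullmatch(account_number) and BANK_CODE_RE.fullmatch(bank_code))


def http_get_json(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Dict[str, Any]:
    """Real transport: GET with a timeout, so a stalled gateway cannot hang a payroll run."""
    request = Request(url, headers=headers, method="GET")
    try:
        with urlopen(request, timeout=timeout) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as exc:
        # Surface the status code only; the request headers hold the secret key.
        raise PaystackError(f"Paystack HTTP {exc.code}") from exc


class PaystackClient:
    def __init__(self, secret_key: str, transport: Transport = http_get_json) -> None:
        # Secret keys start with sk_test_ or sk_live_; catching a public key or a
        # blank value here is cheaper than a 401 in the middle of a payroll run.
        if not secret_key.startswith(("sk_test_", "sk_live_")):
            raise ValueError("PAYSTACK_SECRET_KEY must be a Paystack secret key")
        self._secret_key = secret_key
        self._transport = transport
        self.is_live = secret_key.startswith("sk_live_")

    def __repr__(self) -> str:
        # Keep the key out of tracebacks, logs and Streamlit error panels.
        return f"PaystackClient(live={self.is_live}, secret_key='***')"

    def resolve_account(self, account_number: str, bank_code: str) -> Dict[str, str]:
        """Confirm the account exists and return the name the bank holds for it."""
        if not is_valid_bank_details(account_number, bank_code):
            raise ValueError("account_number must be 10 digits and bank_code numeric")
        url = (f"{PAYSTACK_BASE_URL}/bank/resolve"
               f"?account_number={account_number}&bank_code={bank_code}")
        body = self._transport(url, {"Authorization": f"Bearer {self._secret_key}"})
        if not body.get("status") or not isinstance(body.get("data"), dict):
            raise PaystackError(body.get("message", "account could not be resolved"))
        return {
            "account_number": str(body["data"]["account_number"]),
            "account_name": str(body["data"]["account_name"]),
        }


def make_fake_transport(response: Dict[str, Any]) -> Tuple[Transport, List[Tuple[str, Dict[str, str]]]]:
    """Constructed offline transport: records each call and returns a canned body."""
    calls: List[Tuple[str, Dict[str, str]]] = []

    def transport(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        calls.append((url, headers))
        return response

    return transport, calls


if __name__ == "__main__":
    # Constructed response in the shape Paystack documents for /bank/resolve.
    canned = {"status": True, "message": "Account number resolved",
              "data": {"account_number": "0001234567", "account_name": "ADA OKAFOR", "bank_id": 9}}
    transport, calls = make_fake_transport(canned)
    client = PaystackClient("sk_test_constructed", transport)
    print(client.resolve_account("0001234567", "058"), calls[0][0])
```

Comparing the returned `account_name` with the name typed into the "Add Worker" form, before the record is saved, is what turns this lookup into the "automatically validated" bank details the usage section describes.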
```bash
# Run all tests
pytest

# Run specific test
pytest tests/test_auth.py

# Run with coverage
pytest --cov=backend
```

```bash
# Reset database
python scripts/setup_db.py reset

# Backup database
python scripts/backup_db.py backup

# Restore database
python scripts/backup_db.py restore --file backups/payroll_backup_manual_20250101_120000.db.gz
```

```bash
# Format code
black backend frontend scripts

# Sort imports
isort backend frontend scripts

# Lint code
flake8 backend frontend scripts

# Type checking
mypy backend
```

Requirements:
- Python 3.8+
- PostgreSQL database
- Paystack production keys
- SSL certificate
Steps:
- Set `DEBUG=false` in environment
- Use PostgreSQL instead of SQLite
- Configure proper database credentials
- Set up SSL/TLS certificates
- Configure reverse proxy (nginx)
- Set up monitoring and logging
```dockerfile
# Dockerfile example
FROM python:3.9-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
EXPOSE 8000 8501
CMD ["uvicorn", "backend.main:app", "--host", "0.0.0.0", "--port", "8000"]
```

- Render: Connect GitHub repo, set environment variables
- Railway: Simple deployment with database included
- Heroku: Traditional PaaS deployment
- AWS/GCP/Azure: Full cloud infrastructure
- API health: `GET /health`
- Database connectivity
- Payment scheduler status
- Paystack API status
- Application logs: `./logs/payroll.log`
- Audit logs: Database `audit_logs` table
- Error tracking and alerting
- Automated daily backups
- Compressed and encrypted storage
- 30-day retention policy
- Point-in-time recovery capability
Database Connection Error

```bash
# Check database file permissions
ls -la database/payroll.db

# Reset database if corrupted
python scripts/setup_db.py reset
```

Payment Processing Failed
- Verify Paystack API keys
- Check account balance
- Validate bank account details
- Review error logs
2FA Not Working
- Check system time synchronization
- Verify QR code scan accuracy
- Use backup codes if available
- Reset 2FA for user account
Frontend Connection Error
- Ensure backend is running on port 8000
- Check CORS settings
- Verify API endpoints are accessible
- Application logs: `logs/payroll.log`
- Database logs: Check database file location
- Frontend logs: Browser developer console
- `POST /api/auth/login` - User login
- `POST /api/auth/verify-2fa` - 2FA verification
- `POST /api/auth/logout` - User logout

- `GET /api/workers` - List workers
- `POST /api/workers` - Create worker
- `PUT /api/workers/{id}` - Update worker
- `DELETE /api/workers/{id}` - Delete worker

- `GET /api/payments/balance` - Get Paystack balance
- `POST /api/payments/process` - Process payment
- `GET /api/payments/history` - Payment history
- `GET /api/payments/stats` - Payment statistics
- Fork the repository
- Create feature branch: `git checkout -b feature/new-feature`
- Commit changes: `git commit -am 'Add new feature'`
- Push to branch: `git push origin feature/new-feature`
- Submit pull request
- Follow PEP 8 style guidelines
- Write comprehensive tests
- Document new features
- Update README for major changes
This project is licensed under the MIT License - see the LICENSE file for details.
For support and questions:
- Check the documentation
- Review API documentation at `/docs`
- Check troubleshooting section
- Create GitHub issue for bugs
- Multi-currency support
- Advanced reporting and analytics
- Email notifications
- Mobile application
- Third-party integrations
- Advanced scheduling options
- API rate limiting improvements
- Multi-tenant support
Built with ❤️ for secure payroll automation