This used to read User.query.filter_by(session_token=token), but that generates "session_token is NULL" when token is None, and we need "session_token = NULL", or else we will match arbitrary users(!). This is a bit of WTF from SQLAlchemy here, IMO: it dangerously opts for idiomatic Python over idiomatic SQL. We fell prey, at least. :-/
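The NULL-matching behaviour described above, reproduced with Python's standard sqlite3 module as an added example (not code from the original project). The users table, its rows and all function names are constructed for illustration; the first lookup hand-writes the "IS NULL" query the text says filter_by generated rather than calling SQLAlchemy.

```python
import sqlite3

def make_db():
    """In-memory table with constructed rows: bob and carol have no session."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, session_token TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "tok-alice"), ("bob", None), ("carol", None)],
    )
    return db

def lookup_is_null_style(db, token):
    """Mimics the behaviour the text describes: a None token becomes 'IS NULL'."""
    if token is None:
        sql, params = "SELECT username FROM users WHERE session_token IS NULL", ()
    else:
        sql, params = "SELECT username FROM users WHERE session_token = ?", (token,)
    return sorted(row[0] for row in db.execute(sql, params))

def lookup_equals_style(db, token):
    """Always compares with '='. In SQL, '= NULL' is never true, so None matches nobody."""
    sql = "SELECT username FROM users WHERE session_token = ?"
    return sorted(row[0] for row in db.execute(sql, (token,)))

def lookup_guarded(db, token):
    """Defensive variant: reject a missing or empty token before querying at all."""
    if not token:
        return None
    rows = lookup_equals_style(db, token)
    # A session token must identify exactly one user; anything else is a failure.
    return rows[0] if len(rows) == 1 else None

if __name__ == "__main__":
    db = make_db()
    print("IS NULL style, token=None:", lookup_is_null_style(db, None))
    print("=  style,      token=None:", lookup_equals_style(db, None))
    print("guarded,       token=None:", lookup_guarded(db, None))
    print("guarded,  token=tok-alice:", lookup_guarded(db, "tok-alice"))
```
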
This barely fixes the immediate problem. We really would need to refactor to implement this properly, and possibly bring on a client-side framework (Backbone, Ember, Angular, etc.). For example, we don't handle the case when a tip change would make receiving greater than receiving, so that we want to flip the display of those values in the box/card. Or if this is the first tip received, we don't add that in. That kind of thing.