backend-manager 5.0.102 → 5.0.104

package/test/routes/payments/cancel.js

@@ -0,0 +1,124 @@
+/**
+ * Test: POST /payments/cancel - Validation errors
+ * Tests rejection cases before any processor call is made.
+ * See test/events/payments/journey-payments-cancel-endpoint.js for the full end-to-end journey.
+ */
+module.exports = {
+  description: 'Payment cancel endpoint: validation errors',
+  type: 'group',
+  timeout: 15000,
+
+  tests: [
+    {
+      name: 'rejects-unauthenticated',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('payments/cancel', {
+          confirmed: true,
+        });
+
+        assert.isError(response, 401, 'Should reject unauthenticated request');
+      },
+    },
+
+    {
+      name: 'rejects-missing-confirmed',
+      async run({ http, assert }) {
+        const response = await http.as('basic').post('payments/cancel', {
+          reason: 'Too expensive',
+        });
+
+        assert.isError(response, 400, 'Should reject missing confirmed field');
+      },
+    },
+
+    {
+      name: 'rejects-basic-user',
+      async run({ http, assert }) {
+        const response = await http.as('basic').post('payments/cancel', {
+          confirmed: true,
+        });
+
+        assert.isError(response, 400, 'Should reject basic user with no paid subscription');
+      },
+    },
+
+    {
+      name: 'rejects-no-processor-or-resource-id',
+      async run({ http, assert }) {
+        // cancel-no-processor starts with payment.processor=null
+        const response = await http.as('cancel-no-processor').post('payments/cancel', {
+          confirmed: true,
+        });
+
+        assert.isError(response, 400, 'Should reject when no processor or resourceId is set');
+      },
+    },
+
+    {
+      name: 'rejects-already-pending-cancellation',
+      async run({ http, assert }) {
+        // cancel-already-pending starts with cancellation.pending=true
+        const response = await http.as('cancel-already-pending').post('payments/cancel', {
+          confirmed: true,
+        });
+
+        assert.isError(response, 400, 'Should reject when cancellation already pending');
+      },
+    },
+
+    {
+      name: 'rejects-unknown-processor',
+      async run({ http, assert }) {
+        // cancel-unknown-processor starts with processor='unknown-processor'
+        const response = await http.as('cancel-unknown-processor').post('payments/cancel', {
+          confirmed: true,
+        });
+
+        assert.isError(response, 400, 'Should reject unknown processor');
+      },
+    },
+
+    {
+      name: 'succeeds-with-test-processor',
+      async run({ http, assert, config, accounts, firestore, waitFor }) {
+        const uid = accounts['route-cancel-success'].uid;
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices?.monthly);
+
+        // Step 1: Create a test subscription intent to set up a proper paid subscription
+        const intentResponse = await http.as('route-cancel-success').post('payments/intent', {
+          processor: 'test',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isSuccess(intentResponse, 'Intent should succeed');
+
+        // Wait for the auto-webhook to activate the subscription
+        await waitFor(async () => {
+          const userDoc = await firestore.get(`users/${uid}`);
+          return userDoc?.subscription?.payment?.processor === 'test'
+            && userDoc?.subscription?.payment?.resourceId
+            && userDoc?.subscription?.status === 'active';
+        }, 15000, 500);
+
+        // Step 2: Call the cancel endpoint
+        const cancelResponse = await http.as('route-cancel-success').post('payments/cancel', {
+          confirmed: true,
+          reason: 'Too expensive',
+        });
+
+        assert.isSuccess(cancelResponse, 'Cancel should succeed');
+        assert.equal(cancelResponse.data.success, true, 'Should return success: true');
+
+        // Step 3: Verify cancellation.pending was set via the webhook pipeline
+        await waitFor(async () => {
+          const userDoc = await firestore.get(`users/${uid}`);
+          return userDoc?.subscription?.cancellation?.pending === true;
+        }, 15000, 500);
+
+        const userDoc = await firestore.get(`users/${uid}`);
+        assert.equal(userDoc?.subscription?.cancellation?.pending, true, 'Cancellation should be pending');
+      },
+    },
+  ],
+};

package/test/routes/payments/intent.js

@@ -116,9 +116,10 @@ module.exports = {
     {
       name: 'succeeds-with-test-processor',
       async run({ http, assert, config, firestore, accounts, waitFor }) {
+        const uid = accounts['journey-payments-intent'].uid;
         const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
 
-        const response = await http.as('basic').post('payments/intent', {
+        const response = await http.as('journey-payments-intent').post('payments/intent', {
           processor: 'test',
           productId: paidProduct.id,
           frequency: 'monthly',
@@ -137,30 +138,26 @@ module.exports = {
         assert.equal(intentDoc.processor, 'test', 'Processor should be test');
         assert.equal(intentDoc.productId, paidProduct.id, 'Product should match');
 
-        // Clean up: wait for auto-webhook to process, then restore basic user
+        // Wait for auto-webhook to process and activate the subscription
         await waitFor(async () => {
-          const userDoc = await firestore.get(`users/${accounts.basic.uid}`);
+          const userDoc = await firestore.get(`users/${uid}`);
           return userDoc?.subscription?.product?.id === paidProduct.id;
         }, 15000, 500).catch(() => {});
-
-        await firestore.set(`users/${accounts.basic.uid}`, {
-          subscription: { product: { id: 'basic' }, status: 'active' },
-        }, { merge: true });
       },
     },
 
     {
       name: 'downgrades-trial-for-user-with-history',
       async run({ http, assert, config, accounts, firestore, waitFor }) {
+        const uid = accounts['journey-payments-intent-trial'].uid;
         const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
-        const uid = accounts.basic.uid;
         const orderDocPath = `payments-orders/_test-order-history-${uid}`;
 
         // Create fake subscription history so user is ineligible for trial
         await firestore.set(orderDocPath, { owner: uid, type: 'subscription', processor: 'test', status: 'cancelled' });
 
         try {
-          const response = await http.as('basic').post('payments/intent', {
+          const response = await http.as('journey-payments-intent-trial').post('payments/intent', {
             processor: 'test',
             productId: paidProduct.id,
             frequency: 'monthly',
@@ -174,15 +171,11 @@ module.exports = {
           const intentDoc = await firestore.get(`payments-intents/${response.data.orderId}`);
           assert.equal(intentDoc.trial, false, 'Trial should be false (downgraded)');
 
-          // Clean up: wait for auto-webhook, restore basic user
+          // Wait for auto-webhook to activate the subscription
           await waitFor(async () => {
             const userDoc = await firestore.get(`users/${uid}`);
             return userDoc?.subscription?.product?.id === paidProduct.id;
           }, 15000, 500).catch(() => {});
-
-          await firestore.set(`users/${uid}`, {
-            subscription: { product: { id: 'basic' }, status: 'active' },
-          }, { merge: true });
         } finally {
           await firestore.delete(orderDocPath);
         }

package/test/routes/payments/portal.js

@@ -0,0 +1,89 @@
+/**
+ * Test: POST /payments/portal - Validation errors
+ * Tests rejection cases before any processor call is made.
+ */
+module.exports = {
+  description: 'Payment portal endpoint: validation errors',
+  type: 'group',
+  timeout: 15000,
+
+  tests: [
+    {
+      name: 'rejects-unauthenticated',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('payments/portal', {
+          returnUrl: 'https://example.com/account',
+        });
+
+        assert.isError(response, 401, 'Should reject unauthenticated request');
+      },
+    },
+
+    {
+      name: 'rejects-basic-user',
+      async run({ http, assert }) {
+        const response = await http.as('basic').post('payments/portal', {
+          returnUrl: 'https://example.com/account',
+        });
+
+        assert.isError(response, 400, 'Should reject basic user with no paid subscription');
+      },
+    },
+
+    {
+      name: 'rejects-no-processor',
+      async run({ http, assert }) {
+        // portal-no-processor starts with payment.processor=null
+        const response = await http.as('portal-no-processor').post('payments/portal', {
+          returnUrl: 'https://example.com/account',
+        });
+
+        assert.isError(response, 400, 'Should reject when no processor is set');
+      },
+    },
+
+    {
+      name: 'rejects-unknown-processor',
+      async run({ http, assert }) {
+        // portal-unknown-processor starts with processor='unknown-processor'
+        const response = await http.as('portal-unknown-processor').post('payments/portal', {
+          returnUrl: 'https://example.com/account',
+        });
+
+        assert.isError(response, 400, 'Should reject unknown processor');
+      },
+    },
+
+    {
+      name: 'succeeds-with-test-processor',
+      async run({ http, assert, config, accounts, firestore, waitFor }) {
+        const uid = accounts['journey-payments-portal-route'].uid;
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices?.monthly);
+
+        // Set up a paid subscription with the test processor
+        const intentResponse = await http.as('journey-payments-portal-route').post('payments/intent', {
+          processor: 'test',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isSuccess(intentResponse, 'Intent should succeed');
+
+        // Wait for the auto-webhook to activate the subscription
+        await waitFor(async () => {
+          const userDoc = await firestore.get(`users/${uid}`);
+          return userDoc?.subscription?.payment?.processor === 'test'
+            && userDoc?.subscription?.status === 'active';
+        }, 15000, 500);
+
+        // Call the portal endpoint
+        const portalResponse = await http.as('journey-payments-portal-route').post('payments/portal', {
+          returnUrl: 'https://example.com/account',
+        });
+
+        assert.isSuccess(portalResponse, 'Portal should succeed');
+        assert.ok(portalResponse.data.url, 'Should return a URL');
+      },
+    },
+  ],
+};

package/src/manager/routes/forms/delete.js

@@ -1,37 +0,0 @@
-/**
- * DELETE /forms - Delete a form
- * Requires authentication and ownership.
- */
-module.exports = async ({ assistant, user, settings, analytics, libraries }) => {
-  const { admin } = libraries;
-
-  // Require authentication
-  if (!user.authenticated) {
-    return assistant.respond('Authentication required', { code: 401 });
-  }
-
-  if (!settings.id) {
-    return assistant.respond('Missing required parameter: id', { code: 400 });
-  }
-
-  const uid = user.auth.uid;
-  const formRef = admin.firestore().doc(`forms/${settings.id}`);
-  const doc = await formRef.get();
-
-  if (!doc.exists) {
-    return assistant.respond('Form not found', { code: 404 });
-  }
-
-  // Ownership check
-  if (doc.data().owner !== uid) {
-    return assistant.respond('Not authorized to delete this form', { code: 403 });
-  }
-
-  await formRef.delete();
-
-  assistant.log(`Deleted form ${settings.id} for user ${uid}`);
-
-  analytics.event('forms', { action: 'delete' });
-
-  return assistant.respond({ data: { deleted: true } });
-};

package/src/manager/routes/forms/get.js

@@ -1,46 +0,0 @@
-/**
- * GET /forms - Get a single form or list all forms for the authenticated user
- * Requires authentication.
- * - With ?id=xxx: returns a single form (with ownership check)
- * - Without id: returns all forms owned by the user
- */
-module.exports = async ({ assistant, user, settings, analytics, libraries }) => {
-  const { admin } = libraries;
-
-  // Require authentication
-  if (!user.authenticated) {
-    return assistant.respond('Authentication required', { code: 401 });
-  }
-
-  const uid = user.auth.uid;
-
-  // Single form
-  if (settings.id) {
-    const doc = await admin.firestore().doc(`forms/${settings.id}`).get();
-
-    if (!doc.exists) {
-      return assistant.respond('Form not found', { code: 404 });
-    }
-
-    if (doc.data().owner !== uid) {
-      return assistant.respond('Not authorized to view this form', { code: 403 });
-    }
-
-    analytics.event('forms', { action: 'get' });
-
-    return assistant.respond({ data: { form: doc.data() } });
-  }
-
-  // List all forms
-  const snapshot = await admin.firestore()
-    .collection('forms')
-    .where('owner', '==', uid)
-    .orderBy('created.timestampUNIX', 'desc')
-    .get();
-
-  const forms = snapshot.docs.map(doc => doc.data());
-
-  analytics.event('forms', { action: 'list' });
-
-  return assistant.respond({ data: { forms } });
-};

package/src/manager/routes/forms/post.js

@@ -1,45 +0,0 @@
-/**
- * POST /forms - Create a new form
- * Requires authentication. Creates a Firestore doc in the `forms` collection.
- */
-module.exports = async ({ assistant, Manager, user, settings, analytics, libraries }) => {
-  const { admin } = libraries;
-
-  // Require authentication
-  if (!user.authenticated) {
-    return assistant.respond('Authentication required', { code: 401 });
-  }
-
-  const uid = user.auth.uid;
-  const now = new Date().toISOString();
-  const nowUnix = Date.now();
-
-  // Generate a new document reference
-  const docRef = admin.firestore().collection('forms').doc();
-
-  const form = {
-    id: docRef.id,
-    owner: uid,
-    name: settings.name || 'Untitled Form',
-    description: settings.description || '',
-    settings: settings.settings || {},
-    pages: settings.pages || [],
-    created: {
-      timestamp: now,
-      timestampUNIX: nowUnix,
-    },
-    edited: {
-      timestamp: now,
-      timestampUNIX: nowUnix,
-    },
-    metadata: Manager.Metadata().set({ tag: 'forms/post' }),
-  };
-
-  await docRef.set(form);
-
-  assistant.log(`Created form ${docRef.id} for user ${uid}`);
-
-  analytics.event('forms', { action: 'create' });
-
-  return assistant.respond({ data: { id: docRef.id, form } });
-};

package/src/manager/routes/forms/public/get.js

@@ -1,37 +0,0 @@
-/**
- * GET /forms/public - Get a public form by ID
- * No authentication required. Only returns forms with settings.public = true.
- */
-module.exports = async ({ assistant, settings, analytics, libraries }) => {
-  const { admin } = libraries;
-
-  if (!settings.id) {
-    return assistant.respond('Missing required parameter: id', { code: 400 });
-  }
-
-  const doc = await admin.firestore().doc(`forms/${settings.id}`).get();
-
-  if (!doc.exists) {
-    return assistant.respond('Form not found', { code: 404 });
-  }
-
-  const form = doc.data();
-
-  // Only allow access to public forms
-  if (!form.settings?.public) {
-    return assistant.respond('Form not found', { code: 404 });
-  }
-
-  // Strip sensitive fields
-  const publicForm = {
-    id: form.id,
-    name: form.name,
-    description: form.description,
-    settings: form.settings,
-    pages: form.pages,
-  };
-
-  analytics.event('forms/public', { action: 'get' });
-
-  return assistant.respond({ payload: publicForm });
-};

package/src/manager/routes/forms/put.js

@@ -1,52 +0,0 @@
-/**
- * PUT /forms - Update an existing form
- * Requires authentication and ownership.
- */
-module.exports = async ({ assistant, Manager, user, settings, analytics, libraries }) => {
-  const { admin } = libraries;
-
-  // Require authentication
-  if (!user.authenticated) {
-    return assistant.respond('Authentication required', { code: 401 });
-  }
-
-  if (!settings.id) {
-    return assistant.respond('Missing required parameter: id', { code: 400 });
-  }
-
-  const uid = user.auth.uid;
-  const formRef = admin.firestore().doc(`forms/${settings.id}`);
-  const doc = await formRef.get();
-
-  if (!doc.exists) {
-    return assistant.respond('Form not found', { code: 404 });
-  }
-
-  // Ownership check
-  if (doc.data().owner !== uid) {
-    return assistant.respond('Not authorized to edit this form', { code: 403 });
-  }
-
-  const now = new Date().toISOString();
-  const nowUnix = Date.now();
-
-  const updates = {
-    name: settings.name,
-    description: settings.description,
-    settings: settings.settings,
-    pages: settings.pages,
-    edited: {
-      timestamp: now,
-      timestampUNIX: nowUnix,
-    },
-    metadata: Manager.Metadata().set({ tag: 'forms/put' }),
-  };
-
-  await formRef.update(updates);
-
-  assistant.log(`Updated form ${settings.id} for user ${uid}`);
-
-  analytics.event('forms', { action: 'update' });
-
-  return assistant.respond({ data: { id: settings.id } });
-};

package/src/manager/schemas/forms/delete.js

@@ -1,6 +0,0 @@
-/**
- * Schema for DELETE /forms
- */
-module.exports = () => ({
-  id: { types: ['string'], default: undefined, required: true },
-});

package/src/manager/schemas/forms/get.js

@@ -1,6 +0,0 @@
-/**
- * Schema for GET /forms
- */
-module.exports = () => ({
-  id: { types: ['string'], default: undefined },
-});

package/src/manager/schemas/forms/post.js

@@ -1,9 +0,0 @@
-/**
- * Schema for POST /forms (create)
- */
-module.exports = () => ({
-  name: { types: ['string'], default: 'Untitled Form' },
-  description: { types: ['string'], default: '' },
-  settings: { types: ['object'], default: {} },
-  pages: { types: ['array'], default: [] },
-});

package/src/manager/schemas/forms/public/get.js

@@ -1,6 +0,0 @@
-/**
- * Schema for GET /forms/public
- */
-module.exports = () => ({
-  id: { types: ['string'], default: undefined, required: true },
-});

package/src/manager/schemas/forms/put.js

@@ -1,10 +0,0 @@
-/**
- * Schema for PUT /forms (update)
- */
-module.exports = () => ({
-  id: { types: ['string'], default: undefined, required: true },
-  name: { types: ['string'], default: undefined },
-  description: { types: ['string'], default: undefined },
-  settings: { types: ['object'], default: undefined },
-  pages: { types: ['array'], default: undefined },
-});