backend-manager 5.0.121 → 5.0.123

package/src/manager/libraries/openai.js

@@ -7,13 +7,63 @@ const path = require('path');
 const mimeTypes = require('mime-types');
 
 // Constants
-const DEFAULT_MODEL = 'gpt-4o';
+const DEFAULT_MODEL = 'gpt-5-mini';
 const MODERATION_MODEL = 'omni-moderation-latest';
 
-// OpenAI model pricing table
+// OpenAI model pricing table (per 1M tokens)
 // https://platform.openai.com/docs/pricing
 const MODEL_TABLE = {
-  // Jul 11, 2025
+  // Mar 9, 2026
+  // GPT-5 family
+  'gpt-5.4': {
+    input: 2.50,
+    output: 15.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5.2': {
+    input: 1.75,
+    output: 14.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5.1': {
+    input: 1.25,
+    output: 10.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5': {
+    input: 1.25,
+    output: 10.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5-mini': {
+    input: 0.25,
+    output: 2.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5-nano': {
+    input: 0.05,
+    output: 0.40,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  // GPT-4.5
   'gpt-4.5-preview': {
     input: 75.00,
     output: 150.00,
@@ -22,6 +72,7 @@ const MODEL_TABLE = {
       json: true,
     },
   },
+  // GPT-4.1 family
   'gpt-4.1': {
     input: 2.00,
     output: 8.00,
@@ -46,6 +97,7 @@ const MODEL_TABLE = {
       json: true,
     },
   },
+  // GPT-4o family
   'gpt-4o': {
     input: 2.50,
     output: 10.00,
@@ -62,9 +114,10 @@ const MODEL_TABLE = {
       json: true,
     },
   },
-  'o1-pro': {
-    input: 150.00,
-    output: 600.00,
+  // Reasoning models
+  'o4-mini': {
+    input: 1.10,
+    output: 4.40,
     provider: 'openai',
     features: {
       json: true,
@@ -86,7 +139,7 @@ const MODEL_TABLE = {
       json: true,
     },
   },
-  'o4-mini': {
+  'o3-mini': {
     input: 1.10,
     output: 4.40,
     provider: 'openai',
@@ -94,6 +147,22 @@ const MODEL_TABLE = {
       json: true,
     },
   },
+  'o1-pro': {
+    input: 150.00,
+    output: 600.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'o1': {
+    input: 15.00,
+    output: 60.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
   'o1-preview': {
     input: 15.00,
     output: 60.00,

package/src/manager/libraries/payment/discount-codes.js

@@ -0,0 +1,40 @@
+/**
+ * Discount codes — hardcoded for now, move to Firestore/config later
+ *
+ * Each code maps to a discount definition:
+ *   - percent: Percentage off (1-100)
+ *   - duration: 'once' (first payment only)
+ */
+const DISCOUNT_CODES = {
+  'FLASH20': { percent: 20, duration: 'once' },
+  'SAVE10': { percent: 10, duration: 'once' },
+  'WELCOME15': { percent: 15, duration: 'once' },
+};
+
+/**
+ * Validate a discount code
+ * @param {string} code - The discount code (case-insensitive)
+ * @returns {{ valid: boolean, code: string, percent: number, duration: string } | { valid: boolean, code: string }}
+ */
+function validate(code) {
+  const normalized = (code || '').trim().toUpperCase();
+
+  if (!normalized) {
+    return { valid: false, code: normalized };
+  }
+
+  const entry = DISCOUNT_CODES[normalized];
+
+  if (!entry) {
+    return { valid: false, code: normalized };
+  }
+
+  return {
+    valid: true,
+    code: normalized,
+    percent: entry.percent,
+    duration: entry.duration,
+  };
+}
+
+module.exports = { validate, DISCOUNT_CODES };

package/src/manager/libraries/recaptcha.js

@@ -0,0 +1,36 @@
+const fetch = require('wonderful-fetch');
+
+/**
+ * Verify a Google reCAPTCHA token
+ * @param {string} token - The reCAPTCHA response token
+ * @param {object} [options] - Options
+ * @param {number} [options.minScore=0.5] - Minimum score threshold (v3)
+ * @returns {Promise<boolean>} Whether the token is valid
+ */
+async function verify(token, options) {
+  const minScore = options?.minScore || 0.5;
+
+  if (!process.env.RECAPTCHA_SECRET_KEY) {
+    return true;
+  }
+
+  if (!token) {
+    return false;
+  }
+
+  try {
+    const data = await fetch('https://www.google.com/recaptcha/api/siteverify', {
+      method: 'post',
+      response: 'json',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`,
+    });
+
+    return data.success && (data.score === undefined || data.score >= minScore);
+  } catch (e) {
+    console.error('reCAPTCHA verification error:', e);
+    return false;
+  }
+}
+
+module.exports = { verify };

package/src/manager/routes/app/get.js

@@ -10,7 +10,7 @@ module.exports = async ({ assistant, Manager }) => {
 
 /**
  * Build a public-safe config object from Manager.config
- * Excludes sensitive fields: sentry, google_analytics, ghostii, etc.
+ * Excludes sensitive fields: sentry, googleAnalytics, ghostii, etc.
  */
 function buildPublicConfig(config) {
   return {

package/src/manager/routes/marketing/contact/post.js

@@ -5,6 +5,7 @@
 const fetch = require('wonderful-fetch');
 const path = require('path');
 const dns = require('dns').promises;
+const recaptcha = require('../../../libraries/recaptcha.js');
 
 // Load disposable domains list
 const DISPOSABLE_DOMAINS = require(path.join(__dirname, '..', '..', '..', 'libraries', 'disposable-domains.json'));
@@ -43,15 +44,17 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
 
   // Public access protection
   if (!isAdmin) {
-    // Verify reCAPTCHA
-    const recaptchaToken = settings['g-recaptcha-response'];
-    if (!recaptchaToken) {
-      return assistant.respond('reCAPTCHA token required', { code: 400 });
-    }
+    // Verify reCAPTCHA (skip during automated tests)
+    if (!assistant.isTesting()) {
+      const recaptchaToken = settings['g-recaptcha-response'];
+      if (!recaptchaToken) {
+        return assistant.respond('Request could not be verified', { code: 403 });
+      }
 
-    const recaptchaValid = await verifyRecaptcha(recaptchaToken);
-    if (!recaptchaValid) {
-      return assistant.respond('reCAPTCHA verification failed', { code: 400 });
+      const recaptchaValid = await recaptcha.verify(recaptchaToken);
+      if (!recaptchaValid) {
+        return assistant.respond('Request could not be verified', { code: 403 });
+      }
     }
 
     // Check rate limit via Usage API
@@ -160,27 +163,6 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
   return assistant.respond({ success: true });
 };
 
-// Helper: Verify Google reCAPTCHA token
-async function verifyRecaptcha(token) {
-  if (!process.env.RECAPTCHA_SECRET_KEY) {
-    return true;
-  }
-
-  try {
-    const data = await fetch('https://www.google.com/recaptcha/api/siteverify', {
-      method: 'post',
-      response: 'json',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`,
-    });
-
-    return data.success && (data.score === undefined || data.score >= 0.5);
-  } catch (e) {
-    console.error('reCAPTCHA verification error:', e);
-    return false;
-  }
-}
-
 // Helper: Validate email with ZeroBounce API
 async function validateWithZeroBounce(email) {
   try {

package/src/manager/routes/payments/discount/get.js

@@ -0,0 +1,22 @@
+/**
+ * GET /payments/discount?code=FLASH20
+ * Validates a discount code and returns the discount details
+ */
+const discountCodes = require('../../../libraries/payment/discount-codes.js');
+
+module.exports = async ({ assistant, settings }) => {
+  const result = discountCodes.validate(settings.code);
+
+  assistant.log(`Discount validation: code=${result.code}, valid=${result.valid}`);
+
+  if (!result.valid) {
+    return assistant.respond({ valid: false }, { code: 200 });
+  }
+
+  return assistant.respond({
+    valid: true,
+    code: result.code,
+    percent: result.percent,
+    duration: result.duration,
+  });
+};

package/src/manager/routes/payments/dispute-alert/post.js

@@ -0,0 +1,93 @@
+const path = require('path');
+const powertools = require('node-powertools');
+
+/**
+ * POST /payments/dispute-alert?alerts=chargeblast&key=XXX
+ * Receives dispute alert webhooks (e.g., from Chargeblast), validates them,
+ * and saves to Firestore for async processing via onWrite trigger
+ *
+ * Query params:
+ *   - alerts: alert provider name (default: 'chargeblast')
+ *   - key: must match BACKEND_MANAGER_KEY
+ */
+module.exports = async ({ assistant, Manager, libraries }) => {
+  const { admin } = libraries;
+  const body = assistant.request.body;
+  const query = assistant.request.query;
+
+  // Validate key against BACKEND_MANAGER_KEY
+  const key = query.key;
+  if (!key || key !== process.env.BACKEND_MANAGER_KEY) {
+    return assistant.respond('Invalid key', { code: 401 });
+  }
+
+  // Determine alert provider (default: chargeblast)
+  const provider = query.alerts || 'chargeblast';
+
+  // Load the processor module
+  let processorModule;
+  try {
+    processorModule = require(path.resolve(__dirname, `processors/${provider}.js`));
+  } catch (e) {
+    return assistant.respond(`Unknown alert provider: ${provider}`, { code: 400 });
+  }
+
+  // Normalize the payload using the processor
+  let alert;
+  try {
+    alert = processorModule.normalize(body);
+  } catch (e) {
+    return assistant.respond(`Failed to normalize alert: ${e.message}`, { code: 400 });
+  }
+
+  const alertId = alert.id;
+
+  assistant.log(`Parsed dispute alert: id=${alertId}, provider=${provider}, processor=${alert.processor}, amount=${alert.amount}, card=****${alert.card.last4}`);
+
+  // Check for duplicate (skip if already processing/completed)
+  const existingDoc = await admin.firestore().doc(`payments-disputes/${alertId}`).get();
+  if (existingDoc.exists) {
+    const existingStatus = existingDoc.data()?.status;
+    if (existingStatus !== 'failed') {
+      assistant.log(`Duplicate dispute alert ${alertId}, existing status=${existingStatus}, skipping`);
+      return assistant.respond({ received: true, duplicate: true });
+    }
+    assistant.log(`Retrying previously failed dispute alert ${alertId}`);
+  }
+
+  // Build timestamps
+  const now = powertools.timestamp(new Date(), { output: 'string' });
+  const nowUNIX = powertools.timestamp(now, { output: 'unix' });
+
+  // Save to Firestore with status=pending (trigger handles the rest)
+  await admin.firestore().doc(`payments-disputes/${alertId}`).set({
+    id: alertId,
+    provider: provider,
+    status: 'pending',
+    alert: alert,
+    match: null,
+    actions: {
+      refund: 'pending',
+      cancel: 'pending',
+      email: 'pending',
+    },
+    errors: [],
+    error: null,
+    metadata: {
+      created: {
+        timestamp: now,
+        timestampUNIX: nowUNIX,
+      },
+      completed: {
+        timestamp: null,
+        timestampUNIX: null,
+      },
+    },
+    raw: body,
+  });
+
+  assistant.log(`Saved payments-disputes/${alertId}: provider=${provider}, processor=${alert.processor}`);
+
+  // Return 200 immediately — async processing via Firestore trigger
+  return assistant.respond({ received: true });
+};

package/src/manager/routes/payments/dispute-alert/processors/chargeblast.js

@@ -0,0 +1,43 @@
+/**
+ * Chargeblast dispute alert processor
+ * Normalizes Chargeblast webhook payloads into a standard dispute alert shape
+ *
+ * Chargeblast sends:
+ *   id, card (full number or last4), cardBrand, amount (dollars),
+ *   transactionDate ("YYYY-MM-DD HH:MM:SS"), app, processor, alerts
+ */
+module.exports = {
+  /**
+   * Normalize a Chargeblast webhook payload
+   *
+   * @param {object} body - Raw request body from Chargeblast
+   * @returns {object} Normalized dispute alert
+   */
+  normalize(body) {
+    if (!body.id) {
+      throw new Error('Missing required field: id');
+    }
+    if (!body.card) {
+      throw new Error('Missing required field: card');
+    }
+    if (!body.amount && body.amount !== 0) {
+      throw new Error('Missing required field: amount');
+    }
+    if (!body.transactionDate) {
+      throw new Error('Missing required field: transactionDate');
+    }
+
+    const cardStr = String(body.card);
+
+    return {
+      id: String(body.id),
+      card: {
+        last4: cardStr.slice(-4),
+        brand: body.cardBrand ? String(body.cardBrand).toLowerCase() : null,
+      },
+      amount: parseFloat(body.amount),
+      transactionDate: String(body.transactionDate).split(' ')[0], // date only, no time
+      processor: body.processor ? String(body.processor).toLowerCase() : 'stripe',
+    };
+  },
+};

package/src/manager/routes/payments/intent/post.js

@@ -1,6 +1,8 @@
 const path = require('path');
 const powertools = require('node-powertools');
 const OrderId = require('../../../libraries/payment/order-id.js');
+const recaptcha = require('../../../libraries/recaptcha.js');
+const discountCodes = require('../../../libraries/payment/discount-codes.js');
 
 /**
  * POST /payments/intent
@@ -15,10 +17,22 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     return assistant.respond('Authentication required', { code: 401 });
   }
 
+  // Verify reCAPTCHA (skip during automated tests)
+  if (!assistant.isTesting()) {
+    const recaptchaToken = settings.verification?.['g-recaptcha-response'];
+    const recaptchaValid = await recaptcha.verify(recaptchaToken);
+    if (!recaptchaValid) {
+      return assistant.respond('Request could not be verified', { code: 403 });
+    }
+  }
+
   const uid = user.auth.uid;
   const processor = settings.processor;
   const productId = settings.productId;
   const frequency = settings.frequency;
+  const attribution = settings.attribution;
+  const discount = settings.discount;
+  const supplemental = settings.supplemental;
   let trial = settings.trial;
 
   assistant.log(`Intent request: uid=${uid}, processor=${processor}, product=${productId}, frequency=${frequency}, trial=${trial}`);
@@ -66,6 +80,17 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     trial = false;
   }
 
+  // Validate discount code (if provided)
+  let resolvedDiscount = null;
+  if (discount) {
+    const discountResult = discountCodes.validate(discount);
+    if (!discountResult.valid) {
+      return assistant.respond(`Invalid discount code: ${discount}`, { code: 400 });
+    }
+    resolvedDiscount = discountResult;
+    assistant.log(`Discount validated: code=${resolvedDiscount.code}, percent=${resolvedDiscount.percent}, duration=${resolvedDiscount.duration}`);
+  }
+
   // Generate order ID
   const orderId = OrderId.generate();
 
@@ -93,6 +118,7 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
       productId,
       frequency,
       trial,
+      discount: resolvedDiscount,
       confirmationUrl,
       cancelUrl,
       assistant,
@@ -119,6 +145,9 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     type: productType,
     frequency: frequency,
     trial: trial,
+    attribution: attribution,
+    discount: resolvedDiscount,
+    supplemental: supplemental,
     raw: result.raw,
     metadata: {
       created: {

package/src/manager/routes/payments/intent/processors/chargebee.js

@@ -18,19 +18,25 @@ module.exports = {
    * @param {object} options.assistant - Assistant instance for logging
    * @returns {object} { id, url, raw }
    */
-  async createIntent({ uid, orderId, product, productId, frequency, trial, confirmationUrl, cancelUrl, assistant }) {
+  async createIntent({ uid, orderId, product, productId, frequency, trial, discount, confirmationUrl, cancelUrl, assistant }) {
     const ChargebeeLib = require('../../../../libraries/payment/processors/chargebee.js');
     ChargebeeLib.init();
 
     const productType = product.type || 'subscription';
     const metaData = ChargebeeLib.buildMetaData(uid, orderId, productType === 'one-time' ? productId : undefined);
 
+    // Resolve Chargebee coupon if discount is present
+    let chargebeeCouponId = null;
+    if (discount) {
+      chargebeeCouponId = await resolveChargebeeCoupon(ChargebeeLib, discount, assistant);
+    }
+
     let hostedPage;
 
     if (productType === 'subscription') {
-      hostedPage = await createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, confirmationUrl, cancelUrl, assistant });
+      hostedPage = await createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant });
     } else {
-      hostedPage = await createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, confirmationUrl, cancelUrl, assistant });
+      hostedPage = await createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant });
     }
 
     assistant.log(`Chargebee hosted page created: id=${hostedPage.id}, type=${productType}, url=${hostedPage.url}`);
@@ -46,7 +52,7 @@ module.exports = {
 /**
  * Create a Chargebee Hosted Page for a new subscription
  */
-async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, confirmationUrl, cancelUrl, assistant }) {
+async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant }) {
   const chargebeeItemId = product.chargebee?.itemId;
 
   if (!chargebeeItemId) {
@@ -76,7 +82,12 @@ async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product,
     params.subscription.trial_end = 0;
   }
 
-  assistant.log(`Chargebee subscription checkout: itemPriceId=${itemPriceId}, uid=${uid}, trial=${trial}`);
+  // Apply discount coupon (first payment only)
+  if (chargebeeCouponId) {
+    params.coupon_ids = [chargebeeCouponId];
+  }
+
+  assistant.log(`Chargebee subscription checkout: itemPriceId=${itemPriceId}, uid=${uid}, trial=${trial}, coupon=${chargebeeCouponId || 'none'}`);
 
   const result = await ChargebeeLib.request('/hosted_pages/checkout_new_for_items', {
     method: 'POST',
@@ -89,7 +100,7 @@ async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product,
 /**
  * Create a Chargebee Hosted Page for a one-time charge
  */
-async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, confirmationUrl, cancelUrl, assistant }) {
+async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant }) {
   const price = product.prices?.once;
 
   if (!price) {
@@ -109,7 +120,12 @@ async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, prod
     pass_thru_content: metaData,
   };
 
-  assistant.log(`Chargebee one-time checkout: amount=${amountCents}, productId=${productId}, uid=${uid}`);
+  // Apply discount coupon
+  if (chargebeeCouponId) {
+    params.coupon_ids = [chargebeeCouponId];
+  }
+
+  assistant.log(`Chargebee one-time checkout: amount=${amountCents}, productId=${productId}, uid=${uid}, coupon=${chargebeeCouponId || 'none'}`);
 
   const result = await ChargebeeLib.request('/hosted_pages/checkout_one_time_for_items', {
     method: 'POST',
@@ -118,3 +134,39 @@ async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, prod
 
   return result.hosted_page;
 }
+
+/**
+ * Resolve or create a Chargebee coupon for a discount code
+ * Uses a deterministic ID so the same code always maps to the same coupon
+ */
+async function resolveChargebeeCoupon(ChargebeeLib, discount, assistant) {
+  const couponId = `BEM_${discount.code}_${discount.percent}OFF_ONCE`;
+
+  try {
+    // Check if coupon already exists
+    await ChargebeeLib.request(`/coupons/${couponId}`, { method: 'GET' });
+    assistant.log(`Chargebee coupon exists: ${couponId}`);
+    return couponId;
+  } catch (e) {
+    // Chargebee returns 404 for missing resources
+    if (e.status !== 404 && e.statusCode !== 404) {
+      throw e;
+    }
+  }
+
+  // Create the coupon
+  await ChargebeeLib.request('/coupons', {
+    method: 'POST',
+    body: {
+      id: couponId,
+      name: `${discount.code} (${discount.percent}% off first payment)`,
+      discount_type: 'percentage',
+      discount_percentage: discount.percent,
+      duration_type: 'one_time',
+      apply_on: 'invoice_amount',
+    },
+  });
+
+  assistant.log(`Chargebee coupon created: ${couponId}`);
+  return couponId;
+}