backend-manager 5.0.121 → 5.0.123

package/src/manager/routes/payments/intent/processors/stripe.js

@@ -16,7 +16,7 @@ module.exports = {
    * @param {string} options.cancelUrl - Cancel redirect URL
    * @returns {object} { id, url, raw }
    */
-  async createIntent({ uid, orderId, product, productId, frequency, trial, confirmationUrl, cancelUrl, assistant }) {
+  async createIntent({ uid, orderId, product, productId, frequency, trial, discount, confirmationUrl, cancelUrl, assistant }) {
     // Initialize Stripe SDK
     const StripeLib = require('../../../../libraries/payment/processors/stripe.js');
     const stripe = StripeLib.init();
@@ -30,15 +30,21 @@ module.exports = {
     const email = assistant?.getUser()?.auth?.email || null;
     const customer = await StripeLib.resolveCustomer(uid, email, assistant);
 
-    assistant.log(`Stripe checkout: type=${productType}, priceId=${priceId}, uid=${uid}, customerId=${customer.id}, trial=${trial}, trialDays=${product.trial?.days || 'none'}`);
+    // Resolve Stripe coupon if discount is present
+    let stripeCouponId = null;
+    if (discount) {
+      stripeCouponId = await resolveStripeCoupon(stripe, discount, assistant);
+    }
+
+    assistant.log(`Stripe checkout: type=${productType}, priceId=${priceId}, uid=${uid}, customerId=${customer.id}, trial=${trial}, trialDays=${product.trial?.days || 'none'}, discount=${discount?.code || 'none'}`);
 
     // Build session params based on product type
     let sessionParams;
 
     if (productType === 'subscription') {
-      sessionParams = buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, confirmationUrl, cancelUrl });
+      sessionParams = buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, stripeCouponId, confirmationUrl, cancelUrl });
     } else {
-      sessionParams = buildOneTimeSession({ priceId, customer, uid, orderId, productId, product, confirmationUrl, cancelUrl });
+      sessionParams = buildOneTimeSession({ priceId, customer, uid, orderId, productId, product, stripeCouponId, confirmationUrl, cancelUrl });
     }
 
     // Create the checkout session
@@ -57,7 +63,7 @@ module.exports = {
 /**
  * Build Stripe Checkout Session params for a subscription
  */
-function buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, confirmationUrl, cancelUrl }) {
+function buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, stripeCouponId, confirmationUrl, cancelUrl }) {
   const sessionParams = {
     mode: 'subscription',
     customer: customer.id,
@@ -86,14 +92,19 @@ function buildSubscriptionSession({ priceId, customer, uid, orderId, productId,
     sessionParams.subscription_data.trial_period_days = product.trial.days;
   }
 
+  // Apply discount coupon (first payment only)
+  if (stripeCouponId) {
+    sessionParams.discounts = [{ coupon: stripeCouponId }];
+  }
+
   return sessionParams;
 }
 
 /**
  * Build Stripe Checkout Session params for a one-time payment
  */
-function buildOneTimeSession({ priceId, customer, uid, orderId, productId, product, confirmationUrl, cancelUrl }) {
-  return {
+function buildOneTimeSession({ priceId, customer, uid, orderId, productId, stripeCouponId, confirmationUrl, cancelUrl }) {
+  const sessionParams = {
     mode: 'payment',
     customer: customer.id,
     line_items: [{
@@ -114,5 +125,42 @@ function buildOneTimeSession({ priceId, customer, uid, orderId, productId, produ
       productId: productId,
     },
   };
+
+  // Apply discount coupon
+  if (stripeCouponId) {
+    sessionParams.discounts = [{ coupon: stripeCouponId }];
+  }
+
+  return sessionParams;
+}
+
+/**
+ * Resolve or create a Stripe coupon for a discount code
+ * Uses a deterministic ID so the same code always maps to the same coupon
+ */
+async function resolveStripeCoupon(stripe, discount, assistant) {
+  const couponId = `BEM_${discount.code}_${discount.percent}OFF_ONCE`;
+
+  try {
+    // Check if coupon already exists
+    await stripe.coupons.retrieve(couponId);
+    assistant.log(`Stripe coupon exists: ${couponId}`);
+    return couponId;
+  } catch (e) {
+    if (e.code !== 'resource_missing') {
+      throw e;
+    }
+  }
+
+  // Create the coupon
+  await stripe.coupons.create({
+    id: couponId,
+    percent_off: discount.percent,
+    duration: 'once',
+    name: `${discount.code} (${discount.percent}% off first payment)`,
+  });
+
+  assistant.log(`Stripe coupon created: ${couponId}`);
+  return couponId;
 }
 

package/src/manager/schemas/payments/discount/get.js

@@ -0,0 +1,9 @@
+/**
+ * Schema: GET /payments/discount
+ */
+module.exports = () => ({
+  code: {
+    types: ['string'],
+    required: true,
+  },
+});

package/src/manager/schemas/payments/dispute-alert/post.js

@@ -0,0 +1,6 @@
+/**
+ * Schema: POST /payments/dispute-alert
+ * Minimal schema - dispute alert payloads are validated by the processor, not the schema
+ * The key comes from query params, not the body
+ */
+module.exports = () => ({});

package/src/manager/schemas/payments/intent/post.js

@@ -19,4 +19,20 @@ module.exports = () => ({
     types: ['boolean'],
     default: false,
   },
+  verification: {
+    types: ['object'],
+    default: {},
+  },
+  attribution: {
+    types: ['object'],
+    default: {},
+  },
+  discount: {
+    types: ['string'],
+    default: null,
+  },
+  supplemental: {
+    types: ['object'],
+    default: {},
+  },
 });

package/src/test/runner.js

@@ -372,15 +372,25 @@ class TestRunner {
     try {
       const searchPaths = [
         path.join(this.options.projectDir, 'functions'),
+        path.join(this.options.projectDir, 'functions', 'node_modules'),
         path.resolve(__dirname, '../../'),
       ];
       const origResolve = Module._resolveFilename.bind(Module);
       Module._resolveFilename = function (request, parent, isMain, options) {
-        if (!request.startsWith('.') && !path.isAbsolute(request)) {
-          const extra = (options && options.paths) ? options.paths : [];
-          options = { ...options, paths: [...extra, ...searchPaths] };
+        // Try normal resolution first (preserves nested node_modules traversal)
+        try {
+          return origResolve(request, parent, isMain, options);
+        } catch (err) {
+          // Fallback: try resolving from project's search paths
+          if (!request.startsWith('.') && !path.isAbsolute(request)) {
+            const extra = (options && options.paths) ? options.paths : [];
+            return origResolve(request, parent, isMain, {
+              ...options,
+              paths: [...extra, ...searchPaths],
+            });
+          }
+          throw err;
         }
-        return origResolve(request, parent, isMain, options);
       };
       try {
         testModule = require(testFile);

package/src/test/test-accounts.js

@@ -238,6 +238,24 @@ const JOURNEY_ACCOUNTS = {
       subscription: { product: { id: 'basic' }, status: 'active' },
     },
   },
+  'journey-payments-intent-discount': {
+    id: 'journey-payments-intent-discount',
+    uid: '_test-journey-payments-intent-discount',
+    email: '_test.journey-payments-intent-discount@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'basic' }, status: 'active' },
+    },
+  },
+  'journey-payments-intent-attribution': {
+    id: 'journey-payments-intent-attribution',
+    uid: '_test-journey-payments-intent-attribution',
+    email: '_test.journey-payments-intent-attribution@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'basic' }, status: 'active' },
+    },
+  },
   'journey-payments-intent-trial': {
     id: 'journey-payments-intent-trial',
     uid: '_test-journey-payments-intent-trial',

package/templates/backend-manager-config.json

@@ -20,10 +20,16 @@
   sentry: {
     dsn: 'https://d965557418748jd749d837asf00552f@o777489.ingest.sentry.io/8789941',
   },
-  google_analytics: {
+  googleAnalytics: {
     id: 'UA-123456789-1',
     secret: 'ABCx1234567890ABCDEFGH',
   },
+  meta: {
+    pixelId: null,
+  },
+  tiktok: {
+    pixelCode: null,
+  },
   oauth2: {},
   payment: {
     processors: {

package/templates/firestore.rules

@@ -24,6 +24,14 @@ service cloud.firestore {
       allow create: if true;
     }
 
+    // Protect abandoned cart data
+    match /payments-carts/{uid} {
+      allow create, update: if belongsTo(uid)
+        && incomingData().owner == uid
+        && incomingData().status == 'pending';
+      allow read: if belongsTo(uid);
+    }
+
     // Auth functions
     function authEmail() {
       return request.auth.token.email;
@@ -56,7 +64,7 @@ service cloud.firestore {
       return isWritingField('auth')
         || isWritingField('roles')
         || isWritingField('flags')
-        || isWritingField('plan') // REMOVE THIS WHEN ALL PROJECTS UPDATED
+        || isWritingField('plan') // TODO: REMOVE THIS WHEN ALL PROJECTS UPDATED
         || isWritingField('subscription')
         || isWritingField('affiliate')
         || isWritingField('api')

package/test/routes/marketing/contact.js

@@ -338,6 +338,7 @@ module.exports = {
       name: 'add-unauthenticated-requires-recaptcha',
       auth: 'none',
       timeout: 15000,
+      skip: !process.env.TEST_EXTENDED_MODE && 'reCAPTCHA is skipped in test mode (TEST_EXTENDED_MODE not set)',
 
       async run({ http, assert, config }) {
         // Public request without reCAPTCHA should fail
@@ -346,8 +347,8 @@ module.exports = {
           source: 'bem-test',
         });
 
-        // Should fail with 400 because no reCAPTCHA token
-        assert.isError(response, 400, 'Public request without reCAPTCHA should fail');
+        // Should fail with 403 because no reCAPTCHA token
+        assert.isError(response, 403, 'Public request without reCAPTCHA should fail');
       },
     },
 

package/test/routes/payments/discount.js

@@ -0,0 +1,80 @@
+/**
+ * Test: GET /payments/discount
+ * Tests discount code validation endpoint
+ */
+module.exports = {
+  description: 'Discount code validation',
+  type: 'group',
+  timeout: 15000,
+
+  tests: [
+    {
+      name: 'rejects-missing-code',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount');
+
+        assert.isError(response, 400, 'Should reject missing code');
+      },
+    },
+
+    {
+      name: 'returns-valid-for-known-code',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount', {
+          code: 'FLASH20',
+        });
+
+        assert.isSuccess(response, 'Should succeed for valid code');
+        assert.equal(response.data.valid, true, 'Should be valid');
+        assert.equal(response.data.code, 'FLASH20', 'Should return normalized code');
+        assert.equal(response.data.percent, 20, 'Should return correct percent');
+        assert.equal(response.data.duration, 'once', 'Should return duration');
+      },
+    },
+
+    {
+      name: 'returns-valid-case-insensitive',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount', {
+          code: 'flash20',
+        });
+
+        assert.isSuccess(response, 'Should succeed for lowercase code');
+        assert.equal(response.data.valid, true, 'Should be valid (case-insensitive)');
+        assert.equal(response.data.code, 'FLASH20', 'Should return uppercase code');
+      },
+    },
+
+    {
+      name: 'returns-invalid-for-unknown-code',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount', {
+          code: 'NOTAREALCODE',
+        });
+
+        assert.isSuccess(response, 'Should return 200 even for invalid code');
+        assert.equal(response.data.valid, false, 'Should be invalid');
+      },
+    },
+
+    {
+      name: 'validates-all-known-codes',
+      async run({ http, assert }) {
+        const codes = [
+          { code: 'FLASH20', percent: 20 },
+          { code: 'SAVE10', percent: 10 },
+          { code: 'WELCOME15', percent: 15 },
+        ];
+
+        for (const { code, percent } of codes) {
+          const response = await http.as('none').get('payments/discount', { code });
+
+          assert.isSuccess(response, `Should succeed for ${code}`);
+          assert.equal(response.data.valid, true, `${code} should be valid`);
+          assert.equal(response.data.percent, percent, `${code} should be ${percent}%`);
+          assert.equal(response.data.duration, 'once', `${code} should be once`);
+        }
+      },
+    },
+  ],
+};

package/test/routes/payments/dispute-alert.js

@@ -0,0 +1,271 @@
+/**
+ * Test: POST /payments/dispute-alert
+ * Tests the dispute alert endpoint validates requests and saves to Firestore
+ */
+module.exports = {
+  description: 'Dispute alert endpoint',
+  type: 'group',
+  timeout: 30000,
+
+  tests: [
+    {
+      name: 'rejects-missing-key',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('payments/dispute-alert', {});
+
+        assert.isError(response, 401, 'Should reject missing key');
+      },
+    },
+
+    {
+      name: 'rejects-invalid-key',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post('payments/dispute-alert?key=wrong-key', {});
+
+        assert.isError(response, 401, 'Should reject invalid key');
+      },
+    },
+
+    {
+      name: 'rejects-unknown-provider',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post(`payments/dispute-alert?alerts=unknown&key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: '_test-dispute-unknown-provider',
+          card: '4242',
+          amount: 9.99,
+          transactionDate: '2026-01-15',
+        });
+
+        assert.isError(response, 400, 'Should reject unknown alert provider');
+      },
+    },
+
+    {
+      name: 'rejects-missing-id',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          card: '4242',
+          amount: 9.99,
+          transactionDate: '2026-01-15',
+        });
+
+        assert.isError(response, 400, 'Should reject missing id');
+      },
+    },
+
+    {
+      name: 'rejects-missing-card',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: '_test-dispute-no-card',
+          amount: 9.99,
+          transactionDate: '2026-01-15',
+        });
+
+        assert.isError(response, 400, 'Should reject missing card');
+      },
+    },
+
+    {
+      name: 'rejects-missing-amount',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: '_test-dispute-no-amount',
+          card: '4242',
+          transactionDate: '2026-01-15',
+        });
+
+        assert.isError(response, 400, 'Should reject missing amount');
+      },
+    },
+
+    {
+      name: 'rejects-missing-transaction-date',
+      auth: 'none',
+      async run({ http, assert }) {
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: '_test-dispute-no-date',
+          card: '4242',
+          amount: 9.99,
+        });
+
+        assert.isError(response, 400, 'Should reject missing transactionDate');
+      },
+    },
+
+    {
+      name: 'accepts-valid-chargeblast-alert',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-valid';
+
+        // Clean up any existing doc
+        await firestore.delete(`payments-disputes/${alertId}`);
+
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '4242424242424242',
+          cardBrand: 'Visa',
+          amount: 29.99,
+          transactionDate: '2026-03-07 14:30:00',
+          processor: 'stripe',
+        });
+
+        assert.isSuccess(response, 'Should accept valid Chargeblast alert');
+        assert.equal(response.data.received, true, 'Should confirm receipt');
+
+        // Verify doc was saved to Firestore
+        const doc = await firestore.get(`payments-disputes/${alertId}`);
+        assert.ok(doc, 'Dispute doc should exist in Firestore');
+        assert.equal(doc.provider, 'chargeblast', 'Provider should be chargeblast');
+        assert.ok(
+          doc.status === 'pending' || doc.status === 'processing',
+          'Status should be pending or processing',
+        );
+
+        // Verify normalized alert data
+        assert.equal(doc.alert.card.last4, '4242', 'Should extract last4 from full card number');
+        assert.equal(doc.alert.card.brand, 'visa', 'Should lowercase card brand');
+        assert.equal(doc.alert.amount, 29.99, 'Amount should be preserved');
+        assert.equal(doc.alert.transactionDate, '2026-03-07', 'Should extract date without time');
+        assert.equal(doc.alert.processor, 'stripe', 'Processor should be stripe');
+
+        // Verify raw payload is preserved
+        assert.ok(doc.raw, 'Raw payload should be preserved');
+        assert.equal(doc.raw.id, alertId, 'Raw id should match');
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+
+    {
+      name: 'accepts-alert-with-last4-only',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-last4';
+
+        // Clean up any existing doc
+        await firestore.delete(`payments-disputes/${alertId}`);
+
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '1234',
+          amount: 9.99,
+          transactionDate: '2026-01-15',
+        });
+
+        assert.isSuccess(response, 'Should accept alert with card last4 only');
+
+        const doc = await firestore.get(`payments-disputes/${alertId}`);
+        assert.equal(doc.alert.card.last4, '1234', 'Should use card value as last4 when already 4 digits');
+        assert.equal(doc.alert.processor, 'stripe', 'Processor should default to stripe');
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+
+    {
+      name: 'deduplicates-dispute-alerts',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-duplicate';
+
+        // Clean up any existing doc
+        await firestore.delete(`payments-disputes/${alertId}`);
+
+        // Send first alert
+        await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '4242',
+          amount: 29.99,
+          transactionDate: '2026-03-07',
+        });
+
+        // Send duplicate
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '4242',
+          amount: 29.99,
+          transactionDate: '2026-03-07',
+        });
+
+        assert.isSuccess(response, 'Duplicate should still return 200');
+        assert.equal(response.data.duplicate, true, 'Should indicate duplicate');
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+
+    {
+      name: 'retries-failed-alerts',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-retry';
+
+        // Pre-seed a failed dispute
+        await firestore.set(`payments-disputes/${alertId}`, {
+          id: alertId,
+          status: 'failed',
+          error: 'Previous error',
+        });
+
+        // Send alert with same ID — should retry since previous status was 'failed'
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '4242',
+          amount: 29.99,
+          transactionDate: '2026-03-07',
+        });
+
+        assert.isSuccess(response, 'Should accept retry of failed alert');
+        assert.ok(!response.data.duplicate, 'Should not indicate duplicate for failed retry');
+
+        // Verify doc was updated
+        const doc = await firestore.get(`payments-disputes/${alertId}`);
+        assert.ok(
+          doc.status === 'pending' || doc.status === 'processing',
+          'Status should be pending or processing after retry',
+        );
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+
+    {
+      name: 'defaults-alerts-to-chargeblast',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-default-provider';
+
+        // Clean up any existing doc
+        await firestore.delete(`payments-disputes/${alertId}`);
+
+        // Send without alerts query param
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '4242',
+          amount: 9.99,
+          transactionDate: '2026-01-15',
+        });
+
+        assert.isSuccess(response, 'Should accept without explicit alerts param');
+
+        const doc = await firestore.get(`payments-disputes/${alertId}`);
+        assert.equal(doc.provider, 'chargeblast', 'Provider should default to chargeblast');
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+  ],
+};

package/test/routes/payments/intent.js

@@ -113,6 +113,66 @@ module.exports = {
       },
     },
 
+    {
+      name: 'rejects-invalid-discount-code',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('basic').post('payments/intent', {
+          processor: 'stripe',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+          discount: 'FAKECODE',
+        });
+
+        assert.isError(response, 400, 'Should reject invalid discount code');
+      },
+    },
+
+    {
+      name: 'saves-discount-to-intent-doc',
+      async run({ http, assert, config, firestore }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('journey-payments-intent-discount').post('payments/intent', {
+          processor: 'test',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+          discount: 'FLASH20',
+        });
+
+        assert.isSuccess(response, 'Should succeed with valid discount');
+
+        // Verify discount was resolved and saved to intent doc
+        const intentDoc = await firestore.get(`payments-intents/${response.data.orderId}`);
+        assert.ok(intentDoc.discount, 'Discount should be saved on intent');
+        assert.equal(intentDoc.discount.code, 'FLASH20', 'Discount code should match');
+        assert.equal(intentDoc.discount.percent, 20, 'Discount percent should be 20');
+        assert.equal(intentDoc.discount.duration, 'once', 'Discount duration should be once');
+      },
+    },
+
+    {
+      name: 'saves-attribution-and-supplemental-to-intent-doc',
+      async run({ http, assert, config, firestore }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('journey-payments-intent-attribution').post('payments/intent', {
+          processor: 'test',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+          attribution: { utm_source: 'test', utm_medium: 'unit-test' },
+          supplemental: { referral: 'friend' },
+        });
+
+        assert.isSuccess(response, 'Should succeed with attribution and supplemental');
+
+        const intentDoc = await firestore.get(`payments-intents/${response.data.orderId}`);
+        assert.equal(intentDoc.attribution.utm_source, 'test', 'Attribution utm_source should be saved');
+        assert.equal(intentDoc.supplemental.referral, 'friend', 'Supplemental should be saved');
+      },
+    },
+
     {
       name: 'succeeds-with-test-processor',
       async run({ http, assert, config, firestore, accounts, waitFor }) {