backend-manager 5.0.122 → 5.0.124

package/src/manager/helpers/usage.js

@@ -114,18 +114,18 @@ Usage.prototype.validate = function (name, options) {
     options._forceReject = typeof options._forceReject === 'undefined' ? false : options._forceReject;
 
     // Check for required options
-    const period = self.getUsage(name);
+    const monthly = self.getUsage(name);
     const allowed = self.getLimit(name);
 
     // Log (independent of options.log because this is important)
     if (options.log) {
-      assistant.log(`Usage.validate(): Checking ${period}/${allowed} for ${name} (${self.key})...`);
+      assistant.log(`Usage.validate(): Checking ${monthly}/${allowed} for ${name} (${self.key})...`);
     }
 
     // Reject function
     function _reject() {
       reject(
-        assistant.errorify(`You have exceeded your ${name} usage limit of ${period}/${allowed}.`, {code: 429})
+        assistant.errorify(`You have exceeded your ${name} usage limit of ${monthly}/${allowed}.`, {code: 429})
       );
     }
 
@@ -142,22 +142,38 @@ Usage.prototype.validate = function (name, options) {
       return resolve(true);
     }
 
-    // Check proportional daily allowance (for products with rateLimit: 'daily')
+    // Check daily caps (for products with rateLimit: 'daily', which is the default)
     const dailyAllowance = self.getDailyAllowance(name);
     if (dailyAllowance !== null) {
+      // Flat daily cap: ceil(monthlyLimit / daysInMonth)
+      const now = new Date();
+      const daysInMonth = new Date(now.getFullYear(), now.getMonth() + 1, 0).getDate();
+      const flatDailyCap = Math.ceil(allowed / daysInMonth);
+
+      // Get today's usage from the daily counter
+      const daily = _.get(self.user, `usage.${name}.daily`, 0);
+
       if (options.log) {
-        assistant.log(`Usage.validate(): Daily allowance check: ${period}/${dailyAllowance} (monthly: ${allowed}) for ${name} (${self.key})`);
+        assistant.log(`Usage.validate(): Daily cap check: ${daily}/${flatDailyCap} today, ${monthly}/${dailyAllowance} proportional (monthly: ${allowed}) for ${name} (${self.key})`);
       }
 
-      if (period >= dailyAllowance) {
+      // Check flat daily cap (can't exceed ceil(limit/daysInMonth) in a single day)
+      if (daily >= flatDailyCap) {
         return reject(
-          assistant.errorify(`You have reached your daily usage limit for ${name} (${period}/${dailyAllowance}). Your monthly limit is ${allowed}.`, {code: 429})
+          assistant.errorify(`You have reached your daily usage limit for ${name} (${daily}/${flatDailyCap}). Your monthly limit is ${allowed}.`, {code: 429})
+        );
+      }
+
+      // Check proportional monthly cap (can't accumulate too fast)
+      if (monthly >= dailyAllowance) {
+        return reject(
+          assistant.errorify(`You have reached your usage limit for ${name} (${monthly}/${dailyAllowance}). Your monthly limit is ${allowed}.`, {code: 429})
         );
       }
     }
 
     // If they are under the monthly limit, resolve
-    if (period < allowed) {
+    if (monthly < allowed) {
       self.log(`Usage.validate(): Valid for ${name}`);
 
       return resolve(true);
@@ -200,8 +216,8 @@ Usage.prototype.increment = function (name, value, options) {
   options = options || {};
   options.id = options.id || null;
 
-  // Update total and period
-  ['total', 'period', 'last'].forEach((key) => {
+  // Update total, monthly, daily, and last
+  ['total', 'monthly', 'daily', 'last'].forEach((key) => {
     const resolved = `usage.${name}.${key}`;
     const existing = _.get(self.user, resolved, 0);
 
@@ -237,8 +253,8 @@ Usage.prototype.set = function (name, value) {
   // Set value
   value = typeof value === 'undefined' ? 0 : value;
 
-  // Update total and period
-  const resolved = `usage.${name}.period`;
+  // Update monthly
+  const resolved = `usage.${name}.monthly`;
 
   // Set the value
   _.set(self.user, resolved, value);
@@ -256,7 +272,7 @@ Usage.prototype.getUsage = function (name) {
 
   // Get usage
   if (name) {
-    return _.get(self.user, `usage.${name}.period`, 0);
+    return _.get(self.user, `usage.${name}.monthly`, 0);
   } else {
     return self.user.usage;
   }
@@ -290,20 +306,27 @@ Usage.prototype.getLimit = function (name) {
 };
 
 /**
- * Get the proportional daily allowance for a metric
- * Based on how far into the month we are: ceil(monthlyLimit * dayOfMonth / daysInMonth)
+ * Get the daily allowance cap for a metric
+ * Prevents users from burning their entire monthly quota in a single day
+ *
+ * Uses two checks:
+ * 1. Flat daily cap: ceil(monthlyLimit / daysInMonth) — max uses per day
+ *    e.g. 100/month in March (31 days) = ceil(100/31) = 4/day
+ *    e.g. 10/month in March (31 days) = ceil(10/31) = 1/day
+ * 2. Proportional monthly cap: ceil(monthlyLimit * dayOfMonth / daysInMonth) — running total
+ *    Ensures users can't accumulate too much too fast even within daily limits
  *
- * Returns null if the product uses monthly rate limiting (no daily cap)
- * Products can set rateLimit: 'daily' | 'monthly' (default: 'monthly')
+ * Returns null if the product opts out with rateLimit: 'monthly'
+ * Products can set rateLimit: 'daily' (default) | 'monthly'
  */
 Usage.prototype.getDailyAllowance = function (name) {
   const self = this;
 
   // Get the product config
   const product = self.getProduct();
-  const rateLimit = product.rateLimit || 'monthly';
+  const rateLimit = product.rateLimit || 'daily';
 
-  // If monthly rate limiting, no daily cap
+  // If explicitly set to monthly, no daily cap
   if (rateLimit !== 'daily') {
     return null;
   }
@@ -314,11 +337,12 @@ Usage.prototype.getDailyAllowance = function (name) {
     return null;
   }
 
-  // Calculate proportional allowance based on day of month
+  // Calculate caps
   const now = new Date();
   const dayOfMonth = now.getDate();
   const daysInMonth = new Date(now.getFullYear(), now.getMonth() + 1, 0).getDate();
 
+  // Proportional monthly cap — how much should be used by this day at most
   // ceil ensures at least 1 usage per day even with very low limits
   return Math.ceil(monthlyLimit * (dayOfMonth / daysInMonth));
 };

package/src/manager/helpers/user.js

@@ -97,7 +97,8 @@ const SCHEMA = {
   usage: {
     $passthrough: true,
     $template: {
-      period: { type: 'number', default: 0 },
+      monthly: { type: 'number', default: 0 },
+      daily: { type: 'number', default: 0 },
       total: { type: 'number', default: 0 },
       last: {
         id: { type: 'string', default: null, nullable: true },

package/src/manager/index.js

@@ -946,11 +946,21 @@ Manager.prototype.setupFunctions = function (exporter, options) {
   .firestore.document('payments-webhooks/{eventId}')
   .onWrite((change, context) => self.EventMiddleware({ change, context }).run(`${events}/firestore/payments-webhooks/on-write.js`));
 
+  exporter.bm_paymentsDisputeOnWrite =
+  fn({memory: '256MB', timeoutSeconds: 60})
+  .firestore.document('payments-disputes/{alertId}')
+  .onWrite((change, context) => self.EventMiddleware({ change, context }).run(`${events}/firestore/payments-disputes/on-write.js`));
+
   // Setup cron jobs
   exporter.bm_cronDaily =
   fn({memory: '256MB', timeoutSeconds: 60 * 5})
   .pubsub.schedule('0 0 * * *')
   .onRun((context) => self.EventMiddleware({ context }).run(`${cron}/daily.js`));
+
+  exporter.bm_cronFrequent =
+  fn({memory: '256MB', timeoutSeconds: 60 * 5})
+  .pubsub.schedule('*/10 * * * *')
+  .onRun((context) => self.EventMiddleware({ context }).run(`${cron}/frequent.js`));
 };
 
 // Setup Custom Server

package/src/manager/libraries/abandoned-cart-config.js

@@ -0,0 +1,12 @@
+/**
+ * Abandoned cart reminder configuration (SSOT)
+ *
+ * Used by:
+ * - cron/frequent/abandoned-carts.js (processing reminders)
+ * - Client-side checkout page (creating cart doc with first delay)
+ */
+module.exports = {
+  // Delays in seconds between reminders: 15m, 3h, 24h, 48h, 72h
+  REMINDER_DELAYS: [900, 10800, 86400, 172800, 259200],
+  COLLECTION: 'payments-carts',
+};

package/src/manager/libraries/email.js

@@ -26,12 +26,10 @@ const SEND_AT_LIMIT = 71;
 // Template shortcut map — callers use readable paths instead of SendGrid IDs
 // Paths mirror the email website structure: {category}/{subcategory}/{name}
 const TEMPLATES = {
-  // v1 templates
-  'main/basic/card': 'd-b7f8da3c98ad49a2ad1e187f3a67b546',
-  'main/engagement/feedback': 'd-c1522214c67b47058669acc5a81ed663',
-  'main/misc/app-download-link': 'd-1d730ac8cc544b7cbccc8fa4a4b3f9ce',
-
   // v2 templates
+  'main/basic/card': 'd-1cd2eee44b6340268c964cd7971d49b9',
+  'main/engagement/feedback': 'd-319ab5c9d5074b21926a93562d6f41f6',
+  'main/misc/app-download-link': 'd-fc8b4834d7e1472896fe7e46152029f4',
   'main/order/confirmation': 'd-5371ac2b4e3b490bbce51bfc2922ece8',
   'main/order/payment-failed': 'd-e56af0ac62364bfb9e50af02854e2cd3',
   'main/order/payment-recovered': 'd-d6dbd17a260a4755b34a852ba09c2454',
@@ -39,6 +37,8 @@ const TEMPLATES = {
   'main/order/cancelled': 'd-39041132e6b24e5ebf0e95bce2d94dba',
   'main/order/plan-changed': 'd-399086311bbb48b4b77bc90b20fb9d0a',
   'main/order/trial-ending': 'd-af8ab499cbfb4d56918b4118f44343b0',
+  'main/order/refunded': 'd-aa47fdbffa2b4ca9b73b6256e963e49f',
+  'main/order/abandoned-cart': 'd-d8b3fa67e2b44b398dc280d0576bf1b7',
 };
 
 // "default" resolves to the basic card template

package/src/manager/libraries/openai.js

@@ -7,13 +7,63 @@ const path = require('path');
 const mimeTypes = require('mime-types');
 
 // Constants
-const DEFAULT_MODEL = 'gpt-4o';
+const DEFAULT_MODEL = 'gpt-5-mini';
 const MODERATION_MODEL = 'omni-moderation-latest';
 
-// OpenAI model pricing table
+// OpenAI model pricing table (per 1M tokens)
 // https://platform.openai.com/docs/pricing
 const MODEL_TABLE = {
-  // Jul 11, 2025
+  // Mar 9, 2026
+  // GPT-5 family
+  'gpt-5.4': {
+    input: 2.50,
+    output: 15.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5.2': {
+    input: 1.75,
+    output: 14.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5.1': {
+    input: 1.25,
+    output: 10.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5': {
+    input: 1.25,
+    output: 10.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5-mini': {
+    input: 0.25,
+    output: 2.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'gpt-5-nano': {
+    input: 0.05,
+    output: 0.40,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  // GPT-4.5
   'gpt-4.5-preview': {
     input: 75.00,
     output: 150.00,
@@ -22,6 +72,7 @@ const MODEL_TABLE = {
       json: true,
     },
   },
+  // GPT-4.1 family
   'gpt-4.1': {
     input: 2.00,
     output: 8.00,
@@ -46,6 +97,7 @@ const MODEL_TABLE = {
       json: true,
     },
   },
+  // GPT-4o family
   'gpt-4o': {
     input: 2.50,
     output: 10.00,
@@ -62,9 +114,10 @@ const MODEL_TABLE = {
       json: true,
     },
   },
-  'o1-pro': {
-    input: 150.00,
-    output: 600.00,
+  // Reasoning models
+  'o4-mini': {
+    input: 1.10,
+    output: 4.40,
     provider: 'openai',
     features: {
       json: true,
@@ -86,7 +139,7 @@ const MODEL_TABLE = {
       json: true,
     },
   },
-  'o4-mini': {
+  'o3-mini': {
     input: 1.10,
     output: 4.40,
     provider: 'openai',
@@ -94,6 +147,22 @@ const MODEL_TABLE = {
       json: true,
     },
   },
+  'o1-pro': {
+    input: 150.00,
+    output: 600.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
+  'o1': {
+    input: 15.00,
+    output: 60.00,
+    provider: 'openai',
+    features: {
+      json: true,
+    },
+  },
   'o1-preview': {
     input: 15.00,
     output: 60.00,

package/src/manager/libraries/payment/discount-codes.js

@@ -0,0 +1,40 @@
+/**
+ * Discount codes — hardcoded for now, move to Firestore/config later
+ *
+ * Each code maps to a discount definition:
+ *   - percent: Percentage off (1-100)
+ *   - duration: 'once' (first payment only)
+ */
+const DISCOUNT_CODES = {
+  'FLASH20': { percent: 20, duration: 'once' },
+  'SAVE10': { percent: 10, duration: 'once' },
+  'WELCOME15': { percent: 15, duration: 'once' },
+};
+
+/**
+ * Validate a discount code
+ * @param {string} code - The discount code (case-insensitive)
+ * @returns {{ valid: boolean, code: string, percent: number, duration: string } | { valid: boolean, code: string }}
+ */
+function validate(code) {
+  const normalized = (code || '').trim().toUpperCase();
+
+  if (!normalized) {
+    return { valid: false, code: normalized };
+  }
+
+  const entry = DISCOUNT_CODES[normalized];
+
+  if (!entry) {
+    return { valid: false, code: normalized };
+  }
+
+  return {
+    valid: true,
+    code: normalized,
+    percent: entry.percent,
+    duration: entry.duration,
+  };
+}
+
+module.exports = { validate, DISCOUNT_CODES };

package/src/manager/libraries/recaptcha.js

@@ -0,0 +1,36 @@
+const fetch = require('wonderful-fetch');
+
+/**
+ * Verify a Google reCAPTCHA token
+ * @param {string} token - The reCAPTCHA response token
+ * @param {object} [options] - Options
+ * @param {number} [options.minScore=0.5] - Minimum score threshold (v3)
+ * @returns {Promise<boolean>} Whether the token is valid
+ */
+async function verify(token, options) {
+  const minScore = options?.minScore || 0.5;
+
+  if (!process.env.RECAPTCHA_SECRET_KEY) {
+    return true;
+  }
+
+  if (!token) {
+    return false;
+  }
+
+  try {
+    const data = await fetch('https://www.google.com/recaptcha/api/siteverify', {
+      method: 'post',
+      response: 'json',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`,
+    });
+
+    return data.success && (data.score === undefined || data.score >= minScore);
+  } catch (e) {
+    console.error('reCAPTCHA verification error:', e);
+    return false;
+  }
+}
+
+module.exports = { verify };

package/src/manager/routes/app/get.js

@@ -10,7 +10,7 @@ module.exports = async ({ assistant, Manager }) => {
 
 /**
  * Build a public-safe config object from Manager.config
- * Excludes sensitive fields: sentry, google_analytics, ghostii, etc.
+ * Excludes sensitive fields: sentry, googleAnalytics, ghostii, etc.
  */
 function buildPublicConfig(config) {
   return {

package/src/manager/routes/marketing/contact/post.js

@@ -5,6 +5,7 @@
 const fetch = require('wonderful-fetch');
 const path = require('path');
 const dns = require('dns').promises;
+const recaptcha = require('../../../libraries/recaptcha.js');
 
 // Load disposable domains list
 const DISPOSABLE_DOMAINS = require(path.join(__dirname, '..', '..', '..', 'libraries', 'disposable-domains.json'));
@@ -43,15 +44,17 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
 
   // Public access protection
   if (!isAdmin) {
-    // Verify reCAPTCHA
-    const recaptchaToken = settings['g-recaptcha-response'];
-    if (!recaptchaToken) {
-      return assistant.respond('reCAPTCHA token required', { code: 400 });
-    }
+    // Verify reCAPTCHA (skip during automated tests)
+    if (!assistant.isTesting()) {
+      const recaptchaToken = settings['g-recaptcha-response'];
+      if (!recaptchaToken) {
+        return assistant.respond('Request could not be verified', { code: 403 });
+      }
 
-    const recaptchaValid = await verifyRecaptcha(recaptchaToken);
-    if (!recaptchaValid) {
-      return assistant.respond('reCAPTCHA verification failed', { code: 400 });
+      const recaptchaValid = await recaptcha.verify(recaptchaToken);
+      if (!recaptchaValid) {
+        return assistant.respond('Request could not be verified', { code: 403 });
+      }
     }
 
     // Check rate limit via Usage API
@@ -160,27 +163,6 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
   return assistant.respond({ success: true });
 };
 
-// Helper: Verify Google reCAPTCHA token
-async function verifyRecaptcha(token) {
-  if (!process.env.RECAPTCHA_SECRET_KEY) {
-    return true;
-  }
-
-  try {
-    const data = await fetch('https://www.google.com/recaptcha/api/siteverify', {
-      method: 'post',
-      response: 'json',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body: `secret=${process.env.RECAPTCHA_SECRET_KEY}&response=${token}`,
-    });
-
-    return data.success && (data.score === undefined || data.score >= 0.5);
-  } catch (e) {
-    console.error('reCAPTCHA verification error:', e);
-    return false;
-  }
-}
-
 // Helper: Validate email with ZeroBounce API
 async function validateWithZeroBounce(email) {
   try {

package/src/manager/routes/payments/discount/get.js

@@ -0,0 +1,22 @@
+/**
+ * GET /payments/discount?code=FLASH20
+ * Validates a discount code and returns the discount details
+ */
+const discountCodes = require('../../../libraries/payment/discount-codes.js');
+
+module.exports = async ({ assistant, settings }) => {
+  const result = discountCodes.validate(settings.code);
+
+  assistant.log(`Discount validation: code=${result.code}, valid=${result.valid}`);
+
+  if (!result.valid) {
+    return assistant.respond({ valid: false }, { code: 200 });
+  }
+
+  return assistant.respond({
+    valid: true,
+    code: result.code,
+    percent: result.percent,
+    duration: result.duration,
+  });
+};

package/src/manager/routes/payments/dispute-alert/post.js

@@ -0,0 +1,93 @@
+const path = require('path');
+const powertools = require('node-powertools');
+
+/**
+ * POST /payments/dispute-alert?alerts=chargeblast&key=XXX
+ * Receives dispute alert webhooks (e.g., from Chargeblast), validates them,
+ * and saves to Firestore for async processing via onWrite trigger
+ *
+ * Query params:
+ *   - alerts: alert provider name (default: 'chargeblast')
+ *   - key: must match BACKEND_MANAGER_KEY
+ */
+module.exports = async ({ assistant, Manager, libraries }) => {
+  const { admin } = libraries;
+  const body = assistant.request.body;
+  const query = assistant.request.query;
+
+  // Validate key against BACKEND_MANAGER_KEY
+  const key = query.key;
+  if (!key || key !== process.env.BACKEND_MANAGER_KEY) {
+    return assistant.respond('Invalid key', { code: 401 });
+  }
+
+  // Determine alert provider (default: chargeblast)
+  const provider = query.alerts || 'chargeblast';
+
+  // Load the processor module
+  let processorModule;
+  try {
+    processorModule = require(path.resolve(__dirname, `processors/${provider}.js`));
+  } catch (e) {
+    return assistant.respond(`Unknown alert provider: ${provider}`, { code: 400 });
+  }
+
+  // Normalize the payload using the processor
+  let alert;
+  try {
+    alert = processorModule.normalize(body);
+  } catch (e) {
+    return assistant.respond(`Failed to normalize alert: ${e.message}`, { code: 400 });
+  }
+
+  const alertId = alert.id;
+
+  assistant.log(`Parsed dispute alert: id=${alertId}, provider=${provider}, processor=${alert.processor}, amount=${alert.amount}, card=****${alert.card.last4}`);
+
+  // Check for duplicate (skip if already processing/completed)
+  const existingDoc = await admin.firestore().doc(`payments-disputes/${alertId}`).get();
+  if (existingDoc.exists) {
+    const existingStatus = existingDoc.data()?.status;
+    if (existingStatus !== 'failed') {
+      assistant.log(`Duplicate dispute alert ${alertId}, existing status=${existingStatus}, skipping`);
+      return assistant.respond({ received: true, duplicate: true });
+    }
+    assistant.log(`Retrying previously failed dispute alert ${alertId}`);
+  }
+
+  // Build timestamps
+  const now = powertools.timestamp(new Date(), { output: 'string' });
+  const nowUNIX = powertools.timestamp(now, { output: 'unix' });
+
+  // Save to Firestore with status=pending (trigger handles the rest)
+  await admin.firestore().doc(`payments-disputes/${alertId}`).set({
+    id: alertId,
+    provider: provider,
+    status: 'pending',
+    alert: alert,
+    match: null,
+    actions: {
+      refund: 'pending',
+      cancel: 'pending',
+      email: 'pending',
+    },
+    errors: [],
+    error: null,
+    metadata: {
+      created: {
+        timestamp: now,
+        timestampUNIX: nowUNIX,
+      },
+      completed: {
+        timestamp: null,
+        timestampUNIX: null,
+      },
+    },
+    raw: body,
+  });
+
+  assistant.log(`Saved payments-disputes/${alertId}: provider=${provider}, processor=${alert.processor}`);
+
+  // Return 200 immediately — async processing via Firestore trigger
+  return assistant.respond({ received: true });
+};

package/src/manager/routes/payments/dispute-alert/processors/chargeblast.js

@@ -0,0 +1,43 @@
+/**
+ * Chargeblast dispute alert processor
+ * Normalizes Chargeblast webhook payloads into a standard dispute alert shape
+ *
+ * Chargeblast sends:
+ *   id, card (full number or last4), cardBrand, amount (dollars),
+ *   transactionDate ("YYYY-MM-DD HH:MM:SS"), app, processor, alerts
+ */
+module.exports = {
+  /**
+   * Normalize a Chargeblast webhook payload
+   *
+   * @param {object} body - Raw request body from Chargeblast
+   * @returns {object} Normalized dispute alert
+   */
+  normalize(body) {
+    if (!body.id) {
+      throw new Error('Missing required field: id');
+    }
+    if (!body.card) {
+      throw new Error('Missing required field: card');
+    }
+    if (!body.amount && body.amount !== 0) {
+      throw new Error('Missing required field: amount');
+    }
+    if (!body.transactionDate) {
+      throw new Error('Missing required field: transactionDate');
+    }
+
+    const cardStr = String(body.card);
+
+    return {
+      id: String(body.id),
+      card: {
+        last4: cardStr.slice(-4),
+        brand: body.cardBrand ? String(body.cardBrand).toLowerCase() : null,
+      },
+      amount: parseFloat(body.amount),
+      transactionDate: String(body.transactionDate).split(' ')[0], // date only, no time
+      processor: body.processor ? String(body.processor).toLowerCase() : 'stripe',
+    };
+  },
+};