backend-manager 5.0.122 → 5.0.124

package/src/manager/routes/payments/intent/post.js

@@ -1,6 +1,8 @@
 const path = require('path');
 const powertools = require('node-powertools');
 const OrderId = require('../../../libraries/payment/order-id.js');
+const recaptcha = require('../../../libraries/recaptcha.js');
+const discountCodes = require('../../../libraries/payment/discount-codes.js');
 
 /**
  * POST /payments/intent
@@ -15,10 +17,22 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     return assistant.respond('Authentication required', { code: 401 });
   }
 
+  // Verify reCAPTCHA (skip during automated tests)
+  if (!assistant.isTesting()) {
+    const recaptchaToken = settings.verification?.['g-recaptcha-response'];
+    const recaptchaValid = await recaptcha.verify(recaptchaToken);
+    if (!recaptchaValid) {
+      return assistant.respond('Request could not be verified', { code: 403 });
+    }
+  }
+
   const uid = user.auth.uid;
   const processor = settings.processor;
   const productId = settings.productId;
   const frequency = settings.frequency;
+  const attribution = settings.attribution;
+  const discount = settings.discount;
+  const supplemental = settings.supplemental;
   let trial = settings.trial;
 
   assistant.log(`Intent request: uid=${uid}, processor=${processor}, product=${productId}, frequency=${frequency}, trial=${trial}`);
@@ -66,6 +80,17 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     trial = false;
   }
 
+  // Validate discount code (if provided)
+  let resolvedDiscount = null;
+  if (discount) {
+    const discountResult = discountCodes.validate(discount);
+    if (!discountResult.valid) {
+      return assistant.respond(`Invalid discount code: ${discount}`, { code: 400 });
+    }
+    resolvedDiscount = discountResult;
+    assistant.log(`Discount validated: code=${resolvedDiscount.code}, percent=${resolvedDiscount.percent}, duration=${resolvedDiscount.duration}`);
+  }
+
   // Generate order ID
   const orderId = OrderId.generate();
 
@@ -93,6 +118,7 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
       productId,
       frequency,
       trial,
+      discount: resolvedDiscount,
       confirmationUrl,
       cancelUrl,
       assistant,
@@ -119,6 +145,9 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
     type: productType,
     frequency: frequency,
     trial: trial,
+    attribution: attribution,
+    discount: resolvedDiscount,
+    supplemental: supplemental,
     raw: result.raw,
     metadata: {
       created: {

package/src/manager/routes/payments/intent/processors/chargebee.js

@@ -18,19 +18,25 @@ module.exports = {
    * @param {object} options.assistant - Assistant instance for logging
    * @returns {object} { id, url, raw }
    */
-  async createIntent({ uid, orderId, product, productId, frequency, trial, confirmationUrl, cancelUrl, assistant }) {
+  async createIntent({ uid, orderId, product, productId, frequency, trial, discount, confirmationUrl, cancelUrl, assistant }) {
     const ChargebeeLib = require('../../../../libraries/payment/processors/chargebee.js');
     ChargebeeLib.init();
 
     const productType = product.type || 'subscription';
     const metaData = ChargebeeLib.buildMetaData(uid, orderId, productType === 'one-time' ? productId : undefined);
 
+    // Resolve Chargebee coupon if discount is present
+    let chargebeeCouponId = null;
+    if (discount) {
+      chargebeeCouponId = await resolveChargebeeCoupon(ChargebeeLib, discount, assistant);
+    }
+
     let hostedPage;
 
     if (productType === 'subscription') {
-      hostedPage = await createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, confirmationUrl, cancelUrl, assistant });
+      hostedPage = await createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant });
     } else {
-      hostedPage = await createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, confirmationUrl, cancelUrl, assistant });
+      hostedPage = await createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant });
     }
 
     assistant.log(`Chargebee hosted page created: id=${hostedPage.id}, type=${productType}, url=${hostedPage.url}`);
@@ -46,7 +52,7 @@ module.exports = {
 /**
  * Create a Chargebee Hosted Page for a new subscription
  */
-async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, confirmationUrl, cancelUrl, assistant }) {
+async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product, productId, frequency, trial, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant }) {
   const chargebeeItemId = product.chargebee?.itemId;
 
   if (!chargebeeItemId) {
@@ -76,7 +82,12 @@ async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product,
     params.subscription.trial_end = 0;
   }
 
-  assistant.log(`Chargebee subscription checkout: itemPriceId=${itemPriceId}, uid=${uid}, trial=${trial}`);
+  // Apply discount coupon (first payment only)
+  if (chargebeeCouponId) {
+    params.coupon_ids = [chargebeeCouponId];
+  }
+
+  assistant.log(`Chargebee subscription checkout: itemPriceId=${itemPriceId}, uid=${uid}, trial=${trial}, coupon=${chargebeeCouponId || 'none'}`);
 
   const result = await ChargebeeLib.request('/hosted_pages/checkout_new_for_items', {
     method: 'POST',
@@ -89,7 +100,7 @@ async function createSubscriptionCheckout({ ChargebeeLib, uid, orderId, product,
 /**
  * Create a Chargebee Hosted Page for a one-time charge
  */
-async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, confirmationUrl, cancelUrl, assistant }) {
+async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, productId, metaData, chargebeeCouponId, confirmationUrl, cancelUrl, assistant }) {
   const price = product.prices?.once;
 
   if (!price) {
@@ -109,7 +120,12 @@ async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, prod
     pass_thru_content: metaData,
   };
 
-  assistant.log(`Chargebee one-time checkout: amount=${amountCents}, productId=${productId}, uid=${uid}`);
+  // Apply discount coupon
+  if (chargebeeCouponId) {
+    params.coupon_ids = [chargebeeCouponId];
+  }
+
+  assistant.log(`Chargebee one-time checkout: amount=${amountCents}, productId=${productId}, uid=${uid}, coupon=${chargebeeCouponId || 'none'}`);
 
   const result = await ChargebeeLib.request('/hosted_pages/checkout_one_time_for_items', {
     method: 'POST',
@@ -118,3 +134,39 @@ async function createOneTimeCheckout({ ChargebeeLib, uid, orderId, product, prod
 
   return result.hosted_page;
 }
+
+/**
+ * Resolve or create a Chargebee coupon for a discount code
+ * Uses a deterministic ID so the same code always maps to the same coupon
+ */
+async function resolveChargebeeCoupon(ChargebeeLib, discount, assistant) {
+  const couponId = `BEM_${discount.code}_${discount.percent}OFF_ONCE`;
+
+  try {
+    // Check if coupon already exists
+    await ChargebeeLib.request(`/coupons/${couponId}`, { method: 'GET' });
+    assistant.log(`Chargebee coupon exists: ${couponId}`);
+    return couponId;
+  } catch (e) {
+    // Chargebee returns 404 for missing resources
+    if (e.status !== 404 && e.statusCode !== 404) {
+      throw e;
+    }
+  }
+
+  // Create the coupon
+  await ChargebeeLib.request('/coupons', {
+    method: 'POST',
+    body: {
+      id: couponId,
+      name: `${discount.code} (${discount.percent}% off first payment)`,
+      discount_type: 'percentage',
+      discount_percentage: discount.percent,
+      duration_type: 'one_time',
+      apply_on: 'invoice_amount',
+    },
+  });
+
+  assistant.log(`Chargebee coupon created: ${couponId}`);
+  return couponId;
+}

package/src/manager/routes/payments/intent/processors/stripe.js

@@ -16,7 +16,7 @@ module.exports = {
    * @param {string} options.cancelUrl - Cancel redirect URL
    * @returns {object} { id, url, raw }
    */
-  async createIntent({ uid, orderId, product, productId, frequency, trial, confirmationUrl, cancelUrl, assistant }) {
+  async createIntent({ uid, orderId, product, productId, frequency, trial, discount, confirmationUrl, cancelUrl, assistant }) {
     // Initialize Stripe SDK
     const StripeLib = require('../../../../libraries/payment/processors/stripe.js');
     const stripe = StripeLib.init();
@@ -30,15 +30,21 @@ module.exports = {
     const email = assistant?.getUser()?.auth?.email || null;
     const customer = await StripeLib.resolveCustomer(uid, email, assistant);
 
-    assistant.log(`Stripe checkout: type=${productType}, priceId=${priceId}, uid=${uid}, customerId=${customer.id}, trial=${trial}, trialDays=${product.trial?.days || 'none'}`);
+    // Resolve Stripe coupon if discount is present
+    let stripeCouponId = null;
+    if (discount) {
+      stripeCouponId = await resolveStripeCoupon(stripe, discount, assistant);
+    }
+
+    assistant.log(`Stripe checkout: type=${productType}, priceId=${priceId}, uid=${uid}, customerId=${customer.id}, trial=${trial}, trialDays=${product.trial?.days || 'none'}, discount=${discount?.code || 'none'}`);
 
     // Build session params based on product type
     let sessionParams;
 
     if (productType === 'subscription') {
-      sessionParams = buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, confirmationUrl, cancelUrl });
+      sessionParams = buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, stripeCouponId, confirmationUrl, cancelUrl });
     } else {
-      sessionParams = buildOneTimeSession({ priceId, customer, uid, orderId, productId, product, confirmationUrl, cancelUrl });
+      sessionParams = buildOneTimeSession({ priceId, customer, uid, orderId, productId, product, stripeCouponId, confirmationUrl, cancelUrl });
     }
 
     // Create the checkout session
@@ -57,7 +63,7 @@ module.exports = {
 /**
  * Build Stripe Checkout Session params for a subscription
  */
-function buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, confirmationUrl, cancelUrl }) {
+function buildSubscriptionSession({ priceId, customer, uid, orderId, productId, frequency, trial, product, stripeCouponId, confirmationUrl, cancelUrl }) {
   const sessionParams = {
     mode: 'subscription',
     customer: customer.id,
@@ -86,14 +92,19 @@ function buildSubscriptionSession({ priceId, customer, uid, orderId, productId,
     sessionParams.subscription_data.trial_period_days = product.trial.days;
   }
 
+  // Apply discount coupon (first payment only)
+  if (stripeCouponId) {
+    sessionParams.discounts = [{ coupon: stripeCouponId }];
+  }
+
   return sessionParams;
 }
 
 /**
  * Build Stripe Checkout Session params for a one-time payment
  */
-function buildOneTimeSession({ priceId, customer, uid, orderId, productId, product, confirmationUrl, cancelUrl }) {
-  return {
+function buildOneTimeSession({ priceId, customer, uid, orderId, productId, stripeCouponId, confirmationUrl, cancelUrl }) {
+  const sessionParams = {
     mode: 'payment',
     customer: customer.id,
     line_items: [{
@@ -114,5 +125,42 @@ function buildOneTimeSession({ priceId, customer, uid, orderId, productId, produ
       productId: productId,
     },
   };
+
+  // Apply discount coupon
+  if (stripeCouponId) {
+    sessionParams.discounts = [{ coupon: stripeCouponId }];
+  }
+
+  return sessionParams;
+}
+
+/**
+ * Resolve or create a Stripe coupon for a discount code
+ * Uses a deterministic ID so the same code always maps to the same coupon
+ */
+async function resolveStripeCoupon(stripe, discount, assistant) {
+  const couponId = `BEM_${discount.code}_${discount.percent}OFF_ONCE`;
+
+  try {
+    // Check if coupon already exists
+    await stripe.coupons.retrieve(couponId);
+    assistant.log(`Stripe coupon exists: ${couponId}`);
+    return couponId;
+  } catch (e) {
+    if (e.code !== 'resource_missing') {
+      throw e;
+    }
+  }
+
+  // Create the coupon
+  await stripe.coupons.create({
+    id: couponId,
+    percent_off: discount.percent,
+    duration: 'once',
+    name: `${discount.code} (${discount.percent}% off first payment)`,
+  });
+
+  assistant.log(`Stripe coupon created: ${couponId}`);
+  return couponId;
 }
 

package/src/manager/routes/test/usage/post.js

@@ -8,8 +8,9 @@ module.exports = async ({ assistant, user, settings }) => {
   const amount = settings.amount;
 
   // Get usage before increment
-  const beforePeriod = usage.getUsage('requests');
+  const beforeMonthly = usage.getUsage('requests');
   const beforeTotal = user.usage?.requests?.total || 0;
+  const beforeDaily = user.usage?.requests?.daily || 0;
 
   // Increment usage
   usage.increment('requests', amount);
@@ -18,15 +19,16 @@ module.exports = async ({ assistant, user, settings }) => {
   await usage.update();
 
   // Get usage after increment
-  const afterPeriod = usage.getUsage('requests');
+  const afterMonthly = usage.getUsage('requests');
   const afterTotal = user.usage?.requests?.total || 0;
+  const afterDaily = user.usage?.requests?.daily || 0;
 
   // Log
   assistant.log(`test/usage: Incremented requests by ${amount}`, {
     authenticated: user.authenticated,
     key: usage.key,
-    before: { period: beforePeriod, total: beforeTotal },
-    after: { period: afterPeriod, total: afterTotal },
+    before: { monthly: beforeMonthly, daily: beforeDaily, total: beforeTotal },
+    after: { monthly: afterMonthly, daily: afterDaily, total: afterTotal },
   });
 
   return assistant.respond({
@@ -35,11 +37,13 @@ module.exports = async ({ assistant, user, settings }) => {
     authenticated: user.authenticated,
     key: usage.key,
     before: {
-      period: beforePeriod,
+      monthly: beforeMonthly,
+      daily: beforeDaily,
       total: beforeTotal,
     },
     after: {
-      period: afterPeriod,
+      monthly: afterMonthly,
+      daily: afterDaily,
       total: afterTotal,
     },
     user: {

package/src/manager/schemas/payments/discount/get.js

@@ -0,0 +1,9 @@
+/**
+ * Schema: GET /payments/discount
+ */
+module.exports = () => ({
+  code: {
+    types: ['string'],
+    required: true,
+  },
+});

package/src/manager/schemas/payments/dispute-alert/post.js

@@ -0,0 +1,6 @@
+/**
+ * Schema: POST /payments/dispute-alert
+ * Minimal schema - dispute alert payloads are validated by the processor, not the schema
+ * The key comes from query params, not the body
+ */
+module.exports = () => ({});

package/src/manager/schemas/payments/intent/post.js

@@ -19,4 +19,20 @@ module.exports = () => ({
     types: ['boolean'],
     default: false,
   },
+  verification: {
+    types: ['object'],
+    default: {},
+  },
+  attribution: {
+    types: ['object'],
+    default: {},
+  },
+  discount: {
+    types: ['string'],
+    default: null,
+  },
+  supplemental: {
+    types: ['object'],
+    default: {},
+  },
 });

package/src/test/runner.js

@@ -372,15 +372,25 @@ class TestRunner {
     try {
       const searchPaths = [
         path.join(this.options.projectDir, 'functions'),
+        path.join(this.options.projectDir, 'functions', 'node_modules'),
         path.resolve(__dirname, '../../'),
       ];
       const origResolve = Module._resolveFilename.bind(Module);
       Module._resolveFilename = function (request, parent, isMain, options) {
-        if (!request.startsWith('.') && !path.isAbsolute(request)) {
-          const extra = (options && options.paths) ? options.paths : [];
-          options = { ...options, paths: [...extra, ...searchPaths] };
+        // Try normal resolution first (preserves nested node_modules traversal)
+        try {
+          return origResolve(request, parent, isMain, options);
+        } catch (err) {
+          // Fallback: try resolving from project's search paths
+          if (!request.startsWith('.') && !path.isAbsolute(request)) {
+            const extra = (options && options.paths) ? options.paths : [];
+            return origResolve(request, parent, isMain, {
+              ...options,
+              paths: [...extra, ...searchPaths],
+            });
+          }
+          throw err;
         }
-        return origResolve(request, parent, isMain, options);
       };
       try {
         testModule = require(testFile);

package/src/test/test-accounts.js

@@ -238,6 +238,24 @@ const JOURNEY_ACCOUNTS = {
       subscription: { product: { id: 'basic' }, status: 'active' },
     },
   },
+  'journey-payments-intent-discount': {
+    id: 'journey-payments-intent-discount',
+    uid: '_test-journey-payments-intent-discount',
+    email: '_test.journey-payments-intent-discount@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'basic' }, status: 'active' },
+    },
+  },
+  'journey-payments-intent-attribution': {
+    id: 'journey-payments-intent-attribution',
+    uid: '_test-journey-payments-intent-attribution',
+    email: '_test.journey-payments-intent-attribution@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'basic' }, status: 'active' },
+    },
+  },
   'journey-payments-intent-trial': {
     id: 'journey-payments-intent-trial',
     uid: '_test-journey-payments-intent-trial',

package/templates/backend-manager-config.json

@@ -20,10 +20,16 @@
   sentry: {
     dsn: 'https://d965557418748jd749d837asf00552f@o777489.ingest.sentry.io/8789941',
   },
-  google_analytics: {
+  googleAnalytics: {
     id: 'UA-123456789-1',
     secret: 'ABCx1234567890ABCDEFGH',
   },
+  meta: {
+    pixelId: null,
+  },
+  tiktok: {
+    pixelCode: null,
+  },
   oauth2: {},
   payment: {
     processors: {

package/templates/firestore.rules

@@ -24,6 +24,14 @@ service cloud.firestore {
       allow create: if true;
     }
 
+    // Protect abandoned cart data
+    match /payments-carts/{uid} {
+      allow create, update: if belongsTo(uid)
+        && incomingData().owner == uid
+        && incomingData().status == 'pending';
+      allow read: if belongsTo(uid);
+    }
+
     // Auth functions
     function authEmail() {
       return request.auth.token.email;
@@ -56,7 +64,7 @@ service cloud.firestore {
       return isWritingField('auth')
         || isWritingField('roles')
         || isWritingField('flags')
-        || isWritingField('plan') // REMOVE THIS WHEN ALL PROJECTS UPDATED
+        || isWritingField('plan') // TODO: REMOVE THIS WHEN ALL PROJECTS UPDATED
         || isWritingField('subscription')
         || isWritingField('affiliate')
         || isWritingField('api')

package/test/_legacy/usage.js

@@ -54,7 +54,7 @@ describe(`${package.name}`, () => {
         return assert.deepStrictEqual({
           requests: {
             total: 0,
-            period: 0,
+            monthly: 0,
             last: {
               id: '',
               timestamp: '1970-01-01T00:00:00.000Z',
@@ -72,7 +72,7 @@ describe(`${package.name}`, () => {
         return assert.deepStrictEqual({
           requests: {
             total: 1,
-            period: 1,
+            monthly: 1,
             last: {
               id: 'increment',
               timestamp: '2024-01-01T01:00:00.000Z',
@@ -90,7 +90,7 @@ describe(`${package.name}`, () => {
         return assert.deepStrictEqual({
           requests: {
             total: -1,
-            period: -1,
+            monthly: -1,
             last: {
               id: 'decrement',
               timestamp: '2024-01-01T01:00:00.000Z',
@@ -132,7 +132,7 @@ describe(`${package.name}`, () => {
         return assert.deepStrictEqual({
           requests: {
             total: 1,
-            period: 1,
+            monthly: 1,
             last: {
               id: 'update',
               timestamp: '2024-01-01T01:00:00.000Z',
@@ -154,7 +154,7 @@ describe(`${package.name}`, () => {
         return assert.deepStrictEqual({
           signups: {
             total: 1,
-            period: 1,
+            monthly: 1,
             last: {
               id: 'singups',
               timestamp: '2024-01-01T01:00:00.000Z',

package/test/routes/marketing/contact.js

@@ -338,6 +338,7 @@ module.exports = {
       name: 'add-unauthenticated-requires-recaptcha',
       auth: 'none',
       timeout: 15000,
+      skip: !process.env.TEST_EXTENDED_MODE && 'reCAPTCHA is skipped in test mode (TEST_EXTENDED_MODE not set)',
 
       async run({ http, assert, config }) {
         // Public request without reCAPTCHA should fail
@@ -346,8 +347,8 @@ module.exports = {
           source: 'bem-test',
         });
 
-        // Should fail with 400 because no reCAPTCHA token
-        assert.isError(response, 400, 'Public request without reCAPTCHA should fail');
+        // Should fail with 403 because no reCAPTCHA token
+        assert.isError(response, 403, 'Public request without reCAPTCHA should fail');
       },
     },
 

package/test/routes/payments/discount.js

@@ -0,0 +1,80 @@
+/**
+ * Test: GET /payments/discount
+ * Tests discount code validation endpoint
+ */
+module.exports = {
+  description: 'Discount code validation',
+  type: 'group',
+  timeout: 15000,
+
+  tests: [
+    {
+      name: 'rejects-missing-code',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount');
+
+        assert.isError(response, 400, 'Should reject missing code');
+      },
+    },
+
+    {
+      name: 'returns-valid-for-known-code',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount', {
+          code: 'FLASH20',
+        });
+
+        assert.isSuccess(response, 'Should succeed for valid code');
+        assert.equal(response.data.valid, true, 'Should be valid');
+        assert.equal(response.data.code, 'FLASH20', 'Should return normalized code');
+        assert.equal(response.data.percent, 20, 'Should return correct percent');
+        assert.equal(response.data.duration, 'once', 'Should return duration');
+      },
+    },
+
+    {
+      name: 'returns-valid-case-insensitive',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount', {
+          code: 'flash20',
+        });
+
+        assert.isSuccess(response, 'Should succeed for lowercase code');
+        assert.equal(response.data.valid, true, 'Should be valid (case-insensitive)');
+        assert.equal(response.data.code, 'FLASH20', 'Should return uppercase code');
+      },
+    },
+
+    {
+      name: 'returns-invalid-for-unknown-code',
+      async run({ http, assert }) {
+        const response = await http.as('none').get('payments/discount', {
+          code: 'NOTAREALCODE',
+        });
+
+        assert.isSuccess(response, 'Should return 200 even for invalid code');
+        assert.equal(response.data.valid, false, 'Should be invalid');
+      },
+    },
+
+    {
+      name: 'validates-all-known-codes',
+      async run({ http, assert }) {
+        const codes = [
+          { code: 'FLASH20', percent: 20 },
+          { code: 'SAVE10', percent: 10 },
+          { code: 'WELCOME15', percent: 15 },
+        ];
+
+        for (const { code, percent } of codes) {
+          const response = await http.as('none').get('payments/discount', { code });
+
+          assert.isSuccess(response, `Should succeed for ${code}`);
+          assert.equal(response.data.valid, true, `${code} should be valid`);
+          assert.equal(response.data.percent, percent, `${code} should be ${percent}%`);
+          assert.equal(response.data.duration, 'once', `${code} should be once`);
+        }
+      },
+    },
+  ],
+};