backend-manager 5.0.122 → 5.0.124

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/CHANGELOG.md +48 -0
  2. package/CLAUDE.md +18 -19
  3. package/README.md +7 -7
  4. package/package.json +1 -1
  5. package/src/manager/cron/daily/reset-usage.js +79 -73
  6. package/src/manager/cron/daily.js +2 -53
  7. package/src/manager/cron/frequent/abandoned-carts.js +148 -0
  8. package/src/manager/cron/frequent.js +3 -0
  9. package/src/manager/cron/runner.js +60 -0
  10. package/src/manager/events/firestore/payments-disputes/on-write.js +358 -0
  11. package/src/manager/events/firestore/payments-webhooks/analytics.js +245 -121
  12. package/src/manager/events/firestore/payments-webhooks/on-write.js +32 -2
  13. package/src/manager/functions/core/actions/api/general/add-marketing-contact.js +11 -34
  14. package/src/manager/helpers/analytics.js +2 -2
  15. package/src/manager/helpers/usage.js +44 -20
  16. package/src/manager/helpers/user.js +2 -1
  17. package/src/manager/index.js +10 -0
  18. package/src/manager/libraries/abandoned-cart-config.js +12 -0
  19. package/src/manager/libraries/email.js +5 -5
  20. package/src/manager/libraries/openai.js +76 -7
  21. package/src/manager/libraries/payment/discount-codes.js +40 -0
  22. package/src/manager/libraries/recaptcha.js +36 -0
  23. package/src/manager/routes/app/get.js +1 -1
  24. package/src/manager/routes/marketing/contact/post.js +11 -29
  25. package/src/manager/routes/payments/discount/get.js +22 -0
  26. package/src/manager/routes/payments/dispute-alert/post.js +93 -0
  27. package/src/manager/routes/payments/dispute-alert/processors/chargeblast.js +43 -0
  28. package/src/manager/routes/payments/intent/post.js +29 -0
  29. package/src/manager/routes/payments/intent/processors/chargebee.js +59 -7
  30. package/src/manager/routes/payments/intent/processors/stripe.js +55 -7
  31. package/src/manager/routes/test/usage/post.js +10 -6
  32. package/src/manager/schemas/payments/discount/get.js +9 -0
  33. package/src/manager/schemas/payments/dispute-alert/post.js +6 -0
  34. package/src/manager/schemas/payments/intent/post.js +16 -0
  35. package/src/test/runner.js +14 -4
  36. package/src/test/test-accounts.js +18 -0
  37. package/templates/backend-manager-config.json +7 -1
  38. package/templates/firestore.rules +9 -1
  39. package/test/_legacy/usage.js +5 -5
  40. package/test/routes/marketing/contact.js +3 -2
  41. package/test/routes/payments/discount.js +80 -0
  42. package/test/routes/payments/dispute-alert.js +271 -0
  43. package/test/routes/payments/intent.js +60 -0
  44. package/test/routes/test/usage.js +134 -30
  45. package/test/rules/payments-carts.js +371 -0
package/test/rules/payments-carts.js ADDED
@@ -0,0 +1,371 @@
1
+ /**
2
+ * Test: Firestore Security Rules - Payments Cart Documents
3
+ * Tests that security rules correctly protect abandoned cart data
4
+ *
5
+ * Rules being tested:
6
+ * - Authenticated user can create their own cart doc with status: 'pending'
7
+ * - Authenticated user can update their own cart doc with status: 'pending'
8
+ * - User cannot write to another user's cart doc
9
+ * - User cannot set status to anything other than 'pending'
10
+ * - User can read their own cart doc
11
+ * - User cannot read another user's cart doc
12
+ * - Anonymous cannot create/read/update cart docs
13
+ * - Admin can read/write any cart doc
14
+ *
15
+ * @see templates/firestore.rules
16
+ */
17
+ module.exports = {
18
+ description: 'Firestore security rules for payments-carts documents',
19
+ type: 'group',
20
+ timeout: 30000,
21
+
22
+ tests: [
23
+ // Test 1: Authenticated user can create their own cart
24
+ {
25
+ name: 'user-can-create-own-cart',
26
+ auth: 'none',
27
+
28
+ async run({ rules, accounts }) {
29
+ const uid = accounts.basic.uid;
30
+ const db = rules.asAccount('basic');
31
+
32
+ await rules.expectSuccess(
33
+ db.doc(`payments-carts/${uid}`).set({
34
+ id: uid,
35
+ owner: uid,
36
+ status: 'pending',
37
+ productId: 'premium',
38
+ type: 'subscription',
39
+ frequency: 'monthly',
40
+ reminderIndex: 0,
41
+ nextReminderAt: Math.floor(Date.now() / 1000) + 900,
42
+ metadata: {
43
+ created: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
44
+ updated: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
45
+ },
46
+ })
47
+ );
48
+ },
49
+ },
50
+
51
+ // Test 2: User can update their own cart (e.g., revisit checkout with different product)
52
+ {
53
+ name: 'user-can-update-own-cart',
54
+ auth: 'none',
55
+
56
+ async run({ rules, accounts }) {
57
+ const uid = accounts.basic.uid;
58
+ const db = rules.asAccount('basic');
59
+ const adminDb = rules.asAccount('admin');
60
+
61
+ // Create cart as admin first
62
+ await rules.expectSuccess(
63
+ adminDb.doc(`payments-carts/${uid}`).set({
64
+ id: uid,
65
+ owner: uid,
66
+ status: 'pending',
67
+ productId: 'premium',
68
+ type: 'subscription',
69
+ frequency: 'monthly',
70
+ reminderIndex: 0,
71
+ nextReminderAt: Math.floor(Date.now() / 1000) + 900,
72
+ metadata: {
73
+ created: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
74
+ updated: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
75
+ },
76
+ })
77
+ );
78
+
79
+ // User overwrites with new product (full .set() to reset timer)
80
+ await rules.expectSuccess(
81
+ db.doc(`payments-carts/${uid}`).set({
82
+ id: uid,
83
+ owner: uid,
84
+ status: 'pending',
85
+ productId: 'pro',
86
+ type: 'subscription',
87
+ frequency: 'annually',
88
+ reminderIndex: 0,
89
+ nextReminderAt: Math.floor(Date.now() / 1000) + 900,
90
+ metadata: {
91
+ created: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
92
+ updated: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
93
+ },
94
+ })
95
+ );
96
+ },
97
+ },
98
+
99
+ // Test 3: User cannot create cart for another user
100
+ {
101
+ name: 'user-cannot-create-other-users-cart',
102
+ auth: 'none',
103
+
104
+ async run({ rules, accounts }) {
105
+ const otherUid = accounts.admin.uid;
106
+ const db = rules.asAccount('basic');
107
+
108
+ await rules.expectFailure(
109
+ db.doc(`payments-carts/${otherUid}`).set({
110
+ id: otherUid,
111
+ owner: otherUid,
112
+ status: 'pending',
113
+ productId: 'premium',
114
+ type: 'subscription',
115
+ frequency: 'monthly',
116
+ reminderIndex: 0,
117
+ nextReminderAt: Math.floor(Date.now() / 1000) + 900,
118
+ metadata: {
119
+ created: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
120
+ updated: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
121
+ },
122
+ })
123
+ );
124
+ },
125
+ },
126
+
127
+ // Test 4: User cannot set owner to a different UID
128
+ {
129
+ name: 'user-cannot-set-wrong-owner',
130
+ auth: 'none',
131
+
132
+ async run({ rules, accounts }) {
133
+ const uid = accounts.basic.uid;
134
+ const db = rules.asAccount('basic');
135
+
136
+ await rules.expectFailure(
137
+ db.doc(`payments-carts/${uid}`).set({
138
+ id: uid,
139
+ owner: 'someone-else',
140
+ status: 'pending',
141
+ productId: 'premium',
142
+ type: 'subscription',
143
+ frequency: 'monthly',
144
+ reminderIndex: 0,
145
+ nextReminderAt: Math.floor(Date.now() / 1000) + 900,
146
+ metadata: {
147
+ created: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
148
+ updated: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
149
+ },
150
+ })
151
+ );
152
+ },
153
+ },
154
+
155
+ // Test 5: User cannot set status to 'completed'
156
+ {
157
+ name: 'user-cannot-set-status-completed',
158
+ auth: 'none',
159
+
160
+ async run({ rules, accounts }) {
161
+ const uid = accounts.basic.uid;
162
+ const db = rules.asAccount('basic');
163
+
164
+ await rules.expectFailure(
165
+ db.doc(`payments-carts/${uid}`).set({
166
+ id: uid,
167
+ owner: uid,
168
+ status: 'completed',
169
+ productId: 'premium',
170
+ type: 'subscription',
171
+ frequency: 'monthly',
172
+ reminderIndex: 0,
173
+ nextReminderAt: Math.floor(Date.now() / 1000) + 900,
174
+ metadata: {
175
+ created: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
176
+ updated: { timestamp: new Date().toISOString(), timestampUNIX: Math.floor(Date.now() / 1000) },
177
+ },
178
+ })
179
+ );
180
+ },
181
+ },
182
+
183
+ // Test 6: User can read their own cart
184
+ {
185
+ name: 'user-can-read-own-cart',
186
+ auth: 'none',
187
+
188
+ async run({ rules, accounts }) {
189
+ const uid = accounts.basic.uid;
190
+ const db = rules.asAccount('basic');
191
+ const adminDb = rules.asAccount('admin');
192
+
193
+ // Create cart as admin
194
+ await rules.expectSuccess(
195
+ adminDb.doc(`payments-carts/${uid}`).set({
196
+ id: uid,
197
+ owner: uid,
198
+ status: 'pending',
199
+ productId: 'premium',
200
+ type: 'subscription',
201
+ })
202
+ );
203
+
204
+ // User can read their own
205
+ await rules.expectSuccess(
206
+ db.doc(`payments-carts/${uid}`).get()
207
+ );
208
+ },
209
+ },
210
+
211
+ // Test 7: User cannot read another user's cart
212
+ {
213
+ name: 'user-cannot-read-other-users-cart',
214
+ auth: 'none',
215
+
216
+ async run({ rules, accounts }) {
217
+ const otherUid = accounts.admin.uid;
218
+ const db = rules.asAccount('basic');
219
+ const adminDb = rules.asAccount('admin');
220
+
221
+ // Create cart for admin user
222
+ await rules.expectSuccess(
223
+ adminDb.doc(`payments-carts/${otherUid}`).set({
224
+ id: otherUid,
225
+ owner: otherUid,
226
+ status: 'pending',
227
+ productId: 'premium',
228
+ type: 'subscription',
229
+ })
230
+ );
231
+
232
+ // Basic user cannot read admin's cart
233
+ await rules.expectFailure(
234
+ db.doc(`payments-carts/${otherUid}`).get()
235
+ );
236
+ },
237
+ },
238
+
239
+ // Test 8: Anonymous cannot create a cart
240
+ {
241
+ name: 'anonymous-cannot-create-cart',
242
+ auth: 'none',
243
+
244
+ async run({ rules }) {
245
+ const db = rules.asAnonymous();
246
+
247
+ await rules.expectFailure(
248
+ db.doc(`payments-carts/anonymous-user`).set({
249
+ id: 'anonymous-user',
250
+ owner: 'anonymous-user',
251
+ status: 'pending',
252
+ productId: 'premium',
253
+ type: 'subscription',
254
+ })
255
+ );
256
+ },
257
+ },
258
+
259
+ // Test 9: Anonymous cannot read a cart
260
+ {
261
+ name: 'anonymous-cannot-read-cart',
262
+ auth: 'none',
263
+
264
+ async run({ rules, accounts }) {
265
+ const uid = accounts.basic.uid;
266
+ const adminDb = rules.asAccount('admin');
267
+ const db = rules.asAnonymous();
268
+
269
+ // Create cart as admin
270
+ await rules.expectSuccess(
271
+ adminDb.doc(`payments-carts/${uid}`).set({
272
+ id: uid,
273
+ owner: uid,
274
+ status: 'pending',
275
+ productId: 'premium',
276
+ type: 'subscription',
277
+ })
278
+ );
279
+
280
+ // Anonymous cannot read
281
+ await rules.expectFailure(
282
+ db.doc(`payments-carts/${uid}`).get()
283
+ );
284
+ },
285
+ },
286
+
287
+ // Test 10: User cannot delete their own cart
288
+ {
289
+ name: 'user-cannot-delete-cart',
290
+ auth: 'none',
291
+
292
+ async run({ rules, accounts }) {
293
+ const uid = accounts.basic.uid;
294
+ const db = rules.asAccount('basic');
295
+ const adminDb = rules.asAccount('admin');
296
+
297
+ // Create cart as admin
298
+ await rules.expectSuccess(
299
+ adminDb.doc(`payments-carts/${uid}`).set({
300
+ id: uid,
301
+ owner: uid,
302
+ status: 'pending',
303
+ productId: 'premium',
304
+ type: 'subscription',
305
+ })
306
+ );
307
+
308
+ // User cannot delete (no delete rule)
309
+ await rules.expectFailure(
310
+ db.doc(`payments-carts/${uid}`).delete()
311
+ );
312
+ },
313
+ },
314
+
315
+ // Test 11: Admin can read any cart
316
+ {
317
+ name: 'admin-can-read-any-cart',
318
+ auth: 'none',
319
+
320
+ async run({ rules, accounts }) {
321
+ const uid = accounts.basic.uid;
322
+ const adminDb = rules.asAccount('admin');
323
+
324
+ // Create cart for basic user
325
+ await rules.expectSuccess(
326
+ adminDb.doc(`payments-carts/${uid}`).set({
327
+ id: uid,
328
+ owner: uid,
329
+ status: 'pending',
330
+ productId: 'premium',
331
+ type: 'subscription',
332
+ })
333
+ );
334
+
335
+ // Admin can read it
336
+ await rules.expectSuccess(
337
+ adminDb.doc(`payments-carts/${uid}`).get()
338
+ );
339
+ },
340
+ },
341
+
342
+ // Test 12: Admin can set status to completed (server-side completion)
343
+ {
344
+ name: 'admin-can-set-status-completed',
345
+ auth: 'none',
346
+
347
+ async run({ rules, accounts }) {
348
+ const uid = accounts.basic.uid;
349
+ const adminDb = rules.asAccount('admin');
350
+
351
+ // Create cart
352
+ await rules.expectSuccess(
353
+ adminDb.doc(`payments-carts/${uid}`).set({
354
+ id: uid,
355
+ owner: uid,
356
+ status: 'pending',
357
+ productId: 'premium',
358
+ type: 'subscription',
359
+ })
360
+ );
361
+
362
+ // Admin can update to completed
363
+ await rules.expectSuccess(
364
+ adminDb.doc(`payments-carts/${uid}`).update({
365
+ status: 'completed',
366
+ })
367
+ );
368
+ },
369
+ },
370
+ ],
371
+ };