backend-manager 5.0.148 → 5.0.149

package/src/manager/routes/marketing/contact/delete.js

@@ -2,7 +2,6 @@
  * DELETE /marketing/contact - Remove marketing contact
  * Admin-only endpoint to unsubscribe from newsletter
  */
-const fetch = require('wonderful-fetch');
 
 module.exports = async ({ assistant, Manager, settings, analytics }) => {
 
@@ -26,21 +25,9 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
     return assistant.respond('Email is required', { code: 400 });
   }
 
-  // Get brand name from Manager config
-  const brandName = Manager.config.brand?.name;
-
   // Remove from providers
-  const providerResults = {};
-
-  // SendGrid
-  if (providers.includes('sendgrid') && process.env.SENDGRID_API_KEY) {
-    providerResults.sendgrid = await removeFromSendGrid(email);
-  }
-
-  // Beehiiv
-  if (providers.includes('beehiiv') && process.env.BEEHIIV_API_KEY) {
-    providerResults.beehiiv = await removeFromBeehiiv(email, brandName);
-  }
+  const mailer = Manager.Email(assistant);
+  const providerResults = await mailer.remove(email, { providers });
 
   // Log result
   assistant.log('marketing/contact delete result:', {
@@ -56,152 +43,3 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
     providers: providerResults,
   });
 };
-
-// Helper: Remove contact from SendGrid
-async function removeFromSendGrid(email) {
-  try {
-    // Step 1: Get contact ID by email
-    const searchData = await fetch('https://api.sendgrid.com/v3/marketing/contacts/search/emails', {
-      method: 'post',
-      response: 'json',
-      headers: {
-        'Authorization': `Bearer ${process.env.SENDGRID_API_KEY}`,
-      },
-      timeout: 10000,
-      body: { emails: [email] },
-    });
-
-    if (!searchData.result?.[email]?.contact?.id) {
-      return { success: true, skipped: true, reason: 'Contact not found' };
-    }
-
-    const contactId = searchData.result[email].contact.id;
-
-    // Step 2: Delete contact by ID
-    const deleteData = await fetch(`https://api.sendgrid.com/v3/marketing/contacts?ids=${contactId}`, {
-      method: 'delete',
-      response: 'json',
-      headers: {
-        'Authorization': `Bearer ${process.env.SENDGRID_API_KEY}`,
-      },
-      timeout: 10000,
-    });
-
-    if (deleteData.job_id) {
-      return { success: true, jobId: deleteData.job_id };
-    }
-
-    return { success: false, error: deleteData.errors?.[0]?.message || 'Delete failed' };
-  } catch (e) {
-    console.error('SendGrid remove error:', e);
-    return { success: false, error: e.message };
-  }
-}
-
-// Helper: Get Beehiiv publication ID by brand name
-async function getBeehiivPublicationId(brandName) {
-  if (!brandName) {
-    console.error('Beehiiv: Brand name is required to find publication');
-    return null;
-  }
-
-  const brandNameLower = brandName.toLowerCase();
-  const allPublications = [];
-  let page = 1;
-  const limit = 100;
-
-  try {
-    while (true) {
-      const data = await fetch(`https://api.beehiiv.com/v2/publications?limit=${limit}&page=${page}`, {
-        response: 'json',
-        headers: {
-          'Authorization': `Bearer ${process.env.BEEHIIV_API_KEY}`,
-        },
-        timeout: 10000,
-      });
-
-      if (!data.data || data.data.length === 0) {
-        break;
-      }
-
-      const matchedPub = data.data.find(pub =>
-        pub.name.toLowerCase() === brandNameLower
-        || pub.name.toLowerCase().includes(brandNameLower)
-        || brandNameLower.includes(pub.name.toLowerCase())
-      );
-
-      if (matchedPub) {
-        return matchedPub.id;
-      }
-
-      allPublications.push(...data.data);
-
-      if (data.data.length < limit) {
-        break;
-      }
-
-      page++;
-    }
-
-    console.error(`Beehiiv: No publication matched brand "${brandName}". Available: ${allPublications.map(p => p.name).join(', ')}`);
-  } catch (e) {
-    console.error('Beehiiv publication lookup error:', e);
-  }
-
-  return null;
-}
-
-// Helper: Remove contact from Beehiiv
-async function removeFromBeehiiv(email, brandName) {
-  try {
-    const pubId = await getBeehiivPublicationId(brandName);
-    if (!pubId) {
-      return { success: false, error: `Publication not found for brand "${brandName}"` };
-    }
-
-    // Step 1: Get subscription by email
-    const encodedEmail = encodeURIComponent(email);
-
-    let searchData;
-    try {
-      searchData = await fetch(
-        `https://api.beehiiv.com/v2/publications/${pubId}/subscriptions/by_email/${encodedEmail}`,
-        {
-          response: 'json',
-          headers: {
-            'Authorization': `Bearer ${process.env.BEEHIIV_API_KEY}`,
-          },
-          timeout: 10000,
-        }
-      );
-    } catch (e) {
-      if (e.status === 404) {
-        return { success: true, skipped: true, reason: 'Subscriber not found' };
-      }
-      throw e;
-    }
-
-    if (!searchData.data?.id) {
-      return { success: true, skipped: true, reason: 'Subscription not found' };
-    }
-
-    const subscriptionId = searchData.data.id;
-
-    // Step 2: Permanently DELETE the subscription
-    await fetch(
-      `https://api.beehiiv.com/v2/publications/${pubId}/subscriptions/${subscriptionId}`,
-      {
-        method: 'delete',
-        headers: {
-          'Authorization': `Bearer ${process.env.BEEHIIV_API_KEY}`,
-        },
-        timeout: 10000,
-      }
-    );
-
-    return { success: true, deleted: true, subscriptionId };
-  } catch (e) {
-    console.error('Beehiiv remove error:', e);
-    return { success: false, error: e.message };
-  }
-}

package/src/manager/routes/marketing/contact/post.js

@@ -2,15 +2,10 @@
  * POST /marketing/contact - Add marketing contact
  * Public endpoint to subscribe to newsletter, with admin options
  */
-const fetch = require('wonderful-fetch');
-const path = require('path');
-const dns = require('dns').promises;
 const recaptcha = require('../../../libraries/recaptcha.js');
-
-// Load disposable domains list
-const DISPOSABLE_DOMAINS = require(path.join(__dirname, '..', '..', '..', 'libraries', 'disposable-domains.json'));
-const DISPOSABLE_SET = new Set(DISPOSABLE_DOMAINS.map(d => d.toLowerCase()));
-const { inferContact } = require(path.join(__dirname, '..', '..', '..', 'libraries', 'infer-contact.js'));
+const { validate: validateEmail, ALL_CHECKS } = require('../../../libraries/email/validation.js');
+const { inferContact } = require('../../../libraries/infer-contact.js');
+const { DEFAULT_PROVIDERS } = require('../../../libraries/email/constants.js');
 
 module.exports = async ({ assistant, Manager, settings, analytics }) => {
 
@@ -28,21 +23,44 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
 
   // Admin-only options
   const tags = isAdmin ? settings.tags : [];
-  const providers = isAdmin ? settings.providers : ['sendgrid', 'beehiiv'];
+  const providers = isAdmin ? settings.providers : DEFAULT_PROVIDERS;
   const skipValidation = isAdmin ? settings.skipValidation : false;
 
-  // Validate email is provided
-  if (!email) {
-    return assistant.respond('Email is required', { code: 400 });
-  }
+  // Email validation — run free checks before reCAPTCHA/rate limit
+  const shouldCallExternalAPIs = !assistant.isTesting() || process.env.TEST_EXTENDED_MODE;
+
+  // skipValidation (admin-only) reduces to just format + disposable
+  // Admin gets full checks including mailbox verification when external APIs are enabled
+  const checks = skipValidation
+    ? ['format']
+    : (isAdmin && shouldCallExternalAPIs ? ALL_CHECKS : undefined);
+
+  const validation = await validateEmail(email, { checks });
+
+  if (!validation.valid) {
+    // For public requests, return generic success to prevent email enumeration
+    if (!isAdmin) {
+      return assistant.respond({ success: true });
+    }
+
+    const { format, localPart, disposable } = validation.checks;
+
+    if (format && !format.valid) {
+      return assistant.respond('Invalid email format', { code: 400 });
+    }
+
+    if (localPart && !localPart.valid) {
+      return assistant.respond(`Blocked email local part: ${localPart.localPart}`, { code: 400 });
+    }
 
-  // Basic email format validation
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  if (!emailRegex.test(email)) {
-    return assistant.respond('Invalid email format', { code: 400 });
+    if (disposable && !disposable.valid) {
+      return assistant.respond(`Disposable email domain not allowed: ${disposable.domain}`, { code: 400 });
+    }
+
+    return assistant.respond('Email validation failed', { code: 400 });
   }
 
-  // Public access protection
+  // Public access protection (after validation so we don't waste reCAPTCHA on garbage)
   if (!isAdmin) {
     // Verify reCAPTCHA (skip during automated tests)
     if (!assistant.isTesting()) {
@@ -67,37 +85,6 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
     }
   }
 
-  // Email validation
-  const validation = { valid: true, checks: {} };
-
-  // Skip external API calls in test mode unless TEST_EXTENDED_MODE is set
-  const shouldCallExternalAPIs = !assistant.isTesting() || process.env.TEST_EXTENDED_MODE;
-
-  if (!skipValidation) {
-    // Check disposable domain
-    const domain = email.split('@')[1];
-    if (DISPOSABLE_SET.has(domain.toLowerCase())) {
-      validation.valid = false;
-      validation.checks.disposable = { blocked: true, domain };
-
-      // For public requests, return generic success to prevent enumeration
-      if (!isAdmin) {
-        return assistant.respond({ success: true });
-      }
-      return assistant.respond(`Disposable email domain not allowed: ${domain}`, { code: 400 });
-    }
-    validation.checks.disposable = { blocked: false };
-
-    // ZeroBounce validation (admin only, if key exists)
-    if (isAdmin && process.env.ZEROBOUNCE_API_KEY && shouldCallExternalAPIs) {
-      const zbResult = await validateWithZeroBounce(email);
-      validation.checks.zerobounce = zbResult;
-      if (!zbResult.valid) {
-        validation.valid = false;
-      }
-    }
-  }
-
   // Infer name if not provided
   let nameInferred = null;
   if (!firstName && !lastName) {
@@ -107,35 +94,19 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
   }
 
   // Add to providers
-  const providerResults = {};
+  let providerResults = {};
 
   if (!shouldCallExternalAPIs) {
     assistant.log('marketing/contact: Skipping providers (BEM_TESTING=true, TEST_EXTENDED_MODE not set)');
   } else {
-    assistant.log('marketing/contact: Adding contact to providers:', { providers });
-
-    // SendGrid Marketing Contacts
-    if (providers.includes('sendgrid') && process.env.SENDGRID_API_KEY) {
-      providerResults.sendgrid = await addToSendGrid({
-        email,
-        firstName,
-        lastName,
-        source,
-        appId: Manager.config.app.id,
-        brandName: Manager.config.brand?.name,
-      });
-    }
-
-    // Beehiiv
-    if (providers.includes('beehiiv') && process.env.BEEHIIV_API_KEY) {
-      providerResults.beehiiv = await addToBeehiiv({
-        email,
-        firstName,
-        lastName,
-        source,
-        brandName: Manager.config.brand?.name,
-      });
-    }
+    const mailer = Manager.Email(assistant);
+    providerResults = await mailer.add({
+      email,
+      firstName,
+      lastName,
+      source,
+      providers,
+    });
   }
 
   // Log result
@@ -162,227 +133,3 @@ module.exports = async ({ assistant, Manager, settings, analytics }) => {
   // Public: generic response
   return assistant.respond({ success: true });
 };
-
-// Helper: Validate email with ZeroBounce API
-async function validateWithZeroBounce(email) {
-  try {
-    const data = await fetch(
-      `https://api.zerobounce.net/v2/validate?api_key=${process.env.ZEROBOUNCE_API_KEY}&email=${encodeURIComponent(email)}`,
-      { response: 'json', timeout: 10000 }
-    );
-
-    if (data.error) {
-      console.error('ZeroBounce API error:', data.error);
-      return { valid: true, error: data.error };
-    }
-
-    if (!data.status) {
-      console.error('ZeroBounce unexpected response:', data);
-      return { valid: true, error: 'Unexpected response format' };
-    }
-
-    return {
-      valid: data.status === 'valid',
-      status: data.status,
-      subStatus: data.sub_status || null,
-    };
-  } catch (e) {
-    console.error('ZeroBounce validation error:', e);
-    return { valid: true, error: e.message };
-  }
-}
-
-// Helper: Add contact to SendGrid
-async function addToSendGrid({ email, firstName, lastName, source, appId, brandName }) {
-  try {
-    const listId = await getSendGridListId(brandName);
-
-    const requestBody = {
-      contacts: [
-        {
-          email,
-          first_name: firstName || undefined,
-          last_name: lastName || undefined,
-          custom_fields: {
-            e1_T: source,
-            e2_T: appId,
-          },
-        },
-      ],
-    };
-
-    if (listId) {
-      requestBody.list_ids = [listId];
-    }
-
-    const data = await fetch('https://api.sendgrid.com/v3/marketing/contacts', {
-      method: 'put',
-      response: 'json',
-      headers: {
-        'Authorization': `Bearer ${process.env.SENDGRID_API_KEY}`,
-      },
-      timeout: 15000,
-      body: requestBody,
-    });
-
-    if (data.job_id) {
-      return { success: true, jobId: data.job_id, listId };
-    }
-
-    return { success: false, error: data.errors?.[0]?.message || 'Unknown error' };
-  } catch (e) {
-    console.error('SendGrid error:', e);
-    return { success: false, error: e.message };
-  }
-}
-
-// Helper: Get SendGrid list ID by brand name
-async function getSendGridListId(brandName) {
-  const brandNameLower = (brandName || '').toLowerCase();
-  const allLists = [];
-  let pageToken = '';
-  const pageSize = 1000;
-
-  try {
-    while (true) {
-      const url = `https://api.sendgrid.com/v3/marketing/lists?page_size=${pageSize}${pageToken ? `&page_token=${pageToken}` : ''}`;
-      const data = await fetch(url, {
-        response: 'json',
-        headers: {
-          'Authorization': `Bearer ${process.env.SENDGRID_API_KEY}`,
-        },
-        timeout: 10000,
-      });
-
-      if (!data.result || data.result.length === 0) {
-        break;
-      }
-
-      const matchedList = data.result.find(list =>
-        list.name.toLowerCase() === brandNameLower
-        || list.name.toLowerCase().includes(brandNameLower)
-        || brandNameLower.includes(list.name.toLowerCase())
-      );
-
-      if (matchedList) {
-        return matchedList.id;
-      }
-
-      allLists.push(...data.result);
-
-      if (!data._metadata?.next) {
-        break;
-      }
-
-      const nextUrl = new URL(data._metadata.next);
-      pageToken = nextUrl.searchParams.get('page_token');
-
-      if (!pageToken) {
-        break;
-      }
-    }
-
-    if (allLists.length === 1) {
-      return allLists[0].id;
-    }
-
-    if (allLists.length > 0) {
-      console.error(`SendGrid: No list matched brand "${brandName}". Available: ${allLists.map(l => l.name).join(', ')}`);
-    }
-  } catch (e) {
-    console.error('SendGrid list lookup error:', e);
-  }
-
-  return null;
-}
-
-// Helper: Add contact to Beehiiv
-async function addToBeehiiv({ email, firstName, lastName, source, brandName }) {
-  try {
-    const pubId = await getBeehiivPublicationId(brandName);
-    if (!pubId) {
-      return { success: false, error: 'Could not find matching publication' };
-    }
-
-    const data = await fetch(`https://api.beehiiv.com/v2/publications/${pubId}/subscriptions`, {
-      method: 'post',
-      response: 'json',
-      headers: {
-        'Authorization': `Bearer ${process.env.BEEHIIV_API_KEY}`,
-      },
-      timeout: 15000,
-      body: {
-        email,
-        reactivate_existing: true,
-        send_welcome_email: true,
-        utm_source: source,
-        custom_fields: [
-          firstName ? { name: 'first_name', value: firstName } : null,
-          lastName ? { name: 'last_name', value: lastName } : null,
-        ].filter(Boolean),
-      },
-    });
-
-    if (data.data?.id) {
-      return { success: true, id: data.data.id };
-    }
-
-    return { success: false, error: data.message || 'Unknown error' };
-  } catch (e) {
-    console.error('Beehiiv error:', e);
-    return { success: false, error: e.message };
-  }
-}
-
-// Helper: Get Beehiiv publication ID by brand name
-async function getBeehiivPublicationId(brandName) {
-  if (!brandName) {
-    console.error('Beehiiv: Brand name is required to find publication');
-    return null;
-  }
-
-  const brandNameLower = brandName.toLowerCase();
-  const allPublications = [];
-  let page = 1;
-  const limit = 100;
-
-  try {
-    while (true) {
-      const data = await fetch(`https://api.beehiiv.com/v2/publications?limit=${limit}&page=${page}`, {
-        response: 'json',
-        headers: {
-          'Authorization': `Bearer ${process.env.BEEHIIV_API_KEY}`,
-        },
-        timeout: 10000,
-      });
-
-      if (!data.data || data.data.length === 0) {
-        break;
-      }
-
-      const matchedPub = data.data.find(pub =>
-        pub.name.toLowerCase() === brandNameLower
-        || pub.name.toLowerCase().includes(brandNameLower)
-        || brandNameLower.includes(pub.name.toLowerCase())
-      );
-
-      if (matchedPub) {
-        return matchedPub.id;
-      }
-
-      allPublications.push(...data.data);
-
-      if (data.data.length < limit) {
-        break;
-      }
-
-      page++;
-    }
-
-    console.error(`Beehiiv: No publication matched brand "${brandName}". Available: ${allPublications.map(p => p.name).join(', ')}`);
-  } catch (e) {
-    console.error('Beehiiv publication lookup error:', e);
-  }
-
-  return null;
-}

package/src/manager/routes/marketing/contact/put.js

@@ -0,0 +1,39 @@
+/**
+ * PUT /marketing/contact - Sync marketing contact by UID
+ * Admin-only endpoint to re-sync a user's data to marketing providers
+ */
+
+module.exports = async ({ assistant, Manager, settings, analytics }) => {
+
+  // Initialize Usage to check auth level
+  const usage = await Manager.Usage().init(assistant, {
+    unauthenticatedMode: 'firestore',
+  });
+  const isAdmin = usage.user.roles?.admin;
+
+  // Admin only endpoint
+  if (!isAdmin) {
+    return assistant.respond('Admin access required', { code: 403 });
+  }
+
+  const uid = (settings.uid || '').trim();
+
+  if (!uid) {
+    return assistant.respond('UID is required', { code: 400 });
+  }
+
+  // Sync via email library (accepts UID string, resolves user doc internally)
+  const mailer = Manager.Email(assistant);
+  const result = await mailer.sync(uid);
+
+  // Log result
+  assistant.log('marketing/contact sync result:', { uid, providers: result });
+
+  // Track analytics
+  analytics.event('marketing/contact', { action: 'sync' });
+
+  return assistant.respond({
+    success: true,
+    providers: result,
+  });
+};

package/src/manager/routes/payments/cancel/post.js

@@ -32,6 +32,17 @@ module.exports = async ({ assistant, user, settings }) => {
     return assistant.respond('No active paid subscription found', { code: 400 });
   }
 
+  // Guard: subscription younger than 24 hours
+  const startDateUNIX = subscription.payment?.startDate?.timestampUNIX;
+  if (startDateUNIX) {
+    const ageMs = Date.now() - startDateUNIX;
+    const twentyFourHoursMs = 24 * 60 * 60 * 1000;
+    if (ageMs < twentyFourHoursMs) {
+      assistant.log(`Cancel rejected: uid=${uid}, subscription is only ${Math.round(ageMs / 1000 / 60)} minutes old`);
+      return assistant.respond('Your subscription is still being set up. Please try again after 24-48 hours.', { code: 400 });
+    }
+  }
+
   // Guard: already pending cancellation
   if (subscription.cancellation?.pending === true) {
     assistant.log(`Cancel rejected: uid=${uid}, cancellation already pending`);

package/src/manager/routes/special/electron-client/post.js

@@ -3,12 +3,12 @@
  * Returns client configuration with optional auth
  */
 const path = require('path');
-const { buildPublicConfig } = require(path.join(__dirname, '..', '..', 'app', 'get.js'));
+const { buildPublicConfig } = require(path.join(__dirname, '..', '..', 'brand', 'get.js'));
 
 module.exports = async ({ assistant, Manager, settings, analytics, libraries }) => {
   const { admin } = libraries;
 
-  // appId/app fallback to Manager.config
+  // brandId/brand fallback to Manager.config
   let uid = settings.uid;
   let config = settings.config;
 
@@ -52,7 +52,7 @@ module.exports = async ({ assistant, Manager, settings, analytics, libraries })
     timestamp: new Date().toISOString(),
     ip: assistant.request.geolocation.ip,
     country: assistant.request.geolocation.country,
-    app: buildPublicConfig(Manager.config),
+    brand: buildPublicConfig(Manager.config),
     config: config,
   });
 };

package/src/manager/routes/test/health/get.js

@@ -6,6 +6,7 @@ module.exports = async ({ assistant, Manager }) => {
     environment: assistant.meta?.environment || 'unknown',
     version: Manager.package?.version || 'unknown',
     bemVersion: Manager.version || 'unknown',
+    testExtendedMode: !!process.env.TEST_EXTENDED_MODE,
   };
 
   assistant.log('Health check', response);

package/src/manager/routes/user/data-request/delete.js

@@ -50,11 +50,11 @@ function sendCancellationEmail(assistant, user, requestId) {
   const uid = user.auth.uid;
 
   mailer.send({
-    to: user.auth.email,
+    to: user,
+    sender: 'account',
     categories: ['account/data-request-cancelled'],
     subject: `Your data request has been cancelled #${requestId}`,
     template: 'default',
-    group: 'account',
     copy: true,
     data: {
       email: {

package/src/manager/routes/user/data-request/get.js

@@ -193,11 +193,11 @@ function sendDownloadEmail(assistant, user, requestId, downloads) {
   const downloadDate = assistant.meta.startTime.timestamp;
 
   mailer.send({
-    to: user.auth.email,
+    to: user,
+    sender: 'account',
     categories: ['account/data-request-download'],
     subject: `Your data has been downloaded #${requestId}`,
     template: 'default',
-    group: 'account',
     copy: true,
     data: {
       email: {