backend-manager 5.0.173 → 5.0.175

package/CHANGELOG.md

@@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+# [5.0.174] - 2026-03-27
+### Fixed
+- Payments-orders `metadata.created` timestamp no longer overwritten on subsequent webhook events (renewals, cancellations, payment failures)
+
 # [5.0.168] - 2026-03-21
 ### Fixed
 - Immediately suspend subscription on payment denial (PAYMENT.SALE.DENIED, invoice.payment_failed) instead of waiting for the processor to give up retrying — recovery via PAYMENT.SALE.COMPLETED restores active status

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.173",
+  "version": "5.0.175",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/manager/events/firestore/payments-webhooks/on-write.js

@@ -314,12 +314,15 @@ async function processPaymentEvent({ category, library, resource, resourceType,
     const orderRef = admin.firestore().doc(`payments-orders/${orderId}`);
     const orderSnap = await orderRef.get();
 
-    // Initialize requests on first creation only (avoid overwriting cancel/refund data set by endpoints)
     if (!orderSnap.exists) {
+      // Initialize requests on first creation only (avoid overwriting cancel/refund data set by endpoints)
       order.requests = {
         cancellation: null,
         refund: null,
       };
+    } else {
+      // Preserve original created timestamp on subsequent webhook events
+      order.metadata.created = orderSnap.data().metadata?.created || order.metadata.created;
     }
 
     await orderRef.set(order, { merge: true });

package/src/manager/libraries/email/constants.js

@@ -212,8 +212,8 @@ const SEGMENTS = {
   engagement_active_30d:      { display: 'Engaged Last 30 Days', conditions: [{ type: 'engagement', op: 'opened_or_clicked', value: '30d' }] },
   engagement_active_90d:      { display: 'Engaged Last 90 Days', conditions: [{ type: 'engagement', op: 'opened_or_clicked', value: '90d' }] },
   engagement_inactive_90d:    { display: 'Inactive 90+ Days', conditions: [{ type: 'engagement', op: 'not_opened', value: '90d' }] },
-  engagement_inactive_5m:     { display: 'Inactive 5+ Months', conditions: [{ type: 'engagement', op: 'not_opened', value: '150d' }] },
-  engagement_inactive_6m:     { display: 'Inactive 6+ Months', conditions: [{ type: 'engagement', op: 'not_opened', value: '180d' }] },
+  engagement_inactive_5m:     { display: 'Inactive 5+ Months', conditions: [{ type: 'engagement', op: 'not_opened', value: '150d' }, { field: 'user_metadata_signup_date', op: 'not_within', value: '150d' }] },
+  engagement_inactive_6m:     { display: 'Inactive 6+ Months', conditions: [{ type: 'engagement', op: 'not_opened', value: '180d' }, { field: 'user_metadata_signup_date', op: 'not_within', value: '180d' }] },
 
   // Test
   test_admin:                 { display: 'Test Admin', conditions: [{ type: 'contact', op: 'email_is', value: 'hello@itwcreativeworks.com' }] },

package/src/manager/routes/payments/intent/post.js

@@ -55,10 +55,12 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
       return assistant.respond('Frequency is required for subscription products', { code: 400 });
     }
 
-    // Check if user already has an active non-basic subscription
-    if (user.subscription?.status === 'active' && user.subscription?.product?.id !== 'basic') {
-      assistant.log(`User ${uid} already has active subscription: product=${user.subscription.product.id}, status=${user.subscription.status}, resourceId=${user.subscription.payment?.resourceId}`);
-      return assistant.respond('User already has an active subscription', { code: 400 });
+    // Block checkout unless user has no subscription or is fully cancelled
+    const subProductId = user.subscription?.product?.id || 'basic';
+    const subStatus = user.subscription?.status;
+    if (subProductId !== 'basic' && subStatus !== 'cancelled') {
+      assistant.log(`User ${uid} has existing subscription: product=${subProductId}, status=${subStatus}, resourceId=${user.subscription.payment?.resourceId}`);
+      return assistant.respond('You already have a subscription. Please cancel your existing subscription before purchasing a new one.', { code: 400 });
     }
 
     // Resolve trial eligibility: if requested but user has subscription history, silently downgrade

package/src/test/runner.js

@@ -229,7 +229,8 @@ class TestRunner {
     // Create fresh test accounts
     const result = await testAccounts.createTestAccounts(
       this.options.admin,
-      this.options.domain
+      this.options.domain,
+      this.config
     );
 
     if (!result.success) {
@@ -240,7 +241,7 @@ class TestRunner {
     console.log(chalk.green(`✓ (${result.created} created)`));
 
     // Fetch account privateKeys
-    this.accounts = await testAccounts.fetchPrivateKeys(this.options.admin, this.options.domain);
+    this.accounts = await testAccounts.fetchPrivateKeys(this.options.admin, this.options.domain, this.config);
 
     // Initialize rules testing context for security rules tests
     process.stdout.write(chalk.gray('  Initializing rules testing context... '));
@@ -663,30 +664,20 @@ class TestRunner {
     });
 
     // Set default auth
-    switch (auth) {
-      case 'admin':
-        http.setAuth('backendManagerKey', { key: this.options.backendManagerKey });
-        break;
-      case 'basic':
-      case 'user':
-        if (this.accounts?.basic?.privateKey) {
-          http.setAuth('privateKey', { privateKey: this.accounts.basic.privateKey });
-        }
-        break;
-      case 'premium-active':
-        if (this.accounts?.['premium-active']?.privateKey) {
-          http.setAuth('privateKey', { privateKey: this.accounts['premium-active'].privateKey });
-        }
-        break;
-      case 'premium-expired':
-        if (this.accounts?.['premium-expired']?.privateKey) {
-          http.setAuth('privateKey', { privateKey: this.accounts['premium-expired'].privateKey });
-        }
-        break;
-      case 'none':
-      default:
-        http.setAuth('none');
-        break;
+    if (auth === 'admin') {
+      http.setAuth('backendManagerKey', { key: this.options.backendManagerKey });
+    } else if (auth === 'none') {
+      http.setAuth('none');
+    } else if (auth === 'user') {
+      // Alias for basic
+      if (this.accounts?.basic?.privateKey) {
+        http.setAuth('privateKey', { privateKey: this.accounts.basic.privateKey });
+      }
+    } else if (this.accounts?.[auth]?.privateKey) {
+      // Dynamic lookup — any account type with a privateKey
+      http.setAuth('privateKey', { privateKey: this.accounts[auth].privateKey });
+    } else {
+      http.setAuth('none');
     }
 
     // Create firestore helper (only if admin SDK available)

package/src/test/test-accounts.js

@@ -1,5 +1,17 @@
 const uuid = require('uuid');
 
+/**
+ * Resolve the first paid subscription product from config
+ * Falls back to 'premium' if no config or no paid products found
+ */
+function getFirstPaidProduct(config) {
+  const products = config?.payment?.products || [];
+  const paid = products.find(p => p.type === 'subscription' && p.id !== 'basic');
+  return paid
+    ? { id: paid.id, name: paid.name }
+    : { id: 'premium', name: 'Premium' };
+}
+
 /**
  * Helper to create a future expiration date for premium subscriptions
  * User() checks subscription.expires to determine if subscription is active
@@ -77,6 +89,24 @@ const STATIC_ACCOUNTS = {
       subscription: { product: { id: 'premium' }, status: 'cancelled', expires: getPastExpires() },
     },
   },
+  'premium-suspended': {
+    id: 'premium-suspended',
+    uid: '_test-premium-suspended',
+    email: '_test.premium-suspended@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'suspended', expires: getFutureExpires() },
+    },
+  },
+  'premium-cancelling': {
+    id: 'premium-cancelling',
+    uid: '_test-premium-cancelling',
+    email: '_test.premium-cancelling@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'active', expires: getFutureExpires(), cancellation: { pending: true } },
+    },
+  },
   delete: {
     id: 'delete',
     uid: '_test-delete',
@@ -397,6 +427,25 @@ const JOURNEY_ACCOUNTS = {
       subscription: { product: { id: 'basic' }, status: 'active' },
     },
   },
+  // Dedicated accounts for user resolve tests — must not be reused by other tests
+  'resolve-premium-active': {
+    id: 'resolve-premium-active',
+    uid: '_test-resolve-premium-active',
+    email: '_test.resolve-premium-active@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'active', expires: getFutureExpires() },
+    },
+  },
+  'resolve-premium-expired': {
+    id: 'resolve-premium-expired',
+    uid: '_test-resolve-premium-expired',
+    email: '_test.resolve-premium-expired@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'cancelled', expires: getPastExpires() },
+    },
+  },
 };
 
 /**
@@ -408,19 +457,29 @@ const TEST_ACCOUNTS = {
 };
 
 /**
- * Get all test account definitions with resolved emails
+ * Get all test account definitions with resolved emails and dynamic product IDs
  * @param {string} domain - Domain for email addresses (e.g., 'itwcreativeworks.com')
+ * @param {object} [config] - BEM config (used to resolve first paid product)
  * @returns {object} Account definitions with resolved emails
  */
-function getAccountDefinitions(domain) {
+function getAccountDefinitions(domain, config) {
+  const paidProduct = getFirstPaidProduct(config);
   const accounts = {};
 
   for (const [key, account] of Object.entries(TEST_ACCOUNTS)) {
+    const properties = JSON.parse(JSON.stringify(account.properties));
+
+    // Replace hardcoded 'premium' product with the actual first paid product from config
+    if (properties.subscription?.product?.id === 'premium') {
+      properties.subscription.product.id = paidProduct.id;
+      properties.subscription.product.name = paidProduct.name;
+    }
+
     accounts[key] = {
       id: account.id,
       uid: account.uid,
       email: account.email.replace('{domain}', domain),
-      properties: account.properties,
+      properties,
     };
   }
 
@@ -431,10 +490,11 @@ function getAccountDefinitions(domain) {
  * Fetch privateKeys for test accounts from Firestore
  * @param {object} admin - Firebase admin instance
  * @param {string} domain - Domain for email addresses (e.g., 'itwcreativeworks.com')
+ * @param {object} [config] - BEM config (used to resolve first paid product)
  * @returns {Promise<object>} Account credentials with privateKeys
  */
-async function fetchPrivateKeys(admin, domain) {
-  const definitions = getAccountDefinitions(domain);
+async function fetchPrivateKeys(admin, domain, config) {
+  const definitions = getAccountDefinitions(domain, config);
   const accounts = {};
 
   // Fetch all in parallel
@@ -617,10 +677,11 @@ async function deleteTestUsers(admin) {
  * Assumes deleteTestUsers() was called first to ensure clean state
  * @param {object} admin - Firebase admin instance
  * @param {string} domain - Domain for email addresses (e.g., 'itwcreativeworks.com')
+ * @param {object} [config] - BEM config (used to resolve first paid product)
  * @returns {Promise<object>} Result with created/failed counts
  */
-async function createTestAccounts(admin, domain) {
-  const definitions = getAccountDefinitions(domain);
+async function createTestAccounts(admin, domain, config) {
+  const definitions = getAccountDefinitions(domain, config);
   const results = { created: [], failed: [] };
 
   // Create all accounts in parallel
@@ -716,6 +777,7 @@ module.exports = {
   JOURNEY_ACCOUNTS,
   TEST_ACCOUNTS,
   TEST_DATA,
+  getFirstPaidProduct,
   getAccountDefinitions,
   fetchPrivateKeys,
   deleteTestUsers,

package/src/test/utils/firestore-rules-client.js

@@ -162,22 +162,20 @@ async function seedTestAccounts(accounts) {
     throw new Error('Test environment not initialized. Call initRulesTestEnv() first.');
   }
 
-  // Get static account definitions for roles/subscription data
-  const { TEST_ACCOUNTS } = require('../test-accounts.js');
-
-  // Use withSecurityRulesDisabled to write test data
+  // Use withSecurityRulesDisabled to write ONLY roles (for isAdmin() rules checks)
+  // Do NOT write subscription — that's already set by createAccount with config-resolved product IDs
   await testEnv.withSecurityRulesDisabled(async (context) => {
     const db = context.firestore();
+    const { TEST_ACCOUNTS } = require('../test-accounts.js');
 
     for (const [accountType, account] of Object.entries(accounts)) {
       if (!account.uid) {
         continue;
       }
 
-      // Get the static definition for this account type (has roles, subscription)
       const staticDef = TEST_ACCOUNTS[accountType];
 
-      // Build user document with roles for isAdmin() check
+      // Only write auth + roles for rules testing — subscription is already correct in the doc
       const userData = {
         auth: {
           uid: account.uid,
@@ -186,11 +184,6 @@ async function seedTestAccounts(accounts) {
         roles: staticDef?.properties?.roles || {},
       };
 
-      // Add subscription if present in static definition
-      if (staticDef?.properties?.subscription) {
-        userData.subscription = staticDef.properties.subscription;
-      }
-
       await db.doc(`users/${account.uid}`).set(userData, { merge: true });
     }
   });

package/test/helpers/email-validation.js

@@ -101,14 +101,14 @@ module.exports = {
     },
 
     {
-      name: 'localpart-admin-blocked',
+      name: 'localpart-admin-allowed',
       timeout: 5000,
 
       async run({ assert }) {
         const result = await validate('admin@company.com');
 
-        assert.equal(result.valid, false, '"admin" local part should be blocked');
-        assert.propertyEquals(result, 'checks.localPart.blocked', true, 'Should be flagged as blocked');
+        assert.equal(result.valid, true, '"admin" local part should be allowed (team/role address)');
+        assert.propertyEquals(result, 'checks.localPart.valid', true, 'localPart check should pass');
       },
     },
 

package/test/helpers/infer-contact.js

@@ -252,24 +252,16 @@ module.exports = {
 
     {
       name: 'infer-contact-regex-fallback',
-      async run({ assert }) {
-        // Temporarily clear OPENAI_API_KEY to force regex path
-        const originalKey = process.env.OPENAI_API_KEY;
-        delete process.env.OPENAI_API_KEY;
-
-        try {
-          const result = await inferContact('alice.wonderland@example.com');
-
-          assert.equal(result.firstName, 'Alice', 'Regex fallback first name');
-          assert.equal(result.lastName, 'Wonderland', 'Regex fallback last name');
-          assert.equal(result.company, 'Example', 'Regex fallback company');
-          assert.equal(result.method, 'regex', 'Should use regex when no API key');
-        } finally {
-          // Restore
-          if (originalKey) {
-            process.env.OPENAI_API_KEY = originalKey;
-          }
+      async run({ assert, skip }) {
+        if (!process.env.TEST_EXTENDED_MODE || !process.env.BACKEND_MANAGER_OPENAI_API_KEY) {
+          skip('TEST_EXTENDED_MODE or BACKEND_MANAGER_OPENAI_API_KEY not set');
         }
+
+        const result = await inferContact('alice.wonderland@example.com');
+
+        assert.equal(result.firstName, 'Alice', 'AI inferred first name');
+        assert.equal(result.lastName, 'Wonderland', 'AI inferred last name');
+        assert.ok(result.method === 'ai', 'Should use AI');
       },
     },
 

package/test/helpers/user.js

@@ -72,10 +72,7 @@ module.exports = {
         assert.ok(user.api.privateKey.length > 0, 'api.privateKey should not be empty');
 
         // Usage
-        assert.equal(user.usage.requests.monthly, 0, 'usage.requests.monthly should be 0');
-        assert.equal(user.usage.requests.daily, 0, 'usage.requests.daily should be 0');
-        assert.equal(user.usage.requests.total, 0, 'usage.requests.total should be 0');
-        assert.equal(user.usage.requests.last.id, null, 'usage.requests.last.id should be null');
+        assert.deepEqual(user.usage, {}, 'usage should be empty object by default');
 
         // Personal
         assert.equal(user.personal.name.first, null, 'personal.name.first should be null');
@@ -231,12 +228,11 @@ module.exports = {
     },
 
     {
-      name: 'usage-only-requests-when-no-extra-keys',
+      name: 'usage-empty-when-no-keys-provided',
       async run({ assert }) {
         const user = createUser({});
 
-        assert.ok(user.usage.requests, 'usage.requests should exist');
-        assert.equal(Object.keys(user.usage).length, 1, 'usage should only have requests key');
+        assert.deepEqual(user.usage, {}, 'usage should be empty object when no keys provided');
       },
     },
 

package/test/routes/admin/infer-contact.js

@@ -44,6 +44,9 @@ module.exports = {
       name: 'single-email-returns-result',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {
@@ -89,12 +92,15 @@ module.exports = {
       },
     },
 
-    // ─── Name parsing (regex) ───
+    // ─── Name parsing (requires AI) ───
 
     {
       name: 'regex-parses-dot-separated-names',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {
@@ -104,7 +110,6 @@ module.exports = {
         assert.isSuccess(response);
         const result = response.data.results[0];
 
-        // AI or regex — either way should get the name right
         assert.equal(result.firstName, 'Alice', 'Should parse first name');
         assert.equal(result.lastName, 'Wonderland', 'Should parse last name');
       },
@@ -114,6 +119,9 @@ module.exports = {
       name: 'infers-company-from-custom-domain',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {
@@ -130,6 +138,9 @@ module.exports = {
       name: 'no-company-from-generic-domain',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {

package/test/routes/payments/dispute-alert.js

@@ -32,7 +32,7 @@ module.exports = {
       name: 'rejects-unknown-provider',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?alerts=unknown&key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?provider=unknown&key=${process.env.BACKEND_MANAGER_KEY}`, {
           id: '_test-dispute-unknown-provider',
           card: '4242',
           amount: 9.99,

package/test/routes/payments/intent.js

@@ -85,6 +85,54 @@ module.exports = {
       },
     },
 
+    {
+      name: 'rejects-suspended-user',
+      auth: 'premium-suspended',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('premium-suspended').post('payments/intent', {
+          processor: 'stripe',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isError(response, 400, 'Should reject user with suspended subscription');
+      },
+    },
+
+    {
+      name: 'rejects-cancelling-user',
+      auth: 'premium-cancelling',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('premium-cancelling').post('payments/intent', {
+          processor: 'stripe',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isError(response, 400, 'Should reject user with cancelling subscription');
+      },
+    },
+
+    {
+      name: 'allows-cancelled-user',
+      auth: 'premium-expired',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('premium-expired').post('payments/intent', {
+          processor: 'test',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isSuccess(response, 'Should allow user with fully cancelled subscription');
+      },
+    },
+
     {
       name: 'rejects-invalid-product',
       async run({ http, assert }) {

package/test/routes/user/user.js

@@ -4,6 +4,8 @@
  * Returns user account info for authenticated users
  * Validates that User() correctly structures user data
  */
+const { getFirstPaidProduct } = require('../../../src/test/test-accounts.js');
+
 module.exports = {
   description: 'User resolve (account info)',
   type: 'group',
@@ -104,10 +106,11 @@ module.exports = {
     // Test 5: Premium active user - verify premium subscription is retained
     {
       name: 'premium-active-user-resolved-correctly',
-      auth: 'premium-active',
+      auth: 'resolve-premium-active',
       timeout: 15000,
 
-      async run({ http, assert, accounts }) {
+      async run({ http, assert, accounts, config }) {
+        const paidProduct = getFirstPaidProduct(config);
         const response = await http.get('user', {});
 
         assert.isSuccess(response, 'Resolve should succeed for premium user');
@@ -115,11 +118,10 @@ module.exports = {
         const user = response.data.user;
 
         // Verify auth properties
-        assert.equal(user.auth.uid, accounts['premium-active'].uid, 'UID should match premium test account');
-        assert.equal(user.auth.email, accounts['premium-active'].email, 'Email should match premium test account');
+        assert.equal(user.auth.uid, accounts['resolve-premium-active'].uid, 'UID should match premium test account');
 
-        // Verify subscription - premium user should retain premium subscription
-        assert.equal(user.subscription.product.id, 'premium', 'Subscription ID should be premium');
+        // Verify subscription - premium user should retain paid subscription
+        assert.equal(user.subscription.product.id, paidProduct.id, 'Subscription ID should match first paid product');
         assert.equal(user.subscription.status, 'active', 'Subscription status should be active');
 
         // Verify expires is in the future
@@ -132,10 +134,11 @@ module.exports = {
     // Test 6: Premium expired user - verify subscription retains product but shows cancelled status
     {
       name: 'premium-expired-user-cancelled',
-      auth: 'premium-expired',
+      auth: 'resolve-premium-expired',
       timeout: 15000,
 
-      async run({ http, assert, accounts }) {
+      async run({ http, assert, accounts, config }) {
+        const paidProduct = getFirstPaidProduct(config);
         const response = await http.get('user', {});
 
         assert.isSuccess(response, 'Resolve should succeed for expired premium user');
@@ -143,10 +146,10 @@ module.exports = {
         const user = response.data.user;
 
         // Verify auth properties
-        assert.equal(user.auth.uid, accounts['premium-expired'].uid, 'UID should match expired premium test account');
+        assert.equal(user.auth.uid, accounts['resolve-premium-expired'].uid, 'UID should match expired premium test account');
 
-        // Verify subscription - product.id stays premium, status reflects cancellation
-        assert.equal(user.subscription.product.id, 'premium', 'Product ID should remain premium');
+        // Verify subscription - product.id stays as paid product, status reflects cancellation
+        assert.equal(user.subscription.product.id, paidProduct.id, 'Product ID should remain paid product');
         assert.equal(user.subscription.status, 'cancelled', 'Status should be cancelled');
       },
     },