backend-manager 5.0.173 → 5.0.176

package/src/test/test-accounts.js

@@ -1,5 +1,17 @@
 const uuid = require('uuid');
 
+/**
+ * Resolve the first paid subscription product from config
+ * Falls back to 'premium' if no config or no paid products found
+ */
+function getFirstPaidProduct(config) {
+  const products = config?.payment?.products || [];
+  const paid = products.find(p => p.type === 'subscription' && p.id !== 'basic');
+  return paid
+    ? { id: paid.id, name: paid.name }
+    : { id: 'premium', name: 'Premium' };
+}
+
 /**
  * Helper to create a future expiration date for premium subscriptions
  * User() checks subscription.expires to determine if subscription is active
@@ -77,6 +89,24 @@ const STATIC_ACCOUNTS = {
       subscription: { product: { id: 'premium' }, status: 'cancelled', expires: getPastExpires() },
     },
   },
+  'premium-suspended': {
+    id: 'premium-suspended',
+    uid: '_test-premium-suspended',
+    email: '_test.premium-suspended@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'suspended', expires: getFutureExpires() },
+    },
+  },
+  'premium-cancelling': {
+    id: 'premium-cancelling',
+    uid: '_test-premium-cancelling',
+    email: '_test.premium-cancelling@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'active', expires: getFutureExpires(), cancellation: { pending: true } },
+    },
+  },
   delete: {
     id: 'delete',
     uid: '_test-delete',
@@ -397,6 +427,25 @@ const JOURNEY_ACCOUNTS = {
       subscription: { product: { id: 'basic' }, status: 'active' },
     },
   },
+  // Dedicated accounts for user resolve tests — must not be reused by other tests
+  'resolve-premium-active': {
+    id: 'resolve-premium-active',
+    uid: '_test-resolve-premium-active',
+    email: '_test.resolve-premium-active@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'active', expires: getFutureExpires() },
+    },
+  },
+  'resolve-premium-expired': {
+    id: 'resolve-premium-expired',
+    uid: '_test-resolve-premium-expired',
+    email: '_test.resolve-premium-expired@{domain}',
+    properties: {
+      roles: {},
+      subscription: { product: { id: 'premium' }, status: 'cancelled', expires: getPastExpires() },
+    },
+  },
 };
 
 /**
@@ -408,19 +457,29 @@ const TEST_ACCOUNTS = {
 };
 
 /**
- * Get all test account definitions with resolved emails
+ * Get all test account definitions with resolved emails and dynamic product IDs
  * @param {string} domain - Domain for email addresses (e.g., 'itwcreativeworks.com')
+ * @param {object} [config] - BEM config (used to resolve first paid product)
  * @returns {object} Account definitions with resolved emails
  */
-function getAccountDefinitions(domain) {
+function getAccountDefinitions(domain, config) {
+  const paidProduct = getFirstPaidProduct(config);
   const accounts = {};
 
   for (const [key, account] of Object.entries(TEST_ACCOUNTS)) {
+    const properties = JSON.parse(JSON.stringify(account.properties));
+
+    // Replace hardcoded 'premium' product with the actual first paid product from config
+    if (properties.subscription?.product?.id === 'premium') {
+      properties.subscription.product.id = paidProduct.id;
+      properties.subscription.product.name = paidProduct.name;
+    }
+
     accounts[key] = {
       id: account.id,
       uid: account.uid,
       email: account.email.replace('{domain}', domain),
-      properties: account.properties,
+      properties,
     };
   }
 
@@ -431,10 +490,11 @@ function getAccountDefinitions(domain) {
  * Fetch privateKeys for test accounts from Firestore
  * @param {object} admin - Firebase admin instance
  * @param {string} domain - Domain for email addresses (e.g., 'itwcreativeworks.com')
+ * @param {object} [config] - BEM config (used to resolve first paid product)
  * @returns {Promise<object>} Account credentials with privateKeys
  */
-async function fetchPrivateKeys(admin, domain) {
-  const definitions = getAccountDefinitions(domain);
+async function fetchPrivateKeys(admin, domain, config) {
+  const definitions = getAccountDefinitions(domain, config);
   const accounts = {};
 
   // Fetch all in parallel
@@ -617,10 +677,11 @@ async function deleteTestUsers(admin) {
  * Assumes deleteTestUsers() was called first to ensure clean state
  * @param {object} admin - Firebase admin instance
  * @param {string} domain - Domain for email addresses (e.g., 'itwcreativeworks.com')
+ * @param {object} [config] - BEM config (used to resolve first paid product)
  * @returns {Promise<object>} Result with created/failed counts
  */
-async function createTestAccounts(admin, domain) {
-  const definitions = getAccountDefinitions(domain);
+async function createTestAccounts(admin, domain, config) {
+  const definitions = getAccountDefinitions(domain, config);
   const results = { created: [], failed: [] };
 
   // Create all accounts in parallel
@@ -716,6 +777,7 @@ module.exports = {
   JOURNEY_ACCOUNTS,
   TEST_ACCOUNTS,
   TEST_DATA,
+  getFirstPaidProduct,
   getAccountDefinitions,
   fetchPrivateKeys,
   deleteTestUsers,

package/src/test/utils/firestore-rules-client.js

@@ -162,22 +162,20 @@ async function seedTestAccounts(accounts) {
     throw new Error('Test environment not initialized. Call initRulesTestEnv() first.');
   }
 
-  // Get static account definitions for roles/subscription data
-  const { TEST_ACCOUNTS } = require('../test-accounts.js');
-
-  // Use withSecurityRulesDisabled to write test data
+  // Use withSecurityRulesDisabled to write ONLY roles (for isAdmin() rules checks)
+  // Do NOT write subscription — that's already set by createAccount with config-resolved product IDs
   await testEnv.withSecurityRulesDisabled(async (context) => {
     const db = context.firestore();
+    const { TEST_ACCOUNTS } = require('../test-accounts.js');
 
     for (const [accountType, account] of Object.entries(accounts)) {
       if (!account.uid) {
         continue;
       }
 
-      // Get the static definition for this account type (has roles, subscription)
       const staticDef = TEST_ACCOUNTS[accountType];
 
-      // Build user document with roles for isAdmin() check
+      // Only write auth + roles for rules testing — subscription is already correct in the doc
       const userData = {
         auth: {
           uid: account.uid,
@@ -186,11 +184,6 @@ async function seedTestAccounts(accounts) {
         roles: staticDef?.properties?.roles || {},
       };
 
-      // Add subscription if present in static definition
-      if (staticDef?.properties?.subscription) {
-        userData.subscription = staticDef.properties.subscription;
-      }
-
       await db.doc(`users/${account.uid}`).set(userData, { merge: true });
     }
   });

package/test/helpers/email-validation.js

@@ -101,14 +101,14 @@ module.exports = {
     },
 
     {
-      name: 'localpart-admin-blocked',
+      name: 'localpart-admin-allowed',
       timeout: 5000,
 
       async run({ assert }) {
         const result = await validate('admin@company.com');
 
-        assert.equal(result.valid, false, '"admin" local part should be blocked');
-        assert.propertyEquals(result, 'checks.localPart.blocked', true, 'Should be flagged as blocked');
+        assert.equal(result.valid, true, '"admin" local part should be allowed (team/role address)');
+        assert.propertyEquals(result, 'checks.localPart.valid', true, 'localPart check should pass');
       },
     },
 

package/test/helpers/infer-contact.js

@@ -252,24 +252,16 @@ module.exports = {
 
     {
       name: 'infer-contact-regex-fallback',
-      async run({ assert }) {
-        // Temporarily clear OPENAI_API_KEY to force regex path
-        const originalKey = process.env.OPENAI_API_KEY;
-        delete process.env.OPENAI_API_KEY;
-
-        try {
-          const result = await inferContact('alice.wonderland@example.com');
-
-          assert.equal(result.firstName, 'Alice', 'Regex fallback first name');
-          assert.equal(result.lastName, 'Wonderland', 'Regex fallback last name');
-          assert.equal(result.company, 'Example', 'Regex fallback company');
-          assert.equal(result.method, 'regex', 'Should use regex when no API key');
-        } finally {
-          // Restore
-          if (originalKey) {
-            process.env.OPENAI_API_KEY = originalKey;
-          }
+      async run({ assert, skip }) {
+        if (!process.env.TEST_EXTENDED_MODE || !process.env.BACKEND_MANAGER_OPENAI_API_KEY) {
+          skip('TEST_EXTENDED_MODE or BACKEND_MANAGER_OPENAI_API_KEY not set');
         }
+
+        const result = await inferContact('alice.wonderland@example.com');
+
+        assert.equal(result.firstName, 'Alice', 'AI inferred first name');
+        assert.equal(result.lastName, 'Wonderland', 'AI inferred last name');
+        assert.ok(result.method === 'ai', 'Should use AI');
       },
     },
 

package/test/helpers/user.js

@@ -72,10 +72,7 @@ module.exports = {
         assert.ok(user.api.privateKey.length > 0, 'api.privateKey should not be empty');
 
         // Usage
-        assert.equal(user.usage.requests.monthly, 0, 'usage.requests.monthly should be 0');
-        assert.equal(user.usage.requests.daily, 0, 'usage.requests.daily should be 0');
-        assert.equal(user.usage.requests.total, 0, 'usage.requests.total should be 0');
-        assert.equal(user.usage.requests.last.id, null, 'usage.requests.last.id should be null');
+        assert.deepEqual(user.usage, {}, 'usage should be empty object by default');
 
         // Personal
         assert.equal(user.personal.name.first, null, 'personal.name.first should be null');
@@ -231,12 +228,11 @@ module.exports = {
     },
 
     {
-      name: 'usage-only-requests-when-no-extra-keys',
+      name: 'usage-empty-when-no-keys-provided',
       async run({ assert }) {
         const user = createUser({});
 
-        assert.ok(user.usage.requests, 'usage.requests should exist');
-        assert.equal(Object.keys(user.usage).length, 1, 'usage should only have requests key');
+        assert.deepEqual(user.usage, {}, 'usage should be empty object when no keys provided');
       },
     },
 

package/test/routes/admin/infer-contact.js

@@ -44,6 +44,9 @@ module.exports = {
       name: 'single-email-returns-result',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {
@@ -89,12 +92,15 @@ module.exports = {
       },
     },
 
-    // ─── Name parsing (regex) ───
+    // ─── Name parsing (requires AI) ───
 
     {
       name: 'regex-parses-dot-separated-names',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {
@@ -104,7 +110,6 @@ module.exports = {
         assert.isSuccess(response);
         const result = response.data.results[0];
 
-        // AI or regex — either way should get the name right
         assert.equal(result.firstName, 'Alice', 'Should parse first name');
         assert.equal(result.lastName, 'Wonderland', 'Should parse last name');
       },
@@ -114,6 +119,9 @@ module.exports = {
       name: 'infers-company-from-custom-domain',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {
@@ -130,6 +138,9 @@ module.exports = {
       name: 'no-company-from-generic-domain',
       auth: 'admin',
       timeout: 30000,
+      skip: !process.env.TEST_EXTENDED_MODE
+        ? 'TEST_EXTENDED_MODE not set (skipping inference test)'
+        : false,
 
       async run({ http, assert }) {
         const response = await http.post('admin/infer-contact', {

package/test/routes/payments/dispute-alert.js

@@ -32,7 +32,7 @@ module.exports = {
       name: 'rejects-unknown-provider',
       auth: 'none',
       async run({ http, assert }) {
-        const response = await http.as('none').post(`payments/dispute-alert?alerts=unknown&key=${process.env.BACKEND_MANAGER_KEY}`, {
+        const response = await http.as('none').post(`payments/dispute-alert?provider=unknown&key=${process.env.BACKEND_MANAGER_KEY}`, {
           id: '_test-dispute-unknown-provider',
           card: '4242',
           amount: 9.99,
@@ -115,6 +115,14 @@ module.exports = {
           amount: 29.99,
           transactionDate: '2026-03-07 14:30:00',
           processor: 'stripe',
+          alertType: 'FRAUD',
+          customerEmail: 'test@example.com',
+          externalOrder: 'ch_test123',
+          metadata: 'pi_test456',
+          externalUrl: 'https://dashboard.stripe.com/charges/ch_test123',
+          reasonCode: 'WIP',
+          subprovider: 'Ethoca',
+          isRefunded: false,
         });
 
         assert.isSuccess(response, 'Should accept valid Chargeblast alert');
@@ -129,13 +137,23 @@ module.exports = {
           'Status should be pending or processing',
         );
 
-        // Verify normalized alert data
+        // Verify core normalized alert data
         assert.equal(doc.alert.card.last4, '4242', 'Should extract last4 from full card number');
         assert.equal(doc.alert.card.brand, 'visa', 'Should lowercase card brand');
         assert.equal(doc.alert.amount, 29.99, 'Amount should be preserved');
         assert.equal(doc.alert.transactionDate, '2026-03-07', 'Should extract date without time');
         assert.equal(doc.alert.processor, 'stripe', 'Processor should be stripe');
 
+        // Verify new normalized fields
+        assert.equal(doc.alert.alertType, 'FRAUD', 'Alert type should be preserved');
+        assert.equal(doc.alert.customerEmail, 'test@example.com', 'Customer email should be preserved');
+        assert.equal(doc.alert.chargeId, 'ch_test123', 'Charge ID should be extracted from externalOrder');
+        assert.equal(doc.alert.paymentIntentId, 'pi_test456', 'Payment intent ID should be extracted from metadata');
+        assert.equal(doc.alert.stripeUrl, 'https://dashboard.stripe.com/charges/ch_test123', 'Stripe URL should be preserved');
+        assert.equal(doc.alert.reasonCode, 'WIP', 'Reason code should be preserved');
+        assert.equal(doc.alert.subprovider, 'Ethoca', 'Subprovider should be preserved');
+        assert.equal(doc.alert.isRefunded, false, 'isRefunded should be preserved');
+
         // Verify raw payload is preserved
         assert.ok(doc.raw, 'Raw payload should be preserved');
         assert.equal(doc.raw.id, alertId, 'Raw id should match');
@@ -145,6 +163,73 @@ module.exports = {
       },
     },
 
+    {
+      name: 'accepts-alert-with-alertId-field',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-alertid-field';
+
+        // Clean up any existing doc
+        await firestore.delete(`payments-disputes/${alertId}`);
+
+        // Chargeblast alert.created events use alertId instead of id
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          alertId: alertId,
+          card: '546616******5805',
+          cardBrand: 'Mastercard',
+          amount: 8,
+          transactionDate: '2026-03-19 00:00:00.000000Z',
+        });
+
+        assert.isSuccess(response, 'Should accept alert using alertId field');
+
+        const doc = await firestore.get(`payments-disputes/${alertId}`);
+        assert.ok(doc, 'Dispute doc should exist in Firestore');
+        assert.equal(doc.id, alertId, 'Doc ID should match alertId');
+        assert.equal(doc.alert.id, alertId, 'Alert id should be set from alertId');
+        assert.equal(doc.alert.card.last4, '5805', 'Should extract last4 from masked card');
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+
+    {
+      name: 'accepts-alert-without-optional-fields',
+      auth: 'none',
+      async run({ http, assert, firestore }) {
+        const alertId = '_test-dispute-minimal';
+
+        // Clean up any existing doc
+        await firestore.delete(`payments-disputes/${alertId}`);
+
+        // Send minimal alert (alert.created shape — no externalOrder, metadata, etc.)
+        const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
+          id: alertId,
+          card: '9124',
+          amount: 10,
+          transactionDate: '2026-03-21 00:01:02',
+        });
+
+        assert.isSuccess(response, 'Should accept minimal alert');
+
+        const doc = await firestore.get(`payments-disputes/${alertId}`);
+        assert.equal(doc.alert.card.last4, '9124', 'Should use card as last4');
+        assert.equal(doc.alert.processor, 'stripe', 'Processor should default to stripe');
+        assert.equal(doc.alert.chargeId, null, 'Charge ID should be null when not provided');
+        assert.equal(doc.alert.paymentIntentId, null, 'Payment intent should be null when not provided');
+        assert.equal(doc.alert.customerEmail, null, 'Customer email should be null when not provided');
+        assert.equal(doc.alert.alertType, null, 'Alert type should be null when not provided');
+        assert.equal(doc.alert.stripeUrl, null, 'Stripe URL should be null when not provided');
+        assert.equal(doc.alert.reasonCode, null, 'Reason code should be null when not provided');
+        assert.equal(doc.alert.subprovider, null, 'Subprovider should be null when not provided');
+        assert.equal(doc.alert.isRefunded, false, 'isRefunded should default to false');
+
+        // Clean up
+        await firestore.delete(`payments-disputes/${alertId}`);
+      },
+    },
+
     {
       name: 'accepts-alert-with-last4-only',
       auth: 'none',
@@ -242,7 +327,7 @@ module.exports = {
     },
 
     {
-      name: 'defaults-alerts-to-chargeblast',
+      name: 'defaults-provider-to-chargeblast',
       auth: 'none',
       async run({ http, assert, firestore }) {
         const alertId = '_test-dispute-default-provider';
@@ -250,7 +335,7 @@ module.exports = {
         // Clean up any existing doc
         await firestore.delete(`payments-disputes/${alertId}`);
 
-        // Send without alerts query param
+        // Send without provider query param
         const response = await http.as('none').post(`payments/dispute-alert?key=${process.env.BACKEND_MANAGER_KEY}`, {
           id: alertId,
           card: '4242',
@@ -258,7 +343,7 @@ module.exports = {
           transactionDate: '2026-01-15',
         });
 
-        assert.isSuccess(response, 'Should accept without explicit alerts param');
+        assert.isSuccess(response, 'Should accept without explicit provider param');
 
         const doc = await firestore.get(`payments-disputes/${alertId}`);
         assert.equal(doc.provider, 'chargeblast', 'Provider should default to chargeblast');

package/test/routes/payments/intent.js

@@ -85,6 +85,54 @@ module.exports = {
       },
     },
 
+    {
+      name: 'rejects-suspended-user',
+      auth: 'premium-suspended',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('premium-suspended').post('payments/intent', {
+          processor: 'stripe',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isError(response, 400, 'Should reject user with suspended subscription');
+      },
+    },
+
+    {
+      name: 'rejects-cancelling-user',
+      auth: 'premium-cancelling',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('premium-cancelling').post('payments/intent', {
+          processor: 'stripe',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isError(response, 400, 'Should reject user with cancelling subscription');
+      },
+    },
+
+    {
+      name: 'allows-cancelled-user',
+      auth: 'premium-expired',
+      async run({ http, assert, config }) {
+        const paidProduct = config.payment.products.find(p => p.id !== 'basic' && p.prices);
+
+        const response = await http.as('premium-expired').post('payments/intent', {
+          processor: 'test',
+          productId: paidProduct.id,
+          frequency: 'monthly',
+        });
+
+        assert.isSuccess(response, 'Should allow user with fully cancelled subscription');
+      },
+    },
+
     {
       name: 'rejects-invalid-product',
       async run({ http, assert }) {

package/test/routes/user/user.js

@@ -4,6 +4,8 @@
  * Returns user account info for authenticated users
  * Validates that User() correctly structures user data
  */
+const { getFirstPaidProduct } = require('../../../src/test/test-accounts.js');
+
 module.exports = {
   description: 'User resolve (account info)',
   type: 'group',
@@ -104,10 +106,11 @@ module.exports = {
     // Test 5: Premium active user - verify premium subscription is retained
     {
       name: 'premium-active-user-resolved-correctly',
-      auth: 'premium-active',
+      auth: 'resolve-premium-active',
       timeout: 15000,
 
-      async run({ http, assert, accounts }) {
+      async run({ http, assert, accounts, config }) {
+        const paidProduct = getFirstPaidProduct(config);
         const response = await http.get('user', {});
 
         assert.isSuccess(response, 'Resolve should succeed for premium user');
@@ -115,11 +118,10 @@ module.exports = {
         const user = response.data.user;
 
         // Verify auth properties
-        assert.equal(user.auth.uid, accounts['premium-active'].uid, 'UID should match premium test account');
-        assert.equal(user.auth.email, accounts['premium-active'].email, 'Email should match premium test account');
+        assert.equal(user.auth.uid, accounts['resolve-premium-active'].uid, 'UID should match premium test account');
 
-        // Verify subscription - premium user should retain premium subscription
-        assert.equal(user.subscription.product.id, 'premium', 'Subscription ID should be premium');
+        // Verify subscription - premium user should retain paid subscription
+        assert.equal(user.subscription.product.id, paidProduct.id, 'Subscription ID should match first paid product');
         assert.equal(user.subscription.status, 'active', 'Subscription status should be active');
 
         // Verify expires is in the future
@@ -132,10 +134,11 @@ module.exports = {
     // Test 6: Premium expired user - verify subscription retains product but shows cancelled status
     {
       name: 'premium-expired-user-cancelled',
-      auth: 'premium-expired',
+      auth: 'resolve-premium-expired',
       timeout: 15000,
 
-      async run({ http, assert, accounts }) {
+      async run({ http, assert, accounts, config }) {
+        const paidProduct = getFirstPaidProduct(config);
         const response = await http.get('user', {});
 
         assert.isSuccess(response, 'Resolve should succeed for expired premium user');
@@ -143,10 +146,10 @@ module.exports = {
         const user = response.data.user;
 
         // Verify auth properties
-        assert.equal(user.auth.uid, accounts['premium-expired'].uid, 'UID should match expired premium test account');
+        assert.equal(user.auth.uid, accounts['resolve-premium-expired'].uid, 'UID should match expired premium test account');
 
-        // Verify subscription - product.id stays premium, status reflects cancellation
-        assert.equal(user.subscription.product.id, 'premium', 'Product ID should remain premium');
+        // Verify subscription - product.id stays as paid product, status reflects cancellation
+        assert.equal(user.subscription.product.id, paidProduct.id, 'Product ID should remain paid product');
         assert.equal(user.subscription.status, 'cancelled', 'Status should be cancelled');
       },
     },