backend-manager 5.0.180 → 5.0.182

package/TODO-2.md

@@ -10,6 +10,10 @@ payments/reactivate
 payments/upgrade
   * takes a subscription id and a new plan id and upgrades the user's subscription to the new plan. this can only be done if the user has an active subscription.
 
+---
+GHOSTII REVAMP
+* better logic for generating posts. better model? claude?
+
 -------
 UPSELL
 * products in BEM can have an UPSELL where you link another product ID and it allows you to add it to your cart OR shows you after checkout?

package/_zombie-sub-guard-wip/GAP.md

@@ -0,0 +1,25 @@
+## BEM Gap: Webhook overwrites user doc with stale subscription data
+
+### Problem
+When a non-current subscription is cancelled on the provider (e.g. cancelling a zombie/duplicate PayPal sub), the provider fires a cancellation webhook. BEM processes it, finds the user by UID, and overwrites `subscription.*` on the user doc with the cancelled sub's data — even though the user has a different, active subscription.
+
+### Example
+- User has active Chargebee sub (current) + old suspended PayPal sub (zombie)
+- We cancel the PayPal sub → PayPal fires `BILLING.SUBSCRIPTION.CANCELLED`
+- BEM finds user by UID → sets `subscription.status = 'cancelled'`, `subscription.payment.resourceId = <old PayPal sub>`
+- User is now broken — their active Chargebee sub is invisible
+
+### Fix needed in `on-write.js`
+Before writing the unified subscription data to the user doc, check:
+```
+if (user.subscription.payment.resourceId !== webhook.resourceId) {
+  // This webhook is for a DIFFERENT subscription than the user's current one.
+  // Update the payments-orders doc only. Do NOT touch the user doc.
+}
+```
+
+### Affected file
+`backend-manager/src/manager/events/firestore/payments-webhooks/on-write.js` — the section that writes to `users/{uid}`
+
+### Impact
+Without this fix, any cancellation/suspension of a non-current subscription (duplicate cleanup, provider-side cancellation of old subs) will corrupt the user doc. Currently requires manual restoration after each occurrence.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.180",
+  "version": "5.0.182",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/cli/commands/setup-tests/hosting-rewrites.js

@@ -2,6 +2,11 @@ const BaseTest = require('./base-test');
 const jetpack = require('fs-jetpack');
 const _ = require('lodash');
 
+// The expected source pattern for bm_api hosting rewrite
+// Includes /backend-manager/* routes and root-level MCP OAuth paths
+// that Claude Chat sends directly (e.g. /authorize, /token, /.well-known/*)
+const BM_API_SOURCE = '{/backend-manager,/backend-manager/**,/.well-known/oauth-protected-resource,/.well-known/oauth-authorization-server,/authorize,/token}';
+
 class HostingRewritesTest extends BaseTest {
   getName() {
     return 'hosting rewrites have bm_api';
@@ -11,8 +16,8 @@ class HostingRewritesTest extends BaseTest {
     const rewrites = this.self.firebaseJSON?.hosting?.rewrites || [];
     const firstRewrite = rewrites[0];
 
-    // Check first rule is correct
-    const firstIsCorrect = firstRewrite?.source === '{/backend-manager,/backend-manager/**}' && firstRewrite?.function === 'bm_api';
+    // Check first rule is correct (matches current expected pattern)
+    const firstIsCorrect = firstRewrite?.source === BM_API_SOURCE && firstRewrite?.function === 'bm_api';
 
     // Check no duplicates exist (only one bm_api rule allowed)
     const bmApiCount = rewrites.filter(r => r.function === 'bm_api').length;
@@ -26,12 +31,12 @@ class HostingRewritesTest extends BaseTest {
     // Set default
     hosting.rewrites = hosting.rewrites || [];
 
-    // Remove any existing bm_api rewrites
+    // Remove any existing bm_api rewrites (handles legacy single-pattern rewrites too)
     hosting.rewrites = hosting.rewrites.filter(rewrite => rewrite.function !== 'bm_api');
 
-    // Add to top
+    // Add to top with full pattern including MCP OAuth paths
     hosting.rewrites.unshift({
-      source: '{/backend-manager,/backend-manager/**}',
+      source: BM_API_SOURCE,
       function: 'bm_api',
     });
 

package/src/manager/index.js

@@ -793,11 +793,9 @@ Manager.prototype.setupFunctions = function (exporter, options) {
     const route = self.BemRouter(req, res).resolve();
 
     // MCP endpoint — bypass middleware, handle protocol directly
-    if (route.routePath === 'mcp'
-      || route.routePath.startsWith('mcp/')
-      || route.routePath === '.well-known/oauth-protected-resource'
-      || route.routePath === '.well-known/oauth-authorization-server') {
-      return self._handleMcp(req, res, route.routePath);
+    const mcpRoutePath = resolveMcpRoutePath(route.routePath);
+    if (mcpRoutePath) {
+      return self._handleMcp(req, res, mcpRoutePath);
     }
 
     if (route.isLegacy) {
@@ -1201,4 +1199,35 @@ function requireJSON5(file, throwError) {
   }
 }
 
+/**
+ * Check if a routePath is an MCP-related route and normalize it.
+ * Handles /backend-manager/mcp/* paths and /.well-known/oauth-* discovery.
+ *
+ * @param {string} routePath - Resolved route path from BemRouter
+ * @returns {string|null} - Normalized MCP route path, or null if not MCP
+ */
+function resolveMcpRoutePath(routePath) {
+  // Direct MCP paths (via /backend-manager/mcp/*)
+  if (routePath === 'mcp' || routePath.startsWith('mcp/')) {
+    return routePath;
+  }
+
+  // OAuth discovery (via /.well-known/oauth-*)
+  if (routePath === '.well-known/oauth-protected-resource'
+    || routePath === '.well-known/oauth-authorization-server') {
+    return routePath;
+  }
+
+  // Root-level OAuth paths — Claude Chat sends these directly
+  // regardless of what the discovery endpoints return
+  if (routePath === 'authorize') {
+    return 'mcp/authorize';
+  }
+  if (routePath === 'token') {
+    return 'mcp/token';
+  }
+
+  return null;
+}
+
 module.exports = Manager;