backend-manager 5.0.181 → 5.0.183

package/TODO-2.md

@@ -10,6 +10,10 @@ payments/reactivate
 payments/upgrade
   * takes a subscription id and a new plan id and upgrades the user's subscription to the new plan. this can only be done if the user has an active subscription.
 
+---
+GHOSTII REVAMP
+* better logic for generating posts. better model? claude?
+
 -------
 UPSELL
 * products in BEM can have an UPSELL where you link another product ID and it allows you to add it to your cart OR shows you after checkout?

package/_zombie-sub-guard-wip/GAP.md

@@ -0,0 +1,25 @@
+## BEM Gap: Webhook overwrites user doc with stale subscription data
+
+### Problem
+When a non-current subscription is cancelled on the provider (e.g. cancelling a zombie/duplicate PayPal sub), the provider fires a cancellation webhook. BEM processes it, finds the user by UID, and overwrites `subscription.*` on the user doc with the cancelled sub's data — even though the user has a different, active subscription.
+
+### Example
+- User has active Chargebee sub (current) + old suspended PayPal sub (zombie)
+- We cancel the PayPal sub → PayPal fires `BILLING.SUBSCRIPTION.CANCELLED`
+- BEM finds user by UID → sets `subscription.status = 'cancelled'`, `subscription.payment.resourceId = <old PayPal sub>`
+- User is now broken — their active Chargebee sub is invisible
+
+### Fix needed in `on-write.js`
+Before writing the unified subscription data to the user doc, check:
+```
+if (user.subscription.payment.resourceId !== webhook.resourceId) {
+  // This webhook is for a DIFFERENT subscription than the user's current one.
+  // Update the payments-orders doc only. Do NOT touch the user doc.
+}
+```
+
+### Affected file
+`backend-manager/src/manager/events/firestore/payments-webhooks/on-write.js` — the section that writes to `users/{uid}`
+
+### Impact
+Without this fix, any cancellation/suspension of a non-current subscription (duplicate cleanup, provider-side cancellation of old subs) will corrupt the user doc. Currently requires manual restoration after each occurrence.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.181",
+  "version": "5.0.183",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/cli/commands/setup-tests/hosting-rewrites.js

@@ -5,7 +5,7 @@ const _ = require('lodash');
 // The expected source pattern for bm_api hosting rewrite
 // Includes /backend-manager/* routes and root-level MCP OAuth paths
 // that Claude Chat sends directly (e.g. /authorize, /token, /.well-known/*)
-const BM_API_SOURCE = '{/backend-manager,/backend-manager/**,/.well-known/oauth-protected-resource,/.well-known/oauth-authorization-server}';
+const BM_API_SOURCE = '{/backend-manager,/backend-manager/**,/.well-known/oauth-protected-resource,/.well-known/oauth-authorization-server,/authorize,/token}';
 
 class HostingRewritesTest extends BaseTest {
   getName() {

package/src/manager/index.js

@@ -1218,6 +1218,15 @@ function resolveMcpRoutePath(routePath) {
     return routePath;
   }
 
+  // Root-level OAuth paths — Claude Chat sends these directly
+  // regardless of what the discovery endpoints return
+  if (routePath === 'authorize') {
+    return 'mcp/authorize';
+  }
+  if (routePath === 'token') {
+    return 'mcp/token';
+  }
+
   return null;
 }
 

package/src/mcp/handler.js

@@ -93,7 +93,7 @@ function handleAuthorize(req, res, options) {
   const Manager = options.Manager;
 
   // Auto-approve if client_id matches the BEM key
-  if (isValidKey(client_id, Manager) && redirect_uri) {
+  if (isValidKey(client_id) && redirect_uri) {
     const url = new URL(redirect_uri);
     url.searchParams.set('code', client_id);
     if (state) {
@@ -151,7 +151,7 @@ function handleAuthorize(req, res, options) {
     const redirectUri = body.redirect_uri || '';
     const postState = body.state || '';
 
-    if (!isValidKey(key, Manager)) {
+    if (!isValidKey(key)) {
       res.writeHead(403, { 'Content-Type': 'text/html' });
       res.end('<html><body style="background:#111;color:#e55;font-family:sans-serif;display:flex;align-items:center;justify-content:center;height:100vh"><h2>Invalid key. Go back and try again.</h2></body></html>');
       return;
@@ -188,7 +188,7 @@ function handleToken(req, res, options) {
   const Manager = options.Manager;
 
   // The code, client_secret, or client_id IS the backendManagerKey — validate any
-  if (!isValidKey(code, Manager)) {
+  if (!isValidKey(code)) {
     return sendJson(res, 401, {
       error: 'invalid_grant',
       error_description: 'Invalid authorization code.',
@@ -213,7 +213,7 @@ async function handleMcpProtocol(req, res, options) {
   const authHeader = req.headers.authorization || '';
   const key = authHeader.replace(/^Bearer\s+/i, '');
 
-  if (!isValidKey(key, Manager)) {
+  if (!isValidKey(key)) {
     // Return 401 with OAuth discovery hint
     const protocol = req.headers['x-forwarded-proto'] || req.protocol || 'https';
     const host = req.headers['x-forwarded-host'] || req.headers.host || '';
@@ -321,8 +321,8 @@ async function handleMcpProtocol(req, res, options) {
  * Validate a key against the configured backendManagerKey.
  * Returns false if either the key or the config key is empty/missing.
  */
-function isValidKey(key, Manager) {
-  const configKey = Manager.config?.backendManagerKey;
+function isValidKey(key) {
+  const configKey = process.env.BACKEND_MANAGER_KEY || '';
   return !!key && !!configKey && key === configKey;
 }