backend-manager 5.0.185 → 5.0.187

package/CHANGELOG.md

@@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+# [5.0.186] - 2026-04-01
+### Fixed
+- Move markdown rendering and UTM link tagging to run after `_.merge()` so caller overrides to `body.message` and `email.body` are properly processed
+
 # [5.0.185] - 2026-04-01
 ### Changed
 - Use `_.merge` for dynamic template data so callers can override any nested field (e.g. `email.preview`, `personalization.name`, `data.body.*`)

package/CLAUDE.md

@@ -207,6 +207,58 @@ require(functionsDir + '/node_modules/backend-manager')
 ### Prefer fs-jetpack
 Use `fs-jetpack` over `fs` or `fs-extra` for file operations.
 
+## Sanitization (XSS Prevention)
+
+BEM automatically sanitizes all incoming request data — stripping HTML tags and trimming whitespace from every string field. This happens in the middleware pipeline before route handlers execute, so **routes receive clean data by default**.
+
+### How It Works
+1. **Schema fields**: Sanitized per-field during the middleware pipeline. Fields can opt out with `sanitize: false` in the schema.
+2. **Non-schema fields** (when `setupSettings: false` or `includeNonSchemaSettings: true`): All strings are sanitized with no opt-out.
+3. The middleware uses `Manager.Utilities().sanitize()` under the hood.
+
+### Schema Opt-Out
+For fields that legitimately need HTML (rich text, email templates, etc.), set `sanitize: false` in the schema:
+```javascript
+// This field will NOT be sanitized — raw HTML is preserved
+htmlContent: {
+  types: ['string'],
+  default: '',
+  sanitize: false,
+},
+// This field IS sanitized (default behavior, no flag needed)
+name: {
+  types: ['string'],
+  default: '',
+},
+```
+
+### Route-Level Opt-Out
+Disable sanitization entirely for a route (rare — only for routes that handle raw HTML everywhere):
+```javascript
+// In functions/index.js
+Manager.Middleware(req, res).run('my-route', { sanitize: false });
+```
+
+### Manual Sanitization (Outside Middleware)
+For cron jobs, event handlers, or anywhere outside the request pipeline, use `utilities.sanitize()` directly:
+```javascript
+// Available in route context
+const clean = utilities.sanitize(untrustedData);
+
+// Or via Manager
+const clean = Manager.Utilities().sanitize(untrustedData);
+```
+Accepts any data type — strings, objects, arrays, primitives. Walks objects/arrays recursively, strips HTML from strings, passes everything else through unchanged.
+
+### Route Handler Context
+The middleware injects these into every route handler:
+```javascript
+module.exports = async ({ Manager, assistant, analytics, usage, user, settings, libraries, utilities }) => {
+  // settings    — already sanitized by middleware
+  // utilities   — Manager.Utilities() instance for manual sanitization
+};
+```
+
 ## Creating New Components
 
 ### New API Command

package/TODO-2.md

@@ -10,10 +10,26 @@ payments/reactivate
 payments/upgrade
   * takes a subscription id and a new plan id and upgrades the user's subscription to the new plan. this can only be done if the user has an active subscription.
 
+I'd call that cancellation-reversed — it pairs naturally with the existing cancellation-requested transition and clearly communicates the action (they reversed/undid the pending cancellation).
+
+on the email we send, for payment recovered what is the category
+Let me check the handler.
+
+Read payment-recovered.js
+The category is order/payment-recovered (line 13).
+
+TODO-2.md
+waht about when they request a cancel
+Read cancellation-requested.js
+The category is order/cancellation-requested (line 13).
+
 ---
 GHOSTII REVAMP
 * better logic for generating posts. better model? claude?
 
+---- MCP
+* ability for consuming prjec to specify MCP functions
+
 -------
 UPSELL
 * products in BEM can have an UPSELL where you link another product ID and it allows you to add it to your cart OR shows you after checkout?

package/TODO-email-auth.md

@@ -0,0 +1,14 @@
+https://github.com/disposable-email-domains/disposable-email-domains?tab=readme-ov-file
+https://www.npmjs.com/package/disposable-domains
+https://github.com/tompec/disposable-email-domains
+
+Two repos:
+
+Repo	Domains	Approach
+disposable-email-domains/disposable-email-domains	5,359	Curated, conservative, high confidence
+ivolo/disposable-email-domains	121,569	Aggressive, aggregated from many sources, more false positives
+Our current list has 854 — so even the smaller curated list is 6x larger.
+
+For our use case (currently only used to skip marketing sync, not blocking signups), I'd recommend the 5,359 curated list — it's comprehensive enough without being overly aggressive. And if we ever do use it for blocking signups, the false positive risk is much lower.
+
+Want to swap to that one?

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.185",
+  "version": "5.0.187",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {
@@ -11,6 +11,7 @@
   },
   "scripts": {
     "start": "node src/manager/index.js",
+    "prepublishOnly": "node scripts/update-disposable-domains.js",
     "prepare": "node -e \"require('prepare-package')()\"",
     "prepare:watch": "node -e \"require('prepare-package/watch')()\""
   },
@@ -78,6 +79,7 @@
     "npm-api": "^1.0.1",
     "paypal-server-api": "^2.0.14",
     "pushid": "^1.0.0",
+    "sanitize-html": "^2.17.2",
     "shortid": "^2.2.17",
     "stripe": "^20.3.1",
     "uid-generator": "^2.0.0",

package/scripts/update-disposable-domains.js

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+
+/**
+ * Fetches the latest disposable email domain list from GitHub and saves it as JSON.
+ *
+ * Source: https://github.com/disposable-email-domains/disposable-email-domains
+ * (curated, ~5k domains, low false-positive rate)
+ *
+ * Run manually:   node scripts/update-disposable-domains.js
+ * Runs automatically on: npm prepublishOnly
+ */
+const fs = require('fs');
+const path = require('path');
+
+const SOURCE_URL = 'https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/main/disposable_email_blocklist.conf';
+const OUTPUT_PATH = path.join(__dirname, '..', 'src', 'manager', 'libraries', 'disposable-domains.json');
+
+async function main() {
+  console.log('Fetching disposable domain list...');
+
+  const response = await fetch(SOURCE_URL);
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch: ${response.status} ${response.statusText}`);
+  }
+
+  const text = await response.text();
+  const domains = text
+    .trim()
+    .split('\n')
+    .map(d => d.trim().toLowerCase())
+    .filter(Boolean);
+
+  const unique = [...new Set(domains)].sort();
+
+  fs.writeFileSync(OUTPUT_PATH, JSON.stringify(unique, null, 2) + '\n');
+
+  console.log(`Updated disposable-domains.json: ${unique.length} domains`);
+}
+
+main().catch((e) => {
+  console.error('Failed to update disposable domains:', e.message);
+  process.exit(1);
+});

package/src/manager/events/auth/before-create.js

@@ -1,10 +1,12 @@
-const ERROR_TOO_MANY_ATTEMPTS = 'You have created too many accounts with our service. Please try again later.';
+const { isDisposable } = require('../../libraries/email/validation.js');
+
+const ERROR_TOO_MANY_ATTEMPTS = 'Unable to create account at this time. Please try again later.';
+const ERROR_DISPOSABLE_EMAIL = 'This email domain is not allowed. Please use a different email address.';
 const MAX_SIGNUPS_PER_DAY = 2;
 
 /**
- * beforeUserCreated - IP Rate Limiting ONLY
+ * beforeUserCreated - Disposable email blocking + IP rate limiting
  *
- * This function ONLY handles IP rate limiting to prevent abuse.
  * User doc creation is handled by on-create.js (which fires for all user creations including Admin SDK).
  *
  * Why not create user doc here?
@@ -18,6 +20,13 @@ module.exports = async ({ Manager, assistant, user, context, libraries }) => {
 
   assistant.log(`beforeCreate: ${user.uid}`, { email: user.email, ip: ipAddress });
 
+  // Block disposable email domains
+  if (isDisposable(user.email)) {
+    assistant.error(`beforeCreate: Blocked disposable email ${user.email}`);
+
+    throw new functions.auth.HttpsError('invalid-argument', ERROR_DISPOSABLE_EMAIL);
+  }
+
   // Skip rate limiting if no IP (shouldn't happen in production)
   if (!ipAddress) {
     assistant.log(`beforeCreate: No IP address, skipping rate limit check (${Date.now() - startTime}ms)`);

package/src/manager/helpers/middleware.js

@@ -35,7 +35,7 @@ Middleware.prototype.run = function (libPath, options) {
     options.setupAnalytics = typeof options.setupAnalytics === 'boolean' ? options.setupAnalytics : true;
     options.setupUsage = typeof options.setupUsage === 'boolean' ? options.setupUsage : true;
     options.setupSettings = typeof options.setupSettings === 'undefined' ? true : options.setupSettings;
-    options.cleanSettings = typeof options.cleanSettings === 'undefined' ? true : options.cleanSettings;
+    options.sanitize = typeof options.sanitize === 'undefined' ? true : options.sanitize;
     options.includeNonSchemaSettings = typeof options.includeNonSchemaSettings === 'undefined' ? false : options.includeNonSchemaSettings;
     options.schema = typeof options.schema === 'undefined' ? libPath : options.schema;
     options.parseMultipartFormData = typeof options.parseMultipartFormData === 'undefined' ? true : options.parseMultipartFormData;
@@ -168,14 +168,6 @@ Middleware.prototype.run = function (libPath, options) {
         assistant.settings = merge(data, assistant.settings)
       }
 
-      // Clean settings by looping through and trimming all strings
-      if (options.cleanSettings) {
-        clean(assistant.settings);
-      }
-
-      // Log
-      assistant.log(`Middleware.process(): Resolved settings with schema=${options.schema}`, safeStringify(assistant.settings));
-
       // Log multipart files if they exist
       const files = assistant.request.multipartData.files || {};
       if (files) {
@@ -185,6 +177,19 @@ Middleware.prototype.run = function (libPath, options) {
       assistant.settings = data;
     }
 
+    // Sanitize settings — trim whitespace and strip HTML from all strings
+    // Respects sanitize: false on individual schema fields
+    if (options.sanitize) {
+      const schema = options.setupSettings ? Manager.Settings().schema : null;
+      const utilities = Manager.Utilities();
+
+      // Walk settings, skipping fields the schema marks as sanitize: false
+      assistant.settings = sanitizeWithSchema(utilities, assistant.settings, schema);
+    }
+
+    // Log
+    assistant.log(`Middleware.process(): Resolved settings with schema=${options.schema}`, safeStringify(assistant.settings));
+
     // Build context object for route handler
     const context = {
       Manager: Manager,
@@ -194,6 +199,7 @@ Middleware.prototype.run = function (libPath, options) {
       settings: assistant.settings,
       analytics: assistant.analytics,
       libraries: Manager.libraries,
+      utilities: Manager.Utilities(),
     };
 
     // Execute route handler
@@ -208,15 +214,29 @@ Middleware.prototype.run = function (libPath, options) {
   });
 };
 
-function clean(obj) {
-  for (let key in obj) {
-    if (typeof obj[key] === 'object') {
-      clean(obj[key]);
-    } else if (typeof obj[key] === 'string') {
-      obj[key] = obj[key]
-        .trim();
+function sanitizeWithSchema(utilities, obj, schema) {
+  // Not an object — sanitize directly
+  if (obj == null || typeof obj !== 'object') {
+    return utilities.sanitize(obj);
+  }
+
+  // Arrays — sanitize each item (no schema for array items)
+  if (Array.isArray(obj)) {
+    return obj.map(item => utilities.sanitize(item));
+  }
+
+  // Objects — walk keys, skip fields where schema says sanitize: false
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    const schemaNode = schema ? schema[key] : null;
+
+    if (schemaNode && schemaNode.sanitize === false) {
+      result[key] = value;
+    } else {
+      result[key] = sanitizeWithSchema(utilities, value, schemaNode);
     }
   }
+  return result;
 }
 
 function stripUrl(url) {

package/src/manager/helpers/settings.js

@@ -8,6 +8,7 @@ const powertools = require('node-powertools');
 const _ = require('lodash');
 const moment = require('moment');
 
+
 function Settings(m) {
   const self = this;
 
@@ -129,6 +130,7 @@ Settings.prototype.resolve = function (assistant, schema, settings, options) {
       available: typeof schemaNode.available === 'undefined' ? true : schemaNode.available,
       min: typeof schemaNode.min === 'undefined' ? undefined : schemaNode.min,
       max: typeof schemaNode.max === 'undefined' ? undefined : schemaNode.max,
+      sanitize: typeof schemaNode.sanitize === 'undefined' ? true : schemaNode.sanitize,
     }
 
     // Update schema

package/src/manager/helpers/utilities.js

@@ -1,5 +1,6 @@
 let nanoId;
 let _;
+let sanitizeHtml;
 
 function Utilities(Manager) {
   const self = this;
@@ -467,4 +468,43 @@ Utilities.prototype.get = function (docPath, options) {
   });
 };
 
+/**
+ * Sanitize input by stripping HTML tags and trimming strings.
+ * Accepts any data type — walks objects/arrays recursively.
+ *
+ * @param {*} input - The data to sanitize (string, object, array, or primitive)
+ * @returns {*} Sanitized copy (objects/arrays) or sanitized value (strings)
+ */
+Utilities.prototype.sanitize = function (input) {
+  // Handle null/undefined
+  if (input == null) {
+    return input;
+  }
+
+  // Handle strings
+  if (typeof input === 'string') {
+    sanitizeHtml = sanitizeHtml
+      ? sanitizeHtml
+      : require('sanitize-html');
+    return sanitizeHtml(input, { allowedTags: [], allowedAttributes: {} }).trim();
+  }
+
+  // Handle arrays
+  if (Array.isArray(input)) {
+    return input.map(item => this.sanitize(item));
+  }
+
+  // Handle objects
+  if (typeof input === 'object') {
+    const result = {};
+    for (const [key, value] of Object.entries(input)) {
+      result[key] = this.sanitize(value);
+    }
+    return result;
+  }
+
+  // Numbers, booleans, etc. — pass through
+  return input;
+};
+
 module.exports = Utilities;

package/src/manager/libraries/custom-disposable-domains.json

@@ -0,0 +1,12 @@
+[
+  "10mail.info",
+  "mail2me.co",
+  "maximail.fyi",
+  "maximail.vip",
+  "mimimail.me",
+  "minitts.net",
+  "pickmail.org",
+  "pickmemail.com",
+  "picomail.biz",
+  "sharebot.net"
+]