npm - backend-manager - Versions diffs - 5.0.197 → 5.0.199 - Mend

backend-manager 5.0.197 → 5.0.199

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -14,6 +14,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
+# [5.0.199] - 2026-04-23
+### Fixed
+- Storage helper (`Manager.storage().get()` / `.set()`) was referencing `_.get` and `_.set` without a lodash namespace import — lodash is destructured at the top of the file, so `_` was undefined and every call crashed. Destructured `get` and `set` (aliased as `_get` / `_set`) and updated both call sites.
+# [5.0.198] - 2026-04-10
+### Security
+- Added Stripe idempotency keys on all Stripe write operations to prevent duplicate charges, refunds, customers, and coupons from webhook retries, concurrent requests, or user double-clicks. Keys are scoped to stable resource identifiers and Stripe caches responses for 24 hours.
+  - `bem-dispute-refund-{chargeId}` on auto-refunds from dispute alert Firestore triggers
+  - `bem-customer-create-{uid}` on Stripe customer creation
+  - `bem-coupon-{couponId}` on coupon creation in the intent route
+  - `bem-refund-{resourceId}` on manual subscription refunds
 # [5.0.197] - 2026-04-10
 ### Added
 - `--retry=N` flag on `npx mgr setup` — re-runs the full setup sequence up to N times, stopping early as soon as all checks pass. Useful for test cases that only succeed after a prior run creates fixtures or indexes propagate.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.197",
+  "version": "5.0.199",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/manager/events/firestore/payments-disputes/processors/stripe.js CHANGED Viewed

@@ -121,9 +121,14 @@ async function processDispute(match, alert, assistant) {
   // Issue full refund
   if (match.chargeId) {
     try {
+      // Idempotency key scoped to the charge prevents double-refund when the
+      // Firestore trigger fires more than once (retries, re-delivered webhooks,
+      // etc.). Stripe caches the response for 24 hours.
       const refund = await stripe.refunds.create({
         charge: match.chargeId,
         amount: amountCents,
+      }, {
+        idempotencyKey: `bem-dispute-refund-${match.chargeId}`,
       });
       result.refundId = refund.id;

package/src/manager/index.js CHANGED Viewed

@@ -1,6 +1,6 @@
 // Libraries
 const path = require('path');
-const { mergeWith, isArray } = require('lodash');
+const { mergeWith, isArray, get: _get, set: _set } = require('lodash');
 const jetpack = require('fs-jetpack');
 const JSON5 = require('json5');
 const EventEmitter = require('events');
@@ -657,10 +657,10 @@ Manager.prototype.storage = function (options) {
         _db: db,
         _location: location,
         get(path, defaultValue) {
-          const result = _.get(db.data, path, defaultValue);
+          const result = _get(db.data, path, defaultValue);
           return { value() { return result; } };
         },
-        set(path, value) { _.set(db.data, path, value); return this; },
+        set(path, value) { _set(db.data, path, value); return this; },
         write() { db.write(); return this; },
         getState() { return db.data; },
         setState(data) { db.data = data; return this; },

package/src/manager/libraries/disposable-domains.json CHANGED Viewed

@@ -214,6 +214,7 @@
   "a45.in",
   "a7996.com",
   "aa5zy64.com",
+  "aachendate.de",
   "aakk.link",
   "aakkmail.com",
   "aaqwe.ru",
@@ -670,6 +671,7 @@
   "bltiwd.com",
   "bluedumpling.info",
   "bluewerks.com",
+  "bmoar.com",
   "bnote.com",
   "boatmail.us",
   "bobgf.ru",
@@ -711,6 +713,7 @@
   "boxomail.live",
   "boxtemp.com.br",
   "boyaga.com",
+  "bpotogo.com",
   "bptfp.net",
   "brand-app.biz",
   "brandallday.net",
@@ -784,6 +787,7 @@
   "cafesui.com",
   "caftee.com",
   "calendro.fr.nf",
+  "california.edu.pl",
   "californiafitnessdeals.com",
   "calima.asso.st",
   "cam4you.cc",
@@ -853,6 +857,7 @@
   "chaocosen.com",
   "chapsmail.com",
   "chasefreedomactivate.com",
+  "chatgptmail.shop",
   "chatgptuk.pp.ua",
   "chatich.com",
   "chatworkstation.com",
@@ -887,6 +892,7 @@
   "chuan.info",
   "chumpstakingdumps.com",
   "cigar-auctions.com",
+  "cimario.com",
   "citmo.net",
   "civikli.com",
   "civx.org",
@@ -971,6 +977,7 @@
   "consumerriot.com",
   "contaco.org",
   "contact.infos.st",
+  "contactbox.work",
   "contbay.com",
   "cood.food",
   "cooh-2.site",
@@ -980,6 +987,7 @@
   "copyhome.win",
   "coreclip.com",
   "corhash.net",
+  "cosdas.com",
   "cosmorph.com",
   "cosoinan.com",
   "cotasen.com",
@@ -1114,6 +1122,7 @@
   "delikkt.de",
   "delivrmail.com",
   "delorex.com",
+  "deltajohnsons.com",
   "deluxmail.com",
   "demen.ml",
   "dengekibunko.ga",
@@ -1148,6 +1157,8 @@
   "diemhenvn.com",
   "digdig.org",
   "digi-value.fr",
+  "digibeast.my",
+  "digibeast.store",
   "diginey.com",
   "digital-message.com",
   "digitalesbusiness.info",
@@ -1263,6 +1274,7 @@
   "dpmurt.my",
   "dpptd.com",
   "dr69.site",
+  "draughtier.com",
   "drdrb.com",
   "drdrb.net",
   "dreamclarify.org",
@@ -1313,6 +1325,7 @@
   "dv2.host",
   "dvdpit.com",
   "dwse.edu.pl",
+  "dwseal.com",
   "dyceroprojects.com",
   "dygovil.com",
   "dz17.net",
@@ -1321,6 +1334,7 @@
   "e-marketstore.ru",
   "e-pool.co.uk",
   "e-pool.uk",
+  "e-postkasten.de",
   "e-record.com",
   "e-tomarigi.com",
   "e3z.de",
@@ -1406,6 +1420,7 @@
   "emailaoa.pro",
   "emailate.com",
   "emailawb.pro",
+  "emailax.pro",
   "emailbbox.pro",
   "emailbin.net",
   "emailboxer.one",
@@ -1424,6 +1439,7 @@
   "emailgen.uk",
   "emailgenerator.de",
   "emailgo.de",
+  "emailhook.site",
   "emailias.com",
   "emailigo.de",
   "emailinfive.com",
@@ -1431,6 +1447,7 @@
   "emailkp.com",
   "emaillime.com",
   "emailmiser.com",
+  "emailmuaqat.shop",
   "emailna.co",
   "emailnator.com",
   "emailnax.com",
@@ -1508,6 +1525,7 @@
   "epb.ro",
   "epbox.ru",
   "epbox.store",
+  "epetsoft.com",
   "ephemail.net",
   "ephemeral.email",
   "eposta.buzz",
@@ -1629,6 +1647,7 @@
   "fansworldwide.de",
   "fantastu.com",
   "fantasymail.de",
+  "fanymail.com",
   "farah.rip",
   "farrse.co.uk",
   "fasssd.ru",
@@ -1696,6 +1715,7 @@
   "fingso.com",
   "fir.hk",
   "fira.my",
+  "firemail.com.br",
   "firemailbox.club",
   "firstlawyer.org",
   "fitnesrezink.ru",
@@ -1970,6 +1990,7 @@
   "go2usa.info",
   "go2vpn.net",
   "goatmail.uk",
+  "gob.re",
   "godfare.com",
   "goemailgo.com",
   "goeschman.com",
@@ -2154,6 +2175,7 @@
   "hook2ad.com",
   "hooooooo.store",
   "hopemail.biz",
+  "hopesx.com",
   "horizonspost.com",
   "hornyalwary.top",
   "host1s.com",
@@ -2220,6 +2242,7 @@
   "icmans.com",
   "iconmal.com",
   "icousd.com",
+  "icubik.com",
   "icx.in",
   "icx.ro",
   "icznn.com",
@@ -2418,6 +2441,7 @@
   "jasonbella.online",
   "javadmin.com",
   "javaemail.com",
+  "jbsze.com",
   "jcnorris.com",
   "jdmadventures.com",
   "jdz.ro",
@@ -2489,6 +2513,7 @@
   "kagi.be",
   "kakadua.net",
   "kakao-mail.com",
+  "kakator.com",
   "kakslsie.store",
   "kalapi.org",
   "kamen-market.ru",
@@ -2509,6 +2534,7 @@
   "kasmail.com",
   "kaspop.com",
   "katztube.com",
+  "kayilo.com",
   "kazelink.ml",
   "kbox.li",
   "kcoporation.com",
@@ -2966,6 +2992,7 @@
   "mailshell.com",
   "mailshiv.com",
   "mailshou.com",
+  "mailshun.com",
   "mailsiphon.com",
   "mailslapping.com",
   "mailslite.com",
@@ -3159,6 +3186,7 @@
   "moondyal.com",
   "moonfee.com",
   "moonwake.com",
+  "mooo.com",
   "moot.es",
   "moreawesomethanyou.com",
   "moreorcs.com",
@@ -3290,6 +3318,8 @@
   "nanonym.ch",
   "nanopools.info",
   "naobk.com",
+  "narsub.online",
+  "narsub.shop",
   "naslazhdai.ru",
   "nationalgardeningclub.com",
   "nautonk.com",
@@ -3300,6 +3330,7 @@
   "naxx.dev",
   "naylonksosmed.com",
   "naymedia.com",
+  "nazisat.com",
   "nbmbb.com",
   "nbzmr.com",
   "ncien.com",
@@ -3515,6 +3546,7 @@
   "onheb.com",
   "onionred.com",
   "onlatedotcom.info",
+  "onldm.net",
   "online.ms",
   "onlineidea.info",
   "onlyapp.net",
@@ -3596,6 +3628,7 @@
   "paplease.com",
   "para2019.ru",
   "parlimentpetitioner.tk",
+  "parsitv.com",
   "pastebitch.com",
   "pastryofistanbul.com",
   "patity.com",
@@ -3948,6 +3981,7 @@
   "rotaniliam.com",
   "rotomails.co.uk",
   "rotomails.com",
+  "route64.de",
   "routerboardvietnam.com",
   "rover.info",
   "rowdydow.com",
@@ -4031,6 +4065,7 @@
   "secure-mail.cc",
   "secured-link.net",
   "securehost.com.es",
+  "seduck.com",
   "seedspeed.site",
   "seekapps.com",
   "seekjobs4u.com",
@@ -4043,6 +4078,7 @@
   "send4.uk",
   "sendapp.uk",
   "sendfree.org",
+  "sendgrid.ovh",
   "sendingspecialflyers.com",
   "sendnow.win",
   "sendos.fr.nf",
@@ -4064,6 +4100,7 @@
   "sgm.ovh",
   "shadap.org",
   "shalar.net",
+  "sharebot.net",
   "sharedmailbox.org",
   "sharkfaces.com",
   "sharklasers.com",
@@ -4342,6 +4379,7 @@
   "storiqax.top",
   "storj99.com",
   "storj99.top",
+  "strayhood.org",
   "streetwisemail.com",
   "stromox.com",
   "stuckmail.com",
@@ -4423,6 +4461,7 @@
   "taxibmt.net",
   "tb-on-line.net",
   "tbgroupconsultants.com",
+  "tbr.fr.nf",
   "tcwlm.com",
   "tcwlx.com",
   "tdtda.com",
@@ -4502,6 +4541,7 @@
   "tempmailo.com",
   "tempmailr.com",
   "tempmails.net",
+  "tempmailto.com",
   "tempmailyo.org",
   "tempomail.fr",
   "tempomail.org",
@@ -4546,6 +4586,7 @@
   "the23app.com",
   "theaviors.com",
   "thebearshark.com",
+  "thebest73.shop",
   "thecarinformation.com",
   "thechildrensfocus.com",
   "thecity.biz",
@@ -4564,6 +4605,7 @@
   "thereddoors.online",
   "theroyalweb.club",
   "thescrappermovie.com",
+  "these.cc",
   "thespamfather.com",
   "theteastory.info",
   "thetechnext.net",
@@ -4841,6 +4883,7 @@
   "upphim.net",
   "upsnab.net",
   "urfunktion.se",
+  "urgentmail.ovh",
   "urhen.com",
   "uroid.com",
   "us.af",
@@ -4990,6 +5033,7 @@
   "voxelcore.com",
   "voxinh.net",
   "vpn.st",
+  "vpn64.de",
   "vpnseat.com",
   "vps30.com",
   "vps911.net",
@@ -4999,6 +5043,7 @@
   "vsimcard.com",
   "vsmailpro.com",
   "vssms.com",
+  "vtmpj.net",
   "vtxmail.us",
   "vubby.com",
   "vuiy.pw",
@@ -5231,6 +5276,7 @@
   "yarnpedia.ga",
   "ycare.de",
   "ycn.ro",
+  "ydns.eu",
   "ye.vc",
   "yecp.ru",
   "yecp.store",

package/src/manager/libraries/payment/processors/stripe.js CHANGED Viewed

@@ -206,6 +206,9 @@ const Stripe = {
     }
     // Create new customer
+    // Use an idempotency key scoped to the uid so concurrent creates (e.g. user
+    // double-clicks checkout) return the same customer instead of duplicates.
+    // Stripe caches the response under this key for 24 hours.
     const params = {
       metadata: { uid },
     };
@@ -214,7 +217,9 @@ const Stripe = {
       params.email = email;
     }
-    const customer = await stripe.customers.create(params);
+    const customer = await stripe.customers.create(params, {
+      idempotencyKey: `bem-customer-create-${uid}`,
+    });
     assistant.log(`Created new Stripe customer: ${customer.id}`);
     return customer;
   },

package/src/manager/routes/payments/intent/processors/stripe.js CHANGED Viewed

@@ -153,11 +153,16 @@ async function resolveStripeCoupon(stripe, discount, assistant) {
   }
   // Create the coupon
+  // Idempotency key uses the deterministic couponId so concurrent requests for
+  // the same discount code don't race each other into a duplicate-create error.
+  // Stripe returns the cached response for 24 hours.
   await stripe.coupons.create({
     id: couponId,
     percent_off: discount.percent,
     duration: 'once',
     name: `${discount.code} (${discount.percent}% off first payment)`,
+  }, {
+    idempotencyKey: `bem-coupon-${couponId}`,
   });
   assistant.log(`Stripe coupon created: ${couponId}`);

package/src/manager/routes/payments/refund/processors/stripe.js CHANGED Viewed

@@ -79,10 +79,16 @@ module.exports = {
       ? invoice.payment_intent
       : invoice.payment_intent.id;
+    // Idempotency key scoped to the subscription prevents double-refund from
+    // a user double-clicking the refund button. Stripe caches the response for
+    // 24 hours — any concurrent or repeated refund request for the same sub
+    // within that window returns the original refund instead of issuing a new one.
     const refund = await stripe.refunds.create({
       payment_intent: paymentIntentId,
       amount: refundAmount,
       reason: 'requested_by_customer',
+    }, {
+      idempotencyKey: `bem-refund-${resourceId}`,
     });
     assistant.log(`Stripe refund created: refundId=${refund.id}, amount=${refundAmount}, full=${isFullRefund}, uid=${uid}`);