backend-manager 5.0.87 → 5.0.88

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "backend-manager",
-  "version": "5.0.87",
+  "version": "5.0.88",
   "description": "Quick tools for developing Firebase functions",
   "main": "src/manager/index.js",
   "bin": {

package/src/manager/events/firestore/payments-webhooks/on-write.js

@@ -68,14 +68,15 @@ module.exports = async ({ Manager, assistant, change, context, libraries }) => {
     // Build timestamps
     const now = powertools.timestamp(new Date(), { output: 'string' });
     const nowUNIX = powertools.timestamp(now, { output: 'unix' });
+    const webhookReceivedUNIX = dataAfter.metadata?.received?.timestampUNIX || nowUNIX;
 
     // Branch on category
     let transitionName = null;
 
     if (category === 'subscription') {
-      transitionName = await processSubscription({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, admin, assistant, Manager });
+      transitionName = await processSubscription({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, webhookReceivedUNIX, admin, assistant, Manager });
     } else if (category === 'one-time') {
-      transitionName = await processOneTime({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, admin, assistant, Manager });
+      transitionName = await processOneTime({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, webhookReceivedUNIX, admin, assistant, Manager });
     } else {
       throw new Error(`Unknown event category: ${category}`);
     }
@@ -112,7 +113,19 @@ module.exports = async ({ Manager, assistant, change, context, libraries }) => {
  * 3. Detect and dispatch transition handlers (non-blocking)
  * 4. Write to user doc + payments-subscriptions
  */
-async function processSubscription({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, admin, assistant, Manager }) {
+async function processSubscription({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, webhookReceivedUNIX, admin, assistant, Manager }) {
+  // Staleness check: skip if a newer webhook already wrote to this resource
+  if (resourceId) {
+    const existingDoc = await admin.firestore().doc(`payments-subscriptions/${resourceId}`).get();
+    if (existingDoc.exists) {
+      const existingUpdatedUNIX = existingDoc.data()?.metadata?.updated?.timestampUNIX || 0;
+      if (webhookReceivedUNIX < existingUpdatedUNIX) {
+        assistant.log(`Stale webhook ${eventId}: received=${webhookReceivedUNIX}, existing updated=${existingUpdatedUNIX}, skipping`);
+        return null;
+      }
+    }
+  }
+
   // Read current user doc BEFORE writing (for transition detection)
   const userDoc = await admin.firestore().doc(`users/${uid}`).get();
   const userData = userDoc.exists ? userDoc.data() : {};
@@ -191,7 +204,19 @@ async function processSubscription({ library, resource, uid, processor, eventTyp
  * 2. Detect and dispatch transition handlers (non-blocking)
  * 3. Write to payments-one-time
  */
-async function processOneTime({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, admin, assistant, Manager }) {
+async function processOneTime({ library, resource, uid, processor, eventType, eventId, resourceId, now, nowUNIX, webhookReceivedUNIX, admin, assistant, Manager }) {
+  // Staleness check: skip if a newer webhook already wrote to this resource
+  if (resourceId) {
+    const existingDoc = await admin.firestore().doc(`payments-one-time/${resourceId}`).get();
+    if (existingDoc.exists) {
+      const existingUpdatedUNIX = existingDoc.data()?.metadata?.updated?.timestampUNIX || 0;
+      if (webhookReceivedUNIX < existingUpdatedUNIX) {
+        assistant.log(`Stale webhook ${eventId}: received=${webhookReceivedUNIX}, existing updated=${existingUpdatedUNIX}, skipping`);
+        return null;
+      }
+    }
+  }
+
   const unified = library.toUnifiedOneTime(resource, {
     config: Manager.config,
     eventName: eventType,

package/src/manager/functions/core/actions/api/user/oauth2.js

@@ -25,14 +25,10 @@ Module.prototype.main = function () {
     Api.resolveUser({adminRequired: true})
     .then(async (user) => {
 
-      self.ultimateJekyllOAuth2Url = assistant.isDevelopment()
-        ? `https://localhost:4000/oauth2`
-        : `${Manager.config.brand.url}/oauth2`
+      self.ultimateJekyllOAuth2Url = `${Manager.project.websiteUrl}/oauth2`
       self.oauth2 = null;
       self.omittedPayloadFields = ['redirect', 'referrer', 'provider', 'state'];
 
-      // self.ultimateJekyllOAuth2Url = `${Manager.config.brand.url}/oauth2`;
-
       // Options
       // payload.data.payload.uid = payload.data.payload.uid;
       payload.data.payload.redirect = typeof payload.data.payload.redirect === 'undefined'
@@ -40,7 +36,7 @@ Module.prototype.main = function () {
         : payload.data.payload.redirect
 
       payload.data.payload.referrer = typeof payload.data.payload.referrer === 'undefined'
-        ? (assistant.isDevelopment() ? `https://localhost:4000/account` : `${Manager.config.brand.url}/account`)
+        ? `${Manager.project.websiteUrl}/account`
         : payload.data.payload.referrer
 
       payload.data.payload.serverUrl = typeof payload.data.payload.serverUrl === 'undefined'

package/src/manager/index.js

@@ -178,12 +178,20 @@ Manager.prototype.init = function (exporter, options) {
     ? 'http://localhost:5002'
     : `https://api.${(self.config.brand?.url || '').replace(/^https?:\/\//, '')}`;
 
+  // Set website URL
+  // Development: https://localhost:4000 (local hosting)
+  // Production: https://{domain} (from brand.url)
+  self.project.websiteUrl = self.assistant.isDevelopment()
+    ? 'https://localhost:4000'
+    : self.config.brand?.url || '';
+
   // Set environment
   process.env.ENVIRONMENT = process.env.ENVIRONMENT || self.assistant.meta.environment;
 
   // Set BEM env variables
   process.env.BEM_FUNCTIONS_URL = self.project.functionsUrl;
   process.env.BEM_API_URL = self.project.apiUrl;
+  process.env.BEM_WEBSITE_URL = self.project.websiteUrl;
 
   // Use the working Firebase logger that they disabled for whatever reason
   if (

package/src/manager/libraries/payment-processors/stripe.js

@@ -29,29 +29,39 @@ const Stripe = {
 
   /**
    * Fetch the latest resource from Stripe's API
+   * Falls back to the raw webhook payload if the API call fails
    *
    * @param {string} resourceType - 'subscription' | 'invoice' | 'session'
    * @param {string} resourceId - Stripe resource ID
-   * @param {object} rawFallback - Fallback data from webhook payload (unused for Stripe — fetches live)
-   * @param {object} context - Additional context (e.g., { admin }) — unused for Stripe
+   * @param {object} rawFallback - Fallback data from webhook payload
+   * @param {object} context - Additional context (e.g., { admin })
    * @returns {object} Full Stripe resource object
    */
   async fetchResource(resourceType, resourceId, rawFallback, context) {
     const stripe = this.init();
 
-    if (resourceType === 'subscription') {
-      return stripe.subscriptions.retrieve(resourceId);
-    }
+    try {
+      if (resourceType === 'subscription') {
+        return await stripe.subscriptions.retrieve(resourceId);
+      }
 
-    if (resourceType === 'invoice') {
-      return stripe.invoices.retrieve(resourceId);
-    }
+      if (resourceType === 'invoice') {
+        return await stripe.invoices.retrieve(resourceId);
+      }
 
-    if (resourceType === 'session') {
-      return stripe.checkout.sessions.retrieve(resourceId);
-    }
+      if (resourceType === 'session') {
+        return await stripe.checkout.sessions.retrieve(resourceId);
+      }
+
+      throw new Error(`Unknown resource type: ${resourceType}`);
+    } catch (e) {
+      // If the API call fails but we have raw webhook data, use it
+      if (rawFallback && Object.keys(rawFallback).length > 0) {
+        return rawFallback;
+      }
 
-    throw new Error(`Unknown resource type: ${resourceType}`);
+      throw e;
+    }
   },
 
   /**

package/src/manager/routes/handler/post/post.js

@@ -110,7 +110,7 @@ module.exports = async ({ assistant, Manager, user, settings, analytics }) => {
         notification: {
           title: settings.title,
           body: `"${settings.title}" was just published on our blog. It's a great read and we think you'll enjoy the content!`,
-          click_action: `${Manager.config.brand.url}/blog`,
+          click_action: `${Manager.project.websiteUrl}/blog`,
           icon: Manager.config.brand.images.brandmark,
         }
       },

package/src/manager/routes/payments/intent/processors/stripe.js

@@ -44,13 +44,12 @@ module.exports = {
     assistant?.log(`Stripe checkout: type=${productType}, priceId=${priceId}, uid=${uid}, customerId=${customer.id}, trial=${trial}, trialDays=${product.trial?.days || 'none'}`);
 
     // Build confirmation redirect URL
-    const baseUrl = config.brand?.url;
+    const baseUrl = Manager.project.websiteUrl;
     const amount = productType === 'subscription'
       ? (product.prices?.[frequency]?.amount || 0)
       : (product.prices?.once?.amount || 0);
 
-    const confirmationUrl = new URL('/payment/confirmation', baseUrl);
-    confirmationUrl.searchParams.set('orderId', '{CHECKOUT_SESSION_ID}');
+    let confirmationUrl = new URL('/payment/confirmation', baseUrl);
     confirmationUrl.searchParams.set('productId', productId);
     confirmationUrl.searchParams.set('productName', product.name || productId);
     confirmationUrl.searchParams.set('amount', trial && product.trial?.days ? '0' : String(amount));
@@ -59,13 +58,17 @@ module.exports = {
     confirmationUrl.searchParams.set('paymentMethod', 'stripe');
     confirmationUrl.searchParams.set('trial', String(!!trial && !!product.trial?.days));
     confirmationUrl.searchParams.set('track', 'true');
+    // Append orderId as raw string — Stripe replaces {CHECKOUT_SESSION_ID} at redirect
+    // time, but only if the braces are NOT URL-encoded
+    confirmationUrl = `${confirmationUrl.toString()}&orderId={CHECKOUT_SESSION_ID}`;
 
-    const cancelUrl = new URL('/payment/checkout', baseUrl);
+    let cancelUrl = new URL('/payment/checkout', baseUrl);
     cancelUrl.searchParams.set('product', productId);
     if (frequency) {
       cancelUrl.searchParams.set('frequency', frequency);
     }
     cancelUrl.searchParams.set('payment', 'cancelled');
+    cancelUrl = cancelUrl.toString();
 
     // Build session params based on product type
     let sessionParams;
@@ -105,8 +108,8 @@ function buildSubscriptionSession({ priceId, customer, uid, productId, frequency
         uid: uid,
       },
     },
-    success_url: confirmationUrl.toString(),
-    cancel_url: cancelUrl.toString(),
+    success_url: confirmationUrl,
+    cancel_url: cancelUrl,
     metadata: {
       uid: uid,
       productId: productId,
@@ -138,8 +141,8 @@ function buildOneTimeSession({ priceId, customer, uid, productId, product, confi
         uid: uid,
       },
     },
-    success_url: confirmationUrl.toString(),
-    cancel_url: cancelUrl.toString(),
+    success_url: confirmationUrl,
+    cancel_url: cancelUrl,
     metadata: {
       uid: uid,
       productId: productId,

package/src/manager/routes/user/oauth2/_helpers.js

@@ -43,9 +43,7 @@ async function buildContext({ assistant, Manager, user, settings, libraries, req
   }
 
   // Build redirect URI
-  const redirectUri = assistant.isDevelopment()
-    ? 'https://localhost:4000/oauth2'
-    : `${Manager.config.brand.url}/oauth2`;
+  const redirectUri = `${Manager.project.websiteUrl}/oauth2`;
 
   // If provider not required (e.g., tokenize gets it from encrypted state), skip loading
   if (!requireProvider) {

package/src/manager/routes/user/oauth2/post.js

@@ -52,9 +52,7 @@ async function processTokenize({ assistant, Manager, admin, settings }) {
   }
 
   // Build redirect URI
-  const redirectUri = assistant.isDevelopment()
-    ? 'https://localhost:4000/oauth2'
-    : `${Manager.config.brand.url}/oauth2`;
+  const redirectUri = `${Manager.project.websiteUrl}/oauth2`;
 
   // Decrypt and validate state
   let stateData;