backend-manager 5.1.2 → 5.2.0

package/test/routes/marketing/email-preferences.js

@@ -1,9 +1,15 @@
 /**
  * Test: POST /marketing/email-preferences
- * Tests the email preferences endpoint for unsubscribe/resubscribe via SendGrid ASM
  *
- * Set TEST_EXTENDED_MODE=true to run tests against real SendGrid ASM API
- * (requires SENDGRID_API_KEY env var)
+ * Two modes:
+ * - Anonymous HMAC: from email-footer unsubscribe link. Requires email + asmId + sig.
+ *   Hits SendGrid ASM and (NEW) mirrors to user doc if email maps to a user.
+ * - Authenticated: from account-page toggle. Requires only `action`.
+ *   Writes consent.marketing to user doc with source='account' and hits SendGrid + Beehiiv
+ *   via the email library.
+ *
+ * Set TEST_EXTENDED_MODE=true to hit real SendGrid + Beehiiv. Otherwise provider calls
+ * are skipped but user-doc mutations still happen.
  */
 const crypto = require('crypto');
 
@@ -15,201 +21,271 @@ function generateSig(email) {
 }
 
 module.exports = {
-  description: 'Marketing email-preferences (POST unsubscribe/resubscribe)',
+  description: 'Marketing email-preferences (anonymous HMAC + authenticated)',
   type: 'group',
   tests: [
-    // Test 1: Successful unsubscribe with valid sig
+    // ─── Anonymous HMAC flow ───
+
     {
-      name: 'unsubscribe-valid-sig-succeeds',
+      name: 'anon-unsubscribe-valid-sig-succeeds',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isSuccess(response, 'Unsubscribe with valid sig should succeed');
         assert.propertyEquals(response, 'data.success', true, 'success should be true');
       },
     },
 
-    // Test 2: Successful resubscribe with valid sig
     {
-      name: 'resubscribe-valid-sig-succeeds',
+      name: 'anon-subscribe-valid-sig-succeeds',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
-          action: 'resubscribe',
-          sig: sig,
+          action: 'subscribe',
+          sig,
         });
-
-        assert.isSuccess(response, 'Resubscribe with valid sig should succeed');
+        assert.isSuccess(response, 'Subscribe with valid sig should succeed');
         assert.propertyEquals(response, 'data.success', true, 'success should be true');
       },
     },
 
-    // Test 3: Invalid sig rejected
     {
-      name: 'invalid-sig-rejected',
+      name: 'anon-resubscribe-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
+        // Old 'resubscribe' action is no longer accepted — must use 'subscribe'
+        const sig = generateSig(TEST_EMAIL);
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
-          action: 'unsubscribe',
-          sig: 'invalid-signature-value',
+          action: 'resubscribe',
+          sig,
         });
-
-        assert.isError(response, 403, 'Invalid sig should return 403');
+        assert.isError(response, 400, 'Old "resubscribe" action should be rejected');
       },
     },
 
-    // Test 4: Missing sig rejected (schema requires it)
     {
-      name: 'missing-sig-rejected',
+      name: 'anon-invalid-sig-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
+          sig: 'invalid-signature-value',
         });
-
-        assert.isError(response, 400, 'Missing sig should return 400');
+        assert.isError(response, 403, 'Invalid sig should return 403');
       },
     },
 
-    // Test 5: Missing email rejected
     {
-      name: 'missing-email-rejected',
+      name: 'anon-missing-email-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const response = await http.post('marketing/email-preferences', {
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
           sig: 'anything',
         });
-
         assert.isError(response, 400, 'Missing email should return 400');
       },
     },
 
-    // Test 6: Invalid email format rejected
     {
-      name: 'invalid-email-rejected',
+      name: 'anon-invalid-email-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig('not-an-email');
-
         const response = await http.post('marketing/email-preferences', {
           email: 'not-an-email',
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 400, 'Invalid email format should return 400');
       },
     },
 
-    // Test 7: Missing asmId rejected
     {
-      name: 'missing-asmid-rejected',
+      name: 'anon-missing-asmid-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 400, 'Missing asmId should return 400');
       },
     },
 
-    // Test 8: Invalid action rejected
     {
-      name: 'invalid-action-rejected',
+      name: 'anon-invalid-action-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'delete',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 400, 'Invalid action should return 400');
       },
     },
 
-    // Test 9: Sig for different email rejected (proves per-email sig)
     {
-      name: 'wrong-email-sig-rejected',
+      name: 'anon-wrong-email-sig-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
-        // Generate sig for a different email
+        // sig generated for a different email — must not validate against TEST_EMAIL
         const sig = generateSig('someone-else@gmail.com');
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 403, 'Sig for different email should return 403');
       },
     },
 
-    // Test 10: Authenticated user also works (sig is checked regardless of auth)
+    // ─── Authenticated mode ───
+
+    {
+      name: 'auth-unsubscribe-writes-consent-and-records-source-account',
+      auth: 'basic',
+      timeout: 15000,
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+
+        const beforeMs = Date.now();
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'unsubscribe',
+        });
+        const afterMs = Date.now();
+
+        assert.isSuccess(response, `Authenticated unsubscribe should succeed: ${JSON.stringify(response, null, 2)}`);
+        assert.propertyEquals(response, 'data.success', true, 'success should be true');
+        assert.propertyEquals(response, 'data.action', 'unsubscribe', 'action echoed in response');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'consent.marketing.status should be revoked');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'account', 'revokedAt.source should be account');
+        assert.ok(userDoc?.consent?.marketing?.revokedAt?.timestamp, 'revokedAt.timestamp should be set');
+        assert.equal(typeof userDoc?.consent?.marketing?.revokedAt?.timestampUNIX, 'number', 'revokedAt.timestampUNIX should be number');
+
+        // Server time used (defense against clock manipulation).
+        // Server uses Math.round, so the stamped value can be 1 second past Math.floor(afterMs/1000)
+        // when the request takes >500ms. Use Math.round on the upper bound + a small fudge.
+        const revokedUNIX = userDoc.consent.marketing.revokedAt.timestampUNIX;
+        const beforeUNIX = Math.floor(beforeMs / 1000);
+        const afterUNIX = Math.round(afterMs / 1000) + 1;
+        assert.ok(
+          revokedUNIX >= beforeUNIX && revokedUNIX <= afterUNIX,
+          `revokedAt.timestampUNIX (${revokedUNIX}) should be server time, between ${beforeUNIX} and ${afterUNIX}`
+        );
+      },
+    },
+
     {
-      name: 'authenticated-user-with-valid-sig-succeeds',
-      auth: 'user',
+      name: 'auth-subscribe-after-unsubscribe-flips-status-keeps-prior-revokedAt',
+      auth: 'basic',
       timeout: 15000,
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+
+        // Capture revokedAt from the previous test
+        const beforeDoc = await firestore.get(`users/${uid}`);
+        const priorRevokedAt = beforeDoc?.consent?.marketing?.revokedAt;
+        assert.ok(priorRevokedAt?.timestamp, 'Prior test should have left a revokedAt timestamp');
+
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'subscribe',
+        });
+
+        assert.isSuccess(response, `Authenticated subscribe should succeed: ${JSON.stringify(response, null, 2)}`);
 
+        const userDoc = await firestore.get(`users/${uid}`);
+
+        // status flips
+        assert.equal(userDoc?.consent?.marketing?.status, 'granted', 'status should flip to granted');
+
+        // grantedAt populated with new server time + source=account
+        assert.equal(userDoc?.consent?.marketing?.grantedAt?.source, 'account', 'grantedAt.source should be account');
+        assert.ok(userDoc?.consent?.marketing?.grantedAt?.timestamp, 'grantedAt.timestamp should be set');
+
+        // revokedAt UNTOUCHED — still reflects the most recent revoke
+        assert.equal(
+          userDoc?.consent?.marketing?.revokedAt?.timestamp,
+          priorRevokedAt.timestamp,
+          'revokedAt.timestamp should be preserved from prior revoke'
+        );
+        assert.equal(
+          userDoc?.consent?.marketing?.revokedAt?.source,
+          priorRevokedAt.source,
+          'revokedAt.source should be preserved from prior revoke'
+        );
+      },
+    },
+
+    {
+      name: 'auth-invalid-action-rejected',
+      auth: 'basic',
+      timeout: 15000,
       async run({ http, assert }) {
-        const sig = generateSig(TEST_EMAIL);
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'delete',
+        });
+        assert.isError(response, 400, 'Invalid action should return 400');
+      },
+    },
 
+    {
+      name: 'auth-opt-in-old-name-rejected',
+      auth: 'basic',
+      timeout: 15000,
+      async run({ http, assert }) {
+        // Old proposed 'opt-in' is NOT accepted — must use 'subscribe'
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'opt-in',
+        });
+        assert.isError(response, 400, 'Old "opt-in" name should be rejected (use "subscribe")');
+      },
+    },
+
+    {
+      name: 'unauthenticated-without-sig-rejected',
+      auth: 'none',
+      timeout: 15000,
+      async run({ http, assert }) {
+        // Unauthenticated + no sig → email field is required for HMAC path → 400.
+        // (No auth means we hit the anonymous path; no email/asmId means missing-required.)
         const response = await http.post('marketing/email-preferences', {
-          email: TEST_EMAIL,
-          asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
         });
-
-        assert.isSuccess(response, 'Authenticated user with valid sig should succeed');
-        assert.propertyEquals(response, 'data.success', true, 'success should be true');
+        assert.isError(response, 400, 'Unauthenticated request without HMAC fields should 400');
       },
     },
   ],

package/test/routes/marketing/webhook-forward.js

@@ -0,0 +1,54 @@
+/**
+ * Test: POST /marketing/webhook/forward (parent forwarder)
+ *
+ * This route is gated to only work when Manager.config.parent === 'self'.
+ * Most test runs happen on a CHILD brand (e.g. Somiibo's backend-manager-config.json
+ * has `parent: 'https://api.itwcreativeworks.com'`), so the route should return 404.
+ *
+ * The actual fan-out behavior (reading brands collection, derive API URLs,
+ * POST to each child) is verified by unit-style tests in test/helpers/webhook-forward.js
+ * which exercise the forwarder logic against a mock admin + mock fetch — no emulator
+ * round-trip required.
+ *
+ * This file only verifies the GATE: on a non-parent BEM, the route is invisible.
+ */
+module.exports = {
+  description: 'Marketing webhook forwarder gating (parent-only)',
+  type: 'group',
+  timeout: 15000,
+
+  tests: [
+    {
+      name: 'forwarder-returns-404-on-non-parent-brand',
+      auth: 'none',
+      async run({ http, assert, config }) {
+        // Sanity check: this brand should NOT be configured as the parent
+        assert.ok(
+          config.parent && config.parent !== 'self',
+          `Test brand should have config.parent set to a URL (got: ${config.parent})`
+        );
+
+        const response = await http.as('none').post(
+          `marketing/webhook/forward?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [{ sg_event_id: 'should-not-process', event: 'group_unsubscribe', email: 'test@example.com' }]
+        );
+
+        assert.isError(response, 404, 'Forwarder should be invisible (404) on non-parent BEMs');
+      },
+    },
+
+    {
+      name: 'forwarder-returns-404-even-with-valid-key',
+      auth: 'none',
+      async run({ http, assert }) {
+        // A valid key shouldn't unlock the forwarder — gate is on config.parent, not key.
+        const response = await http.as('none').post(
+          `marketing/webhook/forward?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          { id: 'should-not-process', event: 'subscription.unsubscribed', email: 'test@example.com' }
+        );
+
+        assert.isError(response, 404, 'Even with valid key, non-parent returns 404');
+      },
+    },
+  ],
+};