backend-manager 5.1.4 → 5.2.1

package/test/routes/marketing/contact.js

@@ -6,11 +6,25 @@
  * (requires SENDGRID_API_KEY and BEEHIIV_API_KEY env vars)
  */
 
-// Test email patterns - look like real emails but +bem suffix identifies them for cleanup
-// Names should be inferred by AI from the email local part
+// Test email patterns - look like real emails but +bem suffix identifies them for cleanup.
+// Names should be inferred by AI from the email local part.
+//
+// Fixed test domain (`acme.com`) — deterministic across brands. Using the running brand's
+// domain caused cross-brand state divergence in SendGrid/Beehiiv and non-deterministic
+// company inference (different domain → different inferred company name).
+//
+// `valid`: use a name that won't be flagged as fictional/placeholder by the AI prompt.
+// (The infer-contact prompt rejects fictional names — e.g. "rachel.greene" sometimes
+// matches the Friends character and returns empty. Use a more anonymous name.)
+//
+// `invalid`: must reach the ZeroBounce mailbox check (so previous checks all pass — must
+// NOT start with "test"/"example" which are in BLOCKED_LOCAL_PATTERNS, NOT be on
+// a corporate/disposable domain). Real-looking name on a real domain with no actual
+// mailbox there is the safest pick.
+const TEST_DOMAIN = 'acme.com';
 const TEST_EMAILS = {
-  valid: (domain) => `rachel.greene+bem@${domain}`,  // Should infer: Rachel Greene
-  invalid: () => `test+bem@test.com`,                // Guaranteed to fail ZeroBounce (fake domain)
+  valid: () => `sarah.martinez+bem@${TEST_DOMAIN}`,         // Should infer: Sarah Martinez
+  invalid: () => `nonexistent.user+bem@${TEST_DOMAIN}`,     // No such mailbox — ZeroBounce should flag as invalid
 };
 
 module.exports = {
@@ -25,13 +39,18 @@ module.exports = {
       auth: 'admin',
       timeout: 30000,
 
-      async run({ http, assert, config, state }) {
-        const testEmail = TEST_EMAILS.valid(config.domain);
+      async run({ http, assert, state }) {
+        const testEmail = TEST_EMAILS.valid();
         state.testEmail = testEmail;
 
         const response = await http.post('marketing/contact', {
           email: testEmail,
           source: 'bem-test',
+          // skipValidation bypasses the ZeroBounce mailbox check — the test email
+          // (rachel.greene+bem@{brand}) doesn't have a real mailbox so ZeroBounce
+          // (correctly) marks it as not deliverable. We're testing the route flow,
+          // not the deliverability check itself.
+          skipValidation: true,
           // No firstName/lastName - should be inferred as "Rachel Greene"
         });
 
@@ -137,9 +156,9 @@ module.exports = {
       auth: 'admin',
       timeout: 30000,
 
-      async run({ http, assert, config, state }) {
+      async run({ http, assert, state }) {
         // Use valid email without providing name - should infer "Rachel Greene"
-        const testEmail = TEST_EMAILS.valid(config.domain);
+        const testEmail = TEST_EMAILS.valid();
         state.testEmail = testEmail;
 
         const response = await http.post('marketing/contact', {
@@ -218,8 +237,8 @@ module.exports = {
         ? 'TEST_EXTENDED_MODE or ZEROBOUNCE_API_KEY not set'
         : false,
 
-      async run({ http, assert, config, state, skip }) {
-        const testEmail = TEST_EMAILS.valid(config.domain);
+      async run({ http, assert, state, skip }) {
+        const testEmail = TEST_EMAILS.valid();
         state.testEmail = testEmail;
 
         const response = await http.post('marketing/contact', {
@@ -268,7 +287,8 @@ module.exports = {
         : false,
 
       async run({ http, assert, skip }) {
-        // Use fake email that mailbox verification should flag as invalid
+        // Email that should reach ZeroBounce and be flagged as undeliverable.
+        // Must NOT trip earlier checks (localPart blocklist, disposable, corporate).
         const testEmail = TEST_EMAILS.invalid();
 
         const response = await http.post('marketing/contact', {
@@ -276,17 +296,24 @@ module.exports = {
           source: 'bem-test',
         });
 
-        // Should still succeed (we fail open) but mailbox should report invalid
-        assert.isSuccess(response, 'Request should succeed even with invalid email');
-
+        // With no ZeroBounce credits the route fails-open and returns 200; with credits
+        // the route should EITHER succeed (200) and report invalid in checks, OR error
+        // (400) with "Email validation failed". Either is correct behavior — what we
+        // verify here is that mailbox check ran and didn't mark the email as `valid`.
         const mbResult = response.data?.validation?.checks?.mailbox;
 
-        // If out of credits, skip test - not a failure
-        if (mbResult?.error?.includes('out of credits')) {
+        // If credits are out, the test can't actually exercise rejection — skip.
+        if (mbResult?.error?.includes('out of credits') || mbResult?.error?.includes('Invalid API key')) {
           skip('Mailbox verification out of credits');
         }
 
-        // Mailbox should return a status indicating the email is not valid
+        // If the response was a 400, that's the legitimate rejection path — done.
+        if (response.status === 400) {
+          return;
+        }
+
+        // Otherwise expect a 200 with a non-"valid" mailbox status.
+        assert.isSuccess(response, 'Request should succeed (fail-open) or error 400');
         if (mbResult) {
           assert.hasProperty(mbResult, 'status', 'Should have status');
           assert.notEqual(mbResult.status, 'valid', 'Fake email should not be marked valid');
@@ -296,20 +323,27 @@ module.exports = {
 
     // --- Auth rejection tests ---
     {
-      name: 'add-unauthenticated-requires-recaptcha',
+      name: 'add-unauthenticated-rejected',
       auth: 'none',
       timeout: 15000,
-      skip: !process.env.TEST_EXTENDED_MODE && 'reCAPTCHA is skipped in test mode (TEST_EXTENDED_MODE not set)',
 
-      async run({ http, assert, config }) {
-        // Public request without reCAPTCHA should fail
+      async run({ http, assert }) {
+        // Public request without auth must be rejected. The exact rejection mechanism
+        // depends on environment:
+        //   - Production: missing reCAPTCHA token → 403
+        //   - Local emulator (BEM_TESTING=true): reCAPTCHA is bypassed, but unauthenticated
+        //     users hit the marketing-subscribe rate limit (quota 0/0) → 429
+        // Both are correct: the route protects itself from anonymous abuse. Accept either.
         const response = await http.post('marketing/contact', {
-          email: TEST_EMAILS.valid(config.domain),
+          email: TEST_EMAILS.valid(),
           source: 'bem-test',
         });
 
-        // Should fail with 403 because no reCAPTCHA token
-        assert.isError(response, 403, 'Public request without reCAPTCHA should fail');
+        assert.ok(!response.success, 'Public request should be rejected');
+        assert.ok(
+          response.status === 403 || response.status === 429,
+          `Expected 403 or 429 but got ${response.status}`
+        );
       },
     },
 
@@ -322,9 +356,9 @@ module.exports = {
       timeout: 30000,
       skip: !process.env.TEST_EXTENDED_MODE ? 'TEST_EXTENDED_MODE not set' : false,
 
-      async run({ http, assert, config }) {
+      async run({ http, assert }) {
         // Clean up the rachel.greene+bem test contact from marketing providers
-        const testEmail = TEST_EMAILS.valid(config.domain);
+        const testEmail = TEST_EMAILS.valid();
 
         const response = await http.delete('marketing/contact', {
           email: testEmail,

package/test/routes/marketing/email-preferences.js

@@ -1,9 +1,15 @@
 /**
  * Test: POST /marketing/email-preferences
- * Tests the email preferences endpoint for unsubscribe/resubscribe via SendGrid ASM
  *
- * Set TEST_EXTENDED_MODE=true to run tests against real SendGrid ASM API
- * (requires SENDGRID_API_KEY env var)
+ * Two modes:
+ * - Anonymous HMAC: from email-footer unsubscribe link. Requires email + asmId + sig.
+ *   Hits SendGrid ASM and (NEW) mirrors to user doc if email maps to a user.
+ * - Authenticated: from account-page toggle. Requires only `action`.
+ *   Writes consent.marketing to user doc with source='account' and hits SendGrid + Beehiiv
+ *   via the email library.
+ *
+ * Set TEST_EXTENDED_MODE=true to hit real SendGrid + Beehiiv. Otherwise provider calls
+ * are skipped but user-doc mutations still happen.
  */
 const crypto = require('crypto');
 
@@ -15,201 +21,271 @@ function generateSig(email) {
 }
 
 module.exports = {
-  description: 'Marketing email-preferences (POST unsubscribe/resubscribe)',
+  description: 'Marketing email-preferences (anonymous HMAC + authenticated)',
   type: 'group',
   tests: [
-    // Test 1: Successful unsubscribe with valid sig
+    // ─── Anonymous HMAC flow ───
+
     {
-      name: 'unsubscribe-valid-sig-succeeds',
+      name: 'anon-unsubscribe-valid-sig-succeeds',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isSuccess(response, 'Unsubscribe with valid sig should succeed');
         assert.propertyEquals(response, 'data.success', true, 'success should be true');
       },
     },
 
-    // Test 2: Successful resubscribe with valid sig
     {
-      name: 'resubscribe-valid-sig-succeeds',
+      name: 'anon-subscribe-valid-sig-succeeds',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
-          action: 'resubscribe',
-          sig: sig,
+          action: 'subscribe',
+          sig,
         });
-
-        assert.isSuccess(response, 'Resubscribe with valid sig should succeed');
+        assert.isSuccess(response, 'Subscribe with valid sig should succeed');
         assert.propertyEquals(response, 'data.success', true, 'success should be true');
       },
     },
 
-    // Test 3: Invalid sig rejected
     {
-      name: 'invalid-sig-rejected',
+      name: 'anon-resubscribe-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
+        // Old 'resubscribe' action is no longer accepted — must use 'subscribe'
+        const sig = generateSig(TEST_EMAIL);
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
-          action: 'unsubscribe',
-          sig: 'invalid-signature-value',
+          action: 'resubscribe',
+          sig,
         });
-
-        assert.isError(response, 403, 'Invalid sig should return 403');
+        assert.isError(response, 400, 'Old "resubscribe" action should be rejected');
       },
     },
 
-    // Test 4: Missing sig rejected (schema requires it)
     {
-      name: 'missing-sig-rejected',
+      name: 'anon-invalid-sig-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
+          sig: 'invalid-signature-value',
         });
-
-        assert.isError(response, 400, 'Missing sig should return 400');
+        assert.isError(response, 403, 'Invalid sig should return 403');
       },
     },
 
-    // Test 5: Missing email rejected
     {
-      name: 'missing-email-rejected',
+      name: 'anon-missing-email-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const response = await http.post('marketing/email-preferences', {
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
           sig: 'anything',
         });
-
         assert.isError(response, 400, 'Missing email should return 400');
       },
     },
 
-    // Test 6: Invalid email format rejected
     {
-      name: 'invalid-email-rejected',
+      name: 'anon-invalid-email-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig('not-an-email');
-
         const response = await http.post('marketing/email-preferences', {
           email: 'not-an-email',
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 400, 'Invalid email format should return 400');
       },
     },
 
-    // Test 7: Missing asmId rejected
     {
-      name: 'missing-asmid-rejected',
+      name: 'anon-missing-asmid-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 400, 'Missing asmId should return 400');
       },
     },
 
-    // Test 8: Invalid action rejected
     {
-      name: 'invalid-action-rejected',
+      name: 'anon-invalid-action-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
         const sig = generateSig(TEST_EMAIL);
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'delete',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 400, 'Invalid action should return 400');
       },
     },
 
-    // Test 9: Sig for different email rejected (proves per-email sig)
     {
-      name: 'wrong-email-sig-rejected',
+      name: 'anon-wrong-email-sig-rejected',
       auth: 'none',
       timeout: 15000,
-
       async run({ http, assert }) {
-        // Generate sig for a different email
+        // sig generated for a different email — must not validate against TEST_EMAIL
         const sig = generateSig('someone-else@gmail.com');
-
         const response = await http.post('marketing/email-preferences', {
           email: TEST_EMAIL,
           asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
+          sig,
         });
-
         assert.isError(response, 403, 'Sig for different email should return 403');
       },
     },
 
-    // Test 10: Authenticated user also works (sig is checked regardless of auth)
+    // ─── Authenticated mode ───
+
+    {
+      name: 'auth-unsubscribe-writes-consent-and-records-source-account',
+      auth: 'basic',
+      timeout: 15000,
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+
+        const beforeMs = Date.now();
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'unsubscribe',
+        });
+        const afterMs = Date.now();
+
+        assert.isSuccess(response, `Authenticated unsubscribe should succeed: ${JSON.stringify(response, null, 2)}`);
+        assert.propertyEquals(response, 'data.success', true, 'success should be true');
+        assert.propertyEquals(response, 'data.action', 'unsubscribe', 'action echoed in response');
+
+        const userDoc = await firestore.get(`users/${uid}`);
+
+        assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'consent.marketing.status should be revoked');
+        assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'account', 'revokedAt.source should be account');
+        assert.ok(userDoc?.consent?.marketing?.revokedAt?.timestamp, 'revokedAt.timestamp should be set');
+        assert.equal(typeof userDoc?.consent?.marketing?.revokedAt?.timestampUNIX, 'number', 'revokedAt.timestampUNIX should be number');
+
+        // Server time used (defense against clock manipulation).
+        // Server uses Math.round, so the stamped value can be 1 second past Math.floor(afterMs/1000)
+        // when the request takes >500ms. Use Math.round on the upper bound + a small fudge.
+        const revokedUNIX = userDoc.consent.marketing.revokedAt.timestampUNIX;
+        const beforeUNIX = Math.floor(beforeMs / 1000);
+        const afterUNIX = Math.round(afterMs / 1000) + 1;
+        assert.ok(
+          revokedUNIX >= beforeUNIX && revokedUNIX <= afterUNIX,
+          `revokedAt.timestampUNIX (${revokedUNIX}) should be server time, between ${beforeUNIX} and ${afterUNIX}`
+        );
+      },
+    },
+
     {
-      name: 'authenticated-user-with-valid-sig-succeeds',
-      auth: 'user',
+      name: 'auth-subscribe-after-unsubscribe-flips-status-keeps-prior-revokedAt',
+      auth: 'basic',
       timeout: 15000,
+      async run({ http, firestore, assert, accounts }) {
+        const uid = accounts.basic.uid;
+
+        // Capture revokedAt from the previous test
+        const beforeDoc = await firestore.get(`users/${uid}`);
+        const priorRevokedAt = beforeDoc?.consent?.marketing?.revokedAt;
+        assert.ok(priorRevokedAt?.timestamp, 'Prior test should have left a revokedAt timestamp');
+
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'subscribe',
+        });
+
+        assert.isSuccess(response, `Authenticated subscribe should succeed: ${JSON.stringify(response, null, 2)}`);
 
+        const userDoc = await firestore.get(`users/${uid}`);
+
+        // status flips
+        assert.equal(userDoc?.consent?.marketing?.status, 'granted', 'status should flip to granted');
+
+        // grantedAt populated with new server time + source=account
+        assert.equal(userDoc?.consent?.marketing?.grantedAt?.source, 'account', 'grantedAt.source should be account');
+        assert.ok(userDoc?.consent?.marketing?.grantedAt?.timestamp, 'grantedAt.timestamp should be set');
+
+        // revokedAt UNTOUCHED — still reflects the most recent revoke
+        assert.equal(
+          userDoc?.consent?.marketing?.revokedAt?.timestamp,
+          priorRevokedAt.timestamp,
+          'revokedAt.timestamp should be preserved from prior revoke'
+        );
+        assert.equal(
+          userDoc?.consent?.marketing?.revokedAt?.source,
+          priorRevokedAt.source,
+          'revokedAt.source should be preserved from prior revoke'
+        );
+      },
+    },
+
+    {
+      name: 'auth-invalid-action-rejected',
+      auth: 'basic',
+      timeout: 15000,
       async run({ http, assert }) {
-        const sig = generateSig(TEST_EMAIL);
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'delete',
+        });
+        assert.isError(response, 400, 'Invalid action should return 400');
+      },
+    },
 
+    {
+      name: 'auth-opt-in-old-name-rejected',
+      auth: 'basic',
+      timeout: 15000,
+      async run({ http, assert }) {
+        // Old proposed 'opt-in' is NOT accepted — must use 'subscribe'
+        const response = await http.as('basic').post('marketing/email-preferences', {
+          action: 'opt-in',
+        });
+        assert.isError(response, 400, 'Old "opt-in" name should be rejected (use "subscribe")');
+      },
+    },
+
+    {
+      name: 'unauthenticated-without-sig-rejected',
+      auth: 'none',
+      timeout: 15000,
+      async run({ http, assert }) {
+        // Unauthenticated + no sig → email field is required for HMAC path → 400.
+        // (No auth means we hit the anonymous path; no email/asmId means missing-required.)
         const response = await http.post('marketing/email-preferences', {
-          email: TEST_EMAIL,
-          asmId: TEST_ASM_ID,
           action: 'unsubscribe',
-          sig: sig,
         });
-
-        assert.isSuccess(response, 'Authenticated user with valid sig should succeed');
-        assert.propertyEquals(response, 'data.success', true, 'success should be true');
+        assert.isError(response, 400, 'Unauthenticated request without HMAC fields should 400');
       },
     },
   ],

package/test/routes/marketing/webhook-forward.js

@@ -0,0 +1,54 @@
+/**
+ * Test: POST /marketing/webhook/forward (parent forwarder)
+ *
+ * This route is gated to only work when Manager.config.parent === 'self'.
+ * Most test runs happen on a CHILD brand (e.g. Somiibo's backend-manager-config.json
+ * has `parent: 'https://api.itwcreativeworks.com'`), so the route should return 404.
+ *
+ * The actual fan-out behavior (reading brands collection, derive API URLs,
+ * POST to each child) is verified by unit-style tests in test/helpers/webhook-forward.js
+ * which exercise the forwarder logic against a mock admin + mock fetch — no emulator
+ * round-trip required.
+ *
+ * This file only verifies the GATE: on a non-parent BEM, the route is invisible.
+ */
+module.exports = {
+  description: 'Marketing webhook forwarder gating (parent-only)',
+  type: 'group',
+  timeout: 15000,
+
+  tests: [
+    {
+      name: 'forwarder-returns-404-on-non-parent-brand',
+      auth: 'none',
+      async run({ http, assert, config }) {
+        // Sanity check: this brand should NOT be configured as the parent
+        assert.ok(
+          config.parent && config.parent !== 'self',
+          `Test brand should have config.parent set to a URL (got: ${config.parent})`
+        );
+
+        const response = await http.as('none').post(
+          `marketing/webhook/forward?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          [{ sg_event_id: 'should-not-process', event: 'group_unsubscribe', email: 'test@example.com' }]
+        );
+
+        assert.isError(response, 404, 'Forwarder should be invisible (404) on non-parent BEMs');
+      },
+    },
+
+    {
+      name: 'forwarder-returns-404-even-with-valid-key',
+      auth: 'none',
+      async run({ http, assert }) {
+        // A valid key shouldn't unlock the forwarder — gate is on config.parent, not key.
+        const response = await http.as('none').post(
+          `marketing/webhook/forward?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
+          { id: 'should-not-process', event: 'subscription.unsubscribed', email: 'test@example.com' }
+        );
+
+        assert.isError(response, 404, 'Even with valid key, non-parent returns 404');
+      },
+    },
+  ],
+};