backend-manager 5.2.17 → 5.2.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "backend-manager",
3
- "version": "5.2.17",
3
+ "version": "5.2.18",
4
4
  "description": "Quick tools for developing Firebase functions",
5
5
  "main": "src/manager/index.js",
6
6
  "bin": {
@@ -446,11 +446,20 @@ module.exports = {
446
446
  async run({ http, firestore, assert, accounts }) {
447
447
  const uid = accounts['signup-merge'].uid;
448
448
 
449
- // Seed real/custom state that the signup write must NOT clobber, plus a deliberately
450
- // PARTIAL attribution (only affiliate.code) to prove leaves get filled, not replaced-away.
449
+ // Capture the REAL api keys onCreate generated — the signup write must preserve these
450
+ // exactly (regenerating them would break the user's API access AND this test's auth,
451
+ // since http.as() authenticates with api.privateKey). We assert against the real values,
452
+ // NOT a seeded fake (seeding a fake privateKey would 401 the request).
453
+ const before = await firestore.get(`users/${uid}`);
454
+ const realClientId = before?.api?.clientId;
455
+ const realPrivateKey = before?.api?.privateKey;
456
+ const realAffiliateCode = before?.affiliate?.code;
457
+
458
+ // Seed adversarial NON-auth state the signup write must NOT clobber: a paid subscription,
459
+ // admin role, a custom non-schema field, and a deliberately PARTIAL attribution (only
460
+ // affiliate.code) to prove leaves get filled, not replaced-away. We do NOT touch api.* —
461
+ // that's the auth credential and is asserted-preserved via the captured real values.
451
462
  await firestore.set(`users/${uid}`, {
452
- api: { clientId: 'REAL-CLIENT-ID', privateKey: 'REAL-PRIVATE-KEY' },
453
- affiliate: { code: 'REALAFFILIATECODE', referrals: [{ uid: 'someone' }] },
454
463
  subscription: { product: { id: 'pro', name: 'Pro' }, status: 'active' },
455
464
  roles: { admin: true, betaTester: false, developer: false },
456
465
  attribution: { affiliate: { code: 'PARTIALONLY' } },
@@ -466,9 +475,9 @@ module.exports = {
466
475
  const doc = await firestore.get(`users/${uid}`);
467
476
 
468
477
  // (b) Existing real values must survive untouched — NOT regenerated/reset by the schema layer.
469
- assert.equal(doc?.api?.clientId, 'REAL-CLIENT-ID', 'api.clientId must be preserved (not regenerated)');
470
- assert.equal(doc?.api?.privateKey, 'REAL-PRIVATE-KEY', 'api.privateKey must be preserved (not regenerated)');
471
- assert.equal(doc?.affiliate?.code, 'REALAFFILIATECODE', 'affiliate.code must be preserved (not regenerated)');
478
+ assert.equal(doc?.api?.clientId, realClientId, 'api.clientId must be preserved (not regenerated)');
479
+ assert.equal(doc?.api?.privateKey, realPrivateKey, 'api.privateKey must be preserved (not regenerated)');
480
+ assert.equal(doc?.affiliate?.code, realAffiliateCode, 'affiliate.code must be preserved (not regenerated)');
472
481
  assert.equal(doc?.subscription?.product?.id, 'pro', 'subscription must be preserved (not reset to basic)');
473
482
  assert.equal(doc?.roles?.admin, true, 'roles.admin must be preserved (not reset to false)');
474
483