backend-manager 5.2.3 → 5.2.6

package/src/manager/events/firestore/payments-webhooks/analytics.js

@@ -225,7 +225,7 @@ function fireMeta({ resolved, currency, uid, processor, assistant, config }) {
       method: 'post',
       response: 'json',
       body: payload,
-      timeout: 30000,
+      timeout: 60000,
       tries: 2,
     })
     .then(() => {
@@ -298,7 +298,7 @@ function fireTikTok({ resolved, currency, uid, processor, assistant, config }) {
         'Access-Token': accessToken,
       },
       body: { data: [payload] },
-      timeout: 30000,
+      timeout: 60000,
       tries: 2,
     })
     .then(() => {

package/src/manager/functions/core/actions/api/user/delete.js

@@ -31,7 +31,7 @@ Module.prototype.main = function () {
       assistant.log(`Signout of all sessions...`);
       await fetch(`${self.Manager.project.apiUrl}/backend-manager`, {
         method: 'post',
-        timeout: 30000,
+        timeout: 60000,
         response: 'json',
         tries: 2,
         log: true,

package/src/manager/helpers/analytics.js

@@ -328,7 +328,7 @@ Analytics.prototype.event = function (payload, params) {
     method: 'post',
     response: 'text',
     tries: 2,
-    timeout: 30000,
+    timeout: 60000,
     // headers: {
     //   "Content-Type": "application/json"
     // },

package/src/manager/helpers/middleware.js

@@ -35,7 +35,7 @@ Middleware.prototype.run = function (libPath, options) {
     options.setupAnalytics = typeof options.setupAnalytics === 'boolean' ? options.setupAnalytics : true;
     options.setupUsage = typeof options.setupUsage === 'boolean' ? options.setupUsage : true;
     options.setupSettings = typeof options.setupSettings === 'undefined' ? true : options.setupSettings;
-    options.sanitize = typeof options.sanitize === 'undefined' ? true : options.sanitize;
+    options.sanitize = typeof options.sanitize === 'undefined' ? false : options.sanitize;
     options.includeNonSchemaSettings = typeof options.includeNonSchemaSettings === 'undefined' ? false : options.includeNonSchemaSettings;
     options.schema = typeof options.schema === 'undefined' ? libPath : options.schema;
     options.parseMultipartFormData = typeof options.parseMultipartFormData === 'undefined' ? true : options.parseMultipartFormData;
@@ -177,13 +177,16 @@ Middleware.prototype.run = function (libPath, options) {
       assistant.settings = data;
     }
 
-    // Sanitize settings — trim whitespace and strip HTML from all strings
-    // Respects sanitize: false on individual schema fields
+    // Trim whitespace on all string settings (always on — harmless and useful).
+    assistant.settings = Manager.Utilities().trim(assistant.settings);
+
+    // Optional HTML strip (off by default — opt in with `{ sanitize: true }`).
+    // Sanitize at the HTML-insertion site instead unless you need a belt-and-suspenders pass here.
+    // Respects sanitize: false on individual schema fields.
     if (options.sanitize) {
       const schema = options.setupSettings ? Manager.Settings().schema : null;
       const utilities = Manager.Utilities();
 
-      // Walk settings, skipping fields the schema marks as sanitize: false
       assistant.settings = sanitizeWithSchema(utilities, assistant.settings, schema);
     }
 

package/src/manager/helpers/utilities.js

@@ -528,4 +528,35 @@ Utilities.prototype.sanitize = function (input) {
   return input;
 };
 
+/**
+ * Trim whitespace from all strings in input. Walks objects/arrays recursively.
+ * Does NOT strip HTML — use sanitize() for that.
+ *
+ * @param {*} input - The data to trim (string, object, array, or primitive)
+ * @returns {*} Trimmed copy (objects/arrays) or trimmed value (strings)
+ */
+Utilities.prototype.trim = function (input) {
+  if (input == null) {
+    return input;
+  }
+
+  if (typeof input === 'string') {
+    return input.trim();
+  }
+
+  if (Array.isArray(input)) {
+    return input.map(item => this.trim(item));
+  }
+
+  if (typeof input === 'object') {
+    const result = {};
+    for (const [key, value] of Object.entries(input)) {
+      result[key] = this.trim(value);
+    }
+    return result;
+  }
+
+  return input;
+};
+
 module.exports = Utilities;

package/src/manager/libraries/email/generators/newsletter.js

@@ -517,7 +517,7 @@ async function fetchSources(parentUrl, categories, brandId, assistant) {
       const data = await fetch(`${parentUrl}/newsletter-sources`, {
         method: 'get',
         response: 'json',
-        timeout: 15000,
+        timeout: 60000,
         query: {
           category,
           limit: 3,
@@ -546,7 +546,7 @@ async function claimSources(parentUrl, sources, brandId, assistant) {
       await fetch(`${parentUrl}/newsletter-sources`, {
         method: 'put',
         response: 'json',
-        timeout: 10000,
+        timeout: 60000,
         body: {
           id: source.id,
           usedBy: brandId || 'unknown',

package/src/manager/libraries/email/providers/beehiiv.js

@@ -9,6 +9,11 @@ const { FIELDS, resolveFieldValues } = require('../constants.js');
 
 const BASE_URL = 'https://api.beehiiv.com/v2';
 
+// Beehiiv API spikes past 10s during their hiccups, dropping signups silently.
+// 60s is generous but harmless — caches are in place for metadata calls so a
+// slow first call costs nothing in steady state.
+const BEEHIIV_TIMEOUT_MS = 60000;
+
 // --- Internal helpers ---
 
 function headers() {
@@ -63,7 +68,7 @@ async function addSubscriber({ email, firstName, lastName, source, publicationId
       method: 'post',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: BEEHIIV_TIMEOUT_MS,
       body,
     });
 
@@ -79,39 +84,55 @@ async function addSubscriber({ email, firstName, lastName, source, publicationId
 }
 
 /**
- * Remove a subscriber from a Beehiiv publication by email.
+ * Look up a Beehiiv subscriber by email. Returns the subscription object
+ * (id, email, status, custom_fields, ...) or null if not found.
+ *
+ * Useful for tests that need to verify whether a subscriber landed in the
+ * publication after a marketing sync.
  *
  * @param {string} email
  * @param {string} publicationId
- * @returns {{ success: boolean, deleted?: boolean, skipped?: boolean, error?: string }}
+ * @returns {Promise<object|null>}
  */
-async function removeSubscriber(email, publicationId) {
+async function findSubscriber(email, publicationId) {
   try {
     const encodedEmail = encodeURIComponent(email);
-
-    // Step 1: Get subscription by email
-    let searchData;
-    try {
-      searchData = await fetch(
-        `${BASE_URL}/publications/${publicationId}/subscriptions/by_email/${encodedEmail}`,
-        {
-          response: 'json',
-          headers: headers(),
-          timeout: 10000,
-        }
-      );
-    } catch (e) {
-      if (e.status === 404) {
-        return { success: true, skipped: true, reason: 'Subscriber not found' };
+    const searchData = await fetch(
+      `${BASE_URL}/publications/${publicationId}/subscriptions/by_email/${encodedEmail}`,
+      {
+        response: 'json',
+        headers: headers(),
+        timeout: BEEHIIV_TIMEOUT_MS,
       }
-      throw e;
+    );
+
+    return searchData.data || null;
+  } catch (e) {
+    if (e.status === 404) {
+      return null;
     }
+    console.error('Beehiiv findSubscriber error:', e);
+    return null;
+  }
+}
+
+/**
+ * Remove a subscriber from a Beehiiv publication by email.
+ *
+ * @param {string} email
+ * @param {string} publicationId
+ * @returns {{ success: boolean, deleted?: boolean, skipped?: boolean, error?: string }}
+ */
+async function removeSubscriber(email, publicationId) {
+  try {
+    // Step 1: Look up the subscription
+    const subscription = await findSubscriber(email, publicationId);
 
-    if (!searchData.data?.id) {
-      return { success: true, skipped: true, reason: 'Subscription not found' };
+    if (!subscription?.id) {
+      return { success: true, skipped: true, reason: 'Subscriber not found' };
     }
 
-    const subscriptionId = searchData.data.id;
+    const subscriptionId = subscription.id;
 
     // Step 2: Permanently delete the subscription
     await fetch(
@@ -119,7 +140,7 @@ async function removeSubscriber(email, publicationId) {
       {
         method: 'delete',
         headers: headers(),
-        timeout: 10000,
+        timeout: BEEHIIV_TIMEOUT_MS,
       }
     );
 
@@ -186,7 +207,7 @@ function getPublicationId() {
 //       const data = await fetch(`${BASE_URL}/publications?limit=${limit}&page=${page}`, {
 //         response: 'json',
 //         headers: headers(),
-//         timeout: 10000,
+//         timeout: BEEHIIV_TIMEOUT_MS,
 //       });
 //
 //       if (!data.data || data.data.length === 0) {
@@ -270,6 +291,25 @@ async function removeContact(email) {
   return removeSubscriber(email, publicationId);
 }
 
+/**
+ * Look up a contact in this brand's Beehiiv publication. Resolves the
+ * publicationId from config and calls findSubscriber. Mirrors SendGrid's
+ * findContact() surface so tests can use the same pattern across both
+ * providers.
+ *
+ * @param {string} email
+ * @returns {Promise<object|null>}
+ */
+async function findContact(email) {
+  const publicationId = getPublicationId();
+
+  if (!publicationId) {
+    return null;
+  }
+
+  return findSubscriber(email, publicationId);
+}
+
 /**
  * Build Beehiiv custom_fields array from a user doc.
  * Resolves all field values, then maps to display names for Beehiiv.
@@ -316,7 +356,7 @@ async function resolveSegmentIds() {
     const data = await fetch(`${BASE_URL}/publications/${publicationId}/segments?limit=100`, {
       response: 'json',
       headers: headers(),
-      timeout: 10000,
+      timeout: BEEHIIV_TIMEOUT_MS,
     });
 
     _segmentIdCache = {};
@@ -412,7 +452,7 @@ async function createPost(options) {
       method: 'post',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: BEEHIIV_TIMEOUT_MS,
       body,
     });
 
@@ -435,6 +475,8 @@ module.exports = {
 
   // Contacts
   addContact,
+  findContact,
+  findSubscriber,
   removeContact,
   buildFields,
 

package/src/manager/libraries/email/providers/sendgrid.js

@@ -115,7 +115,7 @@ async function upsertContacts({ contacts, listIds }) {
       method: 'put',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: SENDGRID_TIMEOUT_MS,
       body,
     });
 
@@ -131,14 +131,17 @@ async function upsertContacts({ contacts, listIds }) {
 }
 
 /**
- * Remove a contact from SendGrid by email address.
+ * Look up a SendGrid contact by email. Returns the contact object (id, email,
+ * list_ids, custom_fields, ...) or null if not found.
+ *
+ * Useful for tests that need to verify whether a contact landed in the list
+ * after a marketing sync.
  *
  * @param {string} email
- * @returns {{ success: boolean, jobId?: string, skipped?: boolean, error?: string }}
+ * @returns {Promise<object|null>}
  */
-async function removeContact(email) {
+async function findContact(email) {
   try {
-    // Step 1: Get contact ID by email
     const searchData = await fetch(`${BASE_URL}/marketing/contacts/search/emails`, {
       method: 'post',
       response: 'json',
@@ -147,11 +150,33 @@ async function removeContact(email) {
       body: { emails: [email] },
     });
 
-    if (!searchData.result?.[email]?.contact?.id) {
+    return searchData.result?.[email]?.contact || null;
+  } catch (e) {
+    // 404 is the normal "not in contacts" response — return null silently.
+    if (e.status === 404) {
+      return null;
+    }
+    console.error('SendGrid findContact error:', e);
+    return null;
+  }
+}
+
+/**
+ * Remove a contact from SendGrid by email address.
+ *
+ * @param {string} email
+ * @returns {{ success: boolean, jobId?: string, skipped?: boolean, error?: string }}
+ */
+async function removeContact(email) {
+  try {
+    // Step 1: Get contact ID by email
+    const contact = await findContact(email);
+
+    if (!contact?.id) {
       return { success: true, skipped: true, reason: 'Contact not found' };
     }
 
-    const contactId = searchData.result[email].contact.id;
+    const contactId = contact.id;
 
     // Step 2: Delete contact by ID
     const deleteData = await fetch(`${BASE_URL}/marketing/contacts?ids=${contactId}`, {
@@ -332,7 +357,7 @@ async function createSingleSend({ name, subject, preheader, templateId, from, se
       method: 'post',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: SENDGRID_TIMEOUT_MS,
       body,
     });
 
@@ -360,7 +385,7 @@ async function scheduleSingleSend(singleSendId, sendAt) {
       method: 'put',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: SENDGRID_TIMEOUT_MS,
       body: { send_at: sendAt },
     });
 
@@ -520,7 +545,7 @@ async function getSegmentContacts(segmentId, maxWaitMs = 60000) {
       method: 'post',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: SENDGRID_TIMEOUT_MS,
       body: { segment_ids: [segmentId] },
     });
 
@@ -550,7 +575,7 @@ async function getSegmentContacts(segmentId, maxWaitMs = 60000) {
         // Download CSV — disable cacheBreaker to preserve presigned S3 URL signature
         const csvText = await fetch(statusData.urls[0], {
           response: 'text',
-          timeout: 30000,
+          timeout: 60000,
           cacheBreaker: false,
         });
 
@@ -614,7 +639,7 @@ async function bulkDeleteContacts(contactIds) {
       method: 'delete',
       response: 'json',
       headers: headers(),
-      timeout: 15000,
+      timeout: SENDGRID_TIMEOUT_MS,
     });
 
     if (data.job_id) {
@@ -635,6 +660,7 @@ module.exports = {
 
   // Contacts
   addContact,
+  findContact,
   removeContact,
   getSegmentContacts,
   bulkDeleteContacts,

package/src/manager/libraries/email/validation.js

@@ -133,7 +133,7 @@ async function validate(email, options = {}) {
     try {
       const data = await fetch(
         `https://api.zerobounce.net/v2/validate?api_key=${process.env.ZEROBOUNCE_API_KEY}&email=${encodeURIComponent(email)}`,
-        { response: 'json', timeout: 10000 }
+        { response: 'json', timeout: 60000 }
       );
 
       if (data.error) {

package/src/manager/libraries/infer-contact.js

@@ -43,7 +43,7 @@ async function inferContactWithAI(email, assistant) {
     const ai = assistant.Manager.AI(assistant, process.env.BACKEND_MANAGER_OPENAI_API_KEY);
     const result = await ai.request({
       model: 'gpt-5-mini',
-      timeout: 30000,
+      timeout: 60000,
       maxTokens: 1024,
       moderate: false,
       response: 'json',

package/src/manager/routes/general/email/post.js

@@ -22,10 +22,12 @@ module.exports = async ({ assistant, Manager, settings }) => {
     payload: {},
   };
 
-  // Load email template
+  // Load email template — colons in id are converted to nested folders
+  // (e.g. "general:download-app-link" → templates/general/download-app-link.js)
+  const templatePath = settings.id.split(':').join('/');
   let emailPayload;
   try {
-    const script = require(path.join(__dirname, 'templates', `${settings.id}.js`));
+    const script = require(path.join(__dirname, 'templates', `${templatePath}.js`));
     emailPayload = merge(
       {},
       DEFAULT,

package/src/manager/routes/marketing/email-preferences/post.js

@@ -166,7 +166,7 @@ async function handleAnonymous({ assistant, Manager, settings, analytics }) {
         method: 'POST',
         response: 'json',
         headers: { 'Authorization': `Bearer ${process.env.SENDGRID_API_KEY}` },
-        timeout: 10000,
+        timeout: 60000,
         body: { recipient_emails: [email] },
       });
     } else {
@@ -176,7 +176,7 @@ async function handleAnonymous({ assistant, Manager, settings, analytics }) {
         method: 'DELETE',
         response: 'text',
         headers: { 'Authorization': `Bearer ${process.env.SENDGRID_API_KEY}` },
-        timeout: 10000,
+        timeout: 60000,
       });
     }
   } catch (e) {

package/src/manager/routes/payments/dispute-alert/post.js

@@ -8,16 +8,16 @@ const powertools = require('node-powertools');
  *
  * Query params:
  *   - provider: alert provider name (default: 'chargeblast')
- *   - key: must match BACKEND_MANAGER_KEY
+ *   - key: must match BACKEND_MANAGER_WEBHOOK_KEY (BACKEND_MANAGER_KEY accepted as legacy fallback)
  */
 module.exports = async ({ assistant, Manager, libraries }) => {
   const { admin } = libraries;
   const body = assistant.request.body;
   const query = assistant.request.query;
 
-  // Validate key against BACKEND_MANAGER_KEY
+  // Validate key — accept either BACKEND_MANAGER_WEBHOOK_KEY (preferred) or BACKEND_MANAGER_KEY (legacy)
   const key = query.key;
-  if (!key || key !== process.env.BACKEND_MANAGER_KEY) {
+  if (!key || (key !== process.env.BACKEND_MANAGER_WEBHOOK_KEY && key !== process.env.BACKEND_MANAGER_KEY)) {
     return assistant.respond('Invalid key', { code: 401 });
   }
 

package/src/manager/routes/payments/intent/processors/test.js

@@ -155,12 +155,12 @@ async function createOneTimeIntent({ uid, orderId, product, productId, confirmat
  * Fire-and-forget webhook to trigger the full pipeline
  */
 function fireWebhook({ event, assistant }) {
-  const webhookUrl = `${assistant.Manager.project.apiUrl}/backend-manager/payments/webhook?processor=test&key=${process.env.BACKEND_MANAGER_KEY}`;
+  const webhookUrl = `${assistant.Manager.project.apiUrl}/backend-manager/payments/webhook?processor=test&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`;
   fetch(webhookUrl, {
     method: 'POST',
     response: 'json',
     body: event,
-    timeout: 15000,
+    timeout: 60000,
   }).catch((e) => {
     assistant.log(`Test processor auto-webhook failed: ${e.message}`);
   });

package/src/manager/routes/payments/webhook/post.js

@@ -24,8 +24,8 @@ module.exports = async ({ assistant, Manager, libraries }) => {
     return assistant.respond('Missing processor parameter', { code: 400 });
   }
 
-  // Validate key against BACKEND_MANAGER_KEY
-  if (!key || key !== process.env.BACKEND_MANAGER_KEY) {
+  // Validate key — accept either BACKEND_MANAGER_WEBHOOK_KEY (preferred) or BACKEND_MANAGER_KEY (legacy)
+  if (!key || (key !== process.env.BACKEND_MANAGER_WEBHOOK_KEY && key !== process.env.BACKEND_MANAGER_KEY)) {
     return assistant.respond('Invalid key', { code: 401 });
   }
 

package/src/manager/routes/user/delete.js

@@ -48,7 +48,7 @@ module.exports = async ({ assistant, Manager, user, settings, libraries }) => {
 
   await fetch(`${Manager.project.apiUrl}/backend-manager/user/sessions`, {
     method: 'delete',
-    timeout: 30000,
+    timeout: 60000,
     response: 'json',
     tries: 2,
     log: true,

package/src/manager/routes/user/oauth2/providers/discord.js

@@ -22,7 +22,7 @@ module.exports = {
 
     const response = await fetch(this.urls.revoke, {
       method: 'POST',
-      timeout: 30000,
+      timeout: 60000,
       body: new URLSearchParams({
         token,
         client_id: clientId,

package/src/manager/routes/user/oauth2/providers/google.js

@@ -27,7 +27,7 @@ module.exports = {
 
     const response = await fetch(this.urls.revoke, {
       method: 'POST',
-      timeout: 30000,
+      timeout: 60000,
       body: new URLSearchParams({ token }),
       headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
     }).catch(e => e);

package/src/test/runner.js

@@ -119,25 +119,6 @@ class TestRunner {
       await this.runTestsInDir(projectTestsDir, 'project');
     }
 
-    // Post-run cleanup: scrub test accounts from third-party marketing providers
-    // (SendGrid/Beehiiv) so each test run leaves the contact list in the same
-    // state it found it. Pairs with the pre-run cleanup as defense in depth —
-    // pre-run handles crashed previous runs, post-run handles the current run.
-    // Only fires in extended mode (normal mode never touches real providers).
-    if (process.env.TEST_EXTENDED_MODE) {
-      process.stdout.write(chalk.gray('\n  Cleaning up test accounts from marketing providers... '));
-      try {
-        const cleanupResult = await testAccounts.cleanupMarketingProviders(this.options.domain, {
-          apiUrl: this.options.apiUrl,
-          backendManagerKey: this.options.backendManagerKey,
-        });
-        console.log(chalk.green(`✓ (${cleanupResult.cleaned} cleaned)`));
-      } catch (e) {
-        // Post-run cleanup is best-effort — failures shouldn't change the test result
-        console.log(chalk.yellow(`⚠ cleanup error: ${e.message}`));
-      }
-    }
-
     // Cleanup rules context
     if (this.rulesContext) {
       await this.rulesContext.cleanup();
@@ -166,6 +147,12 @@ class TestRunner {
       return false;
     }
 
+    if (!this.options.backendManagerWebhookKey) {
+      console.log(chalk.red('  ✗ Missing backendManagerWebhookKey'));
+      console.log(chalk.gray('    Set BEM_BACKEND_MANAGER_WEBHOOK_KEY environment variable or pass --webhook-key flag'));
+      return false;
+    }
+
     if (!this.options.brand?.id) {
       console.log(chalk.red('  ✗ Missing brand.id'));
       console.log(chalk.gray('    Could not determine brand ID from configuration'));
@@ -229,18 +216,6 @@ class TestRunner {
     const deleteResult = await testAccounts.deleteTestUsers(this.options.admin);
     console.log(chalk.green(`✓ (${deleteResult.deleted} deleted, ${deleteResult.skipped} skipped)`));
 
-    // Clean any leftover test accounts from third-party marketing providers
-    // (SendGrid/Beehiiv). Runs BEFORE we create fresh users so a previously
-    // killed run doesn't leave the contact list polluted.
-    if (process.env.TEST_EXTENDED_MODE) {
-      process.stdout.write(chalk.gray('  Cleaning test accounts from marketing providers... '));
-      const cleanupResult = await testAccounts.cleanupMarketingProviders(this.options.domain, {
-        apiUrl: this.options.apiUrl,
-        backendManagerKey: this.options.backendManagerKey,
-      });
-      console.log(chalk.green(`✓ (${cleanupResult.cleaned} cleaned)`));
-    }
-
     process.stdout.write(chalk.gray('  Creating test accounts... '));
 
     // Create fresh test accounts
@@ -692,6 +667,7 @@ class TestRunner {
       timeout: this.options.timeout,
       accounts: this.accounts,
       backendManagerKey: this.options.backendManagerKey,
+      backendManagerWebhookKey: this.options.backendManagerWebhookKey,
     });
 
     // Set default auth