backend-manager 5.9.4 → 5.9.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (251) hide show
  1. package/CLAUDE.md +6 -0
  2. package/package.json +8 -1
  3. package/src/cli/commands/install.js +4 -3
  4. package/src/cli/commands/setup-tests/backend-manager.js +2 -1
  5. package/src/cli/commands/setup-tests/firebase-admin.js +2 -1
  6. package/src/cli/commands/setup-tests/firebase-functions.js +2 -1
  7. package/src/cli/utils/safe-install.js +13 -0
  8. package/src/manager/routes/payments/cancel/post.js +22 -2
  9. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
  10. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
  11. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
  12. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
  13. package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
  14. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
  15. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
  16. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
  17. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
  18. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
  19. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
  20. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
  21. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
  22. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
  23. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
  24. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
  25. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
  26. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
  27. package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
  28. package/src/test/fixtures/firebase-project/database-debug.log +12 -0
  29. package/src/test/fixtures/firebase-project/firestore-debug.log +136 -0
  30. package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
  31. package/src/test/test-accounts.js +9 -0
  32. package/.codeclimate.yml +0 -32
  33. package/.nvmrc +0 -1
  34. package/CHANGELOG.md +0 -1432
  35. package/PROGRESS.md +0 -86
  36. package/TODO-2.md +0 -121
  37. package/TODO-CHARGEBLAST.md +0 -32
  38. package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
  39. package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
  40. package/TODO-email-auth.md +0 -14
  41. package/TODO.md +0 -187
  42. package/plans/mcp2.md +0 -247
  43. package/scripts/test-helper-providers.js +0 -162
  44. package/scripts/update-disposable-domains.js +0 -44
  45. package/templates/_.env +0 -42
  46. package/templates/_.gitignore +0 -60
  47. package/templates/backend-manager-config.json +0 -249
  48. package/templates/database.rules.json +0 -83
  49. package/templates/firebase.json +0 -66
  50. package/templates/firestore.indexes.json +0 -4
  51. package/templates/firestore.rules +0 -112
  52. package/templates/public/404.html +0 -26
  53. package/templates/public/index.html +0 -24
  54. package/templates/remoteconfig.template.json +0 -1
  55. package/templates/storage-lifecycle-config-1-day.json +0 -9
  56. package/templates/storage-lifecycle-config-30-days.json +0 -9
  57. package/templates/storage.rules +0 -8
  58. package/test/_init/accounts-validation.js +0 -58
  59. package/test/_legacy/ai/index.js +0 -231
  60. package/test/_legacy/ai/test.jpg +0 -0
  61. package/test/_legacy/ai/test.pdf +0 -0
  62. package/test/_legacy/index.js +0 -31
  63. package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
  64. package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
  65. package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
  66. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
  67. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
  68. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
  69. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
  70. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
  71. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
  72. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
  73. package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
  74. package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
  75. package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
  76. package/test/_legacy/payment-resolver/index.js +0 -1558
  77. package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
  78. package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
  79. package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
  80. package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
  81. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
  82. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
  83. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
  84. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
  85. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
  86. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
  87. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
  88. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
  89. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
  90. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
  91. package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
  92. package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
  93. package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
  94. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
  95. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
  96. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
  97. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
  98. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
  99. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
  100. package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
  101. package/test/_legacy/test-new +0 -1178
  102. package/test/_legacy/test.md +0 -89
  103. package/test/_legacy/usage.js +0 -175
  104. package/test/_legacy/user.js +0 -31
  105. package/test/ai/tools-live.js +0 -170
  106. package/test/boot/emulator-boots.js +0 -37
  107. package/test/content/blog-generate.js +0 -160
  108. package/test/email/campaign-send.js +0 -45
  109. package/test/email/consent-lifecycle.js +0 -257
  110. package/test/email/feedback-and-plain-send.js +0 -52
  111. package/test/email/fixtures/editorial.json +0 -30
  112. package/test/email/fixtures/field-report.json +0 -53
  113. package/test/email/marketing-lifecycle.js +0 -132
  114. package/test/email/newsletter-generate.js +0 -819
  115. package/test/email/newsletter-templates.js +0 -491
  116. package/test/email/templates.js +0 -207
  117. package/test/email/transactional-send.js +0 -34
  118. package/test/email/transactional.js +0 -560
  119. package/test/email/validation.js +0 -710
  120. package/test/events/auth-delete-race.js +0 -201
  121. package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
  122. package/test/events/payments/journey-payments-cancel.js +0 -182
  123. package/test/events/payments/journey-payments-discount.js +0 -89
  124. package/test/events/payments/journey-payments-failure.js +0 -146
  125. package/test/events/payments/journey-payments-legacy-product.js +0 -149
  126. package/test/events/payments/journey-payments-one-time-failure.js +0 -111
  127. package/test/events/payments/journey-payments-one-time.js +0 -136
  128. package/test/events/payments/journey-payments-plan-change.js +0 -144
  129. package/test/events/payments/journey-payments-refund-webhook.js +0 -180
  130. package/test/events/payments/journey-payments-suspend.js +0 -181
  131. package/test/events/payments/journey-payments-trial-cancel.js +0 -130
  132. package/test/events/payments/journey-payments-trial.js +0 -171
  133. package/test/events/payments/journey-payments-uid-resolution.js +0 -132
  134. package/test/events/payments/journey-payments-upgrade.js +0 -135
  135. package/test/fixtures/chargebee/invoice-one-time.json +0 -27
  136. package/test/fixtures/chargebee/subscription-active.json +0 -44
  137. package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
  138. package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
  139. package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
  140. package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
  141. package/test/fixtures/chargebee/subscription-paused.json +0 -42
  142. package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
  143. package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
  144. package/test/fixtures/paypal/order-approved.json +0 -62
  145. package/test/fixtures/paypal/order-completed.json +0 -110
  146. package/test/fixtures/paypal/subscription-active.json +0 -76
  147. package/test/fixtures/paypal/subscription-cancelled.json +0 -50
  148. package/test/fixtures/paypal/subscription-suspended.json +0 -65
  149. package/test/fixtures/stripe/checkout-session-completed.json +0 -130
  150. package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
  151. package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
  152. package/test/fixtures/stripe/subscription-active.json +0 -161
  153. package/test/fixtures/stripe/subscription-canceled.json +0 -161
  154. package/test/fixtures/stripe/subscription-trialing.json +0 -161
  155. package/test/functions/admin/database-read.js +0 -134
  156. package/test/functions/admin/database-write.js +0 -159
  157. package/test/functions/admin/edit-post.js +0 -366
  158. package/test/functions/admin/firestore-query.js +0 -207
  159. package/test/functions/admin/firestore-read.js +0 -129
  160. package/test/functions/admin/firestore-write.js +0 -105
  161. package/test/functions/admin/get-stats.js +0 -115
  162. package/test/functions/admin/send-email.js +0 -119
  163. package/test/functions/admin/send-notification.js +0 -208
  164. package/test/functions/admin/write-repo-content.js +0 -223
  165. package/test/functions/general/add-marketing-contact.js +0 -335
  166. package/test/functions/general/fetch-post.js +0 -54
  167. package/test/functions/general/generate-uuid.js +0 -114
  168. package/test/functions/test/authenticate.js +0 -64
  169. package/test/functions/user/create-custom-token.js +0 -73
  170. package/test/functions/user/delete.js +0 -135
  171. package/test/functions/user/get-active-sessions.js +0 -111
  172. package/test/functions/user/get-subscription-info.js +0 -99
  173. package/test/functions/user/regenerate-api-keys.js +0 -156
  174. package/test/functions/user/resolve.js +0 -52
  175. package/test/functions/user/sign-out-all-sessions.js +0 -94
  176. package/test/functions/user/sign-up.js +0 -252
  177. package/test/functions/user/submit-feedback.js +0 -104
  178. package/test/functions/user/validate-settings.js +0 -82
  179. package/test/helpers/ai-request-payload.js +0 -300
  180. package/test/helpers/ai-test-provider.js +0 -202
  181. package/test/helpers/ai-tools-format.js +0 -383
  182. package/test/helpers/content/blog-auto-publisher.js +0 -484
  183. package/test/helpers/content/feed-parser.js +0 -528
  184. package/test/helpers/content/ghostii-blocks.js +0 -134
  185. package/test/helpers/content/ghostii-feed-integration.js +0 -404
  186. package/test/helpers/content/ghostii-write-article.js +0 -243
  187. package/test/helpers/environment.js +0 -230
  188. package/test/helpers/infer-contact.js +0 -113
  189. package/test/helpers/merge-line-files.js +0 -271
  190. package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
  191. package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
  192. package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
  193. package/test/helpers/payment/paypal/parse-webhook.js +0 -539
  194. package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
  195. package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
  196. package/test/helpers/payment/stripe/parse-webhook.js +0 -447
  197. package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
  198. package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
  199. package/test/helpers/sanitize.js +0 -222
  200. package/test/helpers/slugify.js +0 -394
  201. package/test/helpers/storage.js +0 -194
  202. package/test/helpers/user.js +0 -755
  203. package/test/helpers/webhook-forward.js +0 -418
  204. package/test/mcp/discovery.js +0 -53
  205. package/test/mcp/oauth.js +0 -161
  206. package/test/mcp/protocol.js +0 -268
  207. package/test/mcp/roles.js +0 -188
  208. package/test/mcp/utils.js +0 -245
  209. package/test/routes/admin/create-post.js +0 -364
  210. package/test/routes/admin/database.js +0 -131
  211. package/test/routes/admin/deduplicate-image-alts.js +0 -190
  212. package/test/routes/admin/email.js +0 -114
  213. package/test/routes/admin/firestore-query.js +0 -204
  214. package/test/routes/admin/firestore.js +0 -127
  215. package/test/routes/admin/infer-contact.js +0 -218
  216. package/test/routes/admin/notification.js +0 -198
  217. package/test/routes/admin/post-resize-image.js +0 -184
  218. package/test/routes/admin/post.js +0 -368
  219. package/test/routes/admin/repo-content.js +0 -223
  220. package/test/routes/admin/stats.js +0 -112
  221. package/test/routes/content/post.js +0 -54
  222. package/test/routes/general/uuid.js +0 -115
  223. package/test/routes/marketing/campaign.js +0 -125
  224. package/test/routes/marketing/contact.js +0 -370
  225. package/test/routes/marketing/email-preferences.js +0 -292
  226. package/test/routes/marketing/push-send.js +0 -32
  227. package/test/routes/marketing/webhook-forward.js +0 -61
  228. package/test/routes/marketing/webhook.js +0 -639
  229. package/test/routes/payments/cancel.js +0 -140
  230. package/test/routes/payments/discount.js +0 -80
  231. package/test/routes/payments/dispute-alert.js +0 -320
  232. package/test/routes/payments/intent.js +0 -336
  233. package/test/routes/payments/portal.js +0 -92
  234. package/test/routes/payments/refund.js +0 -179
  235. package/test/routes/payments/trial-eligibility.js +0 -71
  236. package/test/routes/payments/webhook.js +0 -107
  237. package/test/routes/test/authenticate.js +0 -59
  238. package/test/routes/test/schema.js +0 -554
  239. package/test/routes/test/usage.js +0 -342
  240. package/test/routes/user/api-keys.js +0 -156
  241. package/test/routes/user/delete.js +0 -136
  242. package/test/routes/user/feedback.js +0 -104
  243. package/test/routes/user/sessions.js +0 -199
  244. package/test/routes/user/settings-validate.js +0 -82
  245. package/test/routes/user/signup.js +0 -542
  246. package/test/routes/user/subscription.js +0 -99
  247. package/test/routes/user/token.js +0 -73
  248. package/test/routes/user/user.js +0 -157
  249. package/test/rules/notifications.js +0 -410
  250. package/test/rules/payments-carts.js +0 -371
  251. package/test/rules/user.js +0 -396
@@ -1,292 +0,0 @@
1
- /**
2
- * Test: POST /marketing/email-preferences
3
- *
4
- * Two modes:
5
- * - Anonymous HMAC: from email-footer unsubscribe link. Requires email + asmId + sig.
6
- * Hits SendGrid ASM and (NEW) mirrors to user doc if email maps to a user.
7
- * - Authenticated: from account-page toggle. Requires only `action`.
8
- * Writes consent.marketing to user doc with source='account' and hits SendGrid + Beehiiv
9
- * via the email library.
10
- *
11
- * Set TEST_EXTENDED_MODE=true to hit real SendGrid + Beehiiv. Otherwise provider calls
12
- * are skipped but user-doc mutations still happen.
13
- */
14
- const crypto = require('crypto');
15
-
16
- const TEST_EMAIL = 'rachel.greene+bem-unsub@gmail.com';
17
- const TEST_ASM_ID = '24077';
18
-
19
- function generateSig(email) {
20
- return crypto.createHmac('sha256', process.env.UNSUBSCRIBE_HMAC_KEY).update(email.toLowerCase()).digest('hex');
21
- }
22
-
23
- module.exports = {
24
- description: 'Marketing email-preferences (anonymous HMAC + authenticated)',
25
- type: 'group',
26
- tests: [
27
- // ─── Anonymous HMAC flow ───
28
-
29
- {
30
- name: 'anon-unsubscribe-valid-sig-succeeds',
31
- auth: 'none',
32
- timeout: 15000,
33
- async run({ http, assert }) {
34
- const sig = generateSig(TEST_EMAIL);
35
- const response = await http.post('backend-manager/marketing/email-preferences', {
36
- email: TEST_EMAIL,
37
- asmId: TEST_ASM_ID,
38
- action: 'unsubscribe',
39
- sig,
40
- });
41
- assert.isSuccess(response, 'Unsubscribe with valid sig should succeed');
42
- assert.propertyEquals(response, 'data.success', true, 'success should be true');
43
- },
44
- },
45
-
46
- {
47
- name: 'anon-subscribe-valid-sig-succeeds',
48
- auth: 'none',
49
- timeout: 15000,
50
- async run({ http, assert }) {
51
- const sig = generateSig(TEST_EMAIL);
52
- const response = await http.post('backend-manager/marketing/email-preferences', {
53
- email: TEST_EMAIL,
54
- asmId: TEST_ASM_ID,
55
- action: 'subscribe',
56
- sig,
57
- });
58
- assert.isSuccess(response, 'Subscribe with valid sig should succeed');
59
- assert.propertyEquals(response, 'data.success', true, 'success should be true');
60
- },
61
- },
62
-
63
- {
64
- name: 'anon-resubscribe-rejected',
65
- auth: 'none',
66
- timeout: 15000,
67
- async run({ http, assert }) {
68
- // Old 'resubscribe' action is no longer accepted — must use 'subscribe'
69
- const sig = generateSig(TEST_EMAIL);
70
- const response = await http.post('backend-manager/marketing/email-preferences', {
71
- email: TEST_EMAIL,
72
- asmId: TEST_ASM_ID,
73
- action: 'resubscribe',
74
- sig,
75
- });
76
- assert.isError(response, 400, 'Old "resubscribe" action should be rejected');
77
- },
78
- },
79
-
80
- {
81
- name: 'anon-invalid-sig-rejected',
82
- auth: 'none',
83
- timeout: 15000,
84
- async run({ http, assert }) {
85
- const response = await http.post('backend-manager/marketing/email-preferences', {
86
- email: TEST_EMAIL,
87
- asmId: TEST_ASM_ID,
88
- action: 'unsubscribe',
89
- sig: 'invalid-signature-value',
90
- });
91
- assert.isError(response, 403, 'Invalid sig should return 403');
92
- },
93
- },
94
-
95
- {
96
- name: 'anon-missing-email-rejected',
97
- auth: 'none',
98
- timeout: 15000,
99
- async run({ http, assert }) {
100
- const response = await http.post('backend-manager/marketing/email-preferences', {
101
- asmId: TEST_ASM_ID,
102
- action: 'unsubscribe',
103
- sig: 'anything',
104
- });
105
- assert.isError(response, 400, 'Missing email should return 400');
106
- },
107
- },
108
-
109
- {
110
- name: 'anon-invalid-email-rejected',
111
- auth: 'none',
112
- timeout: 15000,
113
- async run({ http, assert }) {
114
- const sig = generateSig('not-an-email');
115
- const response = await http.post('backend-manager/marketing/email-preferences', {
116
- email: 'not-an-email',
117
- asmId: TEST_ASM_ID,
118
- action: 'unsubscribe',
119
- sig,
120
- });
121
- assert.isError(response, 400, 'Invalid email format should return 400');
122
- },
123
- },
124
-
125
- {
126
- name: 'anon-missing-asmid-rejected',
127
- auth: 'none',
128
- timeout: 15000,
129
- async run({ http, assert }) {
130
- const sig = generateSig(TEST_EMAIL);
131
- const response = await http.post('backend-manager/marketing/email-preferences', {
132
- email: TEST_EMAIL,
133
- action: 'unsubscribe',
134
- sig,
135
- });
136
- assert.isError(response, 400, 'Missing asmId should return 400');
137
- },
138
- },
139
-
140
- {
141
- name: 'anon-invalid-action-rejected',
142
- auth: 'none',
143
- timeout: 15000,
144
- async run({ http, assert }) {
145
- const sig = generateSig(TEST_EMAIL);
146
- const response = await http.post('backend-manager/marketing/email-preferences', {
147
- email: TEST_EMAIL,
148
- asmId: TEST_ASM_ID,
149
- action: 'delete',
150
- sig,
151
- });
152
- assert.isError(response, 400, 'Invalid action should return 400');
153
- },
154
- },
155
-
156
- {
157
- name: 'anon-wrong-email-sig-rejected',
158
- auth: 'none',
159
- timeout: 15000,
160
- async run({ http, assert }) {
161
- // sig generated for a different email — must not validate against TEST_EMAIL
162
- const sig = generateSig('someone-else@gmail.com');
163
- const response = await http.post('backend-manager/marketing/email-preferences', {
164
- email: TEST_EMAIL,
165
- asmId: TEST_ASM_ID,
166
- action: 'unsubscribe',
167
- sig,
168
- });
169
- assert.isError(response, 403, 'Sig for different email should return 403');
170
- },
171
- },
172
-
173
- // ─── Authenticated mode ───
174
-
175
- {
176
- name: 'auth-unsubscribe-writes-consent-and-records-source-account',
177
- auth: 'basic',
178
- timeout: 15000,
179
- async run({ http, firestore, assert, accounts }) {
180
- const uid = accounts.basic.uid;
181
-
182
- const beforeMs = Date.now();
183
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
184
- action: 'unsubscribe',
185
- });
186
- const afterMs = Date.now();
187
-
188
- assert.isSuccess(response, `Authenticated unsubscribe should succeed: ${JSON.stringify(response, null, 2)}`);
189
- assert.propertyEquals(response, 'data.success', true, 'success should be true');
190
- assert.propertyEquals(response, 'data.action', 'unsubscribe', 'action echoed in response');
191
-
192
- const userDoc = await firestore.get(`users/${uid}`);
193
-
194
- assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'consent.marketing.status should be revoked');
195
- assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'account', 'revokedAt.source should be account');
196
- assert.ok(userDoc?.consent?.marketing?.revokedAt?.timestamp, 'revokedAt.timestamp should be set');
197
- assert.equal(typeof userDoc?.consent?.marketing?.revokedAt?.timestampUNIX, 'number', 'revokedAt.timestampUNIX should be number');
198
-
199
- // Server time used (defense against clock manipulation).
200
- // Server uses Math.round, so the stamped value can be 1 second past Math.floor(afterMs/1000)
201
- // when the request takes >500ms. Use Math.round on the upper bound + a small fudge.
202
- const revokedUNIX = userDoc.consent.marketing.revokedAt.timestampUNIX;
203
- const beforeUNIX = Math.floor(beforeMs / 1000);
204
- const afterUNIX = Math.round(afterMs / 1000) + 1;
205
- assert.ok(
206
- revokedUNIX >= beforeUNIX && revokedUNIX <= afterUNIX,
207
- `revokedAt.timestampUNIX (${revokedUNIX}) should be server time, between ${beforeUNIX} and ${afterUNIX}`
208
- );
209
- },
210
- },
211
-
212
- {
213
- name: 'auth-subscribe-after-unsubscribe-flips-status-keeps-prior-revokedAt',
214
- auth: 'basic',
215
- timeout: 15000,
216
- async run({ http, firestore, assert, accounts }) {
217
- const uid = accounts.basic.uid;
218
-
219
- // Capture revokedAt from the previous test
220
- const beforeDoc = await firestore.get(`users/${uid}`);
221
- const priorRevokedAt = beforeDoc?.consent?.marketing?.revokedAt;
222
- assert.ok(priorRevokedAt?.timestamp, 'Prior test should have left a revokedAt timestamp');
223
-
224
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
225
- action: 'subscribe',
226
- });
227
-
228
- assert.isSuccess(response, `Authenticated subscribe should succeed: ${JSON.stringify(response, null, 2)}`);
229
-
230
- const userDoc = await firestore.get(`users/${uid}`);
231
-
232
- // status flips
233
- assert.equal(userDoc?.consent?.marketing?.status, 'granted', 'status should flip to granted');
234
-
235
- // grantedAt populated with new server time + source=account
236
- assert.equal(userDoc?.consent?.marketing?.grantedAt?.source, 'account', 'grantedAt.source should be account');
237
- assert.ok(userDoc?.consent?.marketing?.grantedAt?.timestamp, 'grantedAt.timestamp should be set');
238
-
239
- // revokedAt UNTOUCHED — still reflects the most recent revoke
240
- assert.equal(
241
- userDoc?.consent?.marketing?.revokedAt?.timestamp,
242
- priorRevokedAt.timestamp,
243
- 'revokedAt.timestamp should be preserved from prior revoke'
244
- );
245
- assert.equal(
246
- userDoc?.consent?.marketing?.revokedAt?.source,
247
- priorRevokedAt.source,
248
- 'revokedAt.source should be preserved from prior revoke'
249
- );
250
- },
251
- },
252
-
253
- {
254
- name: 'auth-invalid-action-rejected',
255
- auth: 'basic',
256
- timeout: 15000,
257
- async run({ http, assert }) {
258
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
259
- action: 'delete',
260
- });
261
- assert.isError(response, 400, 'Invalid action should return 400');
262
- },
263
- },
264
-
265
- {
266
- name: 'auth-opt-in-old-name-rejected',
267
- auth: 'basic',
268
- timeout: 15000,
269
- async run({ http, assert }) {
270
- // Old proposed 'opt-in' is NOT accepted — must use 'subscribe'
271
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
272
- action: 'opt-in',
273
- });
274
- assert.isError(response, 400, 'Old "opt-in" name should be rejected (use "subscribe")');
275
- },
276
- },
277
-
278
- {
279
- name: 'unauthenticated-without-sig-rejected',
280
- auth: 'none',
281
- timeout: 15000,
282
- async run({ http, assert }) {
283
- // Unauthenticated + no sig → email field is required for HMAC path → 400.
284
- // (No auth means we hit the anonymous path; no email/asmId means missing-required.)
285
- const response = await http.post('backend-manager/marketing/email-preferences', {
286
- action: 'unsubscribe',
287
- });
288
- assert.isError(response, 400, 'Unauthenticated request without HMAC fields should 400');
289
- },
290
- },
291
- ],
292
- };
@@ -1,32 +0,0 @@
1
- /**
2
- * Test: Push notification send
3
- * Sends a test push notification to a specific FCM token.
4
- * Requires TEST_EXTENDED_MODE=true and TEST_FCM_TOKEN env var.
5
- */
6
- module.exports = {
7
- description: 'Push notification send',
8
- auth: 'admin',
9
- skip: !process.env.TEST_EXTENDED_MODE
10
- ? 'TEST_EXTENDED_MODE not set'
11
- : !process.env.TEST_FCM_TOKEN
12
- ? 'TEST_FCM_TOKEN env var not set'
13
- : false,
14
- timeout: 30000,
15
-
16
- async run({ http, assert, config }) {
17
- const response = await http.post('backend-manager/marketing/campaign', {
18
- name: '[TEST] Push notification',
19
- subject: 'This is a test push notification from BEM',
20
- type: 'push',
21
- test: true,
22
- sendAt: 'now',
23
- filters: { token: process.env.TEST_FCM_TOKEN },
24
- });
25
-
26
- assert.isSuccess(response, 'Should create and send push campaign');
27
- assert.ok(response.data.id, 'Should have campaign ID');
28
- assert.equal(response.data.status, 'sent', 'Should be sent immediately');
29
- assert.ok(response.data.providers?.push, 'Should have push result');
30
- assert.equal(response.data.providers.push.sent, 1, 'Should have sent to 1 token');
31
- },
32
- };
@@ -1,61 +0,0 @@
1
- /**
2
- * Test: POST /marketing/webhook/forward (parent forwarder)
3
- *
4
- * This route is gated to only work when Manager.config.parent === 'self'.
5
- * Most test runs happen on a CHILD brand (e.g. Somiibo's backend-manager-config.json
6
- * has `parent: 'https://api.itwcreativeworks.com'`), so the route should return 404.
7
- *
8
- * The actual fan-out behavior (reading brands collection, derive API URLs,
9
- * POST to each child) is verified by unit-style tests in test/helpers/webhook-forward.js
10
- * which exercise the forwarder logic against a mock admin + mock fetch — no emulator
11
- * round-trip required.
12
- *
13
- * This file only verifies the GATE: on a non-parent BEM, the route is invisible.
14
- */
15
- module.exports = {
16
- description: 'Marketing webhook forwarder gating (parent-only)',
17
- type: 'group',
18
- timeout: 15000,
19
-
20
- tests: [
21
- {
22
- name: 'forwarder-returns-404-on-non-parent-brand',
23
- auth: 'none',
24
- async run({ http, assert, config, skip }) {
25
- // This gate only applies to CHILD brands. If this brand IS the parent
26
- // (config.parent === 'self'), the forwarder route is visible by design,
27
- // so there's nothing to assert here — skip rather than fail.
28
- if (!config.parent || config.parent === 'self') {
29
- skip('Brand is its own parent (config.parent === "self") — forwarder gate does not apply');
30
- }
31
-
32
- const response = await http.as('none').post(
33
- `backend-manager/marketing/webhook/forward?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
34
- [{ sg_event_id: 'should-not-process', event: 'group_unsubscribe', email: 'test@example.com' }]
35
- );
36
-
37
- assert.isError(response, 404, 'Forwarder should be invisible (404) on non-parent BEMs');
38
- },
39
- },
40
-
41
- {
42
- name: 'forwarder-returns-404-even-with-valid-key',
43
- auth: 'none',
44
- async run({ http, assert, config, skip }) {
45
- // Only meaningful on a CHILD brand. On the parent itself the forwarder is
46
- // visible by design, so skip rather than fail.
47
- if (!config.parent || config.parent === 'self') {
48
- skip('Brand is its own parent (config.parent === "self") — forwarder gate does not apply');
49
- }
50
-
51
- // A valid key shouldn't unlock the forwarder — gate is on config.parent, not key.
52
- const response = await http.as('none').post(
53
- `backend-manager/marketing/webhook/forward?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
54
- { id: 'should-not-process', event: 'subscription.unsubscribed', email: 'test@example.com' }
55
- );
56
-
57
- assert.isError(response, 404, 'Even with valid key, non-parent returns 404');
58
- },
59
- },
60
- ],
61
- };