backend-manager 5.9.4 → 5.9.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (251) hide show
  1. package/CLAUDE.md +6 -0
  2. package/package.json +8 -1
  3. package/src/cli/commands/install.js +4 -3
  4. package/src/cli/commands/setup-tests/backend-manager.js +2 -1
  5. package/src/cli/commands/setup-tests/firebase-admin.js +2 -1
  6. package/src/cli/commands/setup-tests/firebase-functions.js +2 -1
  7. package/src/cli/utils/safe-install.js +13 -0
  8. package/src/manager/routes/payments/cancel/post.js +22 -2
  9. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
  10. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
  11. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
  12. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
  13. package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
  14. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
  15. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
  16. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
  17. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
  18. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
  19. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
  20. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
  21. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
  22. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
  23. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
  24. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
  25. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
  26. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
  27. package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
  28. package/src/test/fixtures/firebase-project/database-debug.log +12 -0
  29. package/src/test/fixtures/firebase-project/firestore-debug.log +136 -0
  30. package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
  31. package/src/test/test-accounts.js +9 -0
  32. package/.codeclimate.yml +0 -32
  33. package/.nvmrc +0 -1
  34. package/CHANGELOG.md +0 -1432
  35. package/PROGRESS.md +0 -86
  36. package/TODO-2.md +0 -121
  37. package/TODO-CHARGEBLAST.md +0 -32
  38. package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
  39. package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
  40. package/TODO-email-auth.md +0 -14
  41. package/TODO.md +0 -187
  42. package/plans/mcp2.md +0 -247
  43. package/scripts/test-helper-providers.js +0 -162
  44. package/scripts/update-disposable-domains.js +0 -44
  45. package/templates/_.env +0 -42
  46. package/templates/_.gitignore +0 -60
  47. package/templates/backend-manager-config.json +0 -249
  48. package/templates/database.rules.json +0 -83
  49. package/templates/firebase.json +0 -66
  50. package/templates/firestore.indexes.json +0 -4
  51. package/templates/firestore.rules +0 -112
  52. package/templates/public/404.html +0 -26
  53. package/templates/public/index.html +0 -24
  54. package/templates/remoteconfig.template.json +0 -1
  55. package/templates/storage-lifecycle-config-1-day.json +0 -9
  56. package/templates/storage-lifecycle-config-30-days.json +0 -9
  57. package/templates/storage.rules +0 -8
  58. package/test/_init/accounts-validation.js +0 -58
  59. package/test/_legacy/ai/index.js +0 -231
  60. package/test/_legacy/ai/test.jpg +0 -0
  61. package/test/_legacy/ai/test.pdf +0 -0
  62. package/test/_legacy/index.js +0 -31
  63. package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
  64. package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
  65. package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
  66. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
  67. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
  68. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
  69. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
  70. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
  71. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
  72. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
  73. package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
  74. package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
  75. package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
  76. package/test/_legacy/payment-resolver/index.js +0 -1558
  77. package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
  78. package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
  79. package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
  80. package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
  81. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
  82. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
  83. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
  84. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
  85. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
  86. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
  87. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
  88. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
  89. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
  90. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
  91. package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
  92. package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
  93. package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
  94. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
  95. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
  96. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
  97. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
  98. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
  99. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
  100. package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
  101. package/test/_legacy/test-new +0 -1178
  102. package/test/_legacy/test.md +0 -89
  103. package/test/_legacy/usage.js +0 -175
  104. package/test/_legacy/user.js +0 -31
  105. package/test/ai/tools-live.js +0 -170
  106. package/test/boot/emulator-boots.js +0 -37
  107. package/test/content/blog-generate.js +0 -160
  108. package/test/email/campaign-send.js +0 -45
  109. package/test/email/consent-lifecycle.js +0 -257
  110. package/test/email/feedback-and-plain-send.js +0 -52
  111. package/test/email/fixtures/editorial.json +0 -30
  112. package/test/email/fixtures/field-report.json +0 -53
  113. package/test/email/marketing-lifecycle.js +0 -132
  114. package/test/email/newsletter-generate.js +0 -819
  115. package/test/email/newsletter-templates.js +0 -491
  116. package/test/email/templates.js +0 -207
  117. package/test/email/transactional-send.js +0 -34
  118. package/test/email/transactional.js +0 -560
  119. package/test/email/validation.js +0 -710
  120. package/test/events/auth-delete-race.js +0 -201
  121. package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
  122. package/test/events/payments/journey-payments-cancel.js +0 -182
  123. package/test/events/payments/journey-payments-discount.js +0 -89
  124. package/test/events/payments/journey-payments-failure.js +0 -146
  125. package/test/events/payments/journey-payments-legacy-product.js +0 -149
  126. package/test/events/payments/journey-payments-one-time-failure.js +0 -111
  127. package/test/events/payments/journey-payments-one-time.js +0 -136
  128. package/test/events/payments/journey-payments-plan-change.js +0 -144
  129. package/test/events/payments/journey-payments-refund-webhook.js +0 -180
  130. package/test/events/payments/journey-payments-suspend.js +0 -181
  131. package/test/events/payments/journey-payments-trial-cancel.js +0 -130
  132. package/test/events/payments/journey-payments-trial.js +0 -171
  133. package/test/events/payments/journey-payments-uid-resolution.js +0 -132
  134. package/test/events/payments/journey-payments-upgrade.js +0 -135
  135. package/test/fixtures/chargebee/invoice-one-time.json +0 -27
  136. package/test/fixtures/chargebee/subscription-active.json +0 -44
  137. package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
  138. package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
  139. package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
  140. package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
  141. package/test/fixtures/chargebee/subscription-paused.json +0 -42
  142. package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
  143. package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
  144. package/test/fixtures/paypal/order-approved.json +0 -62
  145. package/test/fixtures/paypal/order-completed.json +0 -110
  146. package/test/fixtures/paypal/subscription-active.json +0 -76
  147. package/test/fixtures/paypal/subscription-cancelled.json +0 -50
  148. package/test/fixtures/paypal/subscription-suspended.json +0 -65
  149. package/test/fixtures/stripe/checkout-session-completed.json +0 -130
  150. package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
  151. package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
  152. package/test/fixtures/stripe/subscription-active.json +0 -161
  153. package/test/fixtures/stripe/subscription-canceled.json +0 -161
  154. package/test/fixtures/stripe/subscription-trialing.json +0 -161
  155. package/test/functions/admin/database-read.js +0 -134
  156. package/test/functions/admin/database-write.js +0 -159
  157. package/test/functions/admin/edit-post.js +0 -366
  158. package/test/functions/admin/firestore-query.js +0 -207
  159. package/test/functions/admin/firestore-read.js +0 -129
  160. package/test/functions/admin/firestore-write.js +0 -105
  161. package/test/functions/admin/get-stats.js +0 -115
  162. package/test/functions/admin/send-email.js +0 -119
  163. package/test/functions/admin/send-notification.js +0 -208
  164. package/test/functions/admin/write-repo-content.js +0 -223
  165. package/test/functions/general/add-marketing-contact.js +0 -335
  166. package/test/functions/general/fetch-post.js +0 -54
  167. package/test/functions/general/generate-uuid.js +0 -114
  168. package/test/functions/test/authenticate.js +0 -64
  169. package/test/functions/user/create-custom-token.js +0 -73
  170. package/test/functions/user/delete.js +0 -135
  171. package/test/functions/user/get-active-sessions.js +0 -111
  172. package/test/functions/user/get-subscription-info.js +0 -99
  173. package/test/functions/user/regenerate-api-keys.js +0 -156
  174. package/test/functions/user/resolve.js +0 -52
  175. package/test/functions/user/sign-out-all-sessions.js +0 -94
  176. package/test/functions/user/sign-up.js +0 -252
  177. package/test/functions/user/submit-feedback.js +0 -104
  178. package/test/functions/user/validate-settings.js +0 -82
  179. package/test/helpers/ai-request-payload.js +0 -300
  180. package/test/helpers/ai-test-provider.js +0 -202
  181. package/test/helpers/ai-tools-format.js +0 -383
  182. package/test/helpers/content/blog-auto-publisher.js +0 -484
  183. package/test/helpers/content/feed-parser.js +0 -528
  184. package/test/helpers/content/ghostii-blocks.js +0 -134
  185. package/test/helpers/content/ghostii-feed-integration.js +0 -404
  186. package/test/helpers/content/ghostii-write-article.js +0 -243
  187. package/test/helpers/environment.js +0 -230
  188. package/test/helpers/infer-contact.js +0 -113
  189. package/test/helpers/merge-line-files.js +0 -271
  190. package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
  191. package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
  192. package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
  193. package/test/helpers/payment/paypal/parse-webhook.js +0 -539
  194. package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
  195. package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
  196. package/test/helpers/payment/stripe/parse-webhook.js +0 -447
  197. package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
  198. package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
  199. package/test/helpers/sanitize.js +0 -222
  200. package/test/helpers/slugify.js +0 -394
  201. package/test/helpers/storage.js +0 -194
  202. package/test/helpers/user.js +0 -755
  203. package/test/helpers/webhook-forward.js +0 -418
  204. package/test/mcp/discovery.js +0 -53
  205. package/test/mcp/oauth.js +0 -161
  206. package/test/mcp/protocol.js +0 -268
  207. package/test/mcp/roles.js +0 -188
  208. package/test/mcp/utils.js +0 -245
  209. package/test/routes/admin/create-post.js +0 -364
  210. package/test/routes/admin/database.js +0 -131
  211. package/test/routes/admin/deduplicate-image-alts.js +0 -190
  212. package/test/routes/admin/email.js +0 -114
  213. package/test/routes/admin/firestore-query.js +0 -204
  214. package/test/routes/admin/firestore.js +0 -127
  215. package/test/routes/admin/infer-contact.js +0 -218
  216. package/test/routes/admin/notification.js +0 -198
  217. package/test/routes/admin/post-resize-image.js +0 -184
  218. package/test/routes/admin/post.js +0 -368
  219. package/test/routes/admin/repo-content.js +0 -223
  220. package/test/routes/admin/stats.js +0 -112
  221. package/test/routes/content/post.js +0 -54
  222. package/test/routes/general/uuid.js +0 -115
  223. package/test/routes/marketing/campaign.js +0 -125
  224. package/test/routes/marketing/contact.js +0 -370
  225. package/test/routes/marketing/email-preferences.js +0 -292
  226. package/test/routes/marketing/push-send.js +0 -32
  227. package/test/routes/marketing/webhook-forward.js +0 -61
  228. package/test/routes/marketing/webhook.js +0 -639
  229. package/test/routes/payments/cancel.js +0 -140
  230. package/test/routes/payments/discount.js +0 -80
  231. package/test/routes/payments/dispute-alert.js +0 -320
  232. package/test/routes/payments/intent.js +0 -336
  233. package/test/routes/payments/portal.js +0 -92
  234. package/test/routes/payments/refund.js +0 -179
  235. package/test/routes/payments/trial-eligibility.js +0 -71
  236. package/test/routes/payments/webhook.js +0 -107
  237. package/test/routes/test/authenticate.js +0 -59
  238. package/test/routes/test/schema.js +0 -554
  239. package/test/routes/test/usage.js +0 -342
  240. package/test/routes/user/api-keys.js +0 -156
  241. package/test/routes/user/delete.js +0 -136
  242. package/test/routes/user/feedback.js +0 -104
  243. package/test/routes/user/sessions.js +0 -199
  244. package/test/routes/user/settings-validate.js +0 -82
  245. package/test/routes/user/signup.js +0 -542
  246. package/test/routes/user/subscription.js +0 -99
  247. package/test/routes/user/token.js +0 -73
  248. package/test/routes/user/user.js +0 -157
  249. package/test/rules/notifications.js +0 -410
  250. package/test/rules/payments-carts.js +0 -371
  251. package/test/rules/user.js +0 -396
@@ -1,396 +0,0 @@
1
- /**
2
- * Test: Firestore Security Rules - User Documents
3
- * Tests that security rules correctly protect user data
4
- *
5
- * Rules being tested:
6
- * - Users can read their own document
7
- * - Users can write to their own document (non-protected fields only)
8
- * - Users cannot read/write other users' documents
9
- * - Protected fields (auth, roles, flags, subscription, affiliate, api, metadata, usage, consent) cannot be written by users
10
- *
11
- * @see templates/firestore.rules
12
- */
13
- module.exports = {
14
- description: 'Firestore security rules for user documents',
15
- type: 'group',
16
- timeout: 30000,
17
-
18
- tests: [
19
- // Test 1: User can read their own document
20
- {
21
- name: 'user-can-read-own-doc',
22
- auth: 'none', // We use rules context, not http auth
23
-
24
- async run({ rules, accounts }) {
25
- const uid = accounts.basic.uid;
26
- const db = rules.asAccount('basic');
27
-
28
- // Should succeed - reading own document
29
- await rules.expectSuccess(
30
- db.doc(`users/${uid}`).get()
31
- );
32
- },
33
- },
34
-
35
- // Test 2: User cannot read another user's document
36
- {
37
- name: 'user-cannot-read-other-doc',
38
- auth: 'none',
39
-
40
- async run({ rules, accounts }) {
41
- const otherUid = accounts.admin.uid;
42
- const db = rules.asAccount('basic');
43
-
44
- // Should fail - reading another user's document
45
- await rules.expectFailure(
46
- db.doc(`users/${otherUid}`).get()
47
- );
48
- },
49
- },
50
-
51
- // Test 3: Unauthenticated user cannot read any user document
52
- {
53
- name: 'anonymous-cannot-read-user-doc',
54
- auth: 'none',
55
-
56
- async run({ rules, accounts }) {
57
- const uid = accounts.basic.uid;
58
- const db = rules.asAnonymous();
59
-
60
- // Should fail - unauthenticated read
61
- await rules.expectFailure(
62
- db.doc(`users/${uid}`).get()
63
- );
64
- },
65
- },
66
-
67
- // Test 4: User can write non-protected fields to own document
68
- {
69
- name: 'user-can-write-non-protected-fields',
70
- auth: 'none',
71
-
72
- async run({ rules, accounts }) {
73
- const uid = accounts.basic.uid;
74
- const db = rules.asAccount('basic');
75
-
76
- // Should succeed - writing allowed fields
77
- await rules.expectSuccess(
78
- db.doc(`users/${uid}`).set({
79
- profile: {
80
- displayName: 'Test User',
81
- bio: 'This is my bio',
82
- },
83
- preferences: {
84
- theme: 'dark',
85
- notifications: true,
86
- },
87
- }, { merge: true })
88
- );
89
- },
90
- },
91
-
92
- // Test 5: User cannot write 'auth' field (protected)
93
- {
94
- name: 'user-cannot-write-auth-field',
95
- auth: 'none',
96
-
97
- async run({ rules, accounts }) {
98
- const uid = accounts.basic.uid;
99
- const db = rules.asAccount('basic');
100
-
101
- // Should fail - auth is protected
102
- await rules.expectFailure(
103
- db.doc(`users/${uid}`).set({
104
- auth: {
105
- uid: 'hacked-uid',
106
- email: 'hacked@example.com',
107
- },
108
- }, { merge: true })
109
- );
110
- },
111
- },
112
-
113
- // Test 6: User cannot write 'roles' field (protected)
114
- {
115
- name: 'user-cannot-write-roles-field',
116
- auth: 'none',
117
-
118
- async run({ rules, accounts }) {
119
- const uid = accounts.basic.uid;
120
- const db = rules.asAccount('basic');
121
-
122
- // Should fail - roles is protected
123
- await rules.expectFailure(
124
- db.doc(`users/${uid}`).set({
125
- roles: {
126
- admin: true,
127
- },
128
- }, { merge: true })
129
- );
130
- },
131
- },
132
-
133
- // Test 7: User cannot write 'subscription' field (protected)
134
- {
135
- name: 'user-cannot-write-subscription-field',
136
- auth: 'none',
137
-
138
- async run({ rules, accounts }) {
139
- const uid = accounts.basic.uid;
140
- const db = rules.asAccount('basic');
141
-
142
- // Should fail - subscription is protected
143
- await rules.expectFailure(
144
- db.doc(`users/${uid}`).set({
145
- subscription: {
146
- product: { id: 'premium' },
147
- status: 'active',
148
- },
149
- }, { merge: true })
150
- );
151
- },
152
- },
153
-
154
- // Test 8: User cannot write 'api' field (protected - contains privateKey)
155
- {
156
- name: 'user-cannot-write-api-field',
157
- auth: 'none',
158
-
159
- async run({ rules, accounts }) {
160
- const uid = accounts.basic.uid;
161
- const db = rules.asAccount('basic');
162
-
163
- // Should fail - api is protected
164
- await rules.expectFailure(
165
- db.doc(`users/${uid}`).set({
166
- api: {
167
- privateKey: 'stolen-key',
168
- clientId: 'fake-client',
169
- },
170
- }, { merge: true })
171
- );
172
- },
173
- },
174
-
175
- // Test 9: User cannot write 'flags' field (protected - system flags)
176
- {
177
- name: 'user-cannot-write-flags-field',
178
- auth: 'none',
179
-
180
- async run({ rules, accounts }) {
181
- const uid = accounts.basic.uid;
182
- const db = rules.asAccount('basic');
183
-
184
- // Should fail - flags is protected
185
- // Use a unique value to ensure isUpdatingField triggers
186
- await rules.expectFailure(
187
- db.doc(`users/${uid}`).set({
188
- flags: {
189
- hacked: true,
190
- },
191
- }, { merge: true })
192
- );
193
- },
194
- },
195
-
196
- // Test 10: User cannot write 'usage' field (protected - tracked by server)
197
- {
198
- name: 'user-cannot-write-usage-field',
199
- auth: 'none',
200
-
201
- async run({ rules, accounts }) {
202
- const uid = accounts.basic.uid;
203
- const db = rules.asAccount('basic');
204
-
205
- // Should fail - usage is protected
206
- await rules.expectFailure(
207
- db.doc(`users/${uid}`).set({
208
- usage: {
209
- requests: 0, // Try to reset usage
210
- },
211
- }, { merge: true })
212
- );
213
- },
214
- },
215
-
216
- // Test 11: User cannot write 'affiliate' field (protected)
217
- {
218
- name: 'user-cannot-write-affiliate-field',
219
- auth: 'none',
220
-
221
- async run({ rules, accounts }) {
222
- const uid = accounts.basic.uid;
223
- const db = rules.asAccount('basic');
224
-
225
- // Should fail - affiliate is protected
226
- await rules.expectFailure(
227
- db.doc(`users/${uid}`).set({
228
- affiliate: {
229
- code: 'STOLEN',
230
- referrals: [],
231
- },
232
- }, { merge: true })
233
- );
234
- },
235
- },
236
-
237
- // Test 11.5: User cannot write 'consent' field (protected - server-only)
238
- {
239
- name: 'user-cannot-write-consent-field',
240
- auth: 'none',
241
-
242
- async run({ rules, accounts }) {
243
- const uid = accounts.basic.uid;
244
- const db = rules.asAccount('basic');
245
-
246
- // Should fail - consent is protected (only signup route + webhook
247
- // processors can mutate it server-side; a client write would let a
248
- // user retroactively forge their own consent record).
249
- // Use a value that can't match any prior state — earlier tests
250
- // (email-preferences) may have set marketing.status to 'granted',
251
- // and writing the SAME value is a no-op the rules correctly allow.
252
- await rules.expectFailure(
253
- db.doc(`users/${uid}`).set({
254
- consent: {
255
- marketing: { status: 'forged' },
256
- },
257
- }, { merge: true })
258
- );
259
- },
260
- },
261
-
262
- // Test 12: User cannot write to another user's document
263
- {
264
- name: 'user-cannot-write-other-doc',
265
- auth: 'none',
266
-
267
- async run({ rules, accounts }) {
268
- const otherUid = accounts['premium-active'].uid;
269
- const db = rules.asAccount('basic');
270
-
271
- // Should fail - writing to another user's document
272
- await rules.expectFailure(
273
- db.doc(`users/${otherUid}`).set({
274
- profile: { hacked: true },
275
- }, { merge: true })
276
- );
277
- },
278
- },
279
-
280
- // Test 13: Unauthenticated user cannot write to any user document
281
- {
282
- name: 'anonymous-cannot-write-user-doc',
283
- auth: 'none',
284
-
285
- async run({ rules, accounts }) {
286
- const uid = accounts.basic.uid;
287
- const db = rules.asAnonymous();
288
-
289
- // Should fail - unauthenticated write
290
- await rules.expectFailure(
291
- db.doc(`users/${uid}`).set({
292
- profile: { displayName: 'Anonymous Hacker' },
293
- }, { merge: true })
294
- );
295
- },
296
- },
297
-
298
- // Test 14: Admin can read any user's document
299
- {
300
- name: 'admin-can-read-any-user-doc',
301
- auth: 'none',
302
-
303
- async run({ rules, accounts }) {
304
- const basicUid = accounts.basic.uid;
305
- const db = rules.asAccount('admin');
306
-
307
- // Should succeed - admin can read any user doc
308
- await rules.expectSuccess(
309
- db.doc(`users/${basicUid}`).get()
310
- );
311
- },
312
- },
313
-
314
- // Tests 15–18 exercise admin write/create/delete on a DEDICATED throwaway
315
- // doc — never the shared seeded accounts. Mutating accounts.basic here
316
- // poisons every suite that runs afterward (its api.privateKey and
317
- // subscription are live fixtures for HTTP auth across the whole run).
318
-
319
- // Test 15: Admin can create a user document
320
- {
321
- name: 'admin-can-create-user-doc',
322
- auth: 'none',
323
-
324
- async run({ rules }) {
325
- const db = rules.asAccount('admin');
326
- const newUid = '_test-new-user-by-admin';
327
-
328
- // Should succeed - admin can create any user doc. The _test. email
329
- // prefix keeps this doc blocked at the marketing validation layer
330
- // (never reaches SendGrid/Beehiiv) even though a raw rules-context
331
- // Firestore write fires no auth events anyway.
332
- await rules.expectSuccess(
333
- db.doc(`users/${newUid}`).set({
334
- auth: { uid: newUid, email: '_test.new-user-by-admin@example.com' },
335
- roles: {},
336
- subscription: { product: { id: 'basic' }, status: 'active' },
337
- })
338
- );
339
- },
340
- },
341
-
342
- // Test 16: Admin can write any user's document
343
- {
344
- name: 'admin-can-write-any-user-doc',
345
- auth: 'none',
346
-
347
- async run({ rules }) {
348
- const db = rules.asAccount('admin');
349
-
350
- // Should succeed - admin can write any user doc
351
- await rules.expectSuccess(
352
- db.doc('users/_test-new-user-by-admin').set({
353
- profile: { updatedByAdmin: true },
354
- }, { merge: true })
355
- );
356
- },
357
- },
358
-
359
- // Test 17: Admin can write protected fields
360
- {
361
- name: 'admin-can-write-protected-fields',
362
- auth: 'none',
363
-
364
- async run({ rules }) {
365
- const db = rules.asAccount('admin');
366
-
367
- // Should succeed - admin can write protected fields
368
- await rules.expectSuccess(
369
- db.doc('users/_test-new-user-by-admin').set({
370
- roles: { premium: true },
371
- subscription: { product: { id: 'pro' }, status: 'active' },
372
- }, { merge: true })
373
- );
374
- },
375
- },
376
-
377
- // Test 18: Admin can delete a user document
378
- {
379
- name: 'admin-can-delete-user-doc',
380
- auth: 'none',
381
-
382
- async run({ rules }) {
383
- const db = rules.asAccount('admin');
384
-
385
- // Should succeed - admin can delete any user doc (the throwaway
386
- // created in test 15, which also cleans it up)
387
- await rules.expectSuccess(
388
- db.doc('users/_test-new-user-by-admin').delete()
389
- );
390
- },
391
- },
392
-
393
- // Note: User create/delete tests are omitted because users don't create or delete
394
- // their own documents - that's handled by system auth triggers (on-create/on-delete)
395
- ],
396
- };