backend-manager 5.9.5 → 5.9.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (244) hide show
  1. package/package.json +8 -1
  2. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
  3. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
  4. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
  5. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
  6. package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
  7. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
  8. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
  9. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
  10. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
  11. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
  12. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
  13. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
  14. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
  15. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
  16. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
  17. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
  18. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
  19. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
  20. package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
  21. package/src/test/fixtures/firebase-project/database-debug.log +12 -0
  22. package/src/test/fixtures/firebase-project/firestore-debug.log +136 -0
  23. package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
  24. package/.codeclimate.yml +0 -32
  25. package/.nvmrc +0 -1
  26. package/CHANGELOG.md +0 -1440
  27. package/PROGRESS.md +0 -93
  28. package/TODO-2.md +0 -121
  29. package/TODO-CHARGEBLAST.md +0 -32
  30. package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
  31. package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
  32. package/TODO-email-auth.md +0 -14
  33. package/TODO.md +0 -187
  34. package/plans/mcp2.md +0 -247
  35. package/plans/suspended-subscription-dead-zone.md +0 -97
  36. package/scripts/test-helper-providers.js +0 -162
  37. package/scripts/update-disposable-domains.js +0 -44
  38. package/templates/_.env +0 -42
  39. package/templates/_.gitignore +0 -60
  40. package/templates/backend-manager-config.json +0 -249
  41. package/templates/database.rules.json +0 -83
  42. package/templates/firebase.json +0 -66
  43. package/templates/firestore.indexes.json +0 -4
  44. package/templates/firestore.rules +0 -112
  45. package/templates/public/404.html +0 -26
  46. package/templates/public/index.html +0 -24
  47. package/templates/remoteconfig.template.json +0 -1
  48. package/templates/storage-lifecycle-config-1-day.json +0 -9
  49. package/templates/storage-lifecycle-config-30-days.json +0 -9
  50. package/templates/storage.rules +0 -8
  51. package/test/_init/accounts-validation.js +0 -58
  52. package/test/_legacy/ai/index.js +0 -231
  53. package/test/_legacy/ai/test.jpg +0 -0
  54. package/test/_legacy/ai/test.pdf +0 -0
  55. package/test/_legacy/index.js +0 -31
  56. package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
  57. package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
  58. package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
  59. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
  60. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
  61. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
  62. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
  63. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
  64. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
  65. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
  66. package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
  67. package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
  68. package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
  69. package/test/_legacy/payment-resolver/index.js +0 -1558
  70. package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
  71. package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
  72. package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
  73. package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
  74. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
  75. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
  76. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
  77. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
  78. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
  79. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
  80. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
  81. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
  82. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
  83. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
  84. package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
  85. package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
  86. package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
  87. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
  88. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
  89. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
  90. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
  91. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
  92. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
  93. package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
  94. package/test/_legacy/test-new +0 -1178
  95. package/test/_legacy/test.md +0 -89
  96. package/test/_legacy/usage.js +0 -175
  97. package/test/_legacy/user.js +0 -31
  98. package/test/ai/tools-live.js +0 -170
  99. package/test/boot/emulator-boots.js +0 -37
  100. package/test/content/blog-generate.js +0 -160
  101. package/test/email/campaign-send.js +0 -45
  102. package/test/email/consent-lifecycle.js +0 -257
  103. package/test/email/feedback-and-plain-send.js +0 -52
  104. package/test/email/fixtures/editorial.json +0 -30
  105. package/test/email/fixtures/field-report.json +0 -53
  106. package/test/email/marketing-lifecycle.js +0 -132
  107. package/test/email/newsletter-generate.js +0 -819
  108. package/test/email/newsletter-templates.js +0 -491
  109. package/test/email/templates.js +0 -207
  110. package/test/email/transactional-send.js +0 -34
  111. package/test/email/transactional.js +0 -560
  112. package/test/email/validation.js +0 -710
  113. package/test/events/auth-delete-race.js +0 -201
  114. package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
  115. package/test/events/payments/journey-payments-cancel.js +0 -182
  116. package/test/events/payments/journey-payments-discount.js +0 -89
  117. package/test/events/payments/journey-payments-failure.js +0 -146
  118. package/test/events/payments/journey-payments-legacy-product.js +0 -149
  119. package/test/events/payments/journey-payments-one-time-failure.js +0 -111
  120. package/test/events/payments/journey-payments-one-time.js +0 -136
  121. package/test/events/payments/journey-payments-plan-change.js +0 -144
  122. package/test/events/payments/journey-payments-refund-webhook.js +0 -180
  123. package/test/events/payments/journey-payments-suspend.js +0 -181
  124. package/test/events/payments/journey-payments-trial-cancel.js +0 -130
  125. package/test/events/payments/journey-payments-trial.js +0 -171
  126. package/test/events/payments/journey-payments-uid-resolution.js +0 -132
  127. package/test/events/payments/journey-payments-upgrade.js +0 -135
  128. package/test/fixtures/chargebee/invoice-one-time.json +0 -27
  129. package/test/fixtures/chargebee/subscription-active.json +0 -44
  130. package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
  131. package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
  132. package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
  133. package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
  134. package/test/fixtures/chargebee/subscription-paused.json +0 -42
  135. package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
  136. package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
  137. package/test/fixtures/paypal/order-approved.json +0 -62
  138. package/test/fixtures/paypal/order-completed.json +0 -110
  139. package/test/fixtures/paypal/subscription-active.json +0 -76
  140. package/test/fixtures/paypal/subscription-cancelled.json +0 -50
  141. package/test/fixtures/paypal/subscription-suspended.json +0 -65
  142. package/test/fixtures/stripe/checkout-session-completed.json +0 -130
  143. package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
  144. package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
  145. package/test/fixtures/stripe/subscription-active.json +0 -161
  146. package/test/fixtures/stripe/subscription-canceled.json +0 -161
  147. package/test/fixtures/stripe/subscription-trialing.json +0 -161
  148. package/test/functions/admin/database-read.js +0 -134
  149. package/test/functions/admin/database-write.js +0 -159
  150. package/test/functions/admin/edit-post.js +0 -366
  151. package/test/functions/admin/firestore-query.js +0 -207
  152. package/test/functions/admin/firestore-read.js +0 -129
  153. package/test/functions/admin/firestore-write.js +0 -105
  154. package/test/functions/admin/get-stats.js +0 -115
  155. package/test/functions/admin/send-email.js +0 -119
  156. package/test/functions/admin/send-notification.js +0 -208
  157. package/test/functions/admin/write-repo-content.js +0 -223
  158. package/test/functions/general/add-marketing-contact.js +0 -335
  159. package/test/functions/general/fetch-post.js +0 -54
  160. package/test/functions/general/generate-uuid.js +0 -114
  161. package/test/functions/test/authenticate.js +0 -64
  162. package/test/functions/user/create-custom-token.js +0 -73
  163. package/test/functions/user/delete.js +0 -135
  164. package/test/functions/user/get-active-sessions.js +0 -111
  165. package/test/functions/user/get-subscription-info.js +0 -99
  166. package/test/functions/user/regenerate-api-keys.js +0 -156
  167. package/test/functions/user/resolve.js +0 -52
  168. package/test/functions/user/sign-out-all-sessions.js +0 -94
  169. package/test/functions/user/sign-up.js +0 -252
  170. package/test/functions/user/submit-feedback.js +0 -104
  171. package/test/functions/user/validate-settings.js +0 -82
  172. package/test/helpers/ai-request-payload.js +0 -300
  173. package/test/helpers/ai-test-provider.js +0 -202
  174. package/test/helpers/ai-tools-format.js +0 -383
  175. package/test/helpers/content/blog-auto-publisher.js +0 -484
  176. package/test/helpers/content/feed-parser.js +0 -528
  177. package/test/helpers/content/ghostii-blocks.js +0 -134
  178. package/test/helpers/content/ghostii-feed-integration.js +0 -404
  179. package/test/helpers/content/ghostii-write-article.js +0 -243
  180. package/test/helpers/environment.js +0 -230
  181. package/test/helpers/infer-contact.js +0 -113
  182. package/test/helpers/merge-line-files.js +0 -271
  183. package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
  184. package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
  185. package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
  186. package/test/helpers/payment/paypal/parse-webhook.js +0 -539
  187. package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
  188. package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
  189. package/test/helpers/payment/stripe/parse-webhook.js +0 -447
  190. package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
  191. package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
  192. package/test/helpers/sanitize.js +0 -222
  193. package/test/helpers/slugify.js +0 -394
  194. package/test/helpers/storage.js +0 -194
  195. package/test/helpers/user.js +0 -755
  196. package/test/helpers/webhook-forward.js +0 -418
  197. package/test/mcp/discovery.js +0 -53
  198. package/test/mcp/oauth.js +0 -161
  199. package/test/mcp/protocol.js +0 -268
  200. package/test/mcp/roles.js +0 -188
  201. package/test/mcp/utils.js +0 -245
  202. package/test/routes/admin/create-post.js +0 -364
  203. package/test/routes/admin/database.js +0 -131
  204. package/test/routes/admin/deduplicate-image-alts.js +0 -190
  205. package/test/routes/admin/email.js +0 -114
  206. package/test/routes/admin/firestore-query.js +0 -204
  207. package/test/routes/admin/firestore.js +0 -127
  208. package/test/routes/admin/infer-contact.js +0 -218
  209. package/test/routes/admin/notification.js +0 -198
  210. package/test/routes/admin/post-resize-image.js +0 -184
  211. package/test/routes/admin/post.js +0 -368
  212. package/test/routes/admin/repo-content.js +0 -223
  213. package/test/routes/admin/stats.js +0 -112
  214. package/test/routes/content/post.js +0 -54
  215. package/test/routes/general/uuid.js +0 -115
  216. package/test/routes/marketing/campaign.js +0 -125
  217. package/test/routes/marketing/contact.js +0 -370
  218. package/test/routes/marketing/email-preferences.js +0 -292
  219. package/test/routes/marketing/push-send.js +0 -32
  220. package/test/routes/marketing/webhook-forward.js +0 -61
  221. package/test/routes/marketing/webhook.js +0 -639
  222. package/test/routes/payments/cancel.js +0 -163
  223. package/test/routes/payments/discount.js +0 -80
  224. package/test/routes/payments/dispute-alert.js +0 -320
  225. package/test/routes/payments/intent.js +0 -336
  226. package/test/routes/payments/portal.js +0 -92
  227. package/test/routes/payments/refund.js +0 -179
  228. package/test/routes/payments/trial-eligibility.js +0 -71
  229. package/test/routes/payments/webhook.js +0 -107
  230. package/test/routes/test/authenticate.js +0 -59
  231. package/test/routes/test/schema.js +0 -554
  232. package/test/routes/test/usage.js +0 -342
  233. package/test/routes/user/api-keys.js +0 -156
  234. package/test/routes/user/delete.js +0 -136
  235. package/test/routes/user/feedback.js +0 -104
  236. package/test/routes/user/sessions.js +0 -199
  237. package/test/routes/user/settings-validate.js +0 -82
  238. package/test/routes/user/signup.js +0 -542
  239. package/test/routes/user/subscription.js +0 -99
  240. package/test/routes/user/token.js +0 -73
  241. package/test/routes/user/user.js +0 -157
  242. package/test/rules/notifications.js +0 -410
  243. package/test/rules/payments-carts.js +0 -371
  244. package/test/rules/user.js +0 -396
@@ -1,396 +0,0 @@
1
- /**
2
- * Test: Firestore Security Rules - User Documents
3
- * Tests that security rules correctly protect user data
4
- *
5
- * Rules being tested:
6
- * - Users can read their own document
7
- * - Users can write to their own document (non-protected fields only)
8
- * - Users cannot read/write other users' documents
9
- * - Protected fields (auth, roles, flags, subscription, affiliate, api, metadata, usage, consent) cannot be written by users
10
- *
11
- * @see templates/firestore.rules
12
- */
13
- module.exports = {
14
- description: 'Firestore security rules for user documents',
15
- type: 'group',
16
- timeout: 30000,
17
-
18
- tests: [
19
- // Test 1: User can read their own document
20
- {
21
- name: 'user-can-read-own-doc',
22
- auth: 'none', // We use rules context, not http auth
23
-
24
- async run({ rules, accounts }) {
25
- const uid = accounts.basic.uid;
26
- const db = rules.asAccount('basic');
27
-
28
- // Should succeed - reading own document
29
- await rules.expectSuccess(
30
- db.doc(`users/${uid}`).get()
31
- );
32
- },
33
- },
34
-
35
- // Test 2: User cannot read another user's document
36
- {
37
- name: 'user-cannot-read-other-doc',
38
- auth: 'none',
39
-
40
- async run({ rules, accounts }) {
41
- const otherUid = accounts.admin.uid;
42
- const db = rules.asAccount('basic');
43
-
44
- // Should fail - reading another user's document
45
- await rules.expectFailure(
46
- db.doc(`users/${otherUid}`).get()
47
- );
48
- },
49
- },
50
-
51
- // Test 3: Unauthenticated user cannot read any user document
52
- {
53
- name: 'anonymous-cannot-read-user-doc',
54
- auth: 'none',
55
-
56
- async run({ rules, accounts }) {
57
- const uid = accounts.basic.uid;
58
- const db = rules.asAnonymous();
59
-
60
- // Should fail - unauthenticated read
61
- await rules.expectFailure(
62
- db.doc(`users/${uid}`).get()
63
- );
64
- },
65
- },
66
-
67
- // Test 4: User can write non-protected fields to own document
68
- {
69
- name: 'user-can-write-non-protected-fields',
70
- auth: 'none',
71
-
72
- async run({ rules, accounts }) {
73
- const uid = accounts.basic.uid;
74
- const db = rules.asAccount('basic');
75
-
76
- // Should succeed - writing allowed fields
77
- await rules.expectSuccess(
78
- db.doc(`users/${uid}`).set({
79
- profile: {
80
- displayName: 'Test User',
81
- bio: 'This is my bio',
82
- },
83
- preferences: {
84
- theme: 'dark',
85
- notifications: true,
86
- },
87
- }, { merge: true })
88
- );
89
- },
90
- },
91
-
92
- // Test 5: User cannot write 'auth' field (protected)
93
- {
94
- name: 'user-cannot-write-auth-field',
95
- auth: 'none',
96
-
97
- async run({ rules, accounts }) {
98
- const uid = accounts.basic.uid;
99
- const db = rules.asAccount('basic');
100
-
101
- // Should fail - auth is protected
102
- await rules.expectFailure(
103
- db.doc(`users/${uid}`).set({
104
- auth: {
105
- uid: 'hacked-uid',
106
- email: 'hacked@example.com',
107
- },
108
- }, { merge: true })
109
- );
110
- },
111
- },
112
-
113
- // Test 6: User cannot write 'roles' field (protected)
114
- {
115
- name: 'user-cannot-write-roles-field',
116
- auth: 'none',
117
-
118
- async run({ rules, accounts }) {
119
- const uid = accounts.basic.uid;
120
- const db = rules.asAccount('basic');
121
-
122
- // Should fail - roles is protected
123
- await rules.expectFailure(
124
- db.doc(`users/${uid}`).set({
125
- roles: {
126
- admin: true,
127
- },
128
- }, { merge: true })
129
- );
130
- },
131
- },
132
-
133
- // Test 7: User cannot write 'subscription' field (protected)
134
- {
135
- name: 'user-cannot-write-subscription-field',
136
- auth: 'none',
137
-
138
- async run({ rules, accounts }) {
139
- const uid = accounts.basic.uid;
140
- const db = rules.asAccount('basic');
141
-
142
- // Should fail - subscription is protected
143
- await rules.expectFailure(
144
- db.doc(`users/${uid}`).set({
145
- subscription: {
146
- product: { id: 'premium' },
147
- status: 'active',
148
- },
149
- }, { merge: true })
150
- );
151
- },
152
- },
153
-
154
- // Test 8: User cannot write 'api' field (protected - contains privateKey)
155
- {
156
- name: 'user-cannot-write-api-field',
157
- auth: 'none',
158
-
159
- async run({ rules, accounts }) {
160
- const uid = accounts.basic.uid;
161
- const db = rules.asAccount('basic');
162
-
163
- // Should fail - api is protected
164
- await rules.expectFailure(
165
- db.doc(`users/${uid}`).set({
166
- api: {
167
- privateKey: 'stolen-key',
168
- clientId: 'fake-client',
169
- },
170
- }, { merge: true })
171
- );
172
- },
173
- },
174
-
175
- // Test 9: User cannot write 'flags' field (protected - system flags)
176
- {
177
- name: 'user-cannot-write-flags-field',
178
- auth: 'none',
179
-
180
- async run({ rules, accounts }) {
181
- const uid = accounts.basic.uid;
182
- const db = rules.asAccount('basic');
183
-
184
- // Should fail - flags is protected
185
- // Use a unique value to ensure isUpdatingField triggers
186
- await rules.expectFailure(
187
- db.doc(`users/${uid}`).set({
188
- flags: {
189
- hacked: true,
190
- },
191
- }, { merge: true })
192
- );
193
- },
194
- },
195
-
196
- // Test 10: User cannot write 'usage' field (protected - tracked by server)
197
- {
198
- name: 'user-cannot-write-usage-field',
199
- auth: 'none',
200
-
201
- async run({ rules, accounts }) {
202
- const uid = accounts.basic.uid;
203
- const db = rules.asAccount('basic');
204
-
205
- // Should fail - usage is protected
206
- await rules.expectFailure(
207
- db.doc(`users/${uid}`).set({
208
- usage: {
209
- requests: 0, // Try to reset usage
210
- },
211
- }, { merge: true })
212
- );
213
- },
214
- },
215
-
216
- // Test 11: User cannot write 'affiliate' field (protected)
217
- {
218
- name: 'user-cannot-write-affiliate-field',
219
- auth: 'none',
220
-
221
- async run({ rules, accounts }) {
222
- const uid = accounts.basic.uid;
223
- const db = rules.asAccount('basic');
224
-
225
- // Should fail - affiliate is protected
226
- await rules.expectFailure(
227
- db.doc(`users/${uid}`).set({
228
- affiliate: {
229
- code: 'STOLEN',
230
- referrals: [],
231
- },
232
- }, { merge: true })
233
- );
234
- },
235
- },
236
-
237
- // Test 11.5: User cannot write 'consent' field (protected - server-only)
238
- {
239
- name: 'user-cannot-write-consent-field',
240
- auth: 'none',
241
-
242
- async run({ rules, accounts }) {
243
- const uid = accounts.basic.uid;
244
- const db = rules.asAccount('basic');
245
-
246
- // Should fail - consent is protected (only signup route + webhook
247
- // processors can mutate it server-side; a client write would let a
248
- // user retroactively forge their own consent record).
249
- // Use a value that can't match any prior state — earlier tests
250
- // (email-preferences) may have set marketing.status to 'granted',
251
- // and writing the SAME value is a no-op the rules correctly allow.
252
- await rules.expectFailure(
253
- db.doc(`users/${uid}`).set({
254
- consent: {
255
- marketing: { status: 'forged' },
256
- },
257
- }, { merge: true })
258
- );
259
- },
260
- },
261
-
262
- // Test 12: User cannot write to another user's document
263
- {
264
- name: 'user-cannot-write-other-doc',
265
- auth: 'none',
266
-
267
- async run({ rules, accounts }) {
268
- const otherUid = accounts['premium-active'].uid;
269
- const db = rules.asAccount('basic');
270
-
271
- // Should fail - writing to another user's document
272
- await rules.expectFailure(
273
- db.doc(`users/${otherUid}`).set({
274
- profile: { hacked: true },
275
- }, { merge: true })
276
- );
277
- },
278
- },
279
-
280
- // Test 13: Unauthenticated user cannot write to any user document
281
- {
282
- name: 'anonymous-cannot-write-user-doc',
283
- auth: 'none',
284
-
285
- async run({ rules, accounts }) {
286
- const uid = accounts.basic.uid;
287
- const db = rules.asAnonymous();
288
-
289
- // Should fail - unauthenticated write
290
- await rules.expectFailure(
291
- db.doc(`users/${uid}`).set({
292
- profile: { displayName: 'Anonymous Hacker' },
293
- }, { merge: true })
294
- );
295
- },
296
- },
297
-
298
- // Test 14: Admin can read any user's document
299
- {
300
- name: 'admin-can-read-any-user-doc',
301
- auth: 'none',
302
-
303
- async run({ rules, accounts }) {
304
- const basicUid = accounts.basic.uid;
305
- const db = rules.asAccount('admin');
306
-
307
- // Should succeed - admin can read any user doc
308
- await rules.expectSuccess(
309
- db.doc(`users/${basicUid}`).get()
310
- );
311
- },
312
- },
313
-
314
- // Tests 15–18 exercise admin write/create/delete on a DEDICATED throwaway
315
- // doc — never the shared seeded accounts. Mutating accounts.basic here
316
- // poisons every suite that runs afterward (its api.privateKey and
317
- // subscription are live fixtures for HTTP auth across the whole run).
318
-
319
- // Test 15: Admin can create a user document
320
- {
321
- name: 'admin-can-create-user-doc',
322
- auth: 'none',
323
-
324
- async run({ rules }) {
325
- const db = rules.asAccount('admin');
326
- const newUid = '_test-new-user-by-admin';
327
-
328
- // Should succeed - admin can create any user doc. The _test. email
329
- // prefix keeps this doc blocked at the marketing validation layer
330
- // (never reaches SendGrid/Beehiiv) even though a raw rules-context
331
- // Firestore write fires no auth events anyway.
332
- await rules.expectSuccess(
333
- db.doc(`users/${newUid}`).set({
334
- auth: { uid: newUid, email: '_test.new-user-by-admin@example.com' },
335
- roles: {},
336
- subscription: { product: { id: 'basic' }, status: 'active' },
337
- })
338
- );
339
- },
340
- },
341
-
342
- // Test 16: Admin can write any user's document
343
- {
344
- name: 'admin-can-write-any-user-doc',
345
- auth: 'none',
346
-
347
- async run({ rules }) {
348
- const db = rules.asAccount('admin');
349
-
350
- // Should succeed - admin can write any user doc
351
- await rules.expectSuccess(
352
- db.doc('users/_test-new-user-by-admin').set({
353
- profile: { updatedByAdmin: true },
354
- }, { merge: true })
355
- );
356
- },
357
- },
358
-
359
- // Test 17: Admin can write protected fields
360
- {
361
- name: 'admin-can-write-protected-fields',
362
- auth: 'none',
363
-
364
- async run({ rules }) {
365
- const db = rules.asAccount('admin');
366
-
367
- // Should succeed - admin can write protected fields
368
- await rules.expectSuccess(
369
- db.doc('users/_test-new-user-by-admin').set({
370
- roles: { premium: true },
371
- subscription: { product: { id: 'pro' }, status: 'active' },
372
- }, { merge: true })
373
- );
374
- },
375
- },
376
-
377
- // Test 18: Admin can delete a user document
378
- {
379
- name: 'admin-can-delete-user-doc',
380
- auth: 'none',
381
-
382
- async run({ rules }) {
383
- const db = rules.asAccount('admin');
384
-
385
- // Should succeed - admin can delete any user doc (the throwaway
386
- // created in test 15, which also cleans it up)
387
- await rules.expectSuccess(
388
- db.doc('users/_test-new-user-by-admin').delete()
389
- );
390
- },
391
- },
392
-
393
- // Note: User create/delete tests are omitted because users don't create or delete
394
- // their own documents - that's handled by system auth triggers (on-create/on-delete)
395
- ],
396
- };