backend-manager 5.9.5 → 5.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (246) hide show
  1. package/package.json +8 -1
  2. package/src/manager/events/cron/runner.js +0 -1
  3. package/src/manager/libraries/email/data/disposable-domains.json +21 -0
  4. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
  5. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
  6. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
  7. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
  8. package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
  9. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
  10. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
  11. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
  12. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
  13. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
  14. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
  15. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
  16. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
  17. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
  18. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
  19. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
  20. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
  21. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
  22. package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
  23. package/src/test/fixtures/firebase-project/database-debug.log +12 -0
  24. package/src/test/fixtures/firebase-project/firestore-debug.log +132 -0
  25. package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
  26. package/.codeclimate.yml +0 -32
  27. package/.nvmrc +0 -1
  28. package/CHANGELOG.md +0 -1440
  29. package/PROGRESS.md +0 -93
  30. package/TODO-2.md +0 -121
  31. package/TODO-CHARGEBLAST.md +0 -32
  32. package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
  33. package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
  34. package/TODO-email-auth.md +0 -14
  35. package/TODO.md +0 -187
  36. package/plans/mcp2.md +0 -247
  37. package/plans/suspended-subscription-dead-zone.md +0 -97
  38. package/scripts/test-helper-providers.js +0 -162
  39. package/scripts/update-disposable-domains.js +0 -44
  40. package/templates/_.env +0 -42
  41. package/templates/_.gitignore +0 -60
  42. package/templates/backend-manager-config.json +0 -249
  43. package/templates/database.rules.json +0 -83
  44. package/templates/firebase.json +0 -66
  45. package/templates/firestore.indexes.json +0 -4
  46. package/templates/firestore.rules +0 -112
  47. package/templates/public/404.html +0 -26
  48. package/templates/public/index.html +0 -24
  49. package/templates/remoteconfig.template.json +0 -1
  50. package/templates/storage-lifecycle-config-1-day.json +0 -9
  51. package/templates/storage-lifecycle-config-30-days.json +0 -9
  52. package/templates/storage.rules +0 -8
  53. package/test/_init/accounts-validation.js +0 -58
  54. package/test/_legacy/ai/index.js +0 -231
  55. package/test/_legacy/ai/test.jpg +0 -0
  56. package/test/_legacy/ai/test.pdf +0 -0
  57. package/test/_legacy/index.js +0 -31
  58. package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
  59. package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
  60. package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
  61. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
  62. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
  63. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
  64. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
  65. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
  66. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
  67. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
  68. package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
  69. package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
  70. package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
  71. package/test/_legacy/payment-resolver/index.js +0 -1558
  72. package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
  73. package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
  74. package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
  75. package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
  76. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
  77. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
  78. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
  79. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
  80. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
  81. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
  82. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
  83. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
  84. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
  85. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
  86. package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
  87. package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
  88. package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
  89. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
  90. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
  91. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
  92. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
  93. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
  94. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
  95. package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
  96. package/test/_legacy/test-new +0 -1178
  97. package/test/_legacy/test.md +0 -89
  98. package/test/_legacy/usage.js +0 -175
  99. package/test/_legacy/user.js +0 -31
  100. package/test/ai/tools-live.js +0 -170
  101. package/test/boot/emulator-boots.js +0 -37
  102. package/test/content/blog-generate.js +0 -160
  103. package/test/email/campaign-send.js +0 -45
  104. package/test/email/consent-lifecycle.js +0 -257
  105. package/test/email/feedback-and-plain-send.js +0 -52
  106. package/test/email/fixtures/editorial.json +0 -30
  107. package/test/email/fixtures/field-report.json +0 -53
  108. package/test/email/marketing-lifecycle.js +0 -132
  109. package/test/email/newsletter-generate.js +0 -819
  110. package/test/email/newsletter-templates.js +0 -491
  111. package/test/email/templates.js +0 -207
  112. package/test/email/transactional-send.js +0 -34
  113. package/test/email/transactional.js +0 -560
  114. package/test/email/validation.js +0 -710
  115. package/test/events/auth-delete-race.js +0 -201
  116. package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
  117. package/test/events/payments/journey-payments-cancel.js +0 -182
  118. package/test/events/payments/journey-payments-discount.js +0 -89
  119. package/test/events/payments/journey-payments-failure.js +0 -146
  120. package/test/events/payments/journey-payments-legacy-product.js +0 -149
  121. package/test/events/payments/journey-payments-one-time-failure.js +0 -111
  122. package/test/events/payments/journey-payments-one-time.js +0 -136
  123. package/test/events/payments/journey-payments-plan-change.js +0 -144
  124. package/test/events/payments/journey-payments-refund-webhook.js +0 -180
  125. package/test/events/payments/journey-payments-suspend.js +0 -181
  126. package/test/events/payments/journey-payments-trial-cancel.js +0 -130
  127. package/test/events/payments/journey-payments-trial.js +0 -171
  128. package/test/events/payments/journey-payments-uid-resolution.js +0 -132
  129. package/test/events/payments/journey-payments-upgrade.js +0 -135
  130. package/test/fixtures/chargebee/invoice-one-time.json +0 -27
  131. package/test/fixtures/chargebee/subscription-active.json +0 -44
  132. package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
  133. package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
  134. package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
  135. package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
  136. package/test/fixtures/chargebee/subscription-paused.json +0 -42
  137. package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
  138. package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
  139. package/test/fixtures/paypal/order-approved.json +0 -62
  140. package/test/fixtures/paypal/order-completed.json +0 -110
  141. package/test/fixtures/paypal/subscription-active.json +0 -76
  142. package/test/fixtures/paypal/subscription-cancelled.json +0 -50
  143. package/test/fixtures/paypal/subscription-suspended.json +0 -65
  144. package/test/fixtures/stripe/checkout-session-completed.json +0 -130
  145. package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
  146. package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
  147. package/test/fixtures/stripe/subscription-active.json +0 -161
  148. package/test/fixtures/stripe/subscription-canceled.json +0 -161
  149. package/test/fixtures/stripe/subscription-trialing.json +0 -161
  150. package/test/functions/admin/database-read.js +0 -134
  151. package/test/functions/admin/database-write.js +0 -159
  152. package/test/functions/admin/edit-post.js +0 -366
  153. package/test/functions/admin/firestore-query.js +0 -207
  154. package/test/functions/admin/firestore-read.js +0 -129
  155. package/test/functions/admin/firestore-write.js +0 -105
  156. package/test/functions/admin/get-stats.js +0 -115
  157. package/test/functions/admin/send-email.js +0 -119
  158. package/test/functions/admin/send-notification.js +0 -208
  159. package/test/functions/admin/write-repo-content.js +0 -223
  160. package/test/functions/general/add-marketing-contact.js +0 -335
  161. package/test/functions/general/fetch-post.js +0 -54
  162. package/test/functions/general/generate-uuid.js +0 -114
  163. package/test/functions/test/authenticate.js +0 -64
  164. package/test/functions/user/create-custom-token.js +0 -73
  165. package/test/functions/user/delete.js +0 -135
  166. package/test/functions/user/get-active-sessions.js +0 -111
  167. package/test/functions/user/get-subscription-info.js +0 -99
  168. package/test/functions/user/regenerate-api-keys.js +0 -156
  169. package/test/functions/user/resolve.js +0 -52
  170. package/test/functions/user/sign-out-all-sessions.js +0 -94
  171. package/test/functions/user/sign-up.js +0 -252
  172. package/test/functions/user/submit-feedback.js +0 -104
  173. package/test/functions/user/validate-settings.js +0 -82
  174. package/test/helpers/ai-request-payload.js +0 -300
  175. package/test/helpers/ai-test-provider.js +0 -202
  176. package/test/helpers/ai-tools-format.js +0 -383
  177. package/test/helpers/content/blog-auto-publisher.js +0 -484
  178. package/test/helpers/content/feed-parser.js +0 -528
  179. package/test/helpers/content/ghostii-blocks.js +0 -134
  180. package/test/helpers/content/ghostii-feed-integration.js +0 -404
  181. package/test/helpers/content/ghostii-write-article.js +0 -243
  182. package/test/helpers/environment.js +0 -230
  183. package/test/helpers/infer-contact.js +0 -113
  184. package/test/helpers/merge-line-files.js +0 -271
  185. package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
  186. package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
  187. package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
  188. package/test/helpers/payment/paypal/parse-webhook.js +0 -539
  189. package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
  190. package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
  191. package/test/helpers/payment/stripe/parse-webhook.js +0 -447
  192. package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
  193. package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
  194. package/test/helpers/sanitize.js +0 -222
  195. package/test/helpers/slugify.js +0 -394
  196. package/test/helpers/storage.js +0 -194
  197. package/test/helpers/user.js +0 -755
  198. package/test/helpers/webhook-forward.js +0 -418
  199. package/test/mcp/discovery.js +0 -53
  200. package/test/mcp/oauth.js +0 -161
  201. package/test/mcp/protocol.js +0 -268
  202. package/test/mcp/roles.js +0 -188
  203. package/test/mcp/utils.js +0 -245
  204. package/test/routes/admin/create-post.js +0 -364
  205. package/test/routes/admin/database.js +0 -131
  206. package/test/routes/admin/deduplicate-image-alts.js +0 -190
  207. package/test/routes/admin/email.js +0 -114
  208. package/test/routes/admin/firestore-query.js +0 -204
  209. package/test/routes/admin/firestore.js +0 -127
  210. package/test/routes/admin/infer-contact.js +0 -218
  211. package/test/routes/admin/notification.js +0 -198
  212. package/test/routes/admin/post-resize-image.js +0 -184
  213. package/test/routes/admin/post.js +0 -368
  214. package/test/routes/admin/repo-content.js +0 -223
  215. package/test/routes/admin/stats.js +0 -112
  216. package/test/routes/content/post.js +0 -54
  217. package/test/routes/general/uuid.js +0 -115
  218. package/test/routes/marketing/campaign.js +0 -125
  219. package/test/routes/marketing/contact.js +0 -370
  220. package/test/routes/marketing/email-preferences.js +0 -292
  221. package/test/routes/marketing/push-send.js +0 -32
  222. package/test/routes/marketing/webhook-forward.js +0 -61
  223. package/test/routes/marketing/webhook.js +0 -639
  224. package/test/routes/payments/cancel.js +0 -163
  225. package/test/routes/payments/discount.js +0 -80
  226. package/test/routes/payments/dispute-alert.js +0 -320
  227. package/test/routes/payments/intent.js +0 -336
  228. package/test/routes/payments/portal.js +0 -92
  229. package/test/routes/payments/refund.js +0 -179
  230. package/test/routes/payments/trial-eligibility.js +0 -71
  231. package/test/routes/payments/webhook.js +0 -107
  232. package/test/routes/test/authenticate.js +0 -59
  233. package/test/routes/test/schema.js +0 -554
  234. package/test/routes/test/usage.js +0 -342
  235. package/test/routes/user/api-keys.js +0 -156
  236. package/test/routes/user/delete.js +0 -136
  237. package/test/routes/user/feedback.js +0 -104
  238. package/test/routes/user/sessions.js +0 -199
  239. package/test/routes/user/settings-validate.js +0 -82
  240. package/test/routes/user/signup.js +0 -542
  241. package/test/routes/user/subscription.js +0 -99
  242. package/test/routes/user/token.js +0 -73
  243. package/test/routes/user/user.js +0 -157
  244. package/test/rules/notifications.js +0 -410
  245. package/test/rules/payments-carts.js +0 -371
  246. package/test/rules/user.js +0 -396
@@ -1,292 +0,0 @@
1
- /**
2
- * Test: POST /marketing/email-preferences
3
- *
4
- * Two modes:
5
- * - Anonymous HMAC: from email-footer unsubscribe link. Requires email + asmId + sig.
6
- * Hits SendGrid ASM and (NEW) mirrors to user doc if email maps to a user.
7
- * - Authenticated: from account-page toggle. Requires only `action`.
8
- * Writes consent.marketing to user doc with source='account' and hits SendGrid + Beehiiv
9
- * via the email library.
10
- *
11
- * Set TEST_EXTENDED_MODE=true to hit real SendGrid + Beehiiv. Otherwise provider calls
12
- * are skipped but user-doc mutations still happen.
13
- */
14
- const crypto = require('crypto');
15
-
16
- const TEST_EMAIL = 'rachel.greene+bem-unsub@gmail.com';
17
- const TEST_ASM_ID = '24077';
18
-
19
- function generateSig(email) {
20
- return crypto.createHmac('sha256', process.env.UNSUBSCRIBE_HMAC_KEY).update(email.toLowerCase()).digest('hex');
21
- }
22
-
23
- module.exports = {
24
- description: 'Marketing email-preferences (anonymous HMAC + authenticated)',
25
- type: 'group',
26
- tests: [
27
- // ─── Anonymous HMAC flow ───
28
-
29
- {
30
- name: 'anon-unsubscribe-valid-sig-succeeds',
31
- auth: 'none',
32
- timeout: 15000,
33
- async run({ http, assert }) {
34
- const sig = generateSig(TEST_EMAIL);
35
- const response = await http.post('backend-manager/marketing/email-preferences', {
36
- email: TEST_EMAIL,
37
- asmId: TEST_ASM_ID,
38
- action: 'unsubscribe',
39
- sig,
40
- });
41
- assert.isSuccess(response, 'Unsubscribe with valid sig should succeed');
42
- assert.propertyEquals(response, 'data.success', true, 'success should be true');
43
- },
44
- },
45
-
46
- {
47
- name: 'anon-subscribe-valid-sig-succeeds',
48
- auth: 'none',
49
- timeout: 15000,
50
- async run({ http, assert }) {
51
- const sig = generateSig(TEST_EMAIL);
52
- const response = await http.post('backend-manager/marketing/email-preferences', {
53
- email: TEST_EMAIL,
54
- asmId: TEST_ASM_ID,
55
- action: 'subscribe',
56
- sig,
57
- });
58
- assert.isSuccess(response, 'Subscribe with valid sig should succeed');
59
- assert.propertyEquals(response, 'data.success', true, 'success should be true');
60
- },
61
- },
62
-
63
- {
64
- name: 'anon-resubscribe-rejected',
65
- auth: 'none',
66
- timeout: 15000,
67
- async run({ http, assert }) {
68
- // Old 'resubscribe' action is no longer accepted — must use 'subscribe'
69
- const sig = generateSig(TEST_EMAIL);
70
- const response = await http.post('backend-manager/marketing/email-preferences', {
71
- email: TEST_EMAIL,
72
- asmId: TEST_ASM_ID,
73
- action: 'resubscribe',
74
- sig,
75
- });
76
- assert.isError(response, 400, 'Old "resubscribe" action should be rejected');
77
- },
78
- },
79
-
80
- {
81
- name: 'anon-invalid-sig-rejected',
82
- auth: 'none',
83
- timeout: 15000,
84
- async run({ http, assert }) {
85
- const response = await http.post('backend-manager/marketing/email-preferences', {
86
- email: TEST_EMAIL,
87
- asmId: TEST_ASM_ID,
88
- action: 'unsubscribe',
89
- sig: 'invalid-signature-value',
90
- });
91
- assert.isError(response, 403, 'Invalid sig should return 403');
92
- },
93
- },
94
-
95
- {
96
- name: 'anon-missing-email-rejected',
97
- auth: 'none',
98
- timeout: 15000,
99
- async run({ http, assert }) {
100
- const response = await http.post('backend-manager/marketing/email-preferences', {
101
- asmId: TEST_ASM_ID,
102
- action: 'unsubscribe',
103
- sig: 'anything',
104
- });
105
- assert.isError(response, 400, 'Missing email should return 400');
106
- },
107
- },
108
-
109
- {
110
- name: 'anon-invalid-email-rejected',
111
- auth: 'none',
112
- timeout: 15000,
113
- async run({ http, assert }) {
114
- const sig = generateSig('not-an-email');
115
- const response = await http.post('backend-manager/marketing/email-preferences', {
116
- email: 'not-an-email',
117
- asmId: TEST_ASM_ID,
118
- action: 'unsubscribe',
119
- sig,
120
- });
121
- assert.isError(response, 400, 'Invalid email format should return 400');
122
- },
123
- },
124
-
125
- {
126
- name: 'anon-missing-asmid-rejected',
127
- auth: 'none',
128
- timeout: 15000,
129
- async run({ http, assert }) {
130
- const sig = generateSig(TEST_EMAIL);
131
- const response = await http.post('backend-manager/marketing/email-preferences', {
132
- email: TEST_EMAIL,
133
- action: 'unsubscribe',
134
- sig,
135
- });
136
- assert.isError(response, 400, 'Missing asmId should return 400');
137
- },
138
- },
139
-
140
- {
141
- name: 'anon-invalid-action-rejected',
142
- auth: 'none',
143
- timeout: 15000,
144
- async run({ http, assert }) {
145
- const sig = generateSig(TEST_EMAIL);
146
- const response = await http.post('backend-manager/marketing/email-preferences', {
147
- email: TEST_EMAIL,
148
- asmId: TEST_ASM_ID,
149
- action: 'delete',
150
- sig,
151
- });
152
- assert.isError(response, 400, 'Invalid action should return 400');
153
- },
154
- },
155
-
156
- {
157
- name: 'anon-wrong-email-sig-rejected',
158
- auth: 'none',
159
- timeout: 15000,
160
- async run({ http, assert }) {
161
- // sig generated for a different email — must not validate against TEST_EMAIL
162
- const sig = generateSig('someone-else@gmail.com');
163
- const response = await http.post('backend-manager/marketing/email-preferences', {
164
- email: TEST_EMAIL,
165
- asmId: TEST_ASM_ID,
166
- action: 'unsubscribe',
167
- sig,
168
- });
169
- assert.isError(response, 403, 'Sig for different email should return 403');
170
- },
171
- },
172
-
173
- // ─── Authenticated mode ───
174
-
175
- {
176
- name: 'auth-unsubscribe-writes-consent-and-records-source-account',
177
- auth: 'basic',
178
- timeout: 15000,
179
- async run({ http, firestore, assert, accounts }) {
180
- const uid = accounts.basic.uid;
181
-
182
- const beforeMs = Date.now();
183
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
184
- action: 'unsubscribe',
185
- });
186
- const afterMs = Date.now();
187
-
188
- assert.isSuccess(response, `Authenticated unsubscribe should succeed: ${JSON.stringify(response, null, 2)}`);
189
- assert.propertyEquals(response, 'data.success', true, 'success should be true');
190
- assert.propertyEquals(response, 'data.action', 'unsubscribe', 'action echoed in response');
191
-
192
- const userDoc = await firestore.get(`users/${uid}`);
193
-
194
- assert.equal(userDoc?.consent?.marketing?.status, 'revoked', 'consent.marketing.status should be revoked');
195
- assert.equal(userDoc?.consent?.marketing?.revokedAt?.source, 'account', 'revokedAt.source should be account');
196
- assert.ok(userDoc?.consent?.marketing?.revokedAt?.timestamp, 'revokedAt.timestamp should be set');
197
- assert.equal(typeof userDoc?.consent?.marketing?.revokedAt?.timestampUNIX, 'number', 'revokedAt.timestampUNIX should be number');
198
-
199
- // Server time used (defense against clock manipulation).
200
- // Server uses Math.round, so the stamped value can be 1 second past Math.floor(afterMs/1000)
201
- // when the request takes >500ms. Use Math.round on the upper bound + a small fudge.
202
- const revokedUNIX = userDoc.consent.marketing.revokedAt.timestampUNIX;
203
- const beforeUNIX = Math.floor(beforeMs / 1000);
204
- const afterUNIX = Math.round(afterMs / 1000) + 1;
205
- assert.ok(
206
- revokedUNIX >= beforeUNIX && revokedUNIX <= afterUNIX,
207
- `revokedAt.timestampUNIX (${revokedUNIX}) should be server time, between ${beforeUNIX} and ${afterUNIX}`
208
- );
209
- },
210
- },
211
-
212
- {
213
- name: 'auth-subscribe-after-unsubscribe-flips-status-keeps-prior-revokedAt',
214
- auth: 'basic',
215
- timeout: 15000,
216
- async run({ http, firestore, assert, accounts }) {
217
- const uid = accounts.basic.uid;
218
-
219
- // Capture revokedAt from the previous test
220
- const beforeDoc = await firestore.get(`users/${uid}`);
221
- const priorRevokedAt = beforeDoc?.consent?.marketing?.revokedAt;
222
- assert.ok(priorRevokedAt?.timestamp, 'Prior test should have left a revokedAt timestamp');
223
-
224
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
225
- action: 'subscribe',
226
- });
227
-
228
- assert.isSuccess(response, `Authenticated subscribe should succeed: ${JSON.stringify(response, null, 2)}`);
229
-
230
- const userDoc = await firestore.get(`users/${uid}`);
231
-
232
- // status flips
233
- assert.equal(userDoc?.consent?.marketing?.status, 'granted', 'status should flip to granted');
234
-
235
- // grantedAt populated with new server time + source=account
236
- assert.equal(userDoc?.consent?.marketing?.grantedAt?.source, 'account', 'grantedAt.source should be account');
237
- assert.ok(userDoc?.consent?.marketing?.grantedAt?.timestamp, 'grantedAt.timestamp should be set');
238
-
239
- // revokedAt UNTOUCHED — still reflects the most recent revoke
240
- assert.equal(
241
- userDoc?.consent?.marketing?.revokedAt?.timestamp,
242
- priorRevokedAt.timestamp,
243
- 'revokedAt.timestamp should be preserved from prior revoke'
244
- );
245
- assert.equal(
246
- userDoc?.consent?.marketing?.revokedAt?.source,
247
- priorRevokedAt.source,
248
- 'revokedAt.source should be preserved from prior revoke'
249
- );
250
- },
251
- },
252
-
253
- {
254
- name: 'auth-invalid-action-rejected',
255
- auth: 'basic',
256
- timeout: 15000,
257
- async run({ http, assert }) {
258
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
259
- action: 'delete',
260
- });
261
- assert.isError(response, 400, 'Invalid action should return 400');
262
- },
263
- },
264
-
265
- {
266
- name: 'auth-opt-in-old-name-rejected',
267
- auth: 'basic',
268
- timeout: 15000,
269
- async run({ http, assert }) {
270
- // Old proposed 'opt-in' is NOT accepted — must use 'subscribe'
271
- const response = await http.as('basic').post('backend-manager/marketing/email-preferences', {
272
- action: 'opt-in',
273
- });
274
- assert.isError(response, 400, 'Old "opt-in" name should be rejected (use "subscribe")');
275
- },
276
- },
277
-
278
- {
279
- name: 'unauthenticated-without-sig-rejected',
280
- auth: 'none',
281
- timeout: 15000,
282
- async run({ http, assert }) {
283
- // Unauthenticated + no sig → email field is required for HMAC path → 400.
284
- // (No auth means we hit the anonymous path; no email/asmId means missing-required.)
285
- const response = await http.post('backend-manager/marketing/email-preferences', {
286
- action: 'unsubscribe',
287
- });
288
- assert.isError(response, 400, 'Unauthenticated request without HMAC fields should 400');
289
- },
290
- },
291
- ],
292
- };
@@ -1,32 +0,0 @@
1
- /**
2
- * Test: Push notification send
3
- * Sends a test push notification to a specific FCM token.
4
- * Requires TEST_EXTENDED_MODE=true and TEST_FCM_TOKEN env var.
5
- */
6
- module.exports = {
7
- description: 'Push notification send',
8
- auth: 'admin',
9
- skip: !process.env.TEST_EXTENDED_MODE
10
- ? 'TEST_EXTENDED_MODE not set'
11
- : !process.env.TEST_FCM_TOKEN
12
- ? 'TEST_FCM_TOKEN env var not set'
13
- : false,
14
- timeout: 30000,
15
-
16
- async run({ http, assert, config }) {
17
- const response = await http.post('backend-manager/marketing/campaign', {
18
- name: '[TEST] Push notification',
19
- subject: 'This is a test push notification from BEM',
20
- type: 'push',
21
- test: true,
22
- sendAt: 'now',
23
- filters: { token: process.env.TEST_FCM_TOKEN },
24
- });
25
-
26
- assert.isSuccess(response, 'Should create and send push campaign');
27
- assert.ok(response.data.id, 'Should have campaign ID');
28
- assert.equal(response.data.status, 'sent', 'Should be sent immediately');
29
- assert.ok(response.data.providers?.push, 'Should have push result');
30
- assert.equal(response.data.providers.push.sent, 1, 'Should have sent to 1 token');
31
- },
32
- };
@@ -1,61 +0,0 @@
1
- /**
2
- * Test: POST /marketing/webhook/forward (parent forwarder)
3
- *
4
- * This route is gated to only work when Manager.config.parent === 'self'.
5
- * Most test runs happen on a CHILD brand (e.g. Somiibo's backend-manager-config.json
6
- * has `parent: 'https://api.itwcreativeworks.com'`), so the route should return 404.
7
- *
8
- * The actual fan-out behavior (reading brands collection, derive API URLs,
9
- * POST to each child) is verified by unit-style tests in test/helpers/webhook-forward.js
10
- * which exercise the forwarder logic against a mock admin + mock fetch — no emulator
11
- * round-trip required.
12
- *
13
- * This file only verifies the GATE: on a non-parent BEM, the route is invisible.
14
- */
15
- module.exports = {
16
- description: 'Marketing webhook forwarder gating (parent-only)',
17
- type: 'group',
18
- timeout: 15000,
19
-
20
- tests: [
21
- {
22
- name: 'forwarder-returns-404-on-non-parent-brand',
23
- auth: 'none',
24
- async run({ http, assert, config, skip }) {
25
- // This gate only applies to CHILD brands. If this brand IS the parent
26
- // (config.parent === 'self'), the forwarder route is visible by design,
27
- // so there's nothing to assert here — skip rather than fail.
28
- if (!config.parent || config.parent === 'self') {
29
- skip('Brand is its own parent (config.parent === "self") — forwarder gate does not apply');
30
- }
31
-
32
- const response = await http.as('none').post(
33
- `backend-manager/marketing/webhook/forward?provider=sendgrid&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
34
- [{ sg_event_id: 'should-not-process', event: 'group_unsubscribe', email: 'test@example.com' }]
35
- );
36
-
37
- assert.isError(response, 404, 'Forwarder should be invisible (404) on non-parent BEMs');
38
- },
39
- },
40
-
41
- {
42
- name: 'forwarder-returns-404-even-with-valid-key',
43
- auth: 'none',
44
- async run({ http, assert, config, skip }) {
45
- // Only meaningful on a CHILD brand. On the parent itself the forwarder is
46
- // visible by design, so skip rather than fail.
47
- if (!config.parent || config.parent === 'self') {
48
- skip('Brand is its own parent (config.parent === "self") — forwarder gate does not apply');
49
- }
50
-
51
- // A valid key shouldn't unlock the forwarder — gate is on config.parent, not key.
52
- const response = await http.as('none').post(
53
- `backend-manager/marketing/webhook/forward?provider=beehiiv&key=${process.env.BACKEND_MANAGER_WEBHOOK_KEY}`,
54
- { id: 'should-not-process', event: 'subscription.unsubscribed', email: 'test@example.com' }
55
- );
56
-
57
- assert.isError(response, 404, 'Even with valid key, non-parent returns 404');
58
- },
59
- },
60
- ],
61
- };