backend-manager 5.9.5 → 5.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (246) hide show
  1. package/package.json +8 -1
  2. package/src/manager/events/cron/runner.js +0 -1
  3. package/src/manager/libraries/email/data/disposable-domains.json +21 -0
  4. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
  5. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
  6. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
  7. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
  8. package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
  9. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
  10. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
  11. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
  12. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
  13. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
  14. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
  15. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
  16. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
  17. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
  18. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
  19. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
  20. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
  21. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
  22. package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
  23. package/src/test/fixtures/firebase-project/database-debug.log +12 -0
  24. package/src/test/fixtures/firebase-project/firestore-debug.log +132 -0
  25. package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
  26. package/.codeclimate.yml +0 -32
  27. package/.nvmrc +0 -1
  28. package/CHANGELOG.md +0 -1440
  29. package/PROGRESS.md +0 -93
  30. package/TODO-2.md +0 -121
  31. package/TODO-CHARGEBLAST.md +0 -32
  32. package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
  33. package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
  34. package/TODO-email-auth.md +0 -14
  35. package/TODO.md +0 -187
  36. package/plans/mcp2.md +0 -247
  37. package/plans/suspended-subscription-dead-zone.md +0 -97
  38. package/scripts/test-helper-providers.js +0 -162
  39. package/scripts/update-disposable-domains.js +0 -44
  40. package/templates/_.env +0 -42
  41. package/templates/_.gitignore +0 -60
  42. package/templates/backend-manager-config.json +0 -249
  43. package/templates/database.rules.json +0 -83
  44. package/templates/firebase.json +0 -66
  45. package/templates/firestore.indexes.json +0 -4
  46. package/templates/firestore.rules +0 -112
  47. package/templates/public/404.html +0 -26
  48. package/templates/public/index.html +0 -24
  49. package/templates/remoteconfig.template.json +0 -1
  50. package/templates/storage-lifecycle-config-1-day.json +0 -9
  51. package/templates/storage-lifecycle-config-30-days.json +0 -9
  52. package/templates/storage.rules +0 -8
  53. package/test/_init/accounts-validation.js +0 -58
  54. package/test/_legacy/ai/index.js +0 -231
  55. package/test/_legacy/ai/test.jpg +0 -0
  56. package/test/_legacy/ai/test.pdf +0 -0
  57. package/test/_legacy/index.js +0 -31
  58. package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
  59. package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
  60. package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
  61. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
  62. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
  63. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
  64. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
  65. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
  66. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
  67. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
  68. package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
  69. package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
  70. package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
  71. package/test/_legacy/payment-resolver/index.js +0 -1558
  72. package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
  73. package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
  74. package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
  75. package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
  76. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
  77. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
  78. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
  79. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
  80. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
  81. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
  82. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
  83. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
  84. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
  85. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
  86. package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
  87. package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
  88. package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
  89. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
  90. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
  91. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
  92. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
  93. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
  94. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
  95. package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
  96. package/test/_legacy/test-new +0 -1178
  97. package/test/_legacy/test.md +0 -89
  98. package/test/_legacy/usage.js +0 -175
  99. package/test/_legacy/user.js +0 -31
  100. package/test/ai/tools-live.js +0 -170
  101. package/test/boot/emulator-boots.js +0 -37
  102. package/test/content/blog-generate.js +0 -160
  103. package/test/email/campaign-send.js +0 -45
  104. package/test/email/consent-lifecycle.js +0 -257
  105. package/test/email/feedback-and-plain-send.js +0 -52
  106. package/test/email/fixtures/editorial.json +0 -30
  107. package/test/email/fixtures/field-report.json +0 -53
  108. package/test/email/marketing-lifecycle.js +0 -132
  109. package/test/email/newsletter-generate.js +0 -819
  110. package/test/email/newsletter-templates.js +0 -491
  111. package/test/email/templates.js +0 -207
  112. package/test/email/transactional-send.js +0 -34
  113. package/test/email/transactional.js +0 -560
  114. package/test/email/validation.js +0 -710
  115. package/test/events/auth-delete-race.js +0 -201
  116. package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
  117. package/test/events/payments/journey-payments-cancel.js +0 -182
  118. package/test/events/payments/journey-payments-discount.js +0 -89
  119. package/test/events/payments/journey-payments-failure.js +0 -146
  120. package/test/events/payments/journey-payments-legacy-product.js +0 -149
  121. package/test/events/payments/journey-payments-one-time-failure.js +0 -111
  122. package/test/events/payments/journey-payments-one-time.js +0 -136
  123. package/test/events/payments/journey-payments-plan-change.js +0 -144
  124. package/test/events/payments/journey-payments-refund-webhook.js +0 -180
  125. package/test/events/payments/journey-payments-suspend.js +0 -181
  126. package/test/events/payments/journey-payments-trial-cancel.js +0 -130
  127. package/test/events/payments/journey-payments-trial.js +0 -171
  128. package/test/events/payments/journey-payments-uid-resolution.js +0 -132
  129. package/test/events/payments/journey-payments-upgrade.js +0 -135
  130. package/test/fixtures/chargebee/invoice-one-time.json +0 -27
  131. package/test/fixtures/chargebee/subscription-active.json +0 -44
  132. package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
  133. package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
  134. package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
  135. package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
  136. package/test/fixtures/chargebee/subscription-paused.json +0 -42
  137. package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
  138. package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
  139. package/test/fixtures/paypal/order-approved.json +0 -62
  140. package/test/fixtures/paypal/order-completed.json +0 -110
  141. package/test/fixtures/paypal/subscription-active.json +0 -76
  142. package/test/fixtures/paypal/subscription-cancelled.json +0 -50
  143. package/test/fixtures/paypal/subscription-suspended.json +0 -65
  144. package/test/fixtures/stripe/checkout-session-completed.json +0 -130
  145. package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
  146. package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
  147. package/test/fixtures/stripe/subscription-active.json +0 -161
  148. package/test/fixtures/stripe/subscription-canceled.json +0 -161
  149. package/test/fixtures/stripe/subscription-trialing.json +0 -161
  150. package/test/functions/admin/database-read.js +0 -134
  151. package/test/functions/admin/database-write.js +0 -159
  152. package/test/functions/admin/edit-post.js +0 -366
  153. package/test/functions/admin/firestore-query.js +0 -207
  154. package/test/functions/admin/firestore-read.js +0 -129
  155. package/test/functions/admin/firestore-write.js +0 -105
  156. package/test/functions/admin/get-stats.js +0 -115
  157. package/test/functions/admin/send-email.js +0 -119
  158. package/test/functions/admin/send-notification.js +0 -208
  159. package/test/functions/admin/write-repo-content.js +0 -223
  160. package/test/functions/general/add-marketing-contact.js +0 -335
  161. package/test/functions/general/fetch-post.js +0 -54
  162. package/test/functions/general/generate-uuid.js +0 -114
  163. package/test/functions/test/authenticate.js +0 -64
  164. package/test/functions/user/create-custom-token.js +0 -73
  165. package/test/functions/user/delete.js +0 -135
  166. package/test/functions/user/get-active-sessions.js +0 -111
  167. package/test/functions/user/get-subscription-info.js +0 -99
  168. package/test/functions/user/regenerate-api-keys.js +0 -156
  169. package/test/functions/user/resolve.js +0 -52
  170. package/test/functions/user/sign-out-all-sessions.js +0 -94
  171. package/test/functions/user/sign-up.js +0 -252
  172. package/test/functions/user/submit-feedback.js +0 -104
  173. package/test/functions/user/validate-settings.js +0 -82
  174. package/test/helpers/ai-request-payload.js +0 -300
  175. package/test/helpers/ai-test-provider.js +0 -202
  176. package/test/helpers/ai-tools-format.js +0 -383
  177. package/test/helpers/content/blog-auto-publisher.js +0 -484
  178. package/test/helpers/content/feed-parser.js +0 -528
  179. package/test/helpers/content/ghostii-blocks.js +0 -134
  180. package/test/helpers/content/ghostii-feed-integration.js +0 -404
  181. package/test/helpers/content/ghostii-write-article.js +0 -243
  182. package/test/helpers/environment.js +0 -230
  183. package/test/helpers/infer-contact.js +0 -113
  184. package/test/helpers/merge-line-files.js +0 -271
  185. package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
  186. package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
  187. package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
  188. package/test/helpers/payment/paypal/parse-webhook.js +0 -539
  189. package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
  190. package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
  191. package/test/helpers/payment/stripe/parse-webhook.js +0 -447
  192. package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
  193. package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
  194. package/test/helpers/sanitize.js +0 -222
  195. package/test/helpers/slugify.js +0 -394
  196. package/test/helpers/storage.js +0 -194
  197. package/test/helpers/user.js +0 -755
  198. package/test/helpers/webhook-forward.js +0 -418
  199. package/test/mcp/discovery.js +0 -53
  200. package/test/mcp/oauth.js +0 -161
  201. package/test/mcp/protocol.js +0 -268
  202. package/test/mcp/roles.js +0 -188
  203. package/test/mcp/utils.js +0 -245
  204. package/test/routes/admin/create-post.js +0 -364
  205. package/test/routes/admin/database.js +0 -131
  206. package/test/routes/admin/deduplicate-image-alts.js +0 -190
  207. package/test/routes/admin/email.js +0 -114
  208. package/test/routes/admin/firestore-query.js +0 -204
  209. package/test/routes/admin/firestore.js +0 -127
  210. package/test/routes/admin/infer-contact.js +0 -218
  211. package/test/routes/admin/notification.js +0 -198
  212. package/test/routes/admin/post-resize-image.js +0 -184
  213. package/test/routes/admin/post.js +0 -368
  214. package/test/routes/admin/repo-content.js +0 -223
  215. package/test/routes/admin/stats.js +0 -112
  216. package/test/routes/content/post.js +0 -54
  217. package/test/routes/general/uuid.js +0 -115
  218. package/test/routes/marketing/campaign.js +0 -125
  219. package/test/routes/marketing/contact.js +0 -370
  220. package/test/routes/marketing/email-preferences.js +0 -292
  221. package/test/routes/marketing/push-send.js +0 -32
  222. package/test/routes/marketing/webhook-forward.js +0 -61
  223. package/test/routes/marketing/webhook.js +0 -639
  224. package/test/routes/payments/cancel.js +0 -163
  225. package/test/routes/payments/discount.js +0 -80
  226. package/test/routes/payments/dispute-alert.js +0 -320
  227. package/test/routes/payments/intent.js +0 -336
  228. package/test/routes/payments/portal.js +0 -92
  229. package/test/routes/payments/refund.js +0 -179
  230. package/test/routes/payments/trial-eligibility.js +0 -71
  231. package/test/routes/payments/webhook.js +0 -107
  232. package/test/routes/test/authenticate.js +0 -59
  233. package/test/routes/test/schema.js +0 -554
  234. package/test/routes/test/usage.js +0 -342
  235. package/test/routes/user/api-keys.js +0 -156
  236. package/test/routes/user/delete.js +0 -136
  237. package/test/routes/user/feedback.js +0 -104
  238. package/test/routes/user/sessions.js +0 -199
  239. package/test/routes/user/settings-validate.js +0 -82
  240. package/test/routes/user/signup.js +0 -542
  241. package/test/routes/user/subscription.js +0 -99
  242. package/test/routes/user/token.js +0 -73
  243. package/test/routes/user/user.js +0 -157
  244. package/test/rules/notifications.js +0 -410
  245. package/test/rules/payments-carts.js +0 -371
  246. package/test/rules/user.js +0 -396
@@ -1,396 +0,0 @@
1
- /**
2
- * Test: Firestore Security Rules - User Documents
3
- * Tests that security rules correctly protect user data
4
- *
5
- * Rules being tested:
6
- * - Users can read their own document
7
- * - Users can write to their own document (non-protected fields only)
8
- * - Users cannot read/write other users' documents
9
- * - Protected fields (auth, roles, flags, subscription, affiliate, api, metadata, usage, consent) cannot be written by users
10
- *
11
- * @see templates/firestore.rules
12
- */
13
- module.exports = {
14
- description: 'Firestore security rules for user documents',
15
- type: 'group',
16
- timeout: 30000,
17
-
18
- tests: [
19
- // Test 1: User can read their own document
20
- {
21
- name: 'user-can-read-own-doc',
22
- auth: 'none', // We use rules context, not http auth
23
-
24
- async run({ rules, accounts }) {
25
- const uid = accounts.basic.uid;
26
- const db = rules.asAccount('basic');
27
-
28
- // Should succeed - reading own document
29
- await rules.expectSuccess(
30
- db.doc(`users/${uid}`).get()
31
- );
32
- },
33
- },
34
-
35
- // Test 2: User cannot read another user's document
36
- {
37
- name: 'user-cannot-read-other-doc',
38
- auth: 'none',
39
-
40
- async run({ rules, accounts }) {
41
- const otherUid = accounts.admin.uid;
42
- const db = rules.asAccount('basic');
43
-
44
- // Should fail - reading another user's document
45
- await rules.expectFailure(
46
- db.doc(`users/${otherUid}`).get()
47
- );
48
- },
49
- },
50
-
51
- // Test 3: Unauthenticated user cannot read any user document
52
- {
53
- name: 'anonymous-cannot-read-user-doc',
54
- auth: 'none',
55
-
56
- async run({ rules, accounts }) {
57
- const uid = accounts.basic.uid;
58
- const db = rules.asAnonymous();
59
-
60
- // Should fail - unauthenticated read
61
- await rules.expectFailure(
62
- db.doc(`users/${uid}`).get()
63
- );
64
- },
65
- },
66
-
67
- // Test 4: User can write non-protected fields to own document
68
- {
69
- name: 'user-can-write-non-protected-fields',
70
- auth: 'none',
71
-
72
- async run({ rules, accounts }) {
73
- const uid = accounts.basic.uid;
74
- const db = rules.asAccount('basic');
75
-
76
- // Should succeed - writing allowed fields
77
- await rules.expectSuccess(
78
- db.doc(`users/${uid}`).set({
79
- profile: {
80
- displayName: 'Test User',
81
- bio: 'This is my bio',
82
- },
83
- preferences: {
84
- theme: 'dark',
85
- notifications: true,
86
- },
87
- }, { merge: true })
88
- );
89
- },
90
- },
91
-
92
- // Test 5: User cannot write 'auth' field (protected)
93
- {
94
- name: 'user-cannot-write-auth-field',
95
- auth: 'none',
96
-
97
- async run({ rules, accounts }) {
98
- const uid = accounts.basic.uid;
99
- const db = rules.asAccount('basic');
100
-
101
- // Should fail - auth is protected
102
- await rules.expectFailure(
103
- db.doc(`users/${uid}`).set({
104
- auth: {
105
- uid: 'hacked-uid',
106
- email: 'hacked@example.com',
107
- },
108
- }, { merge: true })
109
- );
110
- },
111
- },
112
-
113
- // Test 6: User cannot write 'roles' field (protected)
114
- {
115
- name: 'user-cannot-write-roles-field',
116
- auth: 'none',
117
-
118
- async run({ rules, accounts }) {
119
- const uid = accounts.basic.uid;
120
- const db = rules.asAccount('basic');
121
-
122
- // Should fail - roles is protected
123
- await rules.expectFailure(
124
- db.doc(`users/${uid}`).set({
125
- roles: {
126
- admin: true,
127
- },
128
- }, { merge: true })
129
- );
130
- },
131
- },
132
-
133
- // Test 7: User cannot write 'subscription' field (protected)
134
- {
135
- name: 'user-cannot-write-subscription-field',
136
- auth: 'none',
137
-
138
- async run({ rules, accounts }) {
139
- const uid = accounts.basic.uid;
140
- const db = rules.asAccount('basic');
141
-
142
- // Should fail - subscription is protected
143
- await rules.expectFailure(
144
- db.doc(`users/${uid}`).set({
145
- subscription: {
146
- product: { id: 'premium' },
147
- status: 'active',
148
- },
149
- }, { merge: true })
150
- );
151
- },
152
- },
153
-
154
- // Test 8: User cannot write 'api' field (protected - contains privateKey)
155
- {
156
- name: 'user-cannot-write-api-field',
157
- auth: 'none',
158
-
159
- async run({ rules, accounts }) {
160
- const uid = accounts.basic.uid;
161
- const db = rules.asAccount('basic');
162
-
163
- // Should fail - api is protected
164
- await rules.expectFailure(
165
- db.doc(`users/${uid}`).set({
166
- api: {
167
- privateKey: 'stolen-key',
168
- clientId: 'fake-client',
169
- },
170
- }, { merge: true })
171
- );
172
- },
173
- },
174
-
175
- // Test 9: User cannot write 'flags' field (protected - system flags)
176
- {
177
- name: 'user-cannot-write-flags-field',
178
- auth: 'none',
179
-
180
- async run({ rules, accounts }) {
181
- const uid = accounts.basic.uid;
182
- const db = rules.asAccount('basic');
183
-
184
- // Should fail - flags is protected
185
- // Use a unique value to ensure isUpdatingField triggers
186
- await rules.expectFailure(
187
- db.doc(`users/${uid}`).set({
188
- flags: {
189
- hacked: true,
190
- },
191
- }, { merge: true })
192
- );
193
- },
194
- },
195
-
196
- // Test 10: User cannot write 'usage' field (protected - tracked by server)
197
- {
198
- name: 'user-cannot-write-usage-field',
199
- auth: 'none',
200
-
201
- async run({ rules, accounts }) {
202
- const uid = accounts.basic.uid;
203
- const db = rules.asAccount('basic');
204
-
205
- // Should fail - usage is protected
206
- await rules.expectFailure(
207
- db.doc(`users/${uid}`).set({
208
- usage: {
209
- requests: 0, // Try to reset usage
210
- },
211
- }, { merge: true })
212
- );
213
- },
214
- },
215
-
216
- // Test 11: User cannot write 'affiliate' field (protected)
217
- {
218
- name: 'user-cannot-write-affiliate-field',
219
- auth: 'none',
220
-
221
- async run({ rules, accounts }) {
222
- const uid = accounts.basic.uid;
223
- const db = rules.asAccount('basic');
224
-
225
- // Should fail - affiliate is protected
226
- await rules.expectFailure(
227
- db.doc(`users/${uid}`).set({
228
- affiliate: {
229
- code: 'STOLEN',
230
- referrals: [],
231
- },
232
- }, { merge: true })
233
- );
234
- },
235
- },
236
-
237
- // Test 11.5: User cannot write 'consent' field (protected - server-only)
238
- {
239
- name: 'user-cannot-write-consent-field',
240
- auth: 'none',
241
-
242
- async run({ rules, accounts }) {
243
- const uid = accounts.basic.uid;
244
- const db = rules.asAccount('basic');
245
-
246
- // Should fail - consent is protected (only signup route + webhook
247
- // processors can mutate it server-side; a client write would let a
248
- // user retroactively forge their own consent record).
249
- // Use a value that can't match any prior state — earlier tests
250
- // (email-preferences) may have set marketing.status to 'granted',
251
- // and writing the SAME value is a no-op the rules correctly allow.
252
- await rules.expectFailure(
253
- db.doc(`users/${uid}`).set({
254
- consent: {
255
- marketing: { status: 'forged' },
256
- },
257
- }, { merge: true })
258
- );
259
- },
260
- },
261
-
262
- // Test 12: User cannot write to another user's document
263
- {
264
- name: 'user-cannot-write-other-doc',
265
- auth: 'none',
266
-
267
- async run({ rules, accounts }) {
268
- const otherUid = accounts['premium-active'].uid;
269
- const db = rules.asAccount('basic');
270
-
271
- // Should fail - writing to another user's document
272
- await rules.expectFailure(
273
- db.doc(`users/${otherUid}`).set({
274
- profile: { hacked: true },
275
- }, { merge: true })
276
- );
277
- },
278
- },
279
-
280
- // Test 13: Unauthenticated user cannot write to any user document
281
- {
282
- name: 'anonymous-cannot-write-user-doc',
283
- auth: 'none',
284
-
285
- async run({ rules, accounts }) {
286
- const uid = accounts.basic.uid;
287
- const db = rules.asAnonymous();
288
-
289
- // Should fail - unauthenticated write
290
- await rules.expectFailure(
291
- db.doc(`users/${uid}`).set({
292
- profile: { displayName: 'Anonymous Hacker' },
293
- }, { merge: true })
294
- );
295
- },
296
- },
297
-
298
- // Test 14: Admin can read any user's document
299
- {
300
- name: 'admin-can-read-any-user-doc',
301
- auth: 'none',
302
-
303
- async run({ rules, accounts }) {
304
- const basicUid = accounts.basic.uid;
305
- const db = rules.asAccount('admin');
306
-
307
- // Should succeed - admin can read any user doc
308
- await rules.expectSuccess(
309
- db.doc(`users/${basicUid}`).get()
310
- );
311
- },
312
- },
313
-
314
- // Tests 15–18 exercise admin write/create/delete on a DEDICATED throwaway
315
- // doc — never the shared seeded accounts. Mutating accounts.basic here
316
- // poisons every suite that runs afterward (its api.privateKey and
317
- // subscription are live fixtures for HTTP auth across the whole run).
318
-
319
- // Test 15: Admin can create a user document
320
- {
321
- name: 'admin-can-create-user-doc',
322
- auth: 'none',
323
-
324
- async run({ rules }) {
325
- const db = rules.asAccount('admin');
326
- const newUid = '_test-new-user-by-admin';
327
-
328
- // Should succeed - admin can create any user doc. The _test. email
329
- // prefix keeps this doc blocked at the marketing validation layer
330
- // (never reaches SendGrid/Beehiiv) even though a raw rules-context
331
- // Firestore write fires no auth events anyway.
332
- await rules.expectSuccess(
333
- db.doc(`users/${newUid}`).set({
334
- auth: { uid: newUid, email: '_test.new-user-by-admin@example.com' },
335
- roles: {},
336
- subscription: { product: { id: 'basic' }, status: 'active' },
337
- })
338
- );
339
- },
340
- },
341
-
342
- // Test 16: Admin can write any user's document
343
- {
344
- name: 'admin-can-write-any-user-doc',
345
- auth: 'none',
346
-
347
- async run({ rules }) {
348
- const db = rules.asAccount('admin');
349
-
350
- // Should succeed - admin can write any user doc
351
- await rules.expectSuccess(
352
- db.doc('users/_test-new-user-by-admin').set({
353
- profile: { updatedByAdmin: true },
354
- }, { merge: true })
355
- );
356
- },
357
- },
358
-
359
- // Test 17: Admin can write protected fields
360
- {
361
- name: 'admin-can-write-protected-fields',
362
- auth: 'none',
363
-
364
- async run({ rules }) {
365
- const db = rules.asAccount('admin');
366
-
367
- // Should succeed - admin can write protected fields
368
- await rules.expectSuccess(
369
- db.doc('users/_test-new-user-by-admin').set({
370
- roles: { premium: true },
371
- subscription: { product: { id: 'pro' }, status: 'active' },
372
- }, { merge: true })
373
- );
374
- },
375
- },
376
-
377
- // Test 18: Admin can delete a user document
378
- {
379
- name: 'admin-can-delete-user-doc',
380
- auth: 'none',
381
-
382
- async run({ rules }) {
383
- const db = rules.asAccount('admin');
384
-
385
- // Should succeed - admin can delete any user doc (the throwaway
386
- // created in test 15, which also cleans it up)
387
- await rules.expectSuccess(
388
- db.doc('users/_test-new-user-by-admin').delete()
389
- );
390
- },
391
- },
392
-
393
- // Note: User create/delete tests are omitted because users don't create or delete
394
- // their own documents - that's handled by system auth triggers (on-create/on-delete)
395
- ],
396
- };