kasy-cli 1.31.10 → 1.31.12

package/lib/commands/add.js

@@ -30,6 +30,33 @@ const { toPackageName, buildTokens } = require('../scaffold/backends/firebase/to
 
 const execAsync = promisify(exec);
 
+/**
+ * Ensure the target project's supabase/config.toml has a [functions.<name>] block
+ * with verify_jwt = false. `kasy new` already writes the full config, but a project
+ * created before 1.31.10 (or any project missing the block) needs it appended here —
+ * otherwise the deployed function keeps the platform JWT gate ON and the browser CORS
+ * preflight (OPTIONS, no auth header) is rejected => "Failed to fetch" on web. The
+ * deploy --no-verify-jwt flag is deprecated/ignored by recent CLIs, so config.toml is
+ * the authoritative setting. The function authenticates itself, so this stays secure.
+ */
+async function ensureSupabaseConfigNoVerifyJwt(projectDir, fnName) {
+  const configPath = path.join(projectDir, 'supabase', 'config.toml');
+  if (!(await fs.pathExists(configPath))) return;
+  const toml = await fs.readFile(configPath, 'utf8');
+  const safe = fnName.replace(/[.*+?^${}()|[\]\\-]/g, '\\$&');
+  const block = toml.match(new RegExp(`\\[functions\\.${safe}\\]([\\s\\S]*?)(?=\\n\\[|$)`));
+  if (block && /verify_jwt\s*=\s*false/.test(block[1])) return; // already correct
+  let next;
+  if (block && /verify_jwt\s*=\s*true/.test(block[0])) {
+    next = toml.replace(block[0], block[0].replace(/verify_jwt\s*=\s*true/, 'verify_jwt = false'));
+  } else if (block) {
+    next = toml.replace(block[0], `${block[0].replace(/\s*$/, '')}\nverify_jwt = false`);
+  } else {
+    next = `${toml.replace(/\s*$/, '')}\n\n[functions.${fnName}]\nverify_jwt = false\n`;
+  }
+  await fs.writeFile(configPath, next, 'utf8');
+}
+
 /** URL do endpoint AI no app (espelha defineUpdates de ai_chat). */
 function resolveAiChatEndpoint(answers, kitSetup) {
   if (kitSetup?.backendProvider === 'api') {
@@ -513,6 +540,10 @@ async function postAddAiChat(projectDir, kitSetup, answers, t) {
     if (backend === 'firebase') {
       await execAsync('firebase deploy --only functions:aiChat', { cwd: projectDir, timeout: 180_000 });
     } else if (backend === 'supabase') {
+      // Authoritative JWT setting lives in config.toml; ensure it before deploying so
+      // ai-chat is reachable from the web (the --no-verify-jwt flag alone is ignored
+      // by recent Supabase CLIs).
+      await ensureSupabaseConfigNoVerifyJwt(projectDir, 'ai-chat');
       await execAsync(`supabase functions deploy ai-chat --no-verify-jwt${refFlag}`, { cwd: projectDir, timeout: 180_000 });
     }
     deploySpinner.stop(t('add.ai_chat.deployed'));

package/lib/commands/new.js

@@ -575,20 +575,6 @@ async function promptSupabaseManual(tr, cancel) {
   return { supabaseUrl, supabaseAnonKey };
 }
 
-// ── Module presets ────────────────────────────────────────────────────────────
-
-function buildPresets(audience) {
-  const catalog = getVisibleFeatures({ audience });
-  const named = ['starter', 'saas', 'content', 'full'];
-  const result = { none: [], custom: null };
-  for (const name of named) {
-    result[name] = catalog.filter((f) => f.defaultInPresets.includes(name)).map((f) => f.id);
-  }
-  return result;
-}
-
-const MODULE_PRESETS = buildPresets(KASY_AUDIENCE);
-
 // ── Main wizard ───────────────────────────────────────────────────────────────
 
 /**

package/lib/scaffold/CHANGELOG.json

@@ -1,4 +1,13 @@
 {
+  "1.31.12": {
+    "modules": {
+      "core": {
+        "pt": "Preview de dispositivo na web não lança mais erros no console (\"Not initialized\" / provider não encontrado) durante a inicialização — agora espera o DevicePreview montar antes de sincronizar a orientação.",
+        "en": "Web device preview no longer throws console errors (\"Not initialized\" / provider not found) during startup — it now waits for DevicePreview to mount before syncing orientation.",
+        "es": "La vista previa de dispositivo en web ya no lanza errores en consola (\"Not initialized\" / provider no encontrado) durante el arranque — ahora espera a que DevicePreview se monte antes de sincronizar la orientación."
+      }
+    }
+  },
   "1.31.10": {
     "modules": {
       "core": {

package/lib/scaffold/backends/supabase/edge-functions/admin-list-users/index.ts

@@ -14,7 +14,9 @@
  *      users — the users/subscriptions RLS exposes only a user's own row, so a
  *      non-admin can never reach other people's data.
  *
- * Deployed WITH JWT verification (the default) — see deploy.js.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes; security is enforced by the two layers above (the
+ * handler verifies the caller's JWT and admin role itself). See config.toml / deploy.js.
  */
 
 import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
@@ -22,7 +24,7 @@ import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 // In-memory cap: load up to this many of the most recent users in one call.

package/lib/scaffold/backends/supabase/edge-functions/ai-chat/index.ts

@@ -30,7 +30,7 @@ const SSE_HEADERS = {
 const CORS_HEADERS = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Content-Type, Authorization",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 interface ChatMessage {

package/lib/scaffold/backends/supabase/edge-functions/delete-user-account/index.ts

@@ -19,7 +19,7 @@ import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 Deno.serve(async (req: Request) => {

package/lib/scaffold/backends/supabase/edge-functions/meta-track-event/index.ts

@@ -172,7 +172,7 @@ async function sendMetaEvent(
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 // ── Main handler ─────────────────────────────────────────────────────────────

package/lib/scaffold/backends/supabase/edge-functions/revenuecat-webhook/index.ts

@@ -261,7 +261,7 @@ Deno.serve(async (req: Request) => {
       headers: {
         "Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Methods": "POST, OPTIONS",
-        "Access-Control-Allow-Headers": "Authorization, Content-Type",
+        "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
       },
     });
   }

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-checkout-session/index.ts

@@ -6,7 +6,9 @@
  * verified JWT, never trusted from the request body, so a client cannot check
  * out on behalf of someone else.
  *
- * Deployed WITH JWT verification.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes; the handler still authenticates the user via the
+ * verified JWT (getUser), so it stays secure.
  *
  * Secrets required:
  *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
@@ -21,7 +23,7 @@ import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 // Maps a Supabase auth user -> its Stripe customer id.
@@ -32,7 +34,11 @@ function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | nu
   return meta ? Number(meta) : null;
 }
 
-async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promise<string | null> {
+async function getAuthUser(
+  req: Request,
+  supabaseUrl: string,
+  anonKey: string,
+): Promise<{ id: string; email?: string } | null> {
   const authHeader = req.headers.get("Authorization");
   if (!authHeader?.startsWith("Bearer ")) return null;
   const token = authHeader.replace("Bearer ", "");
@@ -41,19 +47,30 @@ async function getUid(req: Request, supabaseUrl: string, anonKey: string): Promi
   });
   const { data: { user }, error } = await client.auth.getUser(token);
   if (error || !user) return null;
-  return user.id;
+  return { id: user.id, email: user.email ?? undefined };
 }
 
 // deno-lint-ignore no-explicit-any
-async function getOrCreateCustomer(stripe: Stripe, admin: any, uid: string): Promise<string> {
+async function getOrCreateCustomer(
+  stripe: Stripe,
+  admin: any,
+  uid: string,
+  email?: string,
+): Promise<string> {
   const { data } = await admin
     .from(CUSTOMERS_TABLE)
     .select("customer_id")
     .eq("user_id", uid)
     .maybeSingle();
   const existing = data?.customer_id as string | undefined;
-  if (existing) return existing;
-  const customer = await stripe.customers.create({ metadata: { supabaseUID: uid } });
+  if (existing) {
+    // Keep the Stripe customer email in sync so Checkout pre-fills it. The
+    // payment is bound to the app user by uid (customer + metadata.supabaseUID),
+    // never by the typed email, so this is purely UX / billing hygiene.
+    if (email) await stripe.customers.update(existing, { email });
+    return existing;
+  }
+  const customer = await stripe.customers.create({ email, metadata: { supabaseUID: uid } });
   await admin.from(CUSTOMERS_TABLE).upsert({ user_id: uid, customer_id: customer.id });
   return customer.id;
 }
@@ -74,10 +91,11 @@ Deno.serve(async (req: Request) => {
     return Response.json({ error: "Server configuration error" }, { status: 500, headers: corsHeaders });
   }
 
-  const uid = await getUid(req, supabaseUrl, anonKey);
-  if (!uid) {
+  const user = await getAuthUser(req, supabaseUrl, anonKey);
+  if (!user) {
     return Response.json({ error: "Sign in required" }, { status: 401, headers: corsHeaders });
   }
+  const uid = user.id;
 
   let body: { priceId?: string; successUrl?: string; cancelUrl?: string };
   try {
@@ -95,7 +113,7 @@ Deno.serve(async (req: Request) => {
   try {
     const stripe = new Stripe(secretKey);
     const admin = createClient(supabaseUrl, serviceRoleKey);
-    const customerId = await getOrCreateCustomer(stripe, admin, uid);
+    const customerId = await getOrCreateCustomer(stripe, admin, uid, user.email);
 
     const price = await stripe.prices.retrieve(priceId, { expand: ["product"] });
     const trialDays = trialDaysFor(price, price.product as Stripe.Product);

package/lib/scaffold/backends/supabase/edge-functions/stripe-create-portal-session/index.ts

@@ -5,7 +5,9 @@
  * authenticated user and returns its URL. The user is identified by the
  * verified JWT and the Stripe customer is looked up server-side.
  *
- * Deployed WITH JWT verification.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes; the handler still authenticates the user via the
+ * verified JWT (getUser), so it stays secure.
  *
  * Secrets required:
  *   - STRIPE_SECRET_KEY
@@ -20,7 +22,7 @@ import { createClient } from "https://esm.sh/@supabase/supabase-js@2.47.10";
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 const CUSTOMERS_TABLE = "stripe_customers";

package/lib/scaffold/backends/supabase/edge-functions/stripe-list-prices/index.ts

@@ -5,8 +5,9 @@
  * contract used by the Flutter client (mirrors the Firebase `listPrices`
  * callable). The Stripe secret key never leaves the server.
  *
- * Deployed WITH JWT verification (the platform checks the caller's token), so
- * only an authenticated app user can reach it.
+ * Deployed WITHOUT the platform JWT gate (verify_jwt = false in config.toml) so the
+ * browser's CORS preflight passes. This endpoint is public by design — it only
+ * returns the active prices (no user data) — so it does NOT authenticate the caller.
  *
  * Secrets required (set via `supabase secrets set`):
  *   - STRIPE_SECRET_KEY: sk_test_... / sk_live_...
@@ -18,7 +19,7 @@ import Stripe from "npm:stripe@18";
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
   "Access-Control-Allow-Methods": "POST, OPTIONS",
-  "Access-Control-Allow-Headers": "Authorization, Content-Type",
+  "Access-Control-Allow-Headers": "authorization, x-client-info, apikey, content-type",
 };
 
 function trialDaysFor(price: Stripe.Price, product: Stripe.Product): number | null {

package/lib/scaffold/shared/generator-utils.js

@@ -369,6 +369,9 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
   if (withWidget) {
     lines.push(`import 'package:${pkg}/features/settings/ui/components/admin/admin_home_widgets.dart';`);
   }
+  // Admin console — always shipped (settings/ui/components/admin) and always routable;
+  // access is gated inside AdminPage (admin role || debug). The settings UI links to it.
+  lines.push(`import 'package:${pkg}/features/settings/ui/components/admin/admin_page.dart';`);
   if (withRevenuecat) {
     lines.push(`import 'package:${pkg}/features/settings/ui/components/admin/admin_paywalls.dart';`);
   }
@@ -534,6 +537,14 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
   lines.push(`        ),`);
   lines.push(`      ),`);
 
+  // Admin console (always routable so the settings 'Admin console' tile works in
+  // release too; access is gated inside AdminPage by admin role || debug).
+  lines.push(`      GoRoute(`);
+  lines.push(`        name: 'admin',`);
+  lines.push(`        path: '/admin',`);
+  lines.push(`        builder: (context, state) => const AdminPage(),`);
+  lines.push(`      ),`);
+
   // Send push notification (admin tool — always routable; the entry point in
   // the settings admin sheet is itself debug-gated).
   lines.push(`      GoRoute(`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kasy-cli",
-  "version": "1.31.10",
+  "version": "1.31.12",
   "description": "CLI for scaffolding production-ready Flutter SaaS apps with Firebase, Supabase, or API REST backends.",
   "bin": {
     "kasy": "./bin/kasy.js"
@@ -31,7 +31,7 @@
     "access": "public"
   },
   "scripts": {
-    "prepack": "node scripts/check-feature-patches.js && node scripts/bundle-template.js && node test/generated-matches-kit.test.js && node test/supabase-verify-jwt.test.js",
+    "prepack": "node scripts/check-feature-patches.js && node scripts/bundle-template.js && node test/generated-matches-kit.test.js && node test/supabase-verify-jwt.test.js && node test/supabase-cors.test.js && node test/backend-pubspec-local-reminders.test.js",
     "start": "node ./bin/kasy.js",
     "setup": "node ./bin/kasy.js setup",
     "doctor": "node ./bin/kasy.js doctor",

package/templates/firebase/functions/src/core/data/entities/subscription_entity.ts

@@ -5,6 +5,11 @@ import {Subscription} from "../../../subscriptions/models/subscriptions";
 
 export interface SubscriptionEntityData {
     id?: string,
+    // Denormalized reference to the subscriber, written as explicit fields on the
+    // Firestore doc (besides being the doc id) so a subscribers list / admin view
+    // can read who owns it and their email without a second lookup.
+    user_id?: string;
+    email?: string;
     creation_date: Timestamp;
     last_activity: Timestamp;
     expiration_date?: Timestamp;
@@ -20,6 +25,8 @@ export interface SubscriptionEntity extends SubscriptionEntityData {}
 export class SubscriptionEntity {
   constructor({
     id,
+    user_id,
+    email,
     creation_date,
     last_activity,
     expiration_date,
@@ -29,6 +36,8 @@ export class SubscriptionEntity {
   }: SubscriptionEntityData
   ) {
     this.id = id;
+    this.user_id = user_id;
+    this.email = email;
     this.creation_date = creation_date;
     this.last_activity = last_activity;
     this.expiration_date = expiration_date;
@@ -52,6 +61,8 @@ export class SubscriptionEntity {
   static from(subscription: Subscription): SubscriptionEntity {
     return new SubscriptionEntity({
       id: subscription.userId,
+      user_id: subscription.userId,
+      email: subscription.email,
       creation_date: subscription.creationDate,
       last_activity: subscription.lastUpdate,
       expiration_date: subscription.expirationDate,
@@ -70,6 +81,7 @@ export class SubscriptionEntity {
       status: this.status,
       store: this.store,
       productId: this.product_id,
+      email: this.email,
     }, subscriptionRepository);
   }
 }

package/templates/firebase/functions/src/subscriptions/models/subscriptions.ts

@@ -24,6 +24,11 @@ export interface SubscriptionData {
   expirationDate?: Timestamp;
   store: Stores;
   productId: string;
+  // Denormalized copy of the subscriber's email. Firestore is a non-relational
+  // store, so we duplicate it onto the subscription doc to list/show subscribers
+  // without a second read. (On the relational backends the user is referenced by
+  // a user_id foreign key and the email is joined from the users table instead.)
+  email?: string;
 }
 
 export interface Subscription extends SubscriptionData {}
@@ -38,6 +43,7 @@ export class Subscription {
       expirationDate,
       store,
       productId,
+      email,
     }: SubscriptionData,
     private subscriptionRepository: SubscriptionsRepository,
   ) {
@@ -48,6 +54,7 @@ export class Subscription {
     this.expirationDate = expirationDate;
     this.store = store;
     this.productId = productId;
+    this.email = email;
   }
 
   static async fromRevenueCat({
@@ -76,6 +83,7 @@ export class Subscription {
                 ? Stores.APPLE_STORE
                 : Stores.PLAY_STORE,
             productId: event.product_id,
+            email: user.email,
         }, subscriptionRepository);
     }
     return new Subscription({
@@ -88,6 +96,7 @@ export class Subscription {
             ? Stores.APPLE_STORE
             : Stores.PLAY_STORE,
         productId: event.product_id,
+        email: user.email,
       }, subscriptionRepository);
   }
 
@@ -106,6 +115,7 @@ export class Subscription {
       expirationDate: entity.expiration_date,
       store: entity.store,
       productId: entity.product_id,
+      email: entity.email,
     }, subscriptionRepository);
   }
 

package/templates/firebase/functions/src/subscriptions/stripe_functions.ts

@@ -5,7 +5,7 @@ import * as admin from "firebase-admin";
 import {Timestamp} from "firebase-admin/firestore";
 import Stripe from "stripe";
 import {Subscription} from "./models/subscriptions";
-import {subscriptionsRepository} from "../core/data/repositories/repositories";
+import {subscriptionsRepository, usersRepository} from "../core/data/repositories/repositories";
 import {Stores, SubscriptionStatus} from "./models/subscription_status";
 
 // Server-side only. Never exposed to the client.
@@ -21,13 +21,27 @@ function stripeClient(): Stripe {
   return new Stripe(stripeSecretKey.value());
 }
 
-async function getOrCreateCustomer(stripe: Stripe, uid: string): Promise<string> {
+async function getOrCreateCustomer(
+  stripe: Stripe,
+  uid: string,
+  email?: string,
+): Promise<string> {
   const db = admin.firestore();
   const ref = db.collection(CUSTOMERS_COLLECTION).doc(uid);
   const snap = await ref.get();
   const existing = snap.data()?.customerId as string | undefined;
-  if (existing) return existing;
-  const customer = await stripe.customers.create({metadata: {firebaseUID: uid}});
+  if (existing) {
+    // Keep the Stripe customer email in sync so Checkout pre-fills it and the
+    // receipts carry the right address. The payment is bound to the app user by
+    // UID (customer + metadata.firebaseUID), never by the typed email, so this
+    // is purely UX / billing hygiene.
+    if (email) await stripe.customers.update(existing, {email});
+    return existing;
+  }
+  const customer = await stripe.customers.create({
+    email,
+    metadata: {firebaseUID: uid},
+  });
   await ref.set({customerId: customer.id, created_at: Timestamp.now()});
   return customer.id;
 }
@@ -86,9 +100,26 @@ export const createCheckoutSession = onCall(
     if (!priceId) throw new HttpsError("invalid-argument", "priceId is required");
     const successUrl = (request.data?.successUrl as string | undefined) ?? "";
     const cancelUrl = (request.data?.cancelUrl as string | undefined) ?? successUrl;
+    // Pre-fill Checkout with the signed-in user's email (UX only; the user is
+    // identified by uid, so paying with a different email still updates them).
+    const email = request.auth?.token?.email as string | undefined;
+    // Persist the app language on the user so server-side notifications (e.g.
+    // the "subscription saved" message) are sent in the right language. On web
+    // there is no registered device to read the locale from, so we capture it
+    // here at purchase time.
+    const locale = (request.data?.locale as string | undefined)
+      ?.substring(0, 2)
+      .toLowerCase();
+    if (locale) {
+      await admin
+        .firestore()
+        .collection("users")
+        .doc(uid)
+        .set({locale}, {merge: true});
+    }
 
     const stripe = stripeClient();
-    const customerId = await getOrCreateCustomer(stripe, uid);
+    const customerId = await getOrCreateCustomer(stripe, uid, email);
 
     const price = await stripe.prices.retrieve(priceId, {expand: ["product"]});
     const trialDays = trialDaysFor(price, price.product as Stripe.Product);
@@ -159,6 +190,9 @@ async function upsertFromStripeSubscription(sub: Stripe.Subscription): Promise<v
   }
   const now = Timestamp.now();
   const existing = await subscriptionsRepository.getFromUserId(uid);
+  // Denormalize the subscriber's email onto the Firestore subscription doc (see
+  // SubscriptionData.email) so a subscribers list reads it without a second hop.
+  const user = await usersRepository.getFromId(uid);
   // In Stripe API v18 the billing period lives on each subscription item.
   const item = sub.items.data[0];
   const priceId = item?.price?.id ?? "";
@@ -176,6 +210,7 @@ async function upsertFromStripeSubscription(sub: Stripe.Subscription): Promise<v
       expirationDate: expiration,
       store: Stores.STRIPE,
       productId: priceId,
+      email: user?.email,
     },
     subscriptionsRepository,
   );

package/templates/firebase/functions/src/subscriptions/triggers.ts

@@ -1,9 +1,38 @@
 import { Logger } from "../core/logger/logger";
-import {usersRepository} from "../core/data/repositories/repositories";
+import {usersRepository, userDevicesRepository} from "../core/data/repositories/repositories";
 import {notificationsApi} from "../notifications/notifications_api";
 import {SystemNotificationParams} from "../notifications/models/notification";
 import {onDocumentCreated} from "firebase-functions/v2/firestore";
 
+/// Localized copy for the "subscription saved" notification.
+function subscriptionSavedText(locale: string): {title: string; body: string} {
+  switch (locale) {
+    case "pt":
+      return {title: "Assinatura confirmada", body: "Obrigado pela sua confiança!"};
+    case "es":
+      return {title: "Suscripción confirmada", body: "¡Gracias por tu confianza!"};
+    default:
+      return {title: "Subscription confirmed", body: "Thank you for your trust!"};
+  }
+}
+
+/// Resolves the user's language: the locale persisted on the user (set on web at
+/// checkout), then the device locale (native), then English.
+async function resolveUserLocale(
+  userId: string,
+  userLocale: string | undefined,
+): Promise<string> {
+  if (userLocale) return userLocale.substring(0, 2).toLowerCase();
+  try {
+    const devices = await userDevicesRepository.getDevices([userId]);
+    const raw = devices[0]?.extra_data?.["deviceLocale"] as string | undefined;
+    if (raw) return raw.substring(0, 2).toLowerCase();
+  } catch {
+    // Fall through to the default below.
+  }
+  return "en";
+}
+
 export const onNewSubscription = onDocumentCreated(
   "subscriptions/{userId}",
   async (event) => {
@@ -12,7 +41,7 @@ export const onNewSubscription = onDocumentCreated(
     }
     const userId = event.params.userId;
     const logger = new Logger("onNewSubscription");
-    
+
     try {
       logger.info(`New subscription for user ${userId}`);
       const user = await usersRepository.getFromId(userId);
@@ -20,11 +49,13 @@ export const onNewSubscription = onDocumentCreated(
         logger.error(`User ${userId} not found`);
         return;
       }
+      const locale = await resolveUserLocale(userId, user.locale);
+      const {title, body} = subscriptionSavedText(locale);
       await notificationsApi.notify(
         [userId],
         <SystemNotificationParams> {
-          title: "Subscription saved",
-          body: "Thank you",
+          title,
+          body,
         },
       );
     } catch (error) {