web-manager 4.1.36 → 4.1.38
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +9 -0
- package/CLAUDE.md +8 -2
- package/dist/index.js +4 -0
- package/dist/modules/auth.js +28 -1
- package/dist/modules/utilities.js +20 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -15,6 +15,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|
|
15
15
|
- `Security` in case of vulnerabilities.
|
|
16
16
|
|
|
17
17
|
---
|
|
18
|
+
## [4.1.38] - 2026-04-08
|
|
19
|
+
### Added
|
|
20
|
+
- Added `sanitizeURL()` utility method that validates URLs against dangerous URI schemes (javascript:, data:, etc.), allowing only http: and https: protocols.
|
|
21
|
+
|
|
22
|
+
## [4.1.37] - 2026-04-05
|
|
23
|
+
### Added
|
|
24
|
+
- Added `_resolveUsage()` to auth module that merges account usage data with plan limits from config, exposed as a top-level `usage` binding context.
|
|
25
|
+
- Added `payment.processors` and `payment.plans` defaults to configuration.
|
|
26
|
+
|
|
18
27
|
## [4.1.36] - 2026-04-02
|
|
19
28
|
### Fixed
|
|
20
29
|
- Fixed mocha binary path preventing `npm test` from running.
|
package/CLAUDE.md
CHANGED
|
@@ -152,7 +152,8 @@ document.body.addEventListener('click', (e) => {
|
|
|
152
152
|
### Auth (`auth.js`)
|
|
153
153
|
- **Class**: `Auth`
|
|
154
154
|
- **Key Methods**: `listen(options, callback)`, `isAuthenticated()`, `getUser()`, `signInWithEmailAndPassword()`, `signOut()`, `getIdToken()`, `resolveSubscription(account?)`
|
|
155
|
-
- **Bindings**: Updates `auth
|
|
155
|
+
- **Bindings**: Updates `auth` and `usage` context on auth settle
|
|
156
|
+
- **Usage Resolution**: `_resolveUsage(state)` merges `account.usage` (Firestore) with plan limits from `config.payment.plans` to produce the `usage` bindings key (e.g., `{ credits: { monthly: 5, limit: 100 } }`)
|
|
156
157
|
|
|
157
158
|
#### resolveSubscription(account?)
|
|
158
159
|
Derives calculated subscription fields from raw account data. Returns only fields that require derivation logic — raw data (product.id, status, trial, cancellation) lives on `account.subscription` directly.
|
|
@@ -268,9 +269,14 @@ Current test coverage is minimal - focuses on configuration and storage.
|
|
|
268
269
|
|
|
269
270
|
### Modifying Configuration Defaults
|
|
270
271
|
1. Edit `_processConfiguration()` in `src/index.js`
|
|
271
|
-
2. Add to `defaults` object
|
|
272
|
+
2. Add to `defaults` object (e.g., `payment: { processors: {}, plans: [] }`)
|
|
272
273
|
3. Document in README.md Configuration section
|
|
273
274
|
|
|
275
|
+
### Payment Configuration
|
|
276
|
+
Payment config is set in `_config.yml` under `web_manager.payment` and includes:
|
|
277
|
+
- `processors`: Stripe, PayPal, etc. (publishable keys)
|
|
278
|
+
- `plans`: Array of `{ id, limits: { feature: N } }` used to resolve usage limits on the frontend
|
|
279
|
+
|
|
274
280
|
### Adding a Data Binding Action
|
|
275
281
|
1. Edit `_executeAction()` in `src/modules/bindings.js`
|
|
276
282
|
2. Add case for new action (e.g., `@class`)
|
package/dist/index.js
CHANGED
package/dist/modules/auth.js
CHANGED
|
@@ -164,8 +164,12 @@ class Auth {
|
|
|
164
164
|
|
|
165
165
|
// Update bindings and storage once per auth state change
|
|
166
166
|
if (!this._hasProcessedStateChange) {
|
|
167
|
-
this.manager.bindings().update({
|
|
167
|
+
this.manager.bindings().update({
|
|
168
|
+
auth: state,
|
|
169
|
+
usage: this._resolveUsage(state),
|
|
170
|
+
});
|
|
168
171
|
this.manager.storage().set('auth', state);
|
|
172
|
+
|
|
169
173
|
this._hasProcessedStateChange = true;
|
|
170
174
|
}
|
|
171
175
|
|
|
@@ -252,6 +256,29 @@ class Auth {
|
|
|
252
256
|
};
|
|
253
257
|
}
|
|
254
258
|
|
|
259
|
+
// Resolve usage bindings from account data + plan limits from config.
|
|
260
|
+
// Returns: { credits: { monthly: 5, limit: 100 }, ... }
|
|
261
|
+
_resolveUsage(state) {
|
|
262
|
+
const accountUsage = state.account?.usage || {};
|
|
263
|
+
const plan = state.resolved?.plan || 'basic';
|
|
264
|
+
const plans = this.manager.config.payment?.plans || [];
|
|
265
|
+
const planConfig = plans.find(p => p.id === plan) || {};
|
|
266
|
+
const limits = planConfig.limits || {};
|
|
267
|
+
|
|
268
|
+
// Merge current usage with limits for each feature
|
|
269
|
+
const usage = {};
|
|
270
|
+
const keys = new Set([...Object.keys(accountUsage), ...Object.keys(limits)]);
|
|
271
|
+
|
|
272
|
+
for (const key of keys) {
|
|
273
|
+
usage[key] = {
|
|
274
|
+
...(accountUsage[key] || {}),
|
|
275
|
+
limit: limits[key] || 0,
|
|
276
|
+
};
|
|
277
|
+
}
|
|
278
|
+
|
|
279
|
+
return usage;
|
|
280
|
+
}
|
|
281
|
+
|
|
255
282
|
// Get ID token for the current user
|
|
256
283
|
async getIdToken(forceRefresh = false) {
|
|
257
284
|
try {
|
|
@@ -81,6 +81,26 @@ class Utilities {
|
|
|
81
81
|
return input;
|
|
82
82
|
}
|
|
83
83
|
|
|
84
|
+
// Sanitize URL to prevent javascript:, data:, and other dangerous URI schemes
|
|
85
|
+
// Returns the original URL if safe, or '' if rejected
|
|
86
|
+
sanitizeURL(url) {
|
|
87
|
+
if (!url || typeof url !== 'string') {
|
|
88
|
+
return '';
|
|
89
|
+
}
|
|
90
|
+
|
|
91
|
+
try {
|
|
92
|
+
const parsed = new URL(url, window.location.origin);
|
|
93
|
+
|
|
94
|
+
if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
|
|
95
|
+
return '';
|
|
96
|
+
}
|
|
97
|
+
|
|
98
|
+
return url;
|
|
99
|
+
} catch (e) {
|
|
100
|
+
return '';
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
|
|
84
104
|
// Show notification
|
|
85
105
|
showNotification(message, options = {}) {
|
|
86
106
|
// Handle different input types
|
package/package.json
CHANGED