fix(loyalty): resolve critical production readiness issues

- Add pessimistic locking (SELECT FOR UPDATE) on card write operations to prevent race conditions in stamp_service and points_service - Replace 16 console.log/error/warn calls with LogConfig.createLogger() in 3 storefront JS files (dashboard, history, enroll) - Delete all stale lu.json locale files across 8 modules (lb is the correct ISO 639-1 code for Luxembourgish) - Update architecture rules and docs to reference lb.json not lu.json - Add production-readiness.md report for loyalty module Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 23:18:18 +01:00
parent 5dd5e01dc6
commit 4a1f71a312
18 changed files with 194 additions and 118 deletions
--- a/app/modules/loyalty/services/card_service.py
+++ b/app/modules/loyalty/services/card_service.py
@@ -52,6 +52,19 @@ class CardService:
            .first()
        )

+    def get_card_for_update(self, db: Session, card_id: int) -> LoyaltyCard | None:
+        """Get a loyalty card by ID with a row-level lock (SELECT ... FOR UPDATE).
+
+        Note: Does not use joinedload to avoid LEFT OUTER JOIN which is
+        incompatible with FOR UPDATE in PostgreSQL.
+        """
+        return (
+            db.query(LoyaltyCard)
+            .filter(LoyaltyCard.id == card_id)
+            .with_for_update()
+            .first()
+        )
+
    def get_card_by_qr_code(self, db: Session, qr_code: str) -> LoyaltyCard | None:
        """Get a loyalty card by QR code data."""
        return (
--- a/app/modules/loyalty/services/points_service.py
+++ b/app/modules/loyalty/services/points_service.py
@@ -140,6 +140,9 @@ class PointsService:
                "total_points_earned": card.total_points_earned,
            }

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Add points
        now = datetime.now(UTC)
        card.points_balance += points_earned
@@ -271,6 +274,9 @@ class PointsService:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Redeem points
        now = datetime.now(UTC)
        card.points_balance -= points_required
@@ -419,6 +425,9 @@ class PointsService:
                "points_balance": card.points_balance,
            }

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Void the points (can reduce balance below what was earned)
        now = datetime.now(UTC)
        actual_voided = min(points_to_void, card.points_balance)
@@ -503,6 +512,9 @@ class PointsService:
        if program.require_staff_pin and staff_pin and store_id:
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Apply adjustment
        now = datetime.now(UTC)
        card.points_balance += points_delta
--- a/app/modules/loyalty/services/stamp_service.py
+++ b/app/modules/loyalty/services/stamp_service.py
@@ -125,6 +125,9 @@ class StampService:
        if stamps_today >= program.max_daily_stamps:
            raise DailyStampLimitException(program.max_daily_stamps, stamps_today)

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Add the stamp
        card.stamp_count += 1
        card.total_stamps_earned += 1
@@ -249,6 +252,9 @@ class StampService:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Redeem stamps
        now = datetime.now(UTC)
        stamps_redeemed = program.stamps_target
@@ -383,6 +389,9 @@ class StampService:
                "stamp_count": card.stamp_count,
            }

+        # Re-fetch with row lock to prevent concurrent modification
+        card = card_service.get_card_for_update(db, card.id)
+
        # Void the stamps (can reduce balance below what was earned)
        now = datetime.now(UTC)
        actual_voided = min(stamps_to_void, card.stamp_count)