feat(loyalty): production readiness round 2 — 12 security, integrity & correctness fixes

Security: - Fix TOCTOU race conditions: move balance/limit checks after row lock in redeem_points, add_stamp, redeem_stamps - Add PIN ownership verification to update/delete/unlock store routes - Gate adjust_points endpoint to merchant_owner role only Data integrity: - Track total_points_voided in void_points - Add order_reference idempotency guard in earn_points Correctness: - Fix LoyaltyProgramAlreadyExistsException to use merchant_id parameter - Add StorefrontProgramResponse excluding wallet IDs from public API - Add bounds (±100000) to PointsAdjustRequest.points_delta Audit & config: - Add CARD_REACTIVATED transaction type with audit record - Improve admin audit logging with actor identity and old values - Use merchant-specific PIN lockout settings with global fallback - Guard MerchantLoyaltySettings creation with get_or_create pattern Tests: 27 new tests (265 total) covering all 12 items — unit and integration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 23:37:23 +01:00
parent b6047f5b7d
commit 7d652716bb
20 changed files with 955 additions and 28 deletions
--- a/app/modules/loyalty/tests/unit/test_schemas.py
+++ b/app/modules/loyalty/tests/unit/test_schemas.py
@@ -3,11 +3,14 @@
 from datetime import UTC, datetime

 import pytest
+from pydantic import ValidationError

 from app.modules.loyalty.schemas.card import (
    CardEnrollRequest,
    TransactionResponse,
 )
+from app.modules.loyalty.schemas.points import PointsAdjustRequest
+from app.modules.loyalty.schemas.program import StorefrontProgramResponse


@pytest.mark.unit
@@ -73,3 +76,104 @@ class TestTransactionResponse:
            created_at=now,
        )
        assert tx.customer_name == "John Doe"
+
+
+# ============================================================================
+# Item 8: PointsAdjustRequest bounds
+# ============================================================================
+
+
+@pytest.mark.unit
+@pytest.mark.loyalty
+class TestPointsAdjustRequestBounds:
+    """Tests for PointsAdjustRequest.points_delta bounds."""
+
+    def test_valid_positive_delta(self):
+        """Positive delta within bounds is valid."""
+        req = PointsAdjustRequest(points_delta=100, reason="Bonus for customer")
+        assert req.points_delta == 100
+
+    def test_valid_negative_delta(self):
+        """Negative delta within bounds is valid."""
+        req = PointsAdjustRequest(points_delta=-500, reason="Correction needed")
+        assert req.points_delta == -500
+
+    def test_max_boundary(self):
+        """Delta at max boundary (100000) is valid."""
+        req = PointsAdjustRequest(points_delta=100000, reason="Max allowed delta")
+        assert req.points_delta == 100000
+
+    def test_min_boundary(self):
+        """Delta at min boundary (-100000) is valid."""
+        req = PointsAdjustRequest(points_delta=-100000, reason="Min allowed delta")
+        assert req.points_delta == -100000
+
+    def test_exceeds_max_rejected(self):
+        """Delta exceeding 100000 is rejected."""
+        with pytest.raises(ValidationError):
+            PointsAdjustRequest(points_delta=100001, reason="Too many points")
+
+    def test_exceeds_min_rejected(self):
+        """Delta below -100000 is rejected."""
+        with pytest.raises(ValidationError):
+            PointsAdjustRequest(points_delta=-100001, reason="Too many negative")
+
+
+# ============================================================================
+# Item 7: StorefrontProgramResponse excludes wallet fields
+# ============================================================================
+
+
+@pytest.mark.unit
+@pytest.mark.loyalty
+class TestStorefrontProgramResponse:
+    """Tests for StorefrontProgramResponse excluding wallet IDs."""
+
+    def test_wallet_fields_excluded_from_serialization(self):
+        """Wallet integration IDs are excluded from JSON output."""
+        now = datetime.now(UTC)
+        response = StorefrontProgramResponse(
+            id=1,
+            merchant_id=1,
+            loyalty_type="points",
+            stamps_target=10,
+            stamps_reward_description="Free item",
+            points_per_euro=10,
+            cooldown_minutes=15,
+            max_daily_stamps=5,
+            require_staff_pin=True,
+            card_color="#4F46E5",
+            is_active=True,
+            created_at=now,
+            updated_at=now,
+        )
+
+        data = response.model_dump()
+        assert "google_issuer_id" not in data
+        assert "google_class_id" not in data
+        assert "apple_pass_type_id" not in data
+
+    def test_non_wallet_fields_present(self):
+        """Non-wallet fields are still present."""
+        now = datetime.now(UTC)
+        response = StorefrontProgramResponse(
+            id=1,
+            merchant_id=1,
+            loyalty_type="points",
+            stamps_target=10,
+            stamps_reward_description="Free item",
+            points_per_euro=10,
+            cooldown_minutes=15,
+            max_daily_stamps=5,
+            require_staff_pin=True,
+            card_color="#4F46E5",
+            is_active=True,
+            created_at=now,
+            updated_at=now,
+        )
+
+        data = response.model_dump()
+        assert data["id"] == 1
+        assert data["loyalty_type"] == "points"
+        assert data["points_per_euro"] == 10
+        assert data["card_color"] == "#4F46E5"