fix(loyalty): paired-device JWT bypasses program.require_staff_pin

When the request principal is a paired POS terminal device (current_user.terminal_device_id is not None), the staff PIN is considered already-verified — the cashier bcrypt-verified locally on the tablet's lock screen against the cached hashes from /pins/for-device. Web-terminal user JWTs still require the per-action PIN as before; the strict fraud-prevention path is unchanged. Threat-model note: the device JWT is itself proof of authentication. The merchant owner paired the device, the cashier verified locally, and the JWT is revocable from /merchants/loyalty/devices. The 2-min idle auto-lock + acting_terminal_device_id audit column give us the attribution we'd otherwise get from a per-action PIN. Applied to: stamp_service.add_stamp / redeem_stamps / void_stamps; points_service.earn_points / redeem_points / void_points. adjust_points was already permissive on missing PIN. New tests in TestDevicePinBypass lock both the bypass behavior and the still-strict web-terminal path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 23:16:33 +02:00
parent d3f1c33b37
commit c1bb225228
3 changed files with 70 additions and 12 deletions
--- a/app/modules/loyalty/services/points_service.py
+++ b/app/modules/loyalty/services/points_service.py
@@ -156,9 +156,12 @@ class PointsService:
                "total_points_earned": card.total_points_earned,
            }

-        # Verify staff PIN if required
+        # Verify staff PIN if required.
+        # Paired terminal devices ARE the principal — the cashier already
+        # bcrypt-verified locally against the device's cached hash list.
+        # Web-terminal user JWTs still require the per-action PIN.
        verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
            if not staff_pin:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
@@ -307,9 +310,9 @@ class PointsService:
        if points_required < program.minimum_redemption_points:
            raise InvalidRewardException(reward_id)

-        # Verify staff PIN if required
+        # Paired-device principal bypasses the per-action PIN; see earn_points.
        verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
            if not staff_pin:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
@@ -428,9 +431,9 @@ class PointsService:
        if settings and not settings.allow_void_transactions:
            raise LoyaltyCardInactiveException(card.id)

-        # Verify staff PIN if required
+        # Paired-device principal bypasses the per-action PIN; see earn_points.
        verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
            if not staff_pin:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
--- a/app/modules/loyalty/services/stamp_service.py
+++ b/app/modules/loyalty/services/stamp_service.py
@@ -105,9 +105,12 @@ class StampService:
            logger.warning(f"Stamp attempted on points-only program {program.id}")
            raise LoyaltyCardInactiveException(card.id)

-        # Verify staff PIN if required
+        # Verify staff PIN if required.
+        # Paired terminal devices ARE the principal — the cashier already
+        # bcrypt-verified locally against the device's cached hash list.
+        # Web-terminal user JWTs still require the per-action PIN.
        verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
            if not staff_pin:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
@@ -262,9 +265,9 @@ class StampService:
        if not program.is_active:
            raise LoyaltyProgramInactiveException(program.id)

-        # Verify staff PIN if required
+        # Paired-device principal bypasses the per-action PIN; see add_stamp.
        verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
            if not staff_pin:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)
@@ -381,9 +384,9 @@ class StampService:
        if settings and not settings.allow_void_transactions:
            raise LoyaltyCardInactiveException(card.id)

-        # Verify staff PIN if required
+        # Paired-device principal bypasses the per-action PIN; see add_stamp.
        verified_pin = None
-        if program.require_staff_pin:
+        if program.require_staff_pin and acting_terminal_device_id is None:
            if not staff_pin:
                raise StaffPinRequiredException()
            verified_pin = pin_service.verify_pin(db, program.id, staff_pin, store_id=store_id)