fix(loyalty): paired-device JWT bypasses program.require_staff_pin

When the request principal is a paired POS terminal device (current_user.terminal_device_id is not None), the staff PIN is considered already-verified — the cashier bcrypt-verified locally on the tablet's lock screen against the cached hashes from /pins/for-device. Web-terminal user JWTs still require the per-action PIN as before; the strict fraud-prevention path is unchanged. Threat-model note: the device JWT is itself proof of authentication. The merchant owner paired the device, the cashier verified locally, and the JWT is revocable from /merchants/loyalty/devices. The 2-min idle auto-lock + acting_terminal_device_id audit column give us the attribution we'd otherwise get from a per-action PIN. Applied to: stamp_service.add_stamp / redeem_stamps / void_stamps; points_service.earn_points / redeem_points / void_points. adjust_points was already permissive on missing PIN. New tests in TestDevicePinBypass lock both the bypass behavior and the still-strict web-terminal path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 23:16:33 +02:00
parent d3f1c33b37
commit c1bb225228
3 changed files with 70 additions and 12 deletions
--- a/app/modules/loyalty/tests/integration/test_terminal_devices.py
+++ b/app/modules/loyalty/tests/integration/test_terminal_devices.py
@@ -309,3 +309,55 @@ class TestPinsForDevice:
            headers=loyalty_store_headers,
        )
        assert response.status_code == 403, response.text
+
+
+@pytest.mark.integration
+@pytest.mark.api
+@pytest.mark.loyalty
+class TestDevicePinBypass:
+    """Paired-device JWT bypasses program.require_staff_pin — the cashier
+    has already verified locally on the lock screen."""
+
+    def test_device_token_bypasses_required_staff_pin(
+        self, client, loyalty_merchant_headers, loyalty_store_setup, db
+    ):
+        store = loyalty_store_setup["store"]
+        card = loyalty_store_setup["card"]
+        program = loyalty_store_setup["program"]
+
+        # Tighten the program to require PINs.
+        program.require_staff_pin = True
+        db.commit()
+
+        paired = client.post(
+            f"{MERCHANT_BASE}/devices",
+            json={"store_id": store.id, "label": "PIN bypass test"},
+            headers=loyalty_merchant_headers,
+        ).json()
+        token = paired["setup_token"]
+
+        # No staff_pin in the body, but the device JWT counts as auth.
+        response = client.post(
+            f"{STORE_BASE}/points/earn",
+            json={"card_id": card.id, "purchase_amount_cents": 1000},
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        assert response.status_code == 200, response.text
+
+    def test_user_token_still_requires_staff_pin(
+        self, client, loyalty_store_headers, loyalty_store_setup, db
+    ):
+        """Belt-and-braces: web-terminal user JWTs must still send a PIN
+        when the program requires it."""
+        card = loyalty_store_setup["card"]
+        program = loyalty_store_setup["program"]
+        program.require_staff_pin = True
+        db.commit()
+
+        response = client.post(
+            f"{STORE_BASE}/points/earn",
+            json={"card_id": card.id, "purchase_amount_cents": 1000},
+            headers=loyalty_store_headers,
+        )
+        assert response.status_code == 400
+        assert "STAFF_PIN_REQUIRED" in response.text