feat(loyalty): attribute transactions to the acting POS tablet
Adds acting_terminal_device_id to loyalty_transactions so the audit log can distinguish between operations performed via the web terminal (human user JWT) and operations performed via a paired tablet (device JWT). The principal-of-record stays the pairing user — existing reports keep working — and this column adds "which tablet did it" alongside. Threaded through every store-API endpoint that creates a transaction (stamp add/redeem/void, points earn/redeem/void/adjust, enrollment + welcome bonus, card deactivate/reactivate). The route reads current_user.terminal_device_id, which the bearer-auth dep populates when a device JWT is presented. User-token requests leave the column NULL, as covered by the new test. Bulk admin operations (GDPR anonymization, bulk deactivate) and Celery tasks (point expiration) are not threaded — they always come from a human admin or the scheduler, never a tablet. - Migration loyalty_011 + LoyaltyTransaction.acting_terminal_device_id - 9 service signatures gain the optional kwarg - 8 store-API routes pass it through - Integration tests: device JWT populates the column, user JWT leaves it NULL Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -184,3 +184,76 @@ class TestStoreAPIBearerAuth:
|
||||
headers={"Authorization": f"Bearer {token}"},
|
||||
)
|
||||
assert response.status_code in (400, 401)
|
||||
|
||||
|
||||
@pytest.mark.integration
|
||||
@pytest.mark.api
|
||||
@pytest.mark.loyalty
|
||||
class TestActingDeviceAudit:
|
||||
"""Transactions performed via a device JWT carry acting_terminal_device_id."""
|
||||
|
||||
def test_points_earn_via_device_stamps_audit_column(
|
||||
self, client, loyalty_merchant_headers, loyalty_store_setup, db
|
||||
):
|
||||
from app.modules.loyalty.models import LoyaltyTransaction
|
||||
from app.modules.loyalty.models.loyalty_transaction import TransactionType
|
||||
|
||||
store = loyalty_store_setup["store"]
|
||||
card = loyalty_store_setup["card"]
|
||||
|
||||
paired = client.post(
|
||||
f"{MERCHANT_BASE}/devices",
|
||||
json={"store_id": store.id, "label": "Counter 1"},
|
||||
headers=loyalty_merchant_headers,
|
||||
).json()
|
||||
device_id = paired["id"]
|
||||
token = paired["setup_token"]
|
||||
|
||||
response = client.post(
|
||||
f"{STORE_BASE}/points/earn",
|
||||
json={"card_id": card.id, "purchase_amount_cents": 1500},
|
||||
headers={"Authorization": f"Bearer {token}"},
|
||||
)
|
||||
assert response.status_code == 200, response.text
|
||||
|
||||
tx = (
|
||||
db.query(LoyaltyTransaction)
|
||||
.filter(
|
||||
LoyaltyTransaction.card_id == card.id,
|
||||
LoyaltyTransaction.transaction_type
|
||||
== TransactionType.POINTS_EARNED.value,
|
||||
)
|
||||
.order_by(LoyaltyTransaction.id.desc())
|
||||
.first()
|
||||
)
|
||||
assert tx is not None
|
||||
assert tx.acting_terminal_device_id == device_id
|
||||
|
||||
def test_user_token_leaves_audit_column_null(
|
||||
self, client, loyalty_store_headers, loyalty_store_setup, db
|
||||
):
|
||||
"""Web-terminal user JWT must NOT stamp acting_terminal_device_id."""
|
||||
from app.modules.loyalty.models import LoyaltyTransaction
|
||||
from app.modules.loyalty.models.loyalty_transaction import TransactionType
|
||||
|
||||
card = loyalty_store_setup["card"]
|
||||
|
||||
response = client.post(
|
||||
f"{STORE_BASE}/points/earn",
|
||||
json={"card_id": card.id, "purchase_amount_cents": 1500},
|
||||
headers=loyalty_store_headers,
|
||||
)
|
||||
assert response.status_code == 200, response.text
|
||||
|
||||
tx = (
|
||||
db.query(LoyaltyTransaction)
|
||||
.filter(
|
||||
LoyaltyTransaction.card_id == card.id,
|
||||
LoyaltyTransaction.transaction_type
|
||||
== TransactionType.POINTS_EARNED.value,
|
||||
)
|
||||
.order_by(LoyaltyTransaction.id.desc())
|
||||
.first()
|
||||
)
|
||||
assert tx is not None
|
||||
assert tx.acting_terminal_device_id is None
|
||||
|
||||
Reference in New Issue
Block a user