Samir Boulahtit
c1bb225228
When the request principal is a paired POS terminal device (current_user.terminal_device_id is not None), the staff PIN is considered already-verified — the cashier bcrypt-verified locally on the tablet's lock screen against the cached hashes from /pins/for-device. Web-terminal user JWTs still require the per-action PIN as before; the strict fraud-prevention path is unchanged. Threat-model note: the device JWT is itself proof of authentication. The merchant owner paired the device, the cashier verified locally, and the JWT is revocable from /merchants/loyalty/devices. The 2-min idle auto-lock + acting_terminal_device_id audit column give us the attribution we'd otherwise get from a per-action PIN. Applied to: stamp_service.add_stamp / redeem_stamps / void_stamps; points_service.earn_points / redeem_points / void_points. adjust_points was already permissive on missing PIN. New tests in TestDevicePinBypass lock both the bypass behavior and the still-strict web-terminal path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
16 KiB
16 KiB