← back to index

U16 — Multi-device web login + POS single-actor enforcementPROD

Direct user request 2026-05-30: "we need to change the multi session login on nix cafe, we can login on the same account on multiple device, but NOT for the POS." Part A lifts R8.2 (drops the JWT sid vs tenant_users.active_session_token check in auth()) so web logins are multi-device. Part B extends R8.4 from PIN-only to all POS actors via a new tenant_users.active_pos_session_token column + unified lib/db/active_pos_session.ts DAO — Manager Override unlocks now kick prior terminals where the same user is active. Part C adds a KickBanner naming the kicker on the lock screen.

Summary

Status: 12/12 prod · 51/51 regression = 63/63 · shipped
Commit: nix-cafe 7b5efee + 018a79b (Hyperdrive fix) · nix-outdoor-sales-backend 5492b36 (migration)
Files: 11 modified + 2 new · 1 migration · ~400 LOC
Migration: tenant_users.active_pos_session_token UUID NULL. Mirrors commerce.pin_identities.active_session_token.

What ships

Part A — Web logins are multi-device. Dropped the R8.2 sid mismatch check in lib/auth.ts. Backend still mints the sid claim on login (dormant; no cafe-side read). tenant_users.active_session_token column kept for back-compat.
Part B — POS single-session for ALL actor kinds. New lib/db/active_pos_session.ts unified DAO dispatching on actorKind: 'pin' → commerce.pin_identities.active_session_token; 'user' → tenant_users.active_pos_session_token. readActiveCashier now performs the sid match for both kinds via the unified DAO.
Three user-actor sid mint callsites: unlockRegisterAsUserAction (Pro manager override), openStarterShift (Starter in-app open), ensureStarterCashierCookie (Starter cookie restore). Impersonation sessions skip the mint so admins don't kick real users.
Part C — KickBanner. New peekKickReason() helper re-reads the cookie + DB and returns the kicker's display name when mismatched. Lock screen pages call it server-side; kickedActorName prop flows through both Pro fullscreen and Starter lockable shells into LockScreen. KickBanner client component renders the amber banner "Logged out — {name} unlocked the POS on another device just now. Pick a cashier to continue on this terminal." + fires-and-forgets clearStaleActiveCashierCookieAction on mount so a refresh doesn't keep flashing it.

12/12 prod checks ✓

✓	Pre-flight: lumiere owner has POS PIN + active register resolves
✓	Pre-flight: force-close any pre-existing open session; zero owner POS sid
✓	Web multi-device login: terminal A reaches `/cafe/dashboard` after login
✓	Load-bearing R8.2-lifted assertion: terminal B logs in fresh + reaches `/cafe/dashboard` + terminal A is STILL authenticated (no kick)
✓	POS unlock: terminal A as Manager (active-cashier cookie set)
✓	DB: `tenant_users.active_pos_session_token` populated after terminal A unlock
✓	POS unlock: terminal B unlocks same register as Manager (kicks terminal A)
✓	DB: `active_pos_session_token` rotated by terminal B's unlock (sid differs)
✓	Kick UX: terminal A refreshes register URL → lock screen with `pos-kick-banner` visible naming "Sokha Lim"; banner copy contains "another device"
✓	Banner-mount useEffect clears the stale cookie → next refresh shows no banner
✓	No HTTP 5xx during the U16 flow on either terminal
✓	Cleanup: force-close test sessions + zero owner POS sid

Screenshots (click to enlarge)

Mid-Gate-2 burn — Hyperdrive cache hit on the kick read

First Gate 2 run: 9/12. Critical failure was "terminal A refresh → lock screen" — terminal A's refresh kept landing on preshift instead of bouncing.
Diagnostic probe confirmed DB rotated correctly to terminal B's sid, but terminal A's page rendered preshift anyway. The cookie was signature-valid + matched the active-cashier check shape; the sid mismatch should have fired.
Root cause: Hyperdrive's ~60s SELECT cache returned terminal A's OWN stale sid (cached at unlock time). Terminal B's UPDATE flowed through but didn't invalidate the cached row; terminal A's next read served sid_A → sid_A === sid_A → no kick. Matches project_hyperdrive_cache_stale_reads.
Fix in 018a79b: wrapped both SELECT paths in getActivePosSessionToken (pin + user) in db.transaction(async tx => tx.select()...) — bypasses Hyperdrive's read cache so kicks land within seconds.
Local Gate 1 missed it because local Postgres isn't behind Hyperdrive. 5th recorded burn of the same trap; the existing memo's lesson stands.
Reran Gate 2 after the fix push + CF auto-deploy → 12/12 clean.

Architectural notes

Separate column (active_pos_session_token) not reuse of active_session_token. Stale R8.2 values (from pre-U16 logins) can't accidentally match or mismatch a U16 POS sid.
Impersonation bypass on mint: admins shadowing a real user don't kick that user's actual POS terminal. Real user's active_pos_session_token stays untouched during impersonation-driven unlocks.
Lockable shell is the canonical kick surface. The Starter in-app /cafe/pos page doesn't render KickBanner — kicks there silently rotate cookies (user sees no banner). Acceptable for v1; the lockable terminal (the obvious "POS terminal" device shape) sees the banner.
Manager-PIN override (nix_manager_override from Item #3l) is OUT of scope. It's a transient backend-access override, not a persistent POS session.
Cookie clear via useEffect is fires-and-forgets; if it fails, the next user action (PIN unlock) overwrites the cookie anyway. Worst case: banner re-shows on refresh.

Regression sweep — 51/51 ✓

12/12 + 51/51 = 63/63 prod tests green on the karouna-dev branch.

test-phase1-prod.mjs	11/11
test-phase2-sso-outdoor-prod.mjs	6/6
test-m1-prod.mjs	10/10
test-r7-prod.mjs	14/14
test-r8-prod.mjs	4/4
test-phase2-cafe-multishop-prod.mjs	6/6

22nd validation of feedback_phase2_cafe_multishop_solo_retry.