Refactor API calls in product editor and bulk edit components to use apiClient instead of axios. Enhance UploadFlow and MatchColumnsStep to support restoring previously matched columns for better user experience during back navigation. Introduce mapping signature handling in ValidationStep for improved data integrity on navigation. Update types and store management to accommodate new features.

2026-06-05 15:07:28 -04:00
parent 8c707e28ea
commit 3e38d0e5ce
14 changed files with 648 additions and 127 deletions
+10 -1
@@ -66,7 +66,16 @@ export function authenticate({ pool, secret = process.env.JWT_SECRET, kioskIps =
const kioskIpSet = parseKioskIps(kioskIps);
return async function authenticateMiddleware(req, res, next) {
if (kioskIpSet.size > 0 && kioskIpSet.has(req.ip)) {
// Kiosk IP bypass ONLY when no Authorization header was provided. A real
// user on the same network (e.g. logged-in staff sharing the office NAT)
// must keep their actual identity and permissions — otherwise this bypass
// silently downgrades them to the permissionless kiosk user and they get
// 403 on every gated route.
if (
kioskIpSet.size > 0 &&
kioskIpSet.has(req.ip) &&
!req.headers.authorization
) {
req.user = {
id: 'kiosk',
username: 'kiosk',