Auth fixes, show correct cost each value on pos

inventory-server/dashboard/acot-server/server.js

@@ -66,6 +66,11 @@ if (!process.env.JWT_SECRET) {
 const app = express();
 const PORT = Number(process.env.ACOT_PORT) || 3012;
 
+// Trust X-Forwarded-* only when the immediate hop is loopback (Caddy on the same
+// host). Required for the KIOSK_IPS bypass in shared/auth/middleware.js to see
+// real client IPs instead of 127.0.0.1.
+app.set('trust proxy', 'loopback');
+
 // Postgres pool for authenticate() (user/permission lookups against inventory_db).
 // All MySQL access goes through db/connection.js (separate, ssh-tunneled).
 const pool = new Pool({