Auth fixes, show correct cost each value on pos

inventory-server/shared/auth/middleware.js

@@ -2,6 +2,20 @@ import { extractBearerToken, verifyToken, TokenError } from './verify.js';
 
 const USER_CACHE_TTL_MS = 60_000;
 
+// Source IPs that bypass token auth — used so the office kiosk can render
+// /small without anyone having to log in daily on the device. Synthetic user
+// has no permissions, so only endpoints that don't gate on requirePermission()
+// are reachable. Requires server.js `trust proxy` setting so req.ip is the
+// real client behind Caddy, not 127.0.0.1.
+function parseKioskIps(raw) {
+  return new Set(
+    (raw || '')
+      .split(',')
+      .map((s) => s.trim())
+      .filter(Boolean)
+  );
+}
+
 function createUserCache() {
   const entries = new Map();
   return {
@@ -47,10 +61,23 @@ async function loadUser(pool, userId) {
   return user;
 }
 
-export function authenticate({ pool, secret = process.env.JWT_SECRET }) {
+export function authenticate({ pool, secret = process.env.JWT_SECRET, kioskIps = process.env.KIOSK_IPS }) {
   const cache = createUserCache();
+  const kioskIpSet = parseKioskIps(kioskIps);
 
   return async function authenticateMiddleware(req, res, next) {
+    if (kioskIpSet.size > 0 && kioskIpSet.has(req.ip)) {
+      req.user = {
+        id: 'kiosk',
+        username: 'kiosk',
+        is_admin: false,
+        is_active: true,
+        permissions: [],
+        is_kiosk: true,
+      };
+      return next();
+    }
+
     let decoded;
     try {
       const token = extractBearerToken(req.headers.authorization);