From 97deb93ee72cd1ec0d8b299bc3bcd13deb15b7eb Mon Sep 17 00:00:00 2001
From: gsinghpal <gur_preet.singh@outlook.com>
Date: Sun, 24 May 2026 12:06:22 -0400
Subject: [PATCH] feat(shopfloor): post-migrate hook for kiosk password init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Generates a random kiosk password on first deploy, stores in
ir.config_parameter for sysadmin retrieval. Idempotent — re-runs
on subsequent -u leave the password alone.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../migrations/19.0.33.0.0/post-migrate.py    | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 fusion_plating/fusion_plating_shopfloor/migrations/19.0.33.0.0/post-migrate.py

diff --git a/fusion_plating/fusion_plating_shopfloor/migrations/19.0.33.0.0/post-migrate.py b/fusion_plating/fusion_plating_shopfloor/migrations/19.0.33.0.0/post-migrate.py
new file mode 100644
index 00000000..ade00920
--- /dev/null
+++ b/fusion_plating/fusion_plating_shopfloor/migrations/19.0.33.0.0/post-migrate.py
@@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+"""Tablet PIN session redesign — generate kiosk password on first deploy.
+
+Runs on every -u (post_init_hook only fires on fresh install per
+CLAUDE.md rule 13d). Idempotent: only writes the password if the
+ir.config_parameter key is absent.
+
+After this hook runs, retrieve the kiosk password via:
+    odoo-shell -d admin -c "print(env['ir.config_parameter'].sudo().get_param(
+        'fp.tablet.kiosk_password'))"
+
+Then sysadmin enters that password ONCE in the tablet browser to log
+the kiosk session in. Browser cookie persists per the configured
+session_db.session_lifetime.
+"""
+import logging
+import secrets
+
+_logger = logging.getLogger(__name__)
+
+
+def migrate(cr, version):
+    from odoo import api, SUPERUSER_ID
+    env = api.Environment(cr, SUPERUSER_ID, {})
+
+    ICP = env['ir.config_parameter'].sudo()
+    KEY = 'fp.tablet.kiosk_password'
+
+    existing = ICP.get_param(KEY)
+    if existing:
+        _logger.info(
+            'fp.tablet.kiosk_password already set; leaving it alone (idempotent)'
+        )
+        return
+
+    new_pwd = secrets.token_urlsafe(32)
+    ICP.set_param(KEY, new_pwd)
+    _logger.info(
+        'fp.tablet.kiosk_password generated; retrieve via odoo-shell '
+        "env['ir.config_parameter'].sudo().get_param('%s')",
+        KEY,
+    )
+
+    # Also write the password onto the user so they can log in via /web/login.
+    user = env.ref(
+        'fusion_plating_shopfloor.user_fp_tablet_kiosk',
+        raise_if_not_found=False,
+    )
+    if user:
+        user.password = new_pwd
+        _logger.info('fp_tablet_kiosk user password set to generated value')
+    else:
+        _logger.warning(
+            'fp_tablet_kiosk user not found via xmlid; password not applied to user record'
+        )