Fix two latent bugs in permissions and sign-in flows

PermissionsController#index compared `confirmed_*_version <
current_*_version`, where `current_version` returns nil if no row is
flagged current. `string < nil` raises ArgumentError → 500. Add a
`version_outdated?` helper that treats a missing current version as
"nothing to update".

ShopkeeperAuth::SessionsController#create unconditionally assigned
`request.headers["source"]` to current_platform and called
`save!(validate: false)`. Sign-ins without the source header
overwrote the user's stored platform with nil, bypassing the
presence/inclusion validation. Now skip the assignment when the
header is blank.

Adds regression tests for both paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: dadachi

app/controllers/api/v1/shopkeeper/permissions_controller.rb

@@ -8,8 +8,8 @@ def index
     current_privacy_version = PrivacyVersion.current_version
     current_terms_version = TermsVersion.current_version
 
-    should_update_privacy = current_shopkeeper.confirmed_privacy_version < current_privacy_version
-    should_update_terms = current_shopkeeper.confirmed_terms_version < current_terms_version
+    should_update_privacy = version_outdated?(current_shopkeeper.confirmed_privacy_version, current_privacy_version)
+    should_update_terms = version_outdated?(current_shopkeeper.confirmed_terms_version, current_terms_version)
 
     options = {}
     options[:meta] = {
@@ -25,4 +25,13 @@ def index
     permissions = current_accounts_shopkeeper.permissions
     render json: PermissionSerializer.new(permissions, options).serializable_hash
   end
+
+  private
+
+  # nil current → nothing published yet, nothing to update.
+  def version_outdated?(confirmed, current)
+    return false if current.nil?
+
+    confirmed < current
+  end
 end

app/controllers/shopkeeper_auth/sessions_controller.rb

@@ -3,7 +3,10 @@ def create
     super
     return if @resource.blank?
 
-    @resource.current_platform = request.headers["source"]
+    source = request.headers["source"]
+    return if source.blank?
+
+    @resource.current_platform = source
     @resource.save!(validate: false)
   end
 

test/controllers/api/v1/shopkeeper/permissions_controller_test.rb

@@ -64,4 +64,15 @@ class Api::V1::Shopkeeper::PermissionsControllerTest < ActionDispatch::Integrati
 
     assert_response :unauthorized
   end
+
+  test "index does not crash when there is no current published privacy or terms version" do
+    PrivacyVersion.update_all(current_type: PrivacyVersion.current_types[:uncurrent])
+    TermsVersion.update_all(current_type: TermsVersion.current_types[:uncurrent])
+
+    get api_v1_shopkeeper_permissions_url, headers: @shopkeeper.create_new_auth_token
+
+    assert_response :success
+    assert_equal false, response.parsed_body["meta"]["should_update_privacy"]
+    assert_equal false, response.parsed_body["meta"]["should_update_terms"]
+  end
 end

test/controllers/shopkeeper_auth/sessions_controller_test.rb

@@ -28,4 +28,29 @@ class ShopkeeperAuth::SessionsControllerTest < ActionDispatch::IntegrationTest
     delete destroy_shopkeeper_session_url, headers: shopkeeper.create_new_auth_token
     assert_response :success
   end
+
+  test "successful sign-in updates current_platform to the source header value" do
+    shopkeeper = shopkeepers(:one)
+    shopkeeper.create_default_account
+    shopkeeper.update_column(:current_platform, "ios")
+
+    post shopkeeper_session_url,
+      params: {email: shopkeeper.email, password: "password"},
+      headers: {source: "android"}
+
+    assert_response :success
+    assert_equal "android", shopkeeper.reload.current_platform
+  end
+
+  test "successful sign-in without source header preserves the existing current_platform" do
+    shopkeeper = shopkeepers(:one)
+    shopkeeper.create_default_account
+    shopkeeper.update_column(:current_platform, "ios")
+
+    post shopkeeper_session_url,
+      params: {email: shopkeeper.email, password: "password"}
+
+    assert_response :success
+    assert_equal "ios", shopkeeper.reload.current_platform
+  end
 end