# Suff – drink booking tool

Self-service drink tab for festival attendees. Lives at `/suff/`. Plain Django, no JS, no CSS yet.

## Auth

- `User.pin` field (hashed CharField) stores 3-digit PIN, separate from `password`. Lets staff keep a strong password for `/admin/` and use the same username on `/suff/` with just a PIN.
- `PinBackend` (`gaehsnitz/auth_backends.py`) authenticates by `username` + `pin` via `user.check_pin()`. Default `ModelBackend` stays first in `AUTHENTICATION_BACKENDS` so `/admin/` keeps requiring the strong password.
- Staff PINs cannot be self-set on `/suff/`. If a name matches an existing user with no PIN, the user lands on `suff/no_pin.html` explaining that an admin must set the PIN via the admin panel — otherwise anyone could claim a staff name and lock out the real owner.
- Admin convenience: User change page shows PIN status ("gesetzt"/"nicht gesetzt") + "PIN setzen" link → custom admin view `<id>/pin/` with a 3-digit form, calls `user.set_pin()`.

## Name flow

- Username = `slugify(input)` (e.g. "Flo Hä!" → "flo-ha"). Slug shown back so user can memorize it.
- POST name → check existence:
    - not found → set new PIN → create user → login
    - found, has PIN → enter PIN → login
    - found, no PIN → `no_pin.html` (ask admin)

## Booking

- `/suff/me/` shows: greeting (slug), running paid total, full consumption history with timestamps, drink buttons.
- Each drink = `+1` POST form. Server creates `Consumption(amount=1, day=current_weekday, for_free=False, created_at=auto)`.
- No undo, no delete, no edit. No special bartender role.
- History sorted newest-first, `created_at` shown as `Do 18:42` etc.

## Time gating (Berlin tz)

- Phases: `before` / `booking` / `readonly` / `closed`.
- Booking allowed Thu 2026-06-11 00:00 → Sun 2026-06-14 23:59.
- Read-only until Sun 2026-06-21 23:59.
- After: every `/suff/` URL returns 404.
- Local dev: `settings.PRODUCTION=False` forces `booking` phase always.

## Files

- `gaehsnitz/auth_backends.py` — `PinBackend`
- `gaehsnitz/suff.py` — views + phase logic
- `gaehsnitz/suff_urls.py` — routes
- `gaehsnitz/admin.py` — `SetPinForm` + `set_pin_view`
- `gaehsnitz/templates/suff/{base,name,pin,no_pin,me}.html`
- `gaehsnitz/templates/admin/gaehsnitz/user/set_pin.html`
- `gaehsnitz/migrations/0003_consumption_created_at_user_pin.py`
- Edits: `gaehsnitzproject/settings.py`, `gaehsnitzproject/urls.py`, `gaehsnitz/models.py`

## Next step

Mobile-first styling. Currently zero CSS. Big tap targets for drink buttons, sticky/large running total, dark-mode friendly for outdoor evening use. Visual feedback after booking, day-grouped history, friendlier empty state, bigger PIN input. Decide whether `/suff/` integrates into the GOA site header or stays a separate microsite.