Root cause: BFF GetMyStaffProfile used ExtractUserIdFromJwt(authHeader)
which reads Authorization header — but BFF uses httpOnly cookie auth,
so authHeader was always null → userId match always failed → 404.
Fix: Extract userId/email from bff_session cookie instead. Also add
email fallback matching when userId match fails.
Additionally:
- Add "Mở POS" button on Staff Dashboard (orange, links to POS page)
- Add "Mở POS" link in StaffLayout sidebar for Cashier/Manager roles
- POS link uses shopId from staff's shopAssignment
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1b90b0119d