.beans/archive/nuzlocke-tracker-5svj--expose-admin-status-to-frontend-via-user-api.md

---
# nuzlocke-tracker-5svj
title: Expose admin status to frontend via user API
status: completed
type: task
priority: normal
created_at: 2026-03-21T10:06:20Z
updated_at: 2026-03-21T10:23:04Z
parent: nuzlocke-tracker-ce4o
blocked_by:
    - nuzlocke-tracker-dwah
---

The frontend needs to know if the current user is an admin so it can show/hide the Admin nav link and protect admin routes client-side.

## Checklist

- [x] Add `is_admin` field to the user response schema (`/api/users/me` endpoint)
- [x] Update `AuthContext` to fetch `/api/users/me` after login and store `isAdmin` in context
- [x] Expose `isAdmin` boolean from `useAuth()` hook
- [x] Handle edge case: user exists in Supabase but not yet in local DB (first login creates user row with `is_admin=false`)

## Files to change

- `backend/src/app/schemas/user.py` or equivalent — add `is_admin` to response
- `backend/src/app/api/users.py` — ensure `/me` returns `is_admin`
- `frontend/src/contexts/AuthContext.tsx` — fetch and store admin status

## Summary of Changes

Added `isAdmin` field to frontend auth system:

- **Backend**: Added `is_admin: bool = False` to `UserResponse` schema in `backend/src/app/api/users.py`
- **Frontend**: Updated `AuthContext` to fetch `/api/users/me` after login and expose `isAdmin` boolean
- Edge case handled: `syncUserProfile` returns `false` if API call fails (new user auto-created with `is_admin=false` by backend)
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`---`
			`# nuzlocke-tracker-5svj`
			`title: Expose admin status to frontend via user API`
feat: auth-aware UI and role-based access control (#67) ## Summary - Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD) - Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login - Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects - Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs - Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints ## Test plan - [x] All 252 backend tests pass - [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD) - [ ] Verify admin users can access admin endpoints normally - [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states - [ ] Verify `/admin/*` routes redirect non-admin users with a toast - [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://gitea.nerdboden.de/pokemon/nuzlocke-tracker/pulls/67 Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com> Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com> 2026-03-21 11:44:05 +01:00			`status: completed`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`type: task`
			`priority: normal`
			`created_at: 2026-03-21T10:06:20Z`
feat: auth-aware UI and role-based access control (#67) ## Summary - Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD) - Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login - Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects - Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs - Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints ## Test plan - [x] All 252 backend tests pass - [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD) - [ ] Verify admin users can access admin endpoints normally - [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states - [ ] Verify `/admin/*` routes redirect non-admin users with a toast - [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://gitea.nerdboden.de/pokemon/nuzlocke-tracker/pulls/67 Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com> Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com> 2026-03-21 11:44:05 +01:00			`updated_at: 2026-03-21T10:23:04Z`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`parent: nuzlocke-tracker-ce4o`
			`blocked_by:`
			`- nuzlocke-tracker-dwah`
			`---`

			`The frontend needs to know if the current user is an admin so it can show/hide the Admin nav link and protect admin routes client-side.`

			`## Checklist`

feat: auth-aware UI and role-based access control (#67) ## Summary - Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD) - Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login - Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects - Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs - Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints ## Test plan - [x] All 252 backend tests pass - [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD) - [ ] Verify admin users can access admin endpoints normally - [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states - [ ] Verify `/admin/*` routes redirect non-admin users with a toast - [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://gitea.nerdboden.de/pokemon/nuzlocke-tracker/pulls/67 Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com> Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com> 2026-03-21 11:44:05 +01:00			- [x] Add `is_admin` field to the user response schema (`/api/users/me` endpoint)
			- [x] Update `AuthContext` to fetch `/api/users/me` after login and store `isAdmin` in context
			- [x] Expose `isAdmin` boolean from `useAuth()` hook
			- [x] Handle edge case: user exists in Supabase but not yet in local DB (first login creates user row with `is_admin=false`)
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00
			`## Files to change`

			- `backend/src/app/schemas/user.py` or equivalent — add `is_admin` to response
			- `backend/src/app/api/users.py` — ensure `/me` returns `is_admin`
			- `frontend/src/contexts/AuthContext.tsx` — fetch and store admin status
feat: auth-aware UI and role-based access control (#67) ## Summary - Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD) - Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login - Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects - Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs - Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints ## Test plan - [x] All 252 backend tests pass - [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD) - [ ] Verify admin users can access admin endpoints normally - [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states - [ ] Verify `/admin/*` routes redirect non-admin users with a toast - [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://gitea.nerdboden.de/pokemon/nuzlocke-tracker/pulls/67 Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com> Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com> 2026-03-21 11:44:05 +01:00
			`## Summary of Changes`

			Added `isAdmin` field to frontend auth system:

			- Backend: Added `is_admin: bool = False` to `UserResponse` schema in `backend/src/app/api/users.py`
			- Frontend: Updated `AuthContext` to fetch `/api/users/me` after login and expose `isAdmin` boolean
			- Edge case handled: `syncUserProfile` returns `false` if API call fails (new user auto-created with `is_admin=false` by backend)