.beans/nuzlocke-tracker-ce4o--auth-aware-ui-and-role-based-access-control.md

---
# nuzlocke-tracker-ce4o
title: Auth-aware UI and role-based access control
status: completed
type: epic
priority: normal
created_at: 2026-03-21T10:05:52Z
updated_at: 2026-03-21T10:18:47Z
---

The app currently shows the same navigation menu to all users regardless of auth state. Logged-out users can navigate to protected pages (e.g., /runs/new, /admin) even though the backend rejects their requests. The admin interface has no role restriction — any authenticated user can access it.

## Goals

1. **Auth-aware navigation**: Menu items change based on login state (logged-out users only see public browsing options)
2. **Route protection**: Protected routes redirect to login, admin routes require admin role
3. **Admin role system**: Define which users are admins via a database field, enforce on both frontend and backend
4. **Backend admin enforcement**: Admin API endpoints (games, pokemon, evolutions, bosses, routes) require admin role, not just authentication

## Success Criteria

- [ ] Logged-out users see only: Home, Runs (public list), Genlockes, Stats, Sign In
- [x] Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*
- [ ] Logged-in non-admin users see: New Run, My Runs, Genlockes, Stats (no Admin link)
- [ ] Admin users see the full menu including Admin
- [x] Backend admin endpoints return 403 for non-admin authenticated users
- [ ] Admin role is stored in the `users` table (`is_admin` boolean column)
- [x] Admin status is exposed to the frontend via the user API or auth context
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`---`
			`# nuzlocke-tracker-ce4o`
			`title: Auth-aware UI and role-based access control`
feat: add is_admin column to users table Add `is_admin` boolean column (default false) via Alembic migration for role-based access control. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:10:29 +01:00			`status: completed`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`type: epic`
feat: add is_admin column to users table Add `is_admin` boolean column (default false) via Alembic migration for role-based access control. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:10:29 +01:00			`priority: normal`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`created_at: 2026-03-21T10:05:52Z`
feat: protect frontend routes with ProtectedRoute and AdminRoute - Wrap /runs/new and /genlockes/new with ProtectedRoute (requires login) - Create AdminRoute component that checks isAdmin, redirects non-admins with a toast notification - Wrap all /admin/* routes with AdminRoute - Deep-linking preserved: unauthenticated users redirect to login, then back to the original protected route after auth Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:19:16 +01:00			`updated_at: 2026-03-21T10:18:47Z`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`---`

			`The app currently shows the same navigation menu to all users regardless of auth state. Logged-out users can navigate to protected pages (e.g., /runs/new, /admin) even though the backend rejects their requests. The admin interface has no role restriction — any authenticated user can access it.`

			`## Goals`

			`1. Auth-aware navigation: Menu items change based on login state (logged-out users only see public browsing options)`
			`2. Route protection: Protected routes redirect to login, admin routes require admin role`
			`3. Admin role system: Define which users are admins via a database field, enforce on both frontend and backend`
			`4. Backend admin enforcement: Admin API endpoints (games, pokemon, evolutions, bosses, routes) require admin role, not just authentication`

			`## Success Criteria`

			`- [ ] Logged-out users see only: Home, Runs (public list), Genlockes, Stats, Sign In`
feat: protect frontend routes with ProtectedRoute and AdminRoute - Wrap /runs/new and /genlockes/new with ProtectedRoute (requires login) - Create AdminRoute component that checks isAdmin, redirects non-admins with a toast notification - Wrap all /admin/* routes with AdminRoute - Deep-linking preserved: unauthenticated users redirect to login, then back to the original protected route after auth Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:19:16 +01:00			`- [x] Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`- [ ] Logged-in non-admin users see: New Run, My Runs, Genlockes, Stats (no Admin link)`
			`- [ ] Admin users see the full menu including Admin`
feat: protect frontend routes with ProtectedRoute and AdminRoute - Wrap /runs/new and /genlockes/new with ProtectedRoute (requires login) - Create AdminRoute component that checks isAdmin, redirects non-admins with a toast notification - Wrap all /admin/* routes with AdminRoute - Deep-linking preserved: unauthenticated users redirect to login, then back to the original protected route after auth Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:19:16 +01:00			`- [x] Backend admin endpoints return 403 for non-admin authenticated users`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			- [ ] Admin role is stored in the `users` table (`is_admin` boolean column)
feat: protect frontend routes with ProtectedRoute and AdminRoute - Wrap /runs/new and /genlockes/new with ProtectedRoute (requires login) - Create AdminRoute component that checks isAdmin, redirects non-admins with a toast notification - Wrap all /admin/* routes with AdminRoute - Deep-linking preserved: unauthenticated users redirect to login, then back to the original protected route after auth Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:19:16 +01:00			`- [x] Admin status is exposed to the frontend via the user API or auth context`