.beans/nuzlocke-tracker-f4d0--add-require-admin-dependency-and-protect-admin-end.md

---
# nuzlocke-tracker-f4d0
title: Add require_admin dependency and protect admin endpoints
status: in-progress
type: task
priority: normal
created_at: 2026-03-21T10:06:19Z
updated_at: 2026-03-21T10:14:36Z
parent: nuzlocke-tracker-ce4o
blocked_by:
    - nuzlocke-tracker-dwah
---

Add a `require_admin` FastAPI dependency that checks the `is_admin` column on the `users` table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).

## Checklist

- [x] Add `require_admin` dependency in `backend/src/app/core/auth.py` that:
  - Requires authentication (reuses `require_auth`)
  - Looks up the user in the `users` table by `AuthUser.id`
  - Returns 403 if `is_admin` is not `True`
- [x] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE)
- [x] Keep read endpoints (GET) accessible to all authenticated users
- [x] Add tests for 403 response when non-admin user hits admin endpoints

## Files to change

- `backend/src/app/core/auth.py` — add `require_admin`
- `backend/src/app/api/games.py` — replace `require_auth` with `require_admin` on mutations
- `backend/src/app/api/pokemon.py` — same
- `backend/src/app/api/evolutions.py` — same  
- `backend/src/app/api/bosses.py` — same

## Summary of Changes

Added `require_admin` FastAPI dependency to `backend/src/app/core/auth.py`:
- Depends on `require_auth` (returns 401 if not authenticated)
- Looks up user in `users` table by UUID
- Returns 403 if user not found or `is_admin` is not True

Applied `require_admin` to all admin-facing write endpoints:
- `games.py`: POST/PUT/DELETE for games and routes
- `pokemon.py`: POST/PUT/DELETE for pokemon and route encounters
- `evolutions.py`: POST/PUT/DELETE for evolutions
- `bosses.py`: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with `require_auth`)

Added tests in `test_auth.py`:
- Unit tests for `require_admin` (admin user, non-admin user, user not in DB)
- Integration tests for admin endpoint access (403 for non-admin, 201 for admin)
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`---`
			`# nuzlocke-tracker-f4d0`
			`title: Add require_admin dependency and protect admin endpoints`
feat: add require_admin dependency and protect admin endpoints Add require_admin FastAPI dependency that checks is_admin column on users table. Apply it to all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected by require_auth only since they manage user's own data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:14:55 +01:00			`status: in-progress`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`type: task`
			`priority: normal`
			`created_at: 2026-03-21T10:06:19Z`
feat: add require_admin dependency and protect admin endpoints Add require_admin FastAPI dependency that checks is_admin column on users table. Apply it to all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected by require_auth only since they manage user's own data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:14:55 +01:00			`updated_at: 2026-03-21T10:14:36Z`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			`parent: nuzlocke-tracker-ce4o`
			`blocked_by:`
			`- nuzlocke-tracker-dwah`
			`---`

			Add a `require_admin` FastAPI dependency that checks the `is_admin` column on the `users` table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD).

			`## Checklist`

feat: add require_admin dependency and protect admin endpoints Add require_admin FastAPI dependency that checks is_admin column on users table. Apply it to all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected by require_auth only since they manage user's own data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:14:55 +01:00			- [x] Add `require_admin` dependency in `backend/src/app/core/auth.py` that:
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00			- Requires authentication (reuses `require_auth`)
			- Looks up the user in the `users` table by `AuthUser.id`
			- Returns 403 if `is_admin` is not `True`
feat: add require_admin dependency and protect admin endpoints Add require_admin FastAPI dependency that checks is_admin column on users table. Apply it to all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected by require_auth only since they manage user's own data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:14:55 +01:00			- [x] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE)
			`- [x] Keep read endpoints (GET) accessible to all authenticated users`
			`- [x] Add tests for 403 response when non-admin user hits admin endpoints`
Fix local login flow, add new auth epic 2026-03-21 11:06:53 +01:00
			`## Files to change`

			- `backend/src/app/core/auth.py` — add `require_admin`
			- `backend/src/app/api/games.py` — replace `require_auth` with `require_admin` on mutations
			- `backend/src/app/api/pokemon.py` — same
			- `backend/src/app/api/evolutions.py` — same
			- `backend/src/app/api/bosses.py` — same
feat: add require_admin dependency and protect admin endpoints Add require_admin FastAPI dependency that checks is_admin column on users table. Apply it to all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected by require_auth only since they manage user's own data. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 11:14:55 +01:00
			`## Summary of Changes`

			Added `require_admin` FastAPI dependency to `backend/src/app/core/auth.py`:
			- Depends on `require_auth` (returns 401 if not authenticated)
			- Looks up user in `users` table by UUID
			- Returns 403 if user not found or `is_admin` is not True

			Applied `require_admin` to all admin-facing write endpoints:
			- `games.py`: POST/PUT/DELETE for games and routes
			- `pokemon.py`: POST/PUT/DELETE for pokemon and route encounters
			- `evolutions.py`: POST/PUT/DELETE for evolutions
			- `bosses.py`: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with `require_auth`)

			Added tests in `test_auth.py`:
			- Unit tests for `require_admin` (admin user, non-admin user, user not in DB)
			`- Integration tests for admin endpoint access (403 for non-admin, 201 for admin)`