pokemon/nuzlocke-tracker
1
1
Fork 0
Code Issues Pull Requests 10 Actions Packages Projects Releases Wiki Activity

feat: auth-aware UI and role-based access control (#67)
All checks were successful
CI / backend-tests (push) Successful in 32s
Details
CI / frontend-tests (push) Successful in 29s
Details

Browse Source 
## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>
This commit was merged in pull request #67.
This commit is contained in:
Julian Tabel
2026-03-21 11:44:05 +01:00
committed by TheFurya
parent f7731b0497
commit e8ded9184b
27 changed files with 826 additions and 347 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
.beans/nuzlocke-tracker-2zwg--protect-frontend-routes-with-protectedroute-and-ad.md
View File

@@ -1,11 +1,11 @@
---
# nuzlocke-tracker-2zwg
title: Protect frontend routes with ProtectedRoute and AdminRoute
status: todo
status: completed
type: task
priority: normal
created_at: 2026-03-21T10:06:20Z
updated_at: 2026-03-21T10:06:24Z
updated_at: 2026-03-21T10:19:41Z
parent: nuzlocke-tracker-ce4o
blocked_by:
- nuzlocke-tracker-5svj
@@ -15,14 +15,24 @@ Use the existing \`ProtectedRoute\` component (currently unused) and create an \
## Checklist
- [ ] Wrap \`/runs/new\` and \`/genlockes/new\` with \`ProtectedRoute\` (requires login)
- [ ] Create \`AdminRoute\` component that checks \`isAdmin\` from \`useAuth()\`, redirects to \`/\` with a toast/message if not admin
- [ ] Wrap all \`/admin/*\` routes with \`AdminRoute\`
- [ ] Ensure \`/runs\` and \`/runs/:runId\` remain accessible to everyone (public run viewing)
- [ ] Verify deep-linking works (e.g., visiting \`/admin/games\` while logged out redirects to login, then back to \`/admin/games\` after auth)
- [x] Wrap \`/runs/new\` and \`/genlockes/new\` with \`ProtectedRoute\` (requires login)
- [x] Create \`AdminRoute\` component that checks \`isAdmin\` from \`useAuth()\`, redirects to \`/\` with a toast/message if not admin
- [x] Wrap all \`/admin/*\` routes with \`AdminRoute\`
- [x] Ensure \`/runs\` and \`/runs/:runId\` remain accessible to everyone (public run viewing)
- [x] Verify deep-linking works (e.g., visiting \`/admin/games\` while logged out redirects to login, then back to \`/admin/games\` after auth)
## Files to change
- \`frontend/src/App.tsx\` — wrap routes
- \`frontend/src/components/ProtectedRoute.tsx\` — already exists, verify it works
- \`frontend/src/components/AdminRoute.tsx\` — new file
## Summary of Changes
Implemented frontend route protection:
- **ProtectedRoute**: Wraps `/runs/new` and `/genlockes/new` - redirects unauthenticated users to `/login` with return location preserved
- **AdminRoute**: New component that checks `isAdmin` from `useAuth()`, redirects non-admins to `/` with a toast notification
- **Admin routes**: Wrapped `AdminLayout` with `AdminRoute` to protect all `/admin/*` routes
- **Public routes**: `/runs` and `/runs/:runId` remain accessible to everyone
- **Deep-linking**: Location state preserved so users return to original route after login

20
.beans/nuzlocke-tracker-5svj--expose-admin-status-to-frontend-via-user-api.md
View File

@@ -1,11 +1,11 @@
---
# nuzlocke-tracker-5svj
title: Expose admin status to frontend via user API
status: todo
status: completed
type: task
priority: normal
created_at: 2026-03-21T10:06:20Z
updated_at: 2026-03-21T10:06:24Z
updated_at: 2026-03-21T10:23:04Z
parent: nuzlocke-tracker-ce4o
blocked_by:
- nuzlocke-tracker-dwah
@@ -15,13 +15,21 @@ The frontend needs to know if the current user is an admin so it can show/hide t
## Checklist
- [ ] Add `is_admin` field to the user response schema (`/api/users/me` endpoint)
- [ ] Update `AuthContext` to fetch `/api/users/me` after login and store `isAdmin` in context
- [ ] Expose `isAdmin` boolean from `useAuth()` hook
- [ ] Handle edge case: user exists in Supabase but not yet in local DB (first login creates user row with `is_admin=false`)
- [x] Add `is_admin` field to the user response schema (`/api/users/me` endpoint)
- [x] Update `AuthContext` to fetch `/api/users/me` after login and store `isAdmin` in context
- [x] Expose `isAdmin` boolean from `useAuth()` hook
- [x] Handle edge case: user exists in Supabase but not yet in local DB (first login creates user row with `is_admin=false`)
## Files to change
- `backend/src/app/schemas/user.py` or equivalent — add `is_admin` to response
- `backend/src/app/api/users.py` — ensure `/me` returns `is_admin`
- `frontend/src/contexts/AuthContext.tsx` — fetch and store admin status
## Summary of Changes
Added `isAdmin` field to frontend auth system:
- **Backend**: Added `is_admin: bool = False` to `UserResponse` schema in `backend/src/app/api/users.py`
- **Frontend**: Updated `AuthContext` to fetch `/api/users/me` after login and expose `isAdmin` boolean
- Edge case handled: `syncUserProfile` returns `false` if API call fails (new user auto-created with `is_admin=false` by backend)

50
.beans/nuzlocke-tracker-9xac--fix-stale-postgresql-enum-causing-test-failures.md Normal file
View File

@@ -0,0 +1,50 @@
---
# nuzlocke-tracker-9xac
title: Fix stale PostgreSQL enum causing test failures
status: completed
type: bug
priority: normal
created_at: 2026-03-21T10:27:53Z
updated_at: 2026-03-21T10:29:33Z
---
## Problem
The backend smoke tests fail with:
```
sqlalchemy.exc.DBAPIError: invalid input value for enum run_visibility: "public"
```
This happens during `Base.metadata.create_all` in the `engine` fixture (`backend/tests/conftest.py:27`).
## Root Cause
The `engine` fixture only calls `create_all` during setup and `drop_all` during teardown. If a previous test run was interrupted before teardown, the `run_visibility` PostgreSQL enum type persists in the test database with stale/incorrect values. On the next run, `create_all` (with `checkfirst=True` default) sees the enum exists and skips recreating it, but the existing enum lacks valid values, causing the `DEFAULT 'public'` to fail.
PostgreSQL native enum types are not automatically dropped with `DROP TABLE` — they require explicit `DROP TYPE`.
## Fix
In the `engine` fixture at `backend/tests/conftest.py:23-31`, add `Base.metadata.drop_all` before `create_all` to ensure a clean slate:
```python
@pytest.fixture(scope="session")
async def engine():
eng = create_async_engine(TEST_DATABASE_URL, echo=False)
async with eng.begin() as conn:
await conn.run_sync(Base.metadata.drop_all) # <-- add this
await conn.run_sync(Base.metadata.create_all)
yield eng
async with eng.begin() as conn:
await conn.run_sync(Base.metadata.drop_all)
await eng.dispose()
```
## Checklist
- [x] Add `drop_all` before `create_all` in the `engine` fixture (`backend/tests/conftest.py`)
- [x] Verify tests pass with `pytest backend/tests/test_smoke.py`
## Summary of Changes
Added `drop_all` before `create_all` in the test engine fixture to ensure stale PostgreSQL enum types are cleared before recreating the schema. This prevents test failures when a previous test run was interrupted before cleanup.

11
.beans/nuzlocke-tracker-ce4o--auth-aware-ui-and-role-based-access-control.md
View File

@@ -1,10 +1,11 @@
---
# nuzlocke-tracker-ce4o
title: Auth-aware UI and role-based access control
status: todo
status: completed
type: epic
priority: normal
created_at: 2026-03-21T10:05:52Z
updated_at: 2026-03-21T10:05:52Z
updated_at: 2026-03-21T10:18:47Z
---
The app currently shows the same navigation menu to all users regardless of auth state. Logged-out users can navigate to protected pages (e.g., /runs/new, /admin) even though the backend rejects their requests. The admin interface has no role restriction — any authenticated user can access it.
@@ -19,9 +20,9 @@ The app currently shows the same navigation menu to all users regardless of auth
## Success Criteria
- [ ] Logged-out users see only: Home, Runs (public list), Genlockes, Stats, Sign In
- [ ] Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*
- [x] Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*
- [ ] Logged-in non-admin users see: New Run, My Runs, Genlockes, Stats (no Admin link)
- [ ] Admin users see the full menu including Admin
- [ ] Backend admin endpoints return 403 for non-admin authenticated users
- [x] Backend admin endpoints return 403 for non-admin authenticated users
- [ ] Admin role is stored in the `users` table (`is_admin` boolean column)
- [ ] Admin status is exposed to the frontend via the user API or auth context
- [x] Admin status is exposed to the frontend via the user API or auth context

32
.beans/nuzlocke-tracker-dwah--add-is-admin-column-to-users-table.md
View File

@@ -1,10 +1,11 @@
---
# nuzlocke-tracker-dwah
title: Add is_admin column to users table
status: todo
status: completed
type: task
priority: normal
created_at: 2026-03-21T10:06:19Z
updated_at: 2026-03-21T10:06:19Z
updated_at: 2026-03-21T10:10:38Z
parent: nuzlocke-tracker-ce4o
---
@@ -12,12 +13,31 @@ Add an `is_admin` boolean column (default `false`) to the `users` table via an A
## Checklist
- [ ] Create Alembic migration adding `is_admin: Mapped[bool]` column with `server_default="false"`
- [ ] Update `User` model in `backend/src/app/models/user.py`
- [ ] Run migration and verify column exists
- [ ] Seed a test admin user (or document how to set `is_admin=true` via SQL)
- [x] Create Alembic migration adding `is_admin: Mapped[bool]` column with `server_default="false"`
- [x] Update `User` model in `backend/src/app/models/user.py`
- [x] Run migration and verify column exists
- [x] Seed a test admin user (or document how to set `is_admin=true` via SQL)
## Files to change
- `backend/src/app/models/user.py` — add `is_admin` field
- `backend/src/app/alembic/versions/` — new migration
## Summary of Changes
Added `is_admin` boolean column to the `users` table:
- **Migration**: `p7e8f9a0b1c2_add_is_admin_to_users.py` adds the column with `server_default='false'`
- **Model**: Updated `User` model with `is_admin: Mapped[bool]` field
### Setting admin via SQL
To promote a user to admin:
```sql
UPDATE users SET is_admin = true WHERE email = 'admin@example.com';
```
Or by user ID:
```sql
UPDATE users SET is_admin = true WHERE id = '<uuid>';
```

29
.beans/nuzlocke-tracker-f4d0--add-require-admin-dependency-and-protect-admin-end.md
View File

@@ -1,11 +1,11 @@
---
# nuzlocke-tracker-f4d0
title: Add require_admin dependency and protect admin endpoints
status: todo
status: completed
type: task
priority: normal
created_at: 2026-03-21T10:06:19Z
updated_at: 2026-03-21T10:06:24Z
updated_at: 2026-03-21T10:15:14Z
parent: nuzlocke-tracker-ce4o
blocked_by:
- nuzlocke-tracker-dwah
@@ -15,13 +15,13 @@ Add a `require_admin` FastAPI dependency that checks the `is_admin` column on th
## Checklist
- [ ] Add `require_admin` dependency in `backend/src/app/core/auth.py` that:
- [x] Add `require_admin` dependency in `backend/src/app/core/auth.py` that:
- Requires authentication (reuses `require_auth`)
- Looks up the user in the `users` table by `AuthUser.id`
- Returns 403 if `is_admin` is not `True`
- [ ] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE)
- [ ] Keep read endpoints (GET) accessible to all authenticated users
- [ ] Add tests for 403 response when non-admin user hits admin endpoints
- [x] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE)
- [x] Keep read endpoints (GET) accessible to all authenticated users
- [x] Add tests for 403 response when non-admin user hits admin endpoints
## Files to change
@@ -30,3 +30,20 @@ Add a `require_admin` FastAPI dependency that checks the `is_admin` column on th
- `backend/src/app/api/pokemon.py` — same
- `backend/src/app/api/evolutions.py` — same
- `backend/src/app/api/bosses.py` — same
## Summary of Changes
Added `require_admin` FastAPI dependency to `backend/src/app/core/auth.py`:
- Depends on `require_auth` (returns 401 if not authenticated)
- Looks up user in `users` table by UUID
- Returns 403 if user not found or `is_admin` is not True
Applied `require_admin` to all admin-facing write endpoints:
- `games.py`: POST/PUT/DELETE for games and routes
- `pokemon.py`: POST/PUT/DELETE for pokemon and route encounters
- `evolutions.py`: POST/PUT/DELETE for evolutions
- `bosses.py`: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with `require_auth`)
Added tests in `test_auth.py`:
- Unit tests for `require_admin` (admin user, non-admin user, user not in DB)
- Integration tests for admin endpoint access (403 for non-admin, 201 for admin)

27
.beans/nuzlocke-tracker-h205--auth-aware-navigation-menu.md
View File

@@ -1,11 +1,11 @@
---
# nuzlocke-tracker-h205
title: Auth-aware navigation menu
status: todo
status: completed
type: task
priority: normal
created_at: 2026-03-21T10:06:20Z
updated_at: 2026-03-21T10:06:24Z
updated_at: 2026-03-21T10:22:34Z
parent: nuzlocke-tracker-ce4o
blocked_by:
- nuzlocke-tracker-5svj
@@ -15,13 +15,24 @@ Update the Layout component to show different nav links based on auth state and
## Checklist
- [ ] Replace static \`navLinks\` array with dynamic links based on \`useAuth()\` state
- [ ] **Logged out**: Home, Runs, Genlockes, Stats (no New Run, no Admin)
- [ ] **Logged in (non-admin)**: New Run, My Runs, Genlockes, Stats
- [ ] **Logged in (admin)**: New Run, My Runs, Genlockes, Stats, Admin
- [ ] Update both desktop and mobile nav (they share the same \`navLinks\` array, so this should be automatic)
- [ ] Verify menu updates reactively on login/logout
- [x] Replace static \`navLinks\` array with dynamic links based on \`useAuth()\` state
- [x] **Logged out**: Home, Runs, Genlockes, Stats (no New Run, no Admin)
- [x] **Logged in (non-admin)**: New Run, My Runs, Genlockes, Stats
- [x] **Logged in (admin)**: New Run, My Runs, Genlockes, Stats, Admin
- [x] Update both desktop and mobile nav (they share the same \`navLinks\` array, so this should be automatic)
- [x] Verify menu updates reactively on login/logout
## Files to change
- \`frontend/src/components/Layout.tsx\` — make \`navLinks\` dynamic based on auth state
## Summary of Changes
- Removed static `navLinks` array from module scope
- Added dynamic `navLinks` computation inside `Layout` component using `useMemo`
- Navigation now depends on `user` and `isAdmin` from `useAuth()`:
- Logged out: Home, Runs, Genlockes, Stats
- Logged in (non-admin): New Run, My Runs, Genlockes, Stats
- Logged in (admin): New Run, My Runs, Genlockes, Stats, Admin
- Updated `isActive` function to handle Home route (`/`) correctly
- Both desktop and mobile nav automatically use the same dynamic `navLinks` array

4
.beans/nuzlocke-tracker-he1n--add-local-gotrue-container-for-dev-auth-testing.md
View File

@@ -1,11 +1,11 @@
---
# nuzlocke-tracker-he1n
title: Add local GoTrue container for dev auth testing
status: todo
status: completed
type: feature
priority: normal
created_at: 2026-03-20T20:57:04Z
updated_at: 2026-03-20T21:13:18Z
updated_at: 2026-03-21T10:07:40Z
---
## Problem