---
# nuzlocke-tracker-wwnu
title: Auth hardening, admin ownership display, and MFA
status: completed
type: epic
priority: high
created_at: 2026-03-21T12:18:09Z
updated_at: 2026-03-21T12:38:27Z
---

Harden authentication and authorization across the app after the initial auth integration went live.

## Goals

- [x] Runs are only editable by their owner (encounters, deaths, bosses, settings)
- [x] Frontend hides edit controls for non-owners and logged-out users
- [x] Admin pages show owner info for runs and genlockes
- [ ] Genlocke visibility/ownership inferred from first leg's run
- [ ] Optional TOTP MFA for email/password signups

## Context

Auth is live with Google/Discord OAuth + email/password. Backend has `require_auth` on mutations but doesn't check ownership on encounters or genlockes. Frontend `RunEncounters.tsx` has zero auth checks. Admin pages lack owner columns. Genlocke model has no `owner_id` or `visibility`.
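The gap described in the context section, `require_auth` proving who the caller is but no check that the caller owns the run an encounter belongs to, is the classic authentication-without-authorization bug. The following is an added example, not code from the nuzlocke-tracker project: it assumes a Python backend, stands in for the database with in-memory dataclasses, and shows a mutation that resolves encounter -> run -> owner before writing, plus the planned inference of a genlocke's owner and visibility from its first leg's run. The `attempt` helper exists only so the outcome of a call can be inspected as a string.

```python
"""Ownership checks for run-scoped mutations (constructed example, not the
project's code). Assumptions: Python backend, entities as dataclasses,
and an existing `require_auth` that only establishes *who* is calling."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


class Unauthenticated(Exception): ...
class Forbidden(Exception): ...
class NotFound(Exception): ...


@dataclass
class Run:
    id: int
    owner_id: int
    visibility: str = "public"      # "public" | "private"


@dataclass
class Encounter:
    id: int
    run_id: int
    species: str
    status: str = "alive"


@dataclass
class Genlocke:
    id: int
    leg_run_ids: list = field(default_factory=list)   # ordered legs; first leg decides ownership


# Constructed in-memory store standing in for the database.
RUNS = {1: Run(1, owner_id=10), 2: Run(2, owner_id=20, visibility="private")}
ENCOUNTERS = {100: Encounter(100, run_id=1, species="Pidgey"),
              200: Encounter(200, run_id=2, species="Zubat")}
GENLOCKES = {7: Genlocke(7, leg_run_ids=[2, 1]), 8: Genlocke(8)}


def require_auth(user_id: Optional[int]) -> int:
    """Authentication only: mirrors the existing guard on mutations."""
    if user_id is None:
        raise Unauthenticated("login required")
    return user_id


def require_run_owner(run_id: int, user_id: Optional[int]) -> Run:
    """Authorization: the caller must own the run. A private run answers
    404 to non-owners so a 403 does not reveal that it exists."""
    caller = require_auth(user_id)
    run = RUNS.get(run_id)
    if run is None:
        raise NotFound("run")
    if run.owner_id != caller:
        if run.visibility == "private":
            raise NotFound("run")
        raise Forbidden("not the run owner")
    return run


def update_encounter_status(encounter_id: int, new_status: str,
                            user_id: Optional[int]) -> Encounter:
    """Mutation that walks encounter -> run -> owner before writing."""
    enc = ENCOUNTERS.get(encounter_id)
    if enc is None:
        raise NotFound("encounter")
    require_run_owner(enc.run_id, user_id)     # the ownership step require_auth alone skips
    enc.status = new_status
    return enc


def genlocke_owner_and_visibility(genlocke_id: int) -> Tuple[Optional[int], str]:
    """Infer (owner_id, visibility) from the first leg's run. A genlocke
    with no legs has no owner yet and is treated as private."""
    g = GENLOCKES.get(genlocke_id)
    if g is None:
        raise NotFound("genlocke")
    if not g.leg_run_ids:
        return (None, "private")
    first = RUNS[g.leg_run_ids[0]]
    return (first.owner_id, first.visibility)


def require_genlocke_owner(genlocke_id: int, user_id: Optional[int]) -> Genlocke:
    """Same rule as runs, applied to the inferred genlocke owner."""
    caller = require_auth(user_id)
    owner, vis = genlocke_owner_and_visibility(genlocke_id)
    if owner != caller:
        if vis == "private":
            raise NotFound("genlocke")
        raise Forbidden("not the genlocke owner")
    return GENLOCKES[genlocke_id]


def attempt(fn, *args, **kwargs) -> str:
    """Return 'ok' or the name of the raised auth exception (for inspection)."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except (Unauthenticated, Forbidden, NotFound) as exc:
        return type(exc).__name__
```

The design choice worth carrying into the real handlers is the order of checks: authenticate, load the parent run, compare `owner_id`, and only then touch the row. Returning 404 rather than 403 for private resources keeps the visibility setting meaningful; for public runs a 403 is fine because existence is already public.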