--- # nuzlocke-tracker-f4d0 title: Add require_admin dependency and protect admin endpoints status: completed type: task priority: normal created_at: 2026-03-21T10:06:19Z updated_at: 2026-03-21T10:15:14Z parent: nuzlocke-tracker-ce4o blocked_by: - nuzlocke-tracker-dwah --- Add a `require_admin` FastAPI dependency that checks the `is_admin` column on the `users` table. Apply it to all admin-facing API endpoints (games CRUD, pokemon CRUD, evolutions CRUD, bosses CRUD, route CRUD). ## Checklist - [x] Add `require_admin` dependency in `backend/src/app/core/auth.py` that: - Requires authentication (reuses `require_auth`) - Looks up the user in the `users` table by `AuthUser.id` - Returns 403 if `is_admin` is not `True` - [x] Apply `require_admin` to write endpoints in: `games.py`, `pokemon.py`, `evolutions.py`, `bosses.py` (all POST/PUT/PATCH/DELETE) - [x] Keep read endpoints (GET) accessible to all authenticated users - [x] Add tests for 403 response when non-admin user hits admin endpoints ## Files to change - `backend/src/app/core/auth.py` — add `require_admin` - `backend/src/app/api/games.py` — replace `require_auth` with `require_admin` on mutations - `backend/src/app/api/pokemon.py` — same - `backend/src/app/api/evolutions.py` — same - `backend/src/app/api/bosses.py` — same ## Summary of Changes Added `require_admin` FastAPI dependency to `backend/src/app/core/auth.py`: - Depends on `require_auth` (returns 401 if not authenticated) - Looks up user in `users` table by UUID - Returns 403 if user not found or `is_admin` is not True Applied `require_admin` to all admin-facing write endpoints: - `games.py`: POST/PUT/DELETE for games and routes - `pokemon.py`: POST/PUT/DELETE for pokemon and route encounters - `evolutions.py`: POST/PUT/DELETE for evolutions - `bosses.py`: POST/PUT/DELETE for game-scoped boss operations (run-scoped endpoints kept with `require_auth`) Added tests in `test_auth.py`: - Unit tests for `require_admin` (admin user, non-admin user, user not in DB) - Integration tests for admin endpoint access (403 for non-admin, 201 for admin)