24 lines
938 B
Markdown
---
# nuzlocke-tracker-wwnu
title: Auth hardening, admin ownership display, and MFA
status: completed
type: epic
priority: high
created_at: 2026-03-21T12:18:09Z
updated_at: 2026-03-21T12:38:27Z
---
Harden authentication and authorization across the app after the initial auth integration went live.
## Goals
- [x] Runs are only editable by their owner (encounters, deaths, bosses, settings)
- [x] Frontend hides edit controls for non-owners and logged-out users
- [x] Admin pages show owner info for runs and genlockes
- [ ] Genlocke visibility/ownership inferred from first leg's run
- [ ] Optional TOTP MFA for email/password signups
## Context
Auth is live with Google/Discord OAuth + email/password. Backend has `require_auth` on mutations but doesn't check ownership on encounters or genlockes. Frontend `RunEncounters.tsx` has zero auth checks. Admin pages lack owner columns. Genlocke model has no `owner_id` or `visibility`.
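As an added example (not the project's own code), a framework-agnostic sketch of the checks the goals above call for: `require_owner` as the ownership gate that `require_auth` alone does not provide, genlocke owner and visibility inferred from the first leg's run, and the `can_edit` rule the frontend can use to hide controls. `Run`, `Genlocke`, their field names and the exception-to-HTTP-status mapping are assumptions.

```python
# Added example (not the project's code); model and field names are assumed.
from dataclasses import dataclass, field
from typing import Optional

class Unauthenticated(Exception):
    """No user logged in (maps to HTTP 401)."""

class Forbidden(Exception):
    """Logged in but not the owner (maps to HTTP 403)."""

@dataclass
class Run:
    id: int
    owner_id: int
    visibility: str = "public"  # assumed values: "public" or "private"

@dataclass
class Genlocke:
    id: int
    legs: list[int] = field(default_factory=list)  # run ids, in leg order

def require_owner(current_user_id: Optional[int], run: Run) -> Run:
    """Gate for run mutations (encounters, deaths, bosses, settings).
    require_auth only proves someone is logged in; this proves it is the
    owner. Fails closed: no user -> 401, wrong user -> 403."""
    if current_user_id is None:
        raise Unauthenticated()
    if run.owner_id != current_user_id:
        raise Forbidden()
    return run

def first_leg_run(genlocke: Genlocke, runs: dict[int, Run]) -> Optional[Run]:
    """The run a genlocke inherits owner and visibility from, if any."""
    return runs.get(genlocke.legs[0]) if genlocke.legs else None

def genlocke_owner(genlocke: Genlocke, runs: dict[int, Run]) -> Optional[int]:
    """No legs, or a first leg pointing at a missing run, means no owner."""
    run = first_leg_run(genlocke, runs)
    return run.owner_id if run else None

def genlocke_visibility(genlocke: Genlocke, runs: dict[int, Run]) -> str:
    """Inherit the first leg's visibility; default to private when unknown."""
    run = first_leg_run(genlocke, runs)
    return run.visibility if run else "private"

def can_edit(current_user_id: Optional[int], owner_id: Optional[int]) -> bool:
    """Frontend rule for showing edit controls: owner only, never logged out."""
    return current_user_id is not None and owner_id == current_user_id
```

A genlocke with no legs ends up with no owner and private visibility, so nobody can edit it and it does not leak before its first run is attached.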