nuzlocke-tracker/.beans/archive/nuzlocke-tracker-ce4o--auth-aware-ui-and-role-based-access-control.md

title, status, type, priority, created_at, updated_at

title	status	type	priority	created_at	updated_at
Auth-aware UI and role-based access control	completed	epic	normal	2026-03-21T10:05:52Z	2026-03-21T10:18:47Z

The app currently shows the same navigation menu to all users regardless of auth state. Logged-out users can navigate to protected pages (e.g., /runs/new, /admin) even though the backend rejects their requests. The admin interface has no role restriction — any authenticated user can access it.

Goals

1. Auth-aware navigation: Menu items change based on login state (logged-out users only see public browsing options)
2. Route protection: Protected routes redirect to login, admin routes require admin role
3. Admin role system: Define which users are admins via a database field, enforce on both frontend and backend
4. Backend admin enforcement: Admin API endpoints (games, pokemon, evolutions, bosses, routes) require admin role, not just authentication

Success Criteria

• Logged-out users see only: Home, Runs (public list), Genlockes, Stats, Sign In
• Logged-out users cannot navigate to /runs/new, /genlockes/new, or /admin/*
• Logged-in non-admin users see: New Run, My Runs, Genlockes, Stats (no Admin link)
• Admin users see the full menu including Admin
• Backend admin endpoints return 403 for non-admin authenticated users
• Admin role is stored in the users table (is_admin boolean column)
• Admin status is exposed to the frontend via the user API or auth context