nuzlocke-tracker/.beans/archive/nuzlocke-tracker-wwnu--auth-hardening-admin-ownership-display-and-mfa.md
2026-03-22 08:56:06 +01:00

| title | status | type | priority | created_at | updated_at |
| --- | --- | --- | --- | --- | --- |
| Auth hardening, admin ownership display, and MFA | completed | epic | high | 2026-03-21T12:18:09Z | 2026-03-21T12:38:27Z |

Harden authentication and authorization across the app after the initial auth integration went live.

Goals

  • Runs are only editable by their owner (encounters, deaths, bosses, settings)
  • Frontend hides edit controls for non-owners and logged-out users
  • Admin pages show owner info for runs and genlockes
  • Genlocke visibility/ownership inferred from first leg's run
  • Optional TOTP MFA for email/password signups

Context

Auth is live with Google/Discord OAuth + email/password. Backend has require_auth on mutations but doesn't check ownership on encounters or genlockes. Frontend RunEncounters.tsx has zero auth checks. Admin pages lack owner columns. Genlocke model has no owner_id or visibility.
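Added illustration of the gap described above and of the check the first goal calls for (example code written for this page, not the nuzlocke-tracker code base): a `require_auth` gate that only verifies a user is logged in, beside a `require_owner` gate that also compares the resource's owner to the caller, with genlocke ownership derived from the first leg's run as the goals specify. The `Run` and `Genlocke` dataclasses, the in-memory store, the `require_owner`/`can_edit_run` names and the sample ids are assumptions, and Python is assumed for the backend only because of the snake_case `require_auth` name.

```python
"""Ownership checks for run and genlocke mutations (illustrative, not project code)."""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional


class Unauthorized(Exception):
    """No logged-in user."""


class Forbidden(Exception):
    """Logged in, but not the owner of the resource."""


@dataclass
class Run:
    id: int
    owner_id: int
    visibility: str = "private"           # assumed values: "private" | "public"
    encounters: List[str] = field(default_factory=list)


@dataclass
class Genlocke:
    id: int
    leg_run_ids: List[int]                # ordered legs; the first leg's run decides ownership


RUNS: Dict[int, Run] = {}
GENLOCKES: Dict[int, Genlocke] = {}


def reset_store() -> None:
    """Constructed sample data standing in for the database."""
    RUNS.clear()
    GENLOCKES.clear()
    RUNS[1] = Run(1, owner_id=10)
    RUNS[2] = Run(2, owner_id=20, visibility="public")
    GENLOCKES[5] = Genlocke(5, leg_run_ids=[2, 1])   # first leg is run 2, so owner 20


def require_auth(fn):
    """The gate the epic says already exists: any logged-in user passes."""
    @wraps(fn)
    def wrapper(user_id: Optional[int], *args, **kwargs):
        if user_id is None:
            raise Unauthorized()
        return fn(user_id, *args, **kwargs)
    return wrapper


def run_owner_id(run_id: int) -> int:
    return RUNS[run_id].owner_id


def genlocke_owner_id(genlocke_id: int) -> int:
    # Genlocke has no owner_id column; ownership is inferred from the first leg's run.
    return run_owner_id(GENLOCKES[genlocke_id].leg_run_ids[0])


def require_owner(owner_of: Callable[[int], int]):
    """Authentication plus ownership: the second argument must be owned by the caller."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user_id: int, resource_id: int, *args, **kwargs):
            if owner_of(resource_id) != user_id:
                raise Forbidden()
            return fn(user_id, resource_id, *args, **kwargs)
        return require_auth(wrapper)     # ownership check runs only after the auth check
    return deco


@require_auth
def add_encounter_unchecked(user_id, run_id, species):
    """Before: authenticated, but any user can write to any run."""
    RUNS[run_id].encounters.append(species)
    return list(RUNS[run_id].encounters)


@require_owner(run_owner_id)
def add_encounter(user_id, run_id, species):
    """After: only the run's owner can write."""
    RUNS[run_id].encounters.append(species)
    return list(RUNS[run_id].encounters)


@require_owner(genlocke_owner_id)
def add_leg(user_id, genlocke_id, run_id):
    GENLOCKES[genlocke_id].leg_run_ids.append(run_id)
    return list(GENLOCKES[genlocke_id].leg_run_ids)


def can_edit_run(user_id: Optional[int], run_id: int) -> bool:
    """The same rule the frontend needs before rendering edit controls."""
    return user_id is not None and run_owner_id(run_id) == user_id


def outcome(fn, *args) -> str:
    try:
        fn(*args)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except Forbidden:
        return "forbidden"


def demo() -> Dict[str, str]:
    """Run the before/after checks against the constructed store and report each outcome."""
    reset_store()
    return {
        "unchecked: other user writes run 1": outcome(add_encounter_unchecked, 20, 1, "Rattata"),
        "logged out writes run 1": outcome(add_encounter, None, 1, "Pidgey"),
        "other user writes run 1": outcome(add_encounter, 20, 1, "Pidgey"),
        "owner writes run 1": outcome(add_encounter, 10, 1, "Pidgey"),
        "run 1 owner edits genlocke 5": outcome(add_leg, 10, 5, 1),
        "first-leg owner edits genlocke 5": outcome(add_leg, 20, 5, 1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point of composing `require_owner` on top of `require_auth` is that the ownership rule lives in one place per resource type (`run_owner_id`, `genlocke_owner_id`) rather than being repeated in every mutation handler, and the frontend's `can_edit_run` is the same predicate, so hiding a button never substitutes for the server-side check.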