Host account setup

Host tools live behind the `/login` route and use Firebase Authentication.

1. Visit `/login` and pick either Google sign-in or email + password. Both methods land you in the host dashboard once authentication succeeds.
2. If you register with email, verify the confirmation message Google/Firebase sends before trying to sign in again.
3. Forgotten password? Use the reset link on the login form – Avalanche sends a Firebase password-reset email immediately.
4. Hosts can choose where to go after login by adding `?next=/host/games` (or any other host path) to the login URL.

Tip: Keep a dedicated host account even if you sometimes play. Player sessions do not require authentication and share the same browser storage keys.

After authentication you should see the Host navigation shell and the default Account view.

1. Check the sidebar – links for Account, Profile, Games, Question Sets, Analytics, and Support indicate you have the required permissions (see `src/components/host/HostNavigation.tsx`).
2. Open Question Sets to ensure Firestore permissions allow you to list and create documents. A toast error here usually means the signed-in email has not been whitelisted.
3. Navigate to Games and confirm you can start a new game. When creation succeeds, the console logs the generated code and you are redirected to `/host/games/{code}`.
4. Load the host account page to verify billing and profile data read correctly; empty placeholders suggest the Firestore document has not been created yet.

Tip: If any host page immediately redirects you back to `/login`, check the browser console for `permission-denied` – you may be signed into the wrong Firebase project.

Players never need to sign in. They only require the lobby code generated when you start a game.

1. Share the six-character code (e.g. `ABX421`) or the full join URL (`/join?code=ABX421`).
2. Players enter a display name on the join screen; Avalanche stores their player ID, game ID, and code in `localStorage` so reconnects are seamless.
3. Player accounts live under `games/{gameId}/players/{playerId}`. Removing a document from this collection immediately removes the player from the lobby.
4. If a player appears twice (usually after reconnecting on a new device), delete the older record in the lobby list from the host dashboard.

Tip: Remind players to keep the join tab open while they wait. The waiting room video confirms the Firestore listener is still active.

Avalanche relies on Firebase for authentication, so apply the same safeguards you would for any Google-backed project.

1. Use a password manager or passkey for email/password accounts; Firebase rejects common or compromised passwords by default but you should still rotate them periodically.
2. Enable multi-factor authentication for your Google account if you use Google sign-in. The host dashboard has no secondary approval, so your Google login is the gatekeeper.
3. Limit who can read/write host collections in Firestore security rules (`/firestore.rules`). The default project rules already scope writes to authenticated users – keep them that way.
4. Avoid sharing raw service-account keys. Every action the dashboard performs runs through the browser SDK and respects the signed-in user permissions.

Tip: When testing locally with different accounts, use separate Chrome profiles so each session keeps its own Firebase auth state and local storage entries.