User Story #570
Feature #533 (open): Authentication Hum Rahi
EPIC #569: Epic: Citizen Login & Session Management
User Story 3 (BE & FE): JWT Session & 30-Day Silent Refresh
% Done: 100%
Description
Story: As a Citizen, I want my session to remain active for 30 days, so that I don't have to log in every time I open the app.
In-Scope:
- BE: Issue an Access Token (short-lived) and a Refresh Token (30 days).
- BE: Endpoint for "Silent Refresh" to exchange Refresh Token for a new Access Token.
- FE: Logic to trigger refresh on app initialization/open.
- Out-of-Scope: "Remember Me" checkboxes (this is the default behavior).
Acceptance Criteria (AC):
- JWT must contain the claims citizen_id and role.
- Refresh tokens must be stored in an HTTP-only, Secure cookie (Web) or Secure Storage (Mobile).
- If the app is opened and the access token is expired but the refresh token is still valid, the user is authenticated without seeing the login screen.
Validation Rules:
- Access Token Duration: 15 minutes.
- Refresh Token Duration: 30 days.
Error Messages:
- Session Expired: "Your session has expired. Please log in again."
Definition of Done (DoD):
- Security audit for JWT storage completed.
- Session persistence verified after app force-close.
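Added example (not part of this issue or the project's own code): a stdlib-only Python sketch of the flow described in the In-Scope and Acceptance Criteria sections, covering the 15-minute HS256 access token with citizen_id and role claims, the opaque 30-day refresh token (only its hash is stored server-side), the Set-Cookie attributes for the Web client, the silent-refresh exchange, and the FE decision taken on app open. The function names, the in-memory dict standing in for the session table, the per-process signing key, the /auth/refresh path and the choice to rotate the refresh token while keeping the original 30-day expiry are all assumptions for illustration; the user-facing error string is the one from the Error Messages section.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 15 * 60              # Validation Rules: access token lives 15 minutes
REFRESH_TTL = 30 * 24 * 60 * 60   # Validation Rules: refresh token lives 30 days
SESSION_EXPIRED = "Your session has expired. Please log in again."

# Assumption: one HMAC key per deployment; in production it is loaded from secret storage.
SIGNING_KEY = secrets.token_bytes(32)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(citizen_id: str, role: str, now: float) -> str:
    """HS256 JWT carrying the two required claims (AC) and a 15-minute exp."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"citizen_id": citizen_id, "role": role,
              "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_access_token(token: str, now: float):
    """Return the claims if the signature is valid and exp is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg=none and any algorithm the server did not choose
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
        exp = claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


# Refresh tokens are opaque random strings; the server keeps only their SHA-256.
# Assumption: this dict stands in for the session table.
_refresh_store: dict = {}


def _hash(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


def _issue_refresh_token(citizen_id: str, role: str, exp: float) -> str:
    raw = secrets.token_urlsafe(32)
    _refresh_store[_hash(raw)] = {"citizen_id": citizen_id, "role": role, "exp": exp}
    return raw


def login(citizen_id: str, role: str, now: float):
    """After the OTP step succeeds: return (access_token, refresh_token)."""
    return (issue_access_token(citizen_id, role, now),
            _issue_refresh_token(citizen_id, role, now + REFRESH_TTL))


def refresh_cookie_header(raw_refresh: str) -> str:
    """Set-Cookie value for the Web client (AC: HttpOnly + Secure), scoped to the refresh endpoint."""
    return (f"refresh_token={raw_refresh}; Path=/auth/refresh; Max-Age={REFRESH_TTL}; "
            "HttpOnly; Secure; SameSite=Strict")


def silent_refresh(raw_refresh: str, now: float):
    """The refresh endpoint: exchange a valid refresh token for a new access token.
    The presented refresh token is single-use and rotated; the replacement keeps the
    original 30-day expiry (assumption: absolute window from login, not sliding).
    Returns (access_token, new_refresh_token) or (None, SESSION_EXPIRED)."""
    record = _refresh_store.pop(_hash(raw_refresh), None)
    if record is None or record["exp"] <= now:
        return None, SESSION_EXPIRED
    return (issue_access_token(record["citizen_id"], record["role"], now),
            _issue_refresh_token(record["citizen_id"], record["role"], record["exp"]))


def app_open(access_token: str, raw_refresh: str, now: float):
    """FE logic on app initialization: reuse a live access token, otherwise refresh silently.
    Returns ("authenticated", access_token, refresh_token) or ("login", None, error_message)."""
    if verify_access_token(access_token, now) is not None:
        return "authenticated", access_token, raw_refresh
    new_access, result = silent_refresh(raw_refresh, now)
    if new_access is None:
        return "login", None, result
    return "authenticated", new_access, result
```

Two points worth keeping for the security audit in the DoD: the refresh token never appears in the JWT and is only ever compared by hash, so a database read does not yield usable sessions; and because the presented refresh token is consumed on every exchange, a stolen-and-replayed token fails with the same "session expired" message once the legitimate client has refreshed.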
Updated by Islam Mansoori about 1 month ago
- Tracker changed from EPIC to User Story
- Subject changed from Phase 1: OTP Login Sequence to User Story 3 (BE & FE): JWT Session & 30-Day Silent Refresh
- Description updated (diff)