
User Story #570

open

Feature #533: Authentication Hum Rahi

EPIC #569: Epic: Citizen Login & Session Management

User Story 3 (BE & FE): JWT Session & 30-Day Silent Refresh

Added by Islam Mansoori about 1 month ago. Updated 27 days ago.

Status:
To Do
Priority:
low
Assignee:
-
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
(Total: 0:00 h)

Description

Story: As a Citizen, I want my session to remain active for 30 days, so that I don't have to log in every time I open the app.

  • In-Scope:
    • BE: Issue an Access Token (short-lived) and a Refresh Token (30 days).
    • BE: Endpoint for "Silent Refresh" to exchange Refresh Token for a new Access Token.
    • FE: Logic to trigger refresh on app initialization/open.
  • Out-of-Scope: "Remember Me" checkboxes (this is the default behavior).
  • Acceptance Criteria (AC):
    1. JWT must contain the citizen_id and role.
    2. Refresh tokens must be stored in an HTTP-only, Secure cookie (Web) or Secure Storage (Mobile).
    3. If the app is opened and the token is expired but the refresh token is valid, the user is authenticated without seeing the login screen.
  • Validation Rules:
    • Access Token Duration: 15 minutes.
    • Refresh Token Duration: 30 days.
  • Error Messages:
    • Session Expired: "Your session has expired. Please log in again."
  • Definition of Done (DoD):
    • Security audit for JWT storage completed.
    • Session persistence verified after app force-close.
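An added example (not code from the project or this ticket) of the issuance and silent-refresh exchange the story describes, in Python with a minimal HS256 JWT signer. The demo secret, the `typ` claim used to keep access and refresh tokens from being swapped, and the cookie attributes beyond HttpOnly/Secure are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # assumption: a real service loads this from a secret store
ACCESS_TTL = 15 * 60                  # validation rule: access token lives 15 minutes
REFRESH_TTL = 30 * 24 * 3600          # validation rule: refresh token lives 30 days
SESSION_EXPIRED = "Your session has expired. Please log in again."

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(claims: dict) -> str:
    # Minimal HS256 JWT: header.payload.signature, base64url without padding.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, expected_typ: str, now: float) -> dict:
    # Reject tampered tokens (constant-time compare), wrong token kinds, and expired tokens.
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("typ") != expected_typ:
        raise ValueError("wrong token type")
    if claims["exp"] <= now:
        raise ValueError(SESSION_EXPIRED)
    return claims

def issue_tokens(citizen_id: str, role: str, now: float) -> dict:
    # AC 1: both tokens carry citizen_id and role; "typ" is an assumed claim that
    # stops a 15-minute access token being presented to the refresh endpoint.
    base = {"citizen_id": citizen_id, "role": role}
    return {
        "access": _sign({**base, "typ": "access", "exp": now + ACCESS_TTL}),
        "refresh": _sign({**base, "typ": "refresh", "exp": now + REFRESH_TTL}),
    }

def silent_refresh(refresh_token: str, now: float) -> str:
    # AC 3: a valid refresh token yields a new access token with no login screen.
    claims = verify(refresh_token, "refresh", now)
    return _sign({"citizen_id": claims["citizen_id"], "role": claims["role"],
                  "typ": "access", "exp": now + ACCESS_TTL})

def refresh_cookie(refresh_token: str) -> str:
    # AC 2 (web): HttpOnly + Secure; the Path and SameSite scoping are assumed hardening.
    return (f"refresh_token={refresh_token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/auth/refresh; Max-Age={REFRESH_TTL}")
```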

Subtasks 1 (0 open, 1 closed)

Task #600: Issue a refresh token and an access token (Backend, completed, assignee: zaid ali)
