User Story #570
Updated by Islam Mansoori about 1 month ago
**Story:** As a **Citizen**, I want **my session to remain active for 30 days**, so that **I don't have to log in every time I open the app.**
- **In-Scope:**
  - **BE:** Issue an Access Token (short-lived) and a Refresh Token (30 days).
  - **BE:** Endpoint for "Silent Refresh" to exchange Refresh Token for a new Access Token.
  - **FE:** Logic to trigger refresh on app initialization/open.
- **Out-of-Scope:** "Remember Me" checkboxes (this is the default behavior).
- **Acceptance Criteria (AC):**
  1. JWT must contain the `citizen_id` and `role`.
  2. Refresh tokens must be stored in an HTTP-only, Secure cookie (Web) or Secure Storage (Mobile).
  3. If the app is opened and the token is expired but the refresh token is valid, the user is authenticated without seeing the login screen.
- **Validation Rules:**
  - Access Token Duration: 15 minutes.
  - Refresh Token Duration: 30 days.
- **Error Messages:**
  - Session Expired: "Your session has expired. Please log in again."
- **Definition of Done (DoD):**
  - Security audit for JWT storage completed.
  - Session persistence verified after app force-close.
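The access/refresh flow above, worked through end to end as an added example; this is not the project's code, and every function name (`login`, `silent_refresh`, `on_app_open`, `refresh_cookie_header`), the in-memory `_refresh_store` and the signing key are assumptions. The 15-minute and 30-day durations, the `citizen_id`/`role` claims, the cookie attributes and the session-expired message come from the story. The HS256 JWT is hand-rolled with `hmac` so the block runs offline; a maintained JWT library would replace that in a real backend. The refresh token is an opaque random value stored server-side only as a hash and rotated on every use, so a leaked or replayed refresh token is detected as soon as the legitimate client has used it.

```python
# Added example (not the project's code): access token (15 min) + refresh token (30 days)
# with a silent-refresh step. All function names and the in-memory store are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ACCESS_TTL = 15 * 60            # Validation rule: Access Token Duration 15 minutes
REFRESH_TTL = 30 * 24 * 3600    # Validation rule: Refresh Token Duration 30 days
SESSION_EXPIRED_MSG = "Your session has expired. Please log in again."

SECRET = secrets.token_bytes(32)        # constructed signing key for this demo only
_refresh_store: dict = {}               # sha256(refresh_token) -> {citizen_id, role, exp}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(citizen_id: str, role: str, now: float) -> str:
    """AC1: the JWT carries citizen_id and role; exp is 15 minutes from now."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"citizen_id": citizen_id, "role": role,
                                  "iat": int(now), "exp": int(now) + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature checks out and exp is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        given = _b64url_decode(sig)
    except (ValueError, Exception):
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None                      # expired: caller must fall back to silent refresh
    return claims


def issue_refresh_token(citizen_id: str, role: str, now: float) -> str:
    """Opaque random refresh token; only its SHA-256 is kept server-side."""
    token = secrets.token_urlsafe(32)
    _refresh_store[hashlib.sha256(token.encode()).hexdigest()] = {
        "citizen_id": citizen_id, "role": role, "exp": now + REFRESH_TTL}
    return token


def refresh_cookie_header(refresh_token: str) -> str:
    """AC2 (Web): HTTP-only, Secure cookie, scoped to the refresh endpoint path."""
    return (f"Set-Cookie: refresh_token={refresh_token}; HttpOnly; Secure; SameSite=Strict; "
            f"Path=/auth/refresh; Max-Age={REFRESH_TTL}")


def login(citizen_id: str, role: str, now: float) -> dict:
    return {"access_token": issue_access_token(citizen_id, role, now),
            "refresh_token": issue_refresh_token(citizen_id, role, now)}


def silent_refresh(refresh_token: str, now: float) -> dict:
    """Silent Refresh endpoint: exchange a valid refresh token for new tokens (rotating it)."""
    key = hashlib.sha256(refresh_token.encode()).hexdigest()
    record = _refresh_store.pop(key, None)   # single use: a replayed token is rejected
    if record is None or record["exp"] <= now:
        return {"error": SESSION_EXPIRED_MSG}
    return login(record["citizen_id"], record["role"], now)


def on_app_open(access_token: str, refresh_token: str, now: float) -> dict:
    """FE logic on app initialization: reuse a live access token, otherwise refresh silently (AC3)."""
    if verify_access_token(access_token, now) is not None:
        return {"authenticated": True, "access_token": access_token, "refresh_token": refresh_token}
    result = silent_refresh(refresh_token, now)
    if "error" in result:
        return {"authenticated": False, "message": result["error"]}   # show the login screen
    return {"authenticated": True, **result}
```

`on_app_open` is the path AC3 describes: an expired access token plus a valid refresh token yields a new pair without a login screen, while a refresh token older than 30 days (or one already consumed by rotation) returns the story's session-expired message. The `Path=/auth/refresh` scope keeps the refresh cookie off every other request, so an XSS or a leaked access token alone cannot mint new sessions.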