HIGH story-bankid-vipps-authentication-peer-mentor-008 3 pts
Story Points: 3
Priority: High
Feature: BankID & Vipps Authentication

User Story

As a user
I want to remain logged in across app restarts without having to re-authenticate every time I open the app
So that I can quickly return to my tasks without interruption, while still having the security of biometric or BankID/Vipps re-authentication when the session expires

Acceptance Criteria

  • Given a user who authenticated within the session lifetime period, when they reopen the app, then no authentication prompt is shown and they are taken directly to the home screen (subject to biometric check if enrolled)
  • Given a user whose access token has expired but refresh token is valid, when the app restarts, then a silent token refresh is performed against Supabase before the home screen is shown, with no visible interruption to the user
  • Given a user whose refresh token has expired, when the app restarts, then they are redirected to the login screen with a message 'Your session has expired — please log in again'
  • Given a user who logs out explicitly, when they reopen the app, then all stored tokens are cleared from Secure Storage and the login screen is shown with no pre-filled state
  • Given a user who uninstalls and reinstalls the app, when the app launches, then Secure Storage is cleared and the user must complete the full BankID or Vipps authentication flow
  • Given concurrent access from multiple devices, when a session is revoked on one device (e.g., admin action), then the next API call on the other device returns a 401 and redirects to the login screen
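An added TypeScript sketch (not the project's code) of the startup decision the criteria above describe. The store shapes, the install-marker key and the synchronous refresh callback standing in for the Supabase call are assumptions made for this example.

```typescript
// Startup session-restore logic for the criteria above. Storage, clock and the
// Supabase refresh call are injected so the example runs offline (shapes assumed).
type Tokens = { access: string; accessExp: number; refresh: string; refreshExp: number };
type Route = { screen: 'home' } | { screen: 'login'; message?: string };

interface SecureStore { read(): Tokens | null; write(t: Tokens): void; clear(): void }
interface PlainStore { has(key: string): boolean; set(key: string): void }
type RefreshFn = (refreshToken: string) => Tokens | null; // null = rejected by Supabase

const SESSION_EXPIRED = 'Your session has expired — please log in again';
const INSTALL_MARKER = 'installed'; // assumed key, kept in non-keychain storage

function resolveStartupRoute(secure: SecureStore, plain: PlainStore, now: number, refresh: RefreshFn): Route {
  // Keychain items can outlive an uninstall (iOS), so a marker in ordinary app
  // storage, which is wiped with the app, tells a fresh install apart from a restart.
  if (!plain.has(INSTALL_MARKER)) {
    secure.clear();
    plain.set(INSTALL_MARKER);
    return { screen: 'login' };
  }
  const stored = secure.read();
  if (!stored) return { screen: 'login' };               // logged out or never signed in
  if (stored.accessExp > now) return { screen: 'home' }; // still inside the session lifetime
  if (stored.refreshExp > now) {
    const fresh = refresh(stored.refresh);               // silent refresh, no UI shown
    if (fresh) { secure.write(fresh); return { screen: 'home' }; }
  }
  secure.clear();                                        // refresh token expired or revoked
  return { screen: 'login', message: SESSION_EXPIRED };
}

function logout(secure: SecureStore): Route { secure.clear(); return { screen: 'login' }; }

// A 401 on any later call means the session was revoked elsewhere: drop tokens, go to login.
function handleApiStatus(secure: SecureStore, status: number): Route | null {
  if (status !== 401) return null;
  secure.clear();
  return { screen: 'login' };
}

// In-memory stores (constructed for this example) standing in for Secure Storage.
function memoryStores(initial: Tokens | null, installed: boolean) {
  let tokens = initial;
  const plain = new Set<string>(installed ? [INSTALL_MARKER] : []);
  return {
    secure: { read: () => tokens, write: (t: Tokens) => { tokens = t; }, clear: () => { tokens = null; } },
    plain: { has: (k: string) => plain.has(k), set: (k: string) => { plain.add(k); } },
  };
}
```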

Business Value

Persistent sessions reduce the authentication burden for daily users. Peer mentors use the app several times per week — requiring a full BankID or Vipps flow on every open would be a significant friction point leading to underuse. Secure token storage in the platform keychain ensures that session persistence does not compromise security, meeting the same standard used by banking apps. Silent token refresh prevents unexpected logouts during active use.