Service Layer | medium complexity | Shared Component | mobile
Dependencies: 1 | Dependents: 4 | Entities: 3 | Integrations: 1

Description

Centralized Supabase session lifecycle manager shared across all authentication methods. Persists, refreshes, and invalidates Supabase JWT sessions. Exposes a stream of auth state changes consumed by the app's BLoC/Riverpod state layer.

Feature: BankID and Vipps Login

auth-session-manager

Summaries

The Authentication Session Manager is the central trust anchor for the entire application's security model. It ensures users remain securely logged in across app restarts without requiring repeated authentication flows through BankID or Vipps, directly reducing friction and improving daily active usage. Because it is a shared component consumed by all authentication pathways — biometric, social, and standard login — it provides a single point of governance for session validity, expiry, and revocation. This centralization reduces the risk of security incidents caused by inconsistent session handling across different login flows, which is a significant liability concern in regulated fintech environments.

Properly managed JWT refresh cycles also prevent the failed API calls (requests sent with an already-expired access token) that degrade user experience.

As a shared component consumed by every authentication feature in the application, this component sits on the critical path for all auth-related delivery. Its single dependency — the Secure Storage Adapter — must be available early in the sprint cycle. Any breaking interface changes to this component (session model, stream contract, or storage format) will require coordinated updates across all consumers, making its API contract a key design decision to lock down early. Medium complexity overall, but the JWT auto-refresh logic and stream broadcast behavior require careful integration testing under network degradation and token expiry edge cases.

Risk: if session persistence or refresh logic has a regression, all users are effectively locked out — prioritize this component for thorough QA and consider feature-flagged rollout.

Manages the full Supabase JWT session lifecycle: initial persistence via persistSession(), automatic token refresh before expiry, and propagation of auth state changes through a reactive Stream consumed by the BLoC/Riverpod state layer. The stream is the integration seam — consumers subscribe via authStateChanges() and react to signed-in, signed-out, and token-refreshed events without polling. Session data is stored in SecureStorageAdapter, keeping JWTs out of SharedPreferences or the file system. getUserId() and isAuthenticated() provide synchronous convenience accessors for cases where reactive subscription is unnecessary.

The refreshSession() method should implement retry-with-backoff for network failures. As a shared component, it must be initialized as a singleton early in the app lifecycle (before any route guard or auth gate evaluates isAuthenticated) to avoid race conditions on cold start.

Responsibilities

  • Persist and restore Supabase session across app restarts
  • Refresh expired JWT tokens automatically before expiry
  • Broadcast auth state changes (signed in, signed out, token refreshed) to listeners
  • Invalidate session on sign-out and clear secure storage

Interfaces

getSession(): Future<Session?>
signOut(): Future<void>
refreshSession(): Future<Session>
authStateChanges(): Stream<AuthState>
getUserId(): String?
isAuthenticated(): bool
persistSession(session: Session): Future<void>
clearSession(): Future<void>
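A reference sketch of the interface listed above, wired to the retry-with-backoff and early-singleton requirements from the description. This is an added example, not the project's own code: the SecureStorageAdapter interface (read/write/delete) is a hypothetical stand-in for the real adapter, and the Supabase calls it relies on (GoTrueClient.recoverSession, refreshSession, onAuthStateChange, currentSession, Session.persistSessionString, AuthRetryableFetchException) assume supabase_flutter 2.x.

```dart
import 'dart:async';
import 'dart:io' show SocketException;
import 'dart:math';

import 'package:supabase_flutter/supabase_flutter.dart';

/// Hypothetical storage seam (assumed for this example, not the project's real
/// adapter): a thin wrapper over platform secure storage (Keychain / Keystore).
abstract class SecureStorageAdapter {
  Future<String?> read(String key);
  Future<void> write(String key, String value);
  Future<void> delete(String key);
}

class AuthSessionManager {
  AuthSessionManager._(this._auth, this._storage);

  static AuthSessionManager? _instance;
  static const _sessionKey = 'supabase_session';

  final GoTrueClient _auth;
  final SecureStorageAdapter _storage;
  final _controller = StreamController<AuthState>.broadcast();
  StreamSubscription<AuthState>? _upstream;

  /// Await once at cold start, before any route guard or auth gate calls
  /// isAuthenticated(); later calls return the same instance.
  static Future<AuthSessionManager> init(
      GoTrueClient auth, SecureStorageAdapter storage) async {
    if (_instance != null) return _instance!;
    final manager = AuthSessionManager._(auth, storage);
    await manager._restore();
    manager._upstream = auth.onAuthStateChange.listen(manager._onUpstream);
    return _instance = manager;
  }

  static AuthSessionManager get instance => _instance ??
      (throw StateError('AuthSessionManager.init() has not been awaited'));

  // Broadcast so several BLoC/Riverpod consumers can subscribe without polling.
  Stream<AuthState> authStateChanges() => _controller.stream;

  // Synchronous accessors for guards that cannot await.
  String? getUserId() => _auth.currentSession?.user.id;
  bool isAuthenticated() {
    final session = _auth.currentSession;
    return session != null && !session.isExpired;
  }

  Future<Session?> getSession() async => _auth.currentSession;

  // Only the secure store ever sees the JWT; never SharedPreferences.
  Future<void> persistSession(Session session) =>
      _storage.write(_sessionKey, session.persistSessionString);
  Future<void> clearSession() => _storage.delete(_sessionKey);

  Future<void> signOut() async {
    try {
      await _auth.signOut(); // server-side revocation; emits signedOut upstream
    } finally {
      await clearSession(); // local state is wiped even if the network call fails
    }
  }

  /// Exponential backoff with jitter. Transport failures are retried; a
  /// rejected refresh token is not, and the stored session is cleared so the
  /// user goes back through BankID/Vipps instead of looping on a dead token.
  Future<Session> refreshSession({int maxAttempts = 4}) async {
    final rng = Random();
    var delay = const Duration(milliseconds: 500);
    for (var attempt = 1;; attempt++) {
      try {
        final session = (await _auth.refreshSession()).session;
        if (session == null) throw AuthException('Refresh returned no session');
        await persistSession(session);
        return session;
      } catch (e) {
        if (!_isTransient(e)) {
          await clearSession();
          rethrow;
        }
        // Retries exhausted: keep the stored session so a flaky network does
        // not lock everyone out (the regression risk noted above).
        if (attempt >= maxAttempts) rethrow;
        await Future<void>.delayed(delay + Duration(milliseconds: rng.nextInt(250)));
        delay *= 2;
      }
    }
  }

  bool _isTransient(Object e) => e is AuthRetryableFetchException ||
      e is SocketException || e is TimeoutException;

  Future<void> _restore() async {
    final raw = await _storage.read(_sessionKey);
    if (raw == null) return;
    try {
      await _auth.recoverSession(raw); // refreshes transparently if expired
    } on AuthException catch (e) {
      if (!_isTransient(e)) await clearSession(); // corrupt or revoked: drop it
    }
  }

  Future<void> _onUpstream(AuthState state) async {
    final session = state.session;
    if (state.event == AuthChangeEvent.signedOut) {
      await clearSession();
    } else if (session != null) {
      await persistSession(session); // covers signedIn and tokenRefreshed
    }
    _controller.add(state);
  }

  Future<void> dispose() async {
    await _upstream?.cancel();
    await _controller.close();
  }
}
```

The two error paths in refreshSession() are the security-relevant part: a refresh rejected by the server means the token is no longer trusted and the local copy must go, whereas a timeout says nothing about the token, so clearing on timeout would reproduce exactly the mass-lockout scenario the risk note warns about. Integration tests should cover both branches plus the cold-start ordering (a guard reading isAuthenticated() before init() completes).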

Used Integrations (1)

External integrations and APIs this component relies on

API Contract

REST /api/v1/auth/sessions (4 endpoints)

  • GET    /api/v1/auth/sessions          List active sessions for current user
  • GET    /api/v1/auth/sessions/current  Get the current authenticated session
  • POST   /api/v1/auth/sessions/refresh  Refresh the current session using refresh token
  • DELETE /api/v1/auth/sessions/current  Sign out and invalidate current session