🏠 Overview ✅ Implementation Tasks ✅ epic-biometric-session-authentication-core-services-task-001

Define BiometricAuthResult domain types

epic-biometric-session-authentication-core-services-task-001 — Create typed domain result objects for all biometric authentication outcomes: BiometricAuthSuccess, BiometricAuthFailure, BiometricAuthCancelled, BiometricAuthUnavailable, and BiometricAuthFallbackRequired. These sealed classes/enums form the typed contract returned by BiometricAuthService to UI callers and enable exhaustive pattern matching in Bloc consumers.

critical priority low complexity backend pending backend specialist Tier 0

Acceptance Criteria

A sealed class BiometricAuthResult is defined in lib/domain/auth/biometric_auth_result.dart with exactly five subtypes: BiometricAuthSuccess, BiometricAuthFailure, BiometricAuthCancelled, BiometricAuthUnavailable, BiometricAuthFallbackRequired
BiometricAuthSuccess carries no additional data (unit type) or an optional session token placeholder
BiometricAuthFailure carries a required String errorMessage and an optional int? platformErrorCode for diagnostic logging
BiometricAuthCancelled carries no data — represents explicit user cancellation
BiometricAuthUnavailable carries a required BiometricUnavailableReason enum (values: hardwareNotSupported, notEnrolled, osVersionTooOld) for downstream routing logic
BiometricAuthFallbackRequired carries no data — signals that the caller must offer PIN/password fallback
All subtypes are const-constructable where applicable
A switch expression on BiometricAuthResult is exhaustive without a default case, confirmed by Dart analyzer (no warnings)
No flutter_local_auth or platform types leak into this domain layer — the file has zero imports from the local_auth package
Unit tests assert that pattern matching on all five subtypes compiles and dispatches to the correct branch

Technical Requirements

frameworks
Flutter
Dart (sealed classes, Dart 3.0+)
performance requirements
Domain types are pure value objects — no I/O, no async, instantiation under 1ms
security requirements
BiometricAuthResult must never carry raw biometric data, authentication tokens, or national identity numbers
BiometricAuthFailure.errorMessage must be sanitized — no system paths or internal error stack traces exposed to UI callers

Execution Context

Execution Tier
Tier 0

Tier 0 - 440 tasks

Implementation Notes

Use Dart 3 sealed classes (`sealed class BiometricAuthResult`) with `final class` subtypes — this enables exhaustive switch without a default case and gives compile-time safety to all Bloc consumers. Define BiometricUnavailableReason as a separate enum in the same file for cohesion. Keep this file in the domain layer (lib/domain/auth/) with zero dependencies on Flutter widgets, platform plugins, or Supabase. This type contract must be stable before implementing BiometricAuthService — downstream tasks depend on it.

If the team uses Freezed for union types elsewhere in the project, consider using @freezed here for consistency, but a plain sealed class is sufficient and avoids code generation overhead for such a simple type.

Testing Requirements

Unit tests in test/domain/auth/biometric_auth_result_test.dart must verify: (1) each subtype can be instantiated; (2) switch expression on all five subtypes is exhaustive and returns the expected string/value from each branch; (3) BiometricAuthFailure stores errorMessage and platformErrorCode correctly; (4) BiometricAuthUnavailable stores reason correctly for all three enum values. No mocking needed — these are pure data classes. Run with `flutter test test/domain/auth/biometric_auth_result_test.dart`.

Component
Biometric Authentication Service
service medium
Epic Risks (3)
high impact medium prob technical

Multiple concurrent callers (e.g., SessionResumeManager and a background sync service) could simultaneously detect a near-expired token and each invoke SupabaseSessionManager.refreshSession(), causing duplicate refresh API calls and potentially a token invalidation race condition on the Supabase Auth server. This can result in one caller receiving a valid refreshed token while another receives a 401, causing intermittent authentication failures.

Mitigation & Contingency

Mitigation: Implement a single-flight pattern inside SupabaseSessionManager so that concurrent refresh calls coalesce into one in-flight request. Use a Dart Completer or AsyncMemoizer to ensure all waiters receive the same refreshed token. Write a concurrent integration test to validate the single-flight behaviour.

Contingency: If the single-flight pattern introduces deadlocks or timeout complexity, fall back to a mutex-based lock with a 10-second timeout, logging a warning if the lock is held longer than expected, and triggering a full re-login if the refresh ultimately fails.

high impact low prob security

Supabase Row-Level Security policies evaluate the JWT claims (user_id, role, org_id) on every query. If the refreshed token contains stale or changed claims — for example if a coordinator's role was updated server-side — RLS may silently block data access even though the session appears valid from the client's perspective, causing confusing empty screens rather than an authentication error.

Mitigation & Contingency

Mitigation: After every token refresh, decode the new JWT and compare key claims (role, org_id) with the cached values. If claims have changed, emit a session-claims-changed event that triggers a role re-resolution and navigation reset. Document this behaviour in the SupabaseSessionManager API contract.

Contingency: If claims drift is detected in production and causes data visibility issues, provide a force-refresh mechanism in the UI (pull-to-refresh on home screen) that clears cached role state and re-fetches from Supabase, accompanied by a user-visible toast indicating the session was refreshed.

medium impact medium prob security

Allowing session resumption from cached local token when offline introduces a window where a revoked or invalidated session can still grant app access. For example, if a coordinator deactivates a peer mentor's account while the mentor is offline, the mentor continues to have access until connectivity is restored and the token is validated server-side.

Mitigation & Contingency

Mitigation: Set a maximum offline grace period (e.g., 24 hours) stored alongside the token in SecureSessionStorage. If the grace period is exceeded, force a full credential re-login regardless of connectivity status. Scope offline access to read-only operations only, requiring connectivity for any write that reaches Supabase.

Contingency: If the offline grace period logic is found to be insufficient for compliance, implement remote session invalidation via a lightweight push notification that clears SecureSessionStorage even when the app is backgrounded, using FCM with a data-only message.

Quick Links
All Tasks Execution Plan