Resume Session Without Re-authentication
When a peer mentor returns to the app within an active session window, the session resume manager checks whether the existing Supabase session token is still valid. If valid, the user is taken directly to the role-based home screen without any authentication prompt. If the session has expired (e.g., after an extended absence), the user is prompted with biometric authentication first, then falls back to BankID/Vipps if needed. The session state is managed securely in encrypted local storage.
User Story
Acceptance Criteria
- Given I have an active session and reopen the app within the session window, When the app initializes, Then I am taken directly to my home screen without any login prompt
- Given my session token has expired, When the app initializes, Then the biometric prompt is shown to re-authenticate
- Given biometric authentication succeeds on session resume, When verification completes, Then a new Supabase session is established and I am taken to my home screen
- Given the app is opened after a device restart, When the session check runs, Then the secure session storage is queried and the appropriate auth flow is triggered
- Given my auth token is corrupted or missing, When the app initializes, Then I am redirected to the auth method selector to start fresh
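The routing that these criteria describe, written out as an added TypeScript example (not the project's own code): the stored-record shape, the 30-second expiry margin and the route names are assumptions, and the local expiry check only chooses the flow; the Supabase backend still validates any token that is sent.

```typescript
// Added example, not the project's code: the session-resume decision from the
// acceptance criteria as pure functions. Record shape and route names are assumed.
type ResumeRoute =
  | { next: "home"; reason: "valid_session" }
  | { next: "biometric"; reason: "expired" }
  | { next: "auth_method_selector"; reason: "missing" | "corrupted" };
interface StoredSession {
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // unix seconds, as the Supabase session reports it
}
// Treat the token as expired slightly early so a request sent at the boundary
// is not rejected server-side with a just-expired token (assumed margin).
const EXPIRY_SKEW_SECONDS = 30;
// Parse the raw value read from encrypted storage. Anything that is not a
// complete, well-typed record is "corrupted" and forces a fresh start.
function parseStoredSession(raw: string | null): StoredSession | "missing" | "corrupted" {
  if (raw === null || raw === "") return "missing";
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return "corrupted";
  }
  if (typeof parsed !== "object" || parsed === null) return "corrupted";
  const s = parsed as Record<string, unknown>;
  if (typeof s.accessToken !== "string" || s.accessToken === "" ||
      typeof s.refreshToken !== "string" || s.refreshToken === "" ||
      typeof s.expiresAt !== "number" || !Number.isFinite(s.expiresAt)) {
    return "corrupted";
  }
  return {
    accessToken: s.accessToken as string,
    refreshToken: s.refreshToken as string,
    expiresAt: s.expiresAt as number,
  };
}
// Decide where app initialization goes. `nowSeconds` is injected so the result is
// deterministic in tests and after a device restart.
function decideResumeRoute(raw: string | null, nowSeconds: number): ResumeRoute {
  const session = parseStoredSession(raw);
  if (session === "missing" || session === "corrupted") {
    return { next: "auth_method_selector", reason: session };
  }
  if (session.expiresAt - EXPIRY_SKEW_SECONDS <= nowSeconds) {
    // Expired: biometric first; only on success is the stored refresh token
    // handed to the Supabase client; on failure the app falls back to BankID/Vipps.
    return { next: "biometric", reason: "expired" };
  }
  return { next: "home", reason: "valid_session" };
}
```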
Business Value
Peer mentors are volunteers who use the app in short bursts throughout the day — registering an activity after a session, checking a contact record between meetings. Forcing re-authentication on every app open would create an unacceptable experience and contribute to the underreporting problem the app is designed to solve. Seamless session resumption is essential for maintaining the 'lowest possible cognitive load' design principle stated as a top priority in all three workshop sessions.
Components
- Session Resume Manager (service)
- Secure Session Storage (data)
- Supabase Session Manager (infrastructure)
- Auth Token Store (data)
- Role-Based Home Screen (UI)
- Secure Storage Adapter (infrastructure)