Resume Session Without Re-authentication
When a peer mentor returns to the app within an active session window, the session resume manager checks whether the existing Supabase session token is still valid. If it is, the user is taken directly to the role-based home screen without any authentication prompt. If the session has expired (e.g., after an extended absence), the user is first prompted for biometric authentication, with BankID/Vipps as the fallback if that fails. Session state is kept in encrypted local storage.
User Story
Audience Summaries
Seamless session resumption is a foundational requirement for peer mentor adoption and sustained platform engagement. Peer mentors are unpaid volunteers operating in high-context social environments — registering activities between conversations, checking contact records on the move. Any friction from unnecessary re-authentication directly discourages timely data entry, which is the core behavior the platform depends on for accurate Bufdir reporting. This story eliminates a major adoption barrier, keeping cognitive load minimal as prioritized across all three product design workshops.
By enabling instant access for users with valid sessions while enforcing biometric re-authentication only on expiry, the platform delivers both convenience and security — a measurable competitive advantage for volunteer-facing tools that must earn consistent daily use.
This story covers three distinct authentication recovery states — active session resume, expired session with biometric fallback, and corrupted or missing token recovery — each requiring separate development effort and QA test scenarios. A hard dependency exists on story-bankid-vipps-login-peer-mentor-005. Delivery requires close coordination between the authentication team and mobile engineers to implement encrypted local session storage and integrate with native biometric APIs on both iOS and Android. Testing effort is substantial: all three flows must be verified on both platforms, including device restart scenarios and token-corruption edge cases.
A phased rollout starting with internal testers is strongly recommended before broader release. Encrypted storage implementation carries a one-time setup cost but establishes the security foundation for all future session management work.
Implementation requires a session resume manager that executes during app initialization. It must read the existing Supabase session token from encrypted local storage (e.g., expo-secure-store), then validate expiry status via Supabase's session refresh API. Three distinct code paths are required: (1) valid token — navigate directly to the role-based home screen without any UI prompt; (2) expired token — invoke the native biometric API (Face ID, Touch ID, or Android fingerprint), and on success refresh the Supabase session before navigating home; (3) missing or corrupted token — clear storage state and redirect to the auth method selector to restart the full auth flow. The BankID and Vipps fallback must be wired into the biometric failure path.
Session tokens must never be stored in unencrypted AsyncStorage. The initialization path is on the critical render path, so all storage reads must be non-blocking where possible, with graceful error boundaries wrapping storage failures.
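The three code paths above, as an added example in TypeScript that is not the project's code: the secure store, the Supabase refresh call and the biometric prompt are injected behind assumed interfaces so the decision logic runs offline, and expiry is checked against the stored expires_at rather than by calling the refresh API first.

```typescript
// Added example, not the project's code: the three resume paths with injected adapters.
// The interfaces are assumptions standing in for expo-secure-store, the Supabase auth
// client and the native biometric prompt; expiry is read from the stored expires_at.
type Route = "home" | "auth-method-selector";
interface StoredSession { access_token: string; refresh_token: string; expires_at: number }
interface SecureStore {            // encrypted store adapter; never unencrypted AsyncStorage
  get(key: string): Promise<string | null>;
  set(key: string, value: string): Promise<void>;
  remove(key: string): Promise<void>;
}
interface SessionApi { refresh(refreshToken: string): Promise<StoredSession | null> } // null = rejected
interface Biometrics { authenticate(): Promise<boolean> }
const SESSION_KEY = "supabase.session";
// Anything that is not a well-formed session is treated as corrupted (path 3).
function parseSession(raw: string | null): StoredSession | null {
  if (raw === null) return null;
  try {
    const s = JSON.parse(raw);
    const ok = typeof s?.access_token === "string" && typeof s?.refresh_token === "string"
      && typeof s?.expires_at === "number";
    return ok ? (s as StoredSession) : null;
  } catch { return null; }
}

async function resumeSession(store: SecureStore, api: SessionApi, bio: Biometrics, nowSec: number): Promise<Route> {
  let session: StoredSession | null = null;
  try { session = parseSession(await store.get(SESSION_KEY)); } catch { /* storage failure == missing */ }
  if (session === null) {                                         // path 3: missing or corrupted token
    await store.remove(SESSION_KEY).catch(() => undefined);       // best-effort cleanup, restart full auth
    return "auth-method-selector";
  }
  if (session.expires_at > nowSec) return "home";                 // path 1: still valid, no prompt
  if (!(await bio.authenticate())) return "auth-method-selector"; // path 2 failed: BankID/Vipps live there
  let refreshed: StoredSession | null = null;
  try { refreshed = await api.refresh(session.refresh_token); } catch { /* network or API error */ }
  if (refreshed === null) {                                       // refresh token rejected: drop it
    await store.remove(SESSION_KEY).catch(() => undefined);
    return "auth-method-selector";
  }
  await store.set(SESSION_KEY, JSON.stringify(refreshed));        // path 2 succeeded: persist new session
  return "home";
}

// Constructed in-memory stand-in for the secure store so the logic can run offline.
function memoryStore(initial: Record<string, string> = {}): SecureStore {
  const m = new Map(Object.entries(initial));
  return { get: async (k) => m.get(k) ?? null, set: async (k, v) => { m.set(k, v); },
           remove: async (k) => { m.delete(k); } };
}
```

Note that the biometric-failure path and the rejected-refresh path both land on the auth method selector, where the BankID/Vipps flow restarts, and that a rejected refresh token is removed from storage rather than retried.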
Acceptance Criteria
- Given I have an active session and reopen the app within the session window, When the app initializes, Then I am taken directly to my home screen without any login prompt
- Given my session token has expired, When the app initializes, Then the biometric prompt is shown to re-authenticate
- Given biometric authentication succeeds on session resume, When verification completes, Then a new Supabase session is established and I am taken to my home screen
- Given the app is opened after a device restart, When the session check runs, Then the secure session storage is queried and the appropriate auth flow is triggered
- Given my auth token is corrupted or missing, When the app initializes, Then I am redirected to the auth method selector to start fresh
Business Value
Peer mentors are volunteers who use the app in short bursts throughout the day — registering an activity after a session, checking a contact record between meetings. Forcing re-authentication on every app open would create an unacceptable experience and contribute to the underreporting problem the app is designed to solve. Seamless session resumption is essential for maintaining the 'lowest possible cognitive load' design principle stated as a top priority in all three workshop sessions.
Components
- Session Resume Manager (service)
- Secure Session Storage (data)
- Supabase Session Manager (infrastructure)
- Auth Token Store (data)
- Role-Based Home Screen (ui)
- Secure Storage Adapter (infrastructure)