Have My Session Securely Persisted So I Do Not Need to Log In Every Time I Open the App

• Given I successfully authenticate, When the session token is stored, Then it is written to encrypted secure storage (iOS Keychain or Android Keystore), never to plain SharedPreferences or localStorage
• Given a valid session is persisted, When I open the app after closing it, Then the session resume manager detects the token and either resumes silently or triggers biometric confirmation
• Given a persisted session has expired, When I open the app, Then I am redirected to the login screen with a clear message that my session has ended
• Given I log out explicitly, When logout completes, Then the session token and biometric credential are both removed from secure storage
• Given I switch organizations, When the switch completes, Then the old organization's session is cleared and the new session is stored with the correct tenant context
• Given the app is in the background for more than the configured session timeout, When I return to the app, Then I am prompted to re-authenticate via biometrics before accessing data

Secure session persistence is the technical foundation for the biometric authentication feature. Without it, every app launch requires full BankID/Vipps re-authentication, which would take 30–60 seconds per login and make the app impractical for high-frequency daily use. This directly addresses the underreporting problem by removing the largest single friction point in the activity registration workflow. Encrypted storage is also a data security obligation given that peer mentors access sensitive contact information.

• Session Resume Manager service
• Secure Session Storage data
• Supabase Session Manager infrastructure
• Auth Token Store data
• Secure Storage Adapter infrastructure
• Authentication Session Manager service
• Secure Storage Adapter infrastructure
• Tenant Session Store data
• Authentication Repository data
• Supabase Auth Client infrastructure