SloveniaEngineering / laguna-frontend

Laguna frontend source tree
Apache License 2.0

[FE] Auto-login feature based on remember-me flag #31

Open zigapovhe opened 11 months ago

zigapovhe commented 11 months ago

Description

@anzbez unknowingly suggested an auto-login feature which would work based on the remember-me checkbox on the Login-Screen. If the user has remember-me enabled, the app could auto-login him based on saved credentials (preferably encrypted in local storage).

We already automatically log in the user if his tokens are valid (not expired). In the best-case scenario, if the user would use Laguna regularly, the refresh token would never expire (every time the access token expires, we get a new access and refresh token). In the worst-case scenario, the user would be logged out every time.

This is how most web apps probably behave. We could go beyond tokens and keep the user logged in indefinitely. Exceptions would be if the user manually logged out (we would remove tokens from storage), or if the user hasn't been logged in before (again, no tokens in storage).

Not sure if this is good practice or good user experience. What are your thoughts?

kenpaicat commented 11 months ago

> auto-login feature which would work based on remember-me checkbox on Login-Screen.

I think we don't actually need "remember me". I think that should be the default behaviour instead of "blocking" login-wall-on-expiry behaviour we have ATM. The code will likely be simpler+faster without that.

> We already automatically log-in user if his tokens are valid (not expired).

On BE we have auto-refresh of tokens, so technically logging-in w/ expired x-access-token and/or x-refresh-token will result in new token pair being sent back to FE via headers.

This means that we don't actually need to ever "programmatically" logout the user on FE (by checking the exp field on the client). New pairs are generated on-demand when expiry is due on BE. All FE really needs to do is overwrite the existing pair with the new pair in encrypted local storage.

> Exceptions would be if user manually logged out (we would remove tokens from storage), or if user haven't been logged in before (again, no tokens in storage).

Yup. This however keeps the annoying nullability on local storage service logic.

> Not sure if this is good practice or good user experience. What are your thoughts?

I think it's kinda common with JWTs. We don't have a concept of "backend session", we just pass tokens back and forth without explicit invalidation (only on exp expiry field check) (which is annoying to do w/ JWTs, but the tradeoff being no DB needed). Unlike session-based auth, which has invalidation by keeping DB records of sessions.
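As an added illustration of the flow kenpaicat describes (not laguna-frontend code), the token store below keeps whatever pair the backend last sent via the x-access-token / x-refresh-token headers, never inspects `exp` on the client, and treats "nothing in storage" as logged out. The storage key, the encrypt/decrypt hooks, the in-memory storage stand-in and the rule that a 401 drops the stored pair are assumptions made for this example.

```javascript
const ACCESS_HEADER = "x-access-token";
const REFRESH_HEADER = "x-refresh-token";
const STORAGE_KEY = "laguna.tokens"; // assumed key name, not from the project

// Read a header from either a plain object or a fetch Headers instance.
function headerOf(headers, name) {
  return typeof headers.get === "function" ? headers.get(name) : headers[name];
}

// storage: anything with getItem/setItem/removeItem (e.g. window.localStorage).
// encrypt/decrypt: hooks for at-rest encryption of the stored pair; identity by default.
function createTokenStore(storage, { encrypt = (s) => s, decrypt = (s) => s } = {}) {
  // Returns a complete {access, refresh} pair or null, so callers have a single
  // nullability check instead of two optional fields.
  function load() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null || raw === undefined) return null;
    try {
      const pair = JSON.parse(decrypt(raw));
      if (typeof pair.access !== "string" || typeof pair.refresh !== "string") return null;
      return pair;
    } catch {
      return null; // unreadable/corrupt entry behaves like "never logged in"
    }
  }
  function save(pair) { storage.setItem(STORAGE_KEY, encrypt(JSON.stringify(pair))); }
  function clear() { storage.removeItem(STORAGE_KEY); } // manual logout
  function isLoggedIn() { return load() !== null; }
  // Headers to attach to an outgoing request; empty when logged out.
  function authHeaders() {
    const pair = load();
    return pair ? { [ACCESS_HEADER]: pair.access, [REFRESH_HEADER]: pair.refresh } : {};
  }
  // Call with every response. A rotated pair overwrites ours; a lone header is
  // ignored so a partial pair can never be stored. 401 (assumed to mean the BE
  // rejected the pair) clears storage so the login wall appears again.
  function absorb(status, headers) {
    if (status === 401) { clear(); return null; }
    const access = headerOf(headers, ACCESS_HEADER);
    const refresh = headerOf(headers, REFRESH_HEADER);
    if (access && refresh) save({ access, refresh });
    return load();
  }
  return { load, save, clear, isLoggedIn, authHeaders, absorb };
}

// Constructed in-memory stand-in for window.localStorage (for running outside a browser).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); },
           removeItem: (k) => { m.delete(k); } };
}
```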