twolak23 / spotify-app-frontend


Handle session refresh #11

Open twolak23 opened 2 months ago

twolak23 commented 2 months ago

On the frontend side, there should be a 'restore session' dialog when the user enters the page an hour from the last login.

twolak23 commented 2 months ago
  1. User logs in - the user name and token are in local storage.
  2. After a couple of minutes, the user closes the card - local storage stays the same.

Scenario 1. After more than an hour, the user comes back to the dashboard. If there is a token and user in local storage, the popup shows up asking for session restore/token refresh.

User accepts the refresh - calls API GW to invoke a lambda for refreshing.

User denies the refresh - goes to the login page and removes local storage.

Scenario 2. The user comes back earlier than an hour after logging in - does nothing. When the user does some action requiring a valid token after the hour, automatically refresh or show the 'refresh session' popup.

Solution: a) Add an API GW endpoint triggering a new lambda function to refresh a token with only the user (without password because it's a trusted user). OR b) Add the password to local storage (maybe encrypted) and use the existing /authorize endpoint instead.
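
The two scenarios above written as a client-side decision function. This is an added illustration, not part of the issue or the project's code. The storage keys `user`, `token` and `loginAt`, the in-memory storage stand-in and the function names are assumptions; the refresh call itself is left to the caller, who passes in its result.

```javascript
// Added example. Keys "user", "token", "loginAt" and the one-hour constant
// are assumptions for illustration, not taken from the project.
const SESSION_MS = 60 * 60 * 1000;

// In-memory stand-in for window.localStorage so the example runs in Node.
function makeStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => void data.set(k, String(v)),
    removeItem: (k) => void data.delete(k),
  };
}

function clearSession(storage) {
  for (const k of ["user", "token", "loginAt"]) storage.removeItem(k);
}

// Called on page load (Scenario 1) and before any action that needs a valid
// token (Scenario 2). Returns "login", "prompt-refresh" or "continue".
function sessionAction(storage, now = Date.now()) {
  const user = storage.getItem("user");
  const token = storage.getItem("token");
  const loginAt = Number(storage.getItem("loginAt"));
  // Incomplete, malformed or future-dated state is never restored.
  if (!user || !token || !Number.isFinite(loginAt) || loginAt <= 0 || loginAt > now) {
    clearSession(storage);
    return "login";
  }
  return now - loginAt >= SESSION_MS ? "prompt-refresh" : "continue";
}

// Apply the answer to the restore dialog. newToken is whatever the refresh
// call returned (null if it failed or was never made).
function applyPromptAnswer(storage, accepted, newToken, now = Date.now()) {
  if (accepted && typeof newToken === "string" && newToken.length > 0) {
    storage.setItem("token", newToken);
    storage.setItem("loginAt", now);
    return "continue";
  }
  // Denied, or refresh failed: remove local storage and go to the login page.
  clearSession(storage);
  return "login";
}
```
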