Frontend Authentication

From Izara Wiki
Revision as of 23:46, 12 January 2023 by Sven the Barbarian

Token management

  • The application stores tokens in local storage so that token details remain after the tab (or possibly the browser) is closed.
  • Tokens are automatically refreshed whenever a request is sent to a backend endpoint that requires authorization.
  • As long as a request is made within the expiry time of the refresh token (default 30 days), the user does not need to sign in again.

Sign in flow

  • The frontend checks local storage for a copy of the tokens; if present, it considers the user signed in.
  • If user details are not already stored in the session, the frontend requests them from the backend when local storage tokens are detected.
  • Routes that do and do not require sign-in will see the tokens and render their pages as signed in.
  • If tokens are not present, routes that do not require sign-in render the page as not signed in.
  • If tokens are not present, routes that require sign-in redirect to the Cognito sign-in page.
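The route decision described above, as an added example (not the Izara project's own code). The local storage key, the Cognito Hosted UI domain, client id and redirect URI are placeholders; storage and session are passed in as plain objects so the logic runs outside a browser as well. Note that presence of tokens alone marks the user as signed in here, exactly as the flow states; expiry is only handled when a protected request is sent.

```javascript
// Added example (not Izara project code): decides how a route should render
// given the tokens in local storage and the session cache of user details.

// Assumed Cognito Hosted UI settings; placeholders, replace with real values.
const COGNITO_DOMAIN = 'https://example-auth.auth.eu-west-1.amazoncognito.com';
const CLIENT_ID = 'PLACEHOLDER_CLIENT_ID';
const REDIRECT_URI = 'https://app.example.com/callback';

const TOKEN_KEY = 'auth.tokens'; // assumed local storage key

// Read the stored token set; anything missing, incomplete or unparseable counts as "no tokens".
function readTokens(storage) {
  const raw = storage.getItem(TOKEN_KEY);
  if (!raw) return null;
  try {
    const t = JSON.parse(raw);
    return t && t.idToken && t.accessToken && t.refreshToken ? t : null;
  } catch {
    return null;
  }
}

// Build the Hosted UI sign-in URL (authorization code flow). `state` is an
// unguessable value the caller stores before redirecting and compares on return.
function cognitoSignInUrl(state) {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: 'code',
    scope: 'openid email profile',
    redirect_uri: REDIRECT_URI,
    state,
  });
  return `${COGNITO_DOMAIN}/login?${params.toString()}`;
}

// Route decision from the sign-in flow:
//  - tokens present          -> render signed in; fetch user details if the session lacks them
//  - no tokens, public route -> render as not signed in
//  - no tokens, protected    -> redirect to the Cognito sign-in page
function resolveRoute(route, storage, session, state) {
  const tokens = readTokens(storage);
  if (tokens) {
    return { render: 'signed-in', fetchUserDetails: !session.user };
  }
  if (!route.requiresSignIn) {
    return { render: 'anonymous', fetchUserDetails: false };
  }
  return { render: 'redirect', location: cognitoSignInUrl(state) };
}

// Minimal in-memory stand-in for window.localStorage so the example runs in Node.
function memoryStorage(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}
```

In a browser, pass `window.localStorage` instead of `memoryStorage()`; the session object is whatever in-memory store the app keeps user details in.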

Token usage

  • Tokens are only sent to the backend when a request is made to a protected endpoint.
  • When sending a backend request, if the local storage tokens have expired, the refresh token is used to obtain new id/access tokens before the request is sent.
  • If the refresh token is no longer valid, the local storage tokens are removed and the sign-in process begins.
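The refresh-before-request rule, as an added example (not the Izara project's own code). Expiry is read from the `exp` claim of the stored JWTs without verifying the signature, which is all the frontend needs (the backend still verifies the tokens it receives); a small clock-skew margin refreshes slightly early. The refresh call and the backend call are injected functions so the decision logic runs with no network, and the storage key is an assumed placeholder. Because anything in local storage is readable by every script running on the origin, short id/access token lifetimes keep the window for a stolen token small.

```javascript
// Added example (not Izara project code): refresh expired id/access tokens
// before a protected request, and fall back to sign-in when refresh fails.

const TOKEN_KEY = 'auth.tokens';  // assumed local storage key
const CLOCK_SKEW_SECONDS = 30;    // treat tokens expiring within 30 s as expired

class AuthError extends Error {}

// Decode the `exp` claim of a JWT payload (no signature check; frontend only
// needs expiry to decide whether to refresh). Returns 0 for anything malformed.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 0;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  try {
    const json = typeof atob === 'function'
      ? atob(padded)
      : Buffer.from(padded, 'base64').toString('binary');
    const exp = JSON.parse(json).exp;
    return typeof exp === 'number' ? exp : 0;
  } catch {
    return 0;
  }
}

function isExpired(token, nowSeconds) {
  return jwtExpiry(token) <= nowSeconds + CLOCK_SKEW_SECONDS;
}

// Pure decision step: what must happen before a protected request can be sent?
//   { step: 'sign-in' }  no usable tokens stored
//   { step: 'refresh' }  id/access token expired, refresh token available
//   { step: 'send' }     access token still valid
function nextStep(storage, nowSeconds) {
  const raw = storage.getItem(TOKEN_KEY);
  if (!raw) return { step: 'sign-in' };
  let tokens;
  try { tokens = JSON.parse(raw); } catch { return { step: 'sign-in' }; }
  if (!tokens || !tokens.accessToken || !tokens.refreshToken) return { step: 'sign-in' };
  if (isExpired(tokens.accessToken, nowSeconds) || isExpired(tokens.idToken || '', nowSeconds)) {
    return { step: 'refresh', refreshToken: tokens.refreshToken };
  }
  return { step: 'send', accessToken: tokens.accessToken };
}

// Merge refreshed tokens over the stored set. Cognito's refresh normally returns
// only new id/access tokens; merging keeps the existing refresh token unless a new one arrives.
function storeRefreshed(storage, fresh) {
  const tokens = { ...JSON.parse(storage.getItem(TOKEN_KEY) || '{}'), ...fresh };
  storage.setItem(TOKEN_KEY, JSON.stringify(tokens));
  return tokens;
}

function clearTokens(storage) {
  storage.removeItem(TOKEN_KEY);
}

// Orchestrates a protected request. `refreshTokens(refreshToken)` and
// `sendRequest(request)` are injected (hypothetical) async functions.
async function authorizedRequest({ storage, refreshTokens, sendRequest, now = () => Math.floor(Date.now() / 1000) }, request) {
  let step = nextStep(storage, now());
  if (step.step === 'refresh') {
    try {
      storeRefreshed(storage, await refreshTokens(step.refreshToken));
    } catch {
      clearTokens(storage);  // refresh token no longer valid: drop tokens, caller begins sign-in
      throw new AuthError('refresh failed: begin sign in');
    }
    step = nextStep(storage, now());
  }
  if (step.step !== 'send') throw new AuthError('no valid tokens: begin sign in');
  const headers = { ...(request.headers || {}), Authorization: `Bearer ${step.accessToken}` };
  return sendRequest({ ...request, headers });
}

// Constructed sample token (unsigned, for demonstration only): header.payload.sig
function base64url(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function sampleJwt(payload) {
  return `${base64url('{"alg":"none","typ":"JWT"}')}.${base64url(JSON.stringify(payload))}.sig`;
}
```

Callers catch `AuthError` and start the sign-in flow; every other error is a normal request failure and leaves the stored tokens untouched.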

Cognito cookie session

  • When the Cognito UI is used to sign in, a cookie is saved for the Cognito domain that remembers the sign-in for 1 hour.
  • If the frontend returns to the sign-in page, Cognito detects the cookie and redirects back to the frontend as if the user had signed in, without prompting for credentials.
  • If the browser has tokens in local storage there is no redirection to the Cognito UI, so the Cognito cookie process is not triggered.
  • If no tokens exist, e.g. in a new tab or after restarting the browser, visiting a route that requires sign-in redirects to Cognito, which detects the cookie and returns to the frontend without requiring sign-in.