AUTH-2: keep-me-logged-in by default (strong client session caching)#102
Merged
Conversation
Strong client-side session caching so users don't log in over and over.
- New lib/authStorage.ts: single accessor for the auth token + cached user.
keep=true → localStorage (survives browser restart; the default); keep=false
→ sessionStorage (cleared when the tab closes). Reads prefer localStorage then
fall back to sessionStorage; switching modes clears the stale copy; the keep
flag (graphdone:keepLoggedIn) defaults to true.
- Route apollo.ts (authLink, errorLink clears, wsLink) and AuthContext
(mount/login/logout + ME refresh) through authStorage instead of poking
localStorage directly.
- AuthContext.login(user, token, keepLoggedIn?) threads the choice; defaults to
the user's last preference.
- Signin: "Keep me logged in" checkbox now DEFAULT ON with clear copy
("Stay signed in on this device — uncheck on shared computers"); magic-link
sign-in keeps you logged in by default (you clicked your own link).
- Unit test (8 cases) for the storage logic. THE GATE 5/5 (login unaffected).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
🧪 Comprehensive Test Suite
Full-stack smoke gate runs in the CI workflow. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Users shouldn't have to log in over and over. This makes "keep me logged in" the default and makes it clear in the UI, with a clean session-only opt-out.
lib/authStorage.ts(new): one accessor for the auth token + cached user.keep=true→localStorage(survives browser restart — the default)keep=false→sessionStorage(cleared when the tab/window closes)graphdone:keepLoggedIndefaults totrue.apollo.ts(authLink / errorLink clears / wsLink) andAuthContext(mount, login, logout, ME refresh) now go throughauthStorageinstead of pokinglocalStoragedirectly.AuthContext.login(user, token, keepLoggedIn?)threads the choice (defaults to the user's last preference).Signin: the checkbox is now default ON, relabeled "Keep me logged in" with clear copy ("Stay signed in on this device — uncheck on shared computers"); magic-link sign-in keeps you logged in by default.Verification
authStorage.test.ts— 8/8 (persistent vs session, mode-switch clears stale copy, default-kept, localStorage-preference, token-only, clearSession).Follow-up (not here): sliding token refresh before the 30-day expiry (needs a Worker refresh endpoint).
🤖 Generated with Claude Code