feat: add session timeout warning before JWT expiry (FE-20)

[Chris0Jeky]

Summary

• Adds a useSessionTimeout composable that monitors JWT expiry and shows a persistent warning banner 5 minutes before the token expires
• Warning includes a live countdown timer (mm:ss format), "Extend Session" button (attempts /auth/refresh, graceful fallback toast on failure), and "Dismiss" button
• Per-token deduplication prevents warning spam after dismissal
• Skips entirely in demo mode and unauthenticated states
• SessionTimeoutWarning.vue component wired into App.vue for global visibility
• authApi.refreshToken() added (backend endpoint not yet implemented; composable handles failure gracefully)

Closes #861

Test plan

• 19 vitest tests covering all composable logic paths (timer scheduling, countdown, dismiss, dedup, extend success/failure/idempotency, demo mode, logout, teardown, token reschedule)
• TypeScript typecheck passes (npm run typecheck)
• ESLint passes (npm run lint) -- 0 new warnings
• Production build passes (npm run build)
• Full test suite passes (2571 tests, 211 files)
• Manual: verify warning appears ~5min before real JWT expiry
• Manual: verify Extend Session button shows fallback toast (no backend refresh endpoint yet)
• Manual: verify Dismiss prevents re-show for same session
• Manual: verify demo mode never shows warning

[gemini-code-assist]

Code Review

This pull request implements a session timeout warning system to notify users before their JWT expires. It adds a SessionTimeoutWarning component to the main application shell, a useSessionTimeout composable for managing expiry timers and countdowns, and a refreshToken method to the authentication API. Review feedback highlights the need to refactor the session extension logic by centralizing it within the session store to prevent state synchronization issues and code duplication. Additionally, it is recommended to use existing type definitions instead of verbose inline types for better maintainability.

[gemini-code-assist]

This block manually implements session update logic that should be centralized in the store.

Issues:

1. Redundancy: useSessionStore is already available as session (initialized on line 48). The dynamic import and re-initialization of store are unnecessary.
2. Incompleteness: It only updates token and expiresAt, ignoring other user metadata returned in AuthResponse and skipping the tokenStorage.setSession call. This will cause the session metadata to be out of sync or lost upon page refresh.
3. Duplication: The expiry calculation logic is duplicated from the getTokenExpiryIso utility.

Recommendation: Move this logic into a refreshToken action within sessionStore.ts. The composable should simply call await session.refreshToken(), ensuring all state updates and persistence logic are handled centrally and correctly.

[gemini-code-assist]

The inline type definition for the refreshToken dependency is verbose and duplicates the AuthResponse structure. Using the AuthResponse type from ../types/auth would improve maintainability and ensure consistency with the store and API layers.

[Chris0Jeky]

Adversarial Self-Review

Issues found and fixed

1. Watcher leak in teardown() -- teardown() cleared timers and state but did not stop the Vue watch(). When the composable was used outside a component (tests) or teardown was called manually, the watcher would continue firing. Fixed in commit 4146d5d: teardown() now calls stopWatch().

Reviewed and acceptable

2. Multiple tabs -- Each tab has its own composable instance. If a user extends the session in one tab, other tabs will not automatically pick up the new token. This is expected behavior since there is no cross-tab sync mechanism yet (and the backend refresh endpoint does not exist). When/if refresh is implemented, a BroadcastChannel or storage event listener could sync tokens across tabs. Not blocking for this PR.

3. Token refresh during countdown -- If the token is refreshed externally (e.g., by another mechanism), the watcher catches the session.token change and reschedules the warning timer correctly. Test: "reschedules warning when token changes to a new one".

4. Demo mode -- The composable explicitly checks session.isDemo and skips entirely. Test: "does not show warning when in demo mode".

5. Backend refresh endpoint missing -- The authApi.refreshToken() call will 404 until the backend implements /auth/refresh. The composable gracefully catches the error and shows a toast: "Could not extend session. Please save your work and log in again." The warning banner remains visible so the user can still save work. Test: "extend shows toast on failure and keeps warning visible".

6. Dynamic imports in extend() -- The non-test path uses await import(...) for authApi, sessionStore, and tokenStorage to avoid circular imports. These are resolved from the same Vite bundle, so they work correctly in both dev and production builds.

7. Countdown accuracy -- Uses setInterval(1000) for display ticking but computes seconds from nowFn() vs stored tokenExpiryMs, so drift accumulation is impossible -- each tick recalculates from the real clock.

8. Accessibility -- Warning uses role="alert", aria-live="assertive" on the container and aria-live="polite" on the countdown span. Dismiss button has aria-label.

Test coverage assessment

19 tests cover all composable paths. The component (SessionTimeoutWarning.vue) does not have its own test file -- it is a thin rendering layer over the composable. Adding a component-level test would improve coverage but is not blocking.

Remaining work (not in scope)

• Backend /auth/refresh endpoint (separate issue)
• Cross-tab token sync via BroadcastChannel
• Component-level test for SessionTimeoutWarning.vue

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b4f16b5d32

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Bypass global 401 redirect for refresh attempt

This refreshToken call uses the shared http client, and that client's 401 interceptor unconditionally clears session storage and redirects to /login on non-auth routes (src/api/http.ts, response interceptor). Because that redirect fires before this composable's catch, a 401 from /auth/refresh (for example, expired access token or refresh not available) will navigate away immediately instead of showing the intended fallback warning/toast flow, which can interrupt unsaved work.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Update full session state after token refresh

On refresh success, the code mutates only token and expiresAt directly, so the user payload returned by AuthResponse is ignored and session metadata (username/email/defaultRole snapshot) is not synchronized through the store's canonical session update path. If user profile fields change between login and refresh, the app keeps stale identity/role data until a later restore/hydration cycle.

Useful? React with 👍 / 👎.

[Chris0Jeky]

Adversarial Review -- PR #919 (Session Timeout Warning)

I have read the full diff, all 4 bot inline comments, and done my own independent review. Summary of findings below.

---

CRITICAL: No backend /auth/refresh endpoint exists

The new authApi.refreshToken() calls POST /auth/refresh, but this endpoint does not exist in AuthController.cs (or anywhere in the backend). The "Extend Session" button will always fail -- returning either a 404 or triggering the HTTP client's 401 interceptor (see next issue). This renders the extend functionality dead-on-arrival.

Action required: Either (a) add a /auth/refresh endpoint to the backend in a separate PR that ships before or alongside this one, or (b) remove the "Extend Session" button until the endpoint exists and replace it with an informational message directing users to save their work and re-login.

---

HIGH: 401 interceptor will hijack refresh failure (agrees with chatgpt-codex-connector bot)

The bot correctly identified that http.ts response interceptor unconditionally clears tokenStorage and redirects to /login on any 401. If the refresh call fails with 401 (likely, since the endpoint doesn't exist or the token is near-expiry), the interceptor redirects before the composable's catch block can show the friendly toast. This silently interrupts the user's work -- the exact scenario the feature is supposed to prevent.

Action required: If the refresh endpoint is implemented, the refresh call should either bypass the 401 interceptor (e.g. via a skipAuth401 flag on the request config) or use a separate axios instance.

---

HIGH: Extend logic bypasses setSession, causing incomplete state updates (agrees with both bots)

Both bots correctly flagged this. In extend(), when !deps?.refreshToken (production path), the code manually sets store.token and store.expiresAt but skips: userId, username, email, defaultRole, and persistSessionSnapshot(). The store's setSession(data: AuthResponse) method handles all of this centrally, but it is not exported from the store's return block.

Fix: Add a refreshSession action to sessionStore.ts that calls authApi.refreshToken() and then passes the response through setSession(). The composable should call await session.refreshSession() instead of manually mutating store state.

---

MEDIUM: Inline type duplication (agrees with gemini-code-assist bot)

Line 45 inlines the full { token: string; user: { id: string; ... } } type instead of importing AuthResponse from ../types/auth. This creates a maintenance burden and can silently drift out of sync.

Fix: Import and use AuthResponse type for the refreshToken dependency.

---

LOW: Nested aria-live regions may cause double announcements

The container div has aria-live="assertive" and the countdown span inside it has aria-live="polite". Nested live regions can cause screen readers to announce changes at both levels. Consider removing the inner aria-live on the span since the outer container already handles it, or move the aria-live="polite" to a visually-hidden element that only contains the countdown text.

---

Observations (no fix needed now)

1. Timer cleanup is solid. The watcher properly calls resetState() on token change, onUnmounted is correctly guarded by getCurrentInstance(), and teardown() stops the watcher. No timer leak risk.
2. JWT parsing is safe for this use case. The atob concern is a non-issue here -- the code correctly normalizes base64url to base64 before calling atob, and JWT payloads only contain ASCII JSON for standard claims like exp.
3. Test coverage is good for the composable logic (timer scheduling, countdown, dismiss, extend, teardown, token change, demo mode). Missing: a test for the production !deps?.refreshToken branch, and a test for the extend() error path checking that the warning remains visible AND a toast was shown.
4. COUNTDOWN_TICK_MS is declared and used correctly -- no dead constant.

---

Summary

The core timing/warning/dismiss logic is well-implemented and well-tested. However, the "Extend Session" feature is non-functional because the backend endpoint does not exist, and even if it did, the HTTP interceptor would hijack the error path. The extend logic also bypasses the store's centralized state management.

Recommendation: Before merging, either implement the backend refresh endpoint or remove the extend button. Fix the store state bypass and interceptor interaction regardless.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5670ca33d7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use non-assertive live region for ticking expiry timer

This warning container is marked as role="alert" with aria-live="assertive", but its text updates every second via the countdown, so screen readers can repeatedly interrupt users for up to several minutes while the banner is visible. In practice this creates a noisy, disruptive accessibility regression for keyboard/screen-reader users on any session nearing expiry; the countdown text should not be announced assertively on every tick.

Useful? React with 👍 / 👎.