# Session Monitoring
Floh monitors the user's session and provides proactive warnings before a session expires. This applies to OIDC-authenticated sessions when an Authifi identity provider is configured; in dev mode (no OIDC), session monitoring is disabled.
## How It Works
Floh manages two independent session lifetimes:
- Idle timeout — The session expires if the user is inactive for a configurable period (set in the Authifi tenant). Any authenticated API call resets the idle timer.
- Maximum session lifetime — An absolute ceiling on how long a session can last, regardless of activity. When this limit is reached, the user must log out and log back in.
The Angular frontend monitors these lifetimes and displays appropriate warnings.
## Server Endpoints

### GET /api/auth/session
Returns the current session lifetime details. Requires authentication.
The server proxies the Authifi `GET /auth/user/selfService/sessionDetails` endpoint using the stored access token, and supplements the response with the local Redis session TTL.
Response:
| Property | Type | Description |
|---|---|---|
| `maxSessionLifetime` | number | Maximum session lifetime in seconds |
| `maxIdleSessionLifetime` | number | Maximum idle session lifetime in seconds |
| `remainingSessionLifetime` | number | Remaining session lifetime in seconds |
| `remainingIdleLifetime` | number | Remaining idle lifetime in seconds |
| `flohSessionTtl` | number | Remaining Floh Redis session TTL in seconds |
If the Authifi endpoint is unavailable (e.g., a non-Authifi OIDC provider), all fields fall back to the Redis TTL value.
### POST /api/auth/session/extend
Extends the current session. Requires authentication.
- Resets the Redis session TTL to 24 hours
- Re-sets the `floh_sid` cookie with a fresh `maxAge`
- Calls Authifi's `GET /auth/sessions/sessionIdleLifetime` heartbeat to reset the IdP idle timer
- Returns the updated `SessionInfoResponse`
## Frontend Behavior

### Activity-Aware Polling
The `SessionMonitorService` polls `GET /api/auth/session` every 60 seconds while the user is active (mouse, keyboard, click, scroll, or touch events). Since every authenticated Authifi API call resets the idle timer, polling itself keeps the idle timer alive.
When the user becomes locally inactive (no DOM events for a sustained period), polling stops so that the Authifi idle timer can count down naturally. A local countdown timer takes over, decrementing the last known `remainingIdleLifetime` once per second.
### Warning States

**Idle Expiring (< 5 minutes remaining)**

A modal dialog appears with:

- A countdown showing the remaining idle time
- A "Continue Session" button that calls the extend endpoint
- A "Log Out" button
**Max Lifetime Approaching (< 10 minutes remaining)**
A warning banner appears at the top of the viewport:
"Your session will reach its maximum lifetime in X:XX. Please save your work, then log out and log back in to continue."
This warning is non-dismissable. The max lifetime cannot be extended — the user must re-authenticate.
**Session Timed Out**
A full-screen overlay blocks all interaction:
"Your session has timed out. Please log in again to continue."
The overlay carries a "Log In Again" button. This state is triggered by:

- Any lifetime reaching zero
- A 401 response from any non-auth API call
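The polling and warning logic described above, as an added, framework-free example (not Floh's own `SessionMonitorService`): the class below models when to poll, the local countdown while idle, and the three warning states. `SessionMonitor`, `Warnings` and `INACTIVE_AFTER_S` are assumed names; the page says only "a sustained period" for local inactivity, so the 120-second window is a constructed value.

```typescript
// Added example, not Floh's code. INACTIVE_AFTER_S is assumed (page: "a sustained period").
type SessionInfo = { remainingSessionLifetime: number; remainingIdleLifetime: number };
type Warnings = { idleExpiring: boolean; maxApproaching: boolean; timedOut: boolean };
const POLL_INTERVAL_S = 60;    // poll cadence while the user is active
const IDLE_WARN_S = 5 * 60;    // idle modal: < 5 minutes remaining
const MAX_WARN_S = 10 * 60;    // max-lifetime banner: < 10 minutes remaining
const INACTIVE_AFTER_S = 120;  // assumed: no DOM events for this long = locally inactive

class SessionMonitor {
  private receivedAt: number;   // clock (seconds) when `info` was fetched
  private lastActivity: number; // clock of the last DOM activity event
  private unauthorized = false;

  constructor(now: number, private info: SessionInfo) {
    this.receivedAt = now;
    this.lastActivity = now;
  }
  onActivity(now: number): void { this.lastActivity = now; }
  // Called by the error interceptor on a 401 from a non-auth API call.
  onUnauthorized(): void { this.unauthorized = true; }
  // Store a fresh server response (from a poll or from POST /api/auth/session/extend).
  onSessionInfo(now: number, info: SessionInfo): void {
    this.info = { ...info };
    this.receivedAt = now;
  }
  isActive(now: number): boolean { return now - this.lastActivity < INACTIVE_AFTER_S; }
  // Poll only while active: the poll is an authenticated call that resets the IdP idle
  // timer, so it must stop once the user is locally idle.
  shouldPoll(now: number): boolean {
    return this.isActive(now) && now - this.receivedAt >= POLL_INTERVAL_S;
  }
  // Local countdown: last server values minus the seconds elapsed since they arrived.
  remaining(now: number): SessionInfo {
    const elapsed = now - this.receivedAt;
    return {
      remainingSessionLifetime: Math.max(0, this.info.remainingSessionLifetime - elapsed),
      remainingIdleLifetime: Math.max(0, this.info.remainingIdleLifetime - elapsed),
    };
  }
  // Modal and banner are independent; the timed-out overlay supersedes both.
  warnings(now: number): Warnings {
    const r = this.remaining(now);
    const timedOut = this.unauthorized || r.remainingIdleLifetime === 0 || r.remainingSessionLifetime === 0;
    return {
      timedOut,
      idleExpiring: !timedOut && r.remainingIdleLifetime < IDLE_WARN_S,
      maxApproaching: !timedOut && r.remainingSessionLifetime < MAX_WARN_S,
    };
  }
}
```

A real service would drive `shouldPoll` from a once-per-second tick and feed each `GET /api/auth/session` response into `onSessionInfo`.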
### Error Interceptor

The HTTP error interceptor signals the session monitor on 401 responses (instead of the previous behavior of silently calling `logout()`). This ensures the "session timed out" overlay is shown with a clear call to action.
## Configuration
Session timeouts are configured on the Authifi tenant, not in the Floh application. Floh reads the current values at runtime via the Authifi API.
The Floh-side Redis session TTL is hardcoded at 24 hours (`DEFAULT_TTL_SECONDS` in `packages/server/src/modules/auth/session.ts`).
## Testing

Server tests (`packages/server/test/unit/`):

- `session-service.test.ts` — Tests `getTtl()` and `extend()` methods on `SessionService`
- `session-routes.test.ts` — Tests `GET /session` and `POST /session/extend` routes including Authifi integration and fallback behavior

Client tests (`packages/web/src/`):

- `core/services/session-monitor.service.spec.ts` — Tests polling, signals, extend, and expiry logic
- `core/components/session-timeout.component.spec.ts` — Tests dialog visibility, banner rendering, overlay display, and user interactions