Currently, the mobile app does not validate the stored JWT every time it opens. This is a security issue because:
• Expired or tampered tokens might still be used until an API call fails.
• There’s no proactive sign-out or feedback to the user if the token is invalid.
Expected behavior:
• On app launch or resume, the app should validate the JWT against the backend.
• If the JWT is invalid/expired, the app should:
    • Clear local auth state (token, user ID, etc.)
    • Redirect the user to the login screen
Steps to reproduce:
1. Kill the app with a valid JWT saved.
2. Wait until the token expires.
3. Reopen the app.
4. The app still thinks you’re logged in until you make an API call (💀).
Fix suggestion:
• Add an auth check on onAppLaunch() or onResume().
• Call a lightweight protected endpoint like GET /auth/profile or decode the token and check exp timestamp.
• If invalid → logout immediately.
Ref: https://jwt.io/
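
One way to implement the launch/resume check from the fix suggestion, as an added example that is not the app's own code. `store`, `fetchProfile`, `checkAuthOnLaunch` and the returned state strings are hypothetical names, and `Buffer` assumes a Node-style runtime (substitute the platform's base64 decoder).

```javascript
// Decode the payload WITHOUT verifying the signature. The client normally
// holds no verification key, so this only reads what the token claims.
// It catches expiry early; tampering is only detected by the backend call.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return payload && typeof payload === 'object' ? payload : null;
  } catch (_) {
    return null; // not base64 / not JSON
  }
}

// Fail closed: a malformed token or a missing exp counts as expired.
function isLocallyExpired(token, nowSeconds) {
  const payload = decodeJwtPayload(token);
  if (!payload || typeof payload.exp !== 'number') return true;
  return nowSeconds >= payload.exp;
}

// store: { getToken(), clear() } (hypothetical secure-storage wrapper)
// fetchProfile(token): resolves to { status }, e.g. for GET /auth/profile
async function checkAuthOnLaunch(store, fetchProfile, nowSeconds) {
  const token = await store.getToken();
  if (!token) return 'logged_out';
  if (isLocallyExpired(token, nowSeconds)) {
    await store.clear(); // token, user ID, etc.
    return 'logged_out'; // caller redirects to the login screen
  }
  let res;
  try {
    res = await fetchProfile(token);
  } catch (_) {
    // Network failure says nothing about the token: keep the session,
    // treat it as unverified and re-check on the next resume.
    return 'unverified';
  }
  if (res.status === 401 || res.status === 403) {
    await store.clear(); // backend rejected it (revoked, tampered, expired)
    return 'logged_out';
  }
  return res.status === 200 ? 'authenticated' : 'unverified';
}
```

Call it from both `onAppLaunch()` and `onResume()`, passing `Math.floor(Date.now() / 1000)` as `nowSeconds`.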
