feat(web): enable activity-driven session heartbeat #1474
Merged
Pull request overview
This PR completes the activity-driven session heartbeat feature for apps/web by adding a server route that refreshes the current session and wiring the client-side useHeartbeat hook into the app’s root provider layer.
Changes:
- Add `POST /api/auth/heartbeat` route that delegates to `@eventuras/fides-auth-next`’s `handleHeartbeat`.
- Invoke `useHeartbeat` from `Providers` and dispatch `sessionExpired` on 401 to the existing `authStore`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apps/web/src/app/Providers.tsx | Starts the client heartbeat logic globally and connects 401 handling to authStore.sessionExpired. |
| apps/web/src/app/(auth)/api/auth/heartbeat/route.ts | Adds the heartbeat API route that performs server-side session refresh via handleHeartbeat. |
Wires the heartbeat from @eventuras/fides-auth-next into apps/web:

- New `/api/auth/heartbeat` POST route that delegates to the `handleHeartbeat` factory with the app's `oauthConfig`
- `useHeartbeat` hook invoked from the root `Providers` so every authenticated user benefits — dispatches `sessionExpired` to the auth store on 401

Final 3/3 of the heartbeat work. Together with #1470 and #1473, this should stop the "logged out while typing" reports for active users.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
6c7033f to 6e6399d



Summary
Wires the heartbeat machinery from #1470 (activity tracker) and #1473 (hook + handler) into the web app:
- `POST /api/auth/heartbeat` route that delegates to `handleHeartbeat({ oauthConfig })`
- `useHeartbeat` invoked from the root `Providers` so every authenticated user benefits. On 401, dispatches `sessionExpired` to the existing `authStore`.

Final 3/3 of the heartbeat work:
- `fides-auth`: activity tracker primitive (merged)
- `fides-auth-next`: hook + handler (merged)
- `apps/web`: route + provider wiring

Why
Auth0's idle refresh-token lifetime cuts off active users who don't navigate — typically someone editing a long form or scribo callout. Symptom: "logged out while typing." With this in place, the client refreshes the access token every ~5 min while the user is actually interacting (mouse/keyboard/touch/focus within the last 2 min). Background tabs are skipped, and a tab regaining focus after a long away triggers an immediate refresh.
Together with the planned Auth0 lifetime adjustment (access 15 min / idle 30 min / max 8 h), this should eliminate the reports.
Test plan
- `pnpm dev` in `apps/web` — log in, leave a form open for >5 min while typing occasionally, confirm `/api/auth/heartbeat` returns 200 and the session cookie is rotated
- `sessionExpired` is dispatched

🤖 Generated with Claude Code
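
The refresh policy described under "Why", written out as an added TypeScript example that is not part of this pull request or of `@eventuras/fides-auth-next`. All names (`TabState`, `decideHeartbeat`, `onFocus`, `applyResponse`, `demoTimeline`) are hypothetical, the handling of non-401 failures and the meaning of "long away" are assumptions, and the timeline is constructed.

```typescript
// Added example; every name below is hypothetical, not the fides-auth-next API.
const MIN = 60 * 1000;
const HEARTBEAT_INTERVAL_MS = 5 * MIN; // page: refresh "every ~5 min"
const ACTIVITY_WINDOW_MS = 2 * MIN;    // page: activity "within the last 2 min"
interface TabState {
  lastActivityAt: number; // ms timestamp of last mouse/keyboard/touch/focus event
  lastRefreshAt: number;  // ms timestamp of last successful heartbeat
  visible: boolean;       // false while the tab is in the background
}
type Decision = "refresh" | "skip-hidden" | "skip-not-due" | "skip-idle";
type Outcome = "refreshed" | "session-expired" | "retry-later";

// Pure policy check, evaluated on every timer tick and on every focus event.
function decideHeartbeat(s: TabState, now: number): Decision {
  if (!s.visible) return "skip-hidden";
  if (now - s.lastRefreshAt < HEARTBEAT_INTERVAL_MS) return "skip-not-due";
  // An unattended session is never extended, so the idle timeout still ends it.
  if (now - s.lastActivityAt > ACTIVITY_WINDOW_MS) return "skip-idle";
  return "refresh";
}

// Focus counts as activity, so a tab returning after a long absence (assumed:
// longer than the interval) refreshes at once instead of waiting for a tick.
function onFocus(s: TabState, now: number): Decision {
  s.visible = true;
  s.lastActivityAt = now;
  return decideHeartbeat(s, now);
}

// Only a 401 ends the session; treating other failures as transient is an assumption.
function applyResponse(s: TabState, status: number, now: number): Outcome {
  if (status === 401) return "session-expired"; // caller dispatches sessionExpired
  if (status < 200 || status >= 300) return "retry-later";
  s.lastRefreshAt = now;
  return "refreshed";
}

// Constructed timeline, in minutes since the last refresh at t=0.
function demoTimeline(): Decision[] {
  const s: TabState = { lastActivityAt: 4 * MIN, lastRefreshAt: 0, visible: true };
  const out: Decision[] = [decideHeartbeat(s, 5 * MIN)]; // typed 1 min ago, due
  applyResponse(s, 200, 5 * MIN);
  out.push(decideHeartbeat(s, 7 * MIN));  // refreshed 2 min ago
  out.push(decideHeartbeat(s, 12 * MIN)); // due, but idle for 8 min
  s.visible = false;
  out.push(decideHeartbeat(s, 13 * MIN)); // background tab
  out.push(onFocus(s, 40 * MIN));         // back after a long absence
  return out;
}
```

The `skip-idle` branch is what keeps the heartbeat from turning into an unconditional keep-alive: a session nobody is interacting with stops being refreshed and expires on the provider's idle schedule.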