fix: prevent admin authentication timeout during session
TaxBaik CI/CD / build-and-deploy (push) Successful in 48s

**Issues Resolved:**
1. Access Token lifetime extended 15m → 1h (better UX)
   - Users can browse admin pages for 1 hour without re-login
   - Reasonable balance between security and usability

2. Automatic pre-expiry token refresh
   - GetAuthenticationStateAsync() now checks if token expires in <5min
   - Automatically refreshes before expiry when user is still active
   - Prevents sudden logout during admin work

**Implementation:**
- Added ShouldRefreshToken() to detect imminent expiry (300s window)
- On auth state check, if token expiring soon: trigger refresh via AuthService
- Refresh happens transparently, no user interaction needed
- Maintains 7-day Refresh Token TTL for security

**Behavior:**
- User logs in with 1-hour session
- Every page load/navigation checks token status
- If <5min remaining: auto-refresh (user doesn't notice)
- If refresh fails: graceful logout with warning
- Refresh Token (7 days) allows re-login without password

This provides better UX while maintaining security through
shorter-lived access tokens and automatic renewal.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-28 12:56:44 +09:00
parent 41c8106a10
commit 804725a785
2 changed files with 41 additions and 2 deletions
+1 -1
View File
@@ -14,7 +14,7 @@ public class AuthService
private readonly ILogger<AuthService> _logger;
private readonly string _jwtSecretKey;
private readonly string? _passwordResetToken;
private readonly int _accessTokenExpirationMinutes = 15; // Access Token: 15분
private readonly int _accessTokenExpirationMinutes = 60; // Access Token: 1시간 (사용성 향상)
private readonly int _refreshTokenExpirationMinutes = 10080; // Refresh Token: 7일
public AuthService(IAdminUserRepository adminUserRepository, ILogger<AuthService> logger, IConfiguration configuration)