VIA-942: Enforce Session Expiry Reliably After 10 Minutes of Inactivity

[liming-cheung-nhs]

Description

• Created cookie on logout so when session refresher comes (every 60s), it would see this and not try to refresh.
• This ensures logout action is honoured.
• The cookie created holds the session id - this ensures it does not interfere with user having logged in again as it would be under different session id.
• updated cookie text based on design spec

Testing on deployed to sandpit personal workspace

• logged out -> waited 10 mins -> remains logged out (test QA highlighted in ticket)
• logged in -> wait auto timeout 10 mins -> ignore dialogue box -> wait -> logs out as expected
• seen new cookie in browser

30/04/2026
I was getting this error on logout

{
    "level": "ERROR",
    "time": 1777563513941,
    "pid": 9,
    "hostname": "169.254.37.235",
    "module": "client-side-error-logger",
    "traceId": "1-69f37779-2e2f625e7c9d4de5065776ab",
    "nextUrl": "",
    "sessionId": "b9219a32-8e59-4386-9d20-3834b625baa1",
    "lambdaVersion": "4",
    "appVersion": "unknown",
    "context": {
        "clientSideErrorType": "UNHANDLED_PROMISE_REJECT_ERROR"
    },
    "msg": "Client side error occurred"
}

It would seem signout causes redirect - Nextjs Docs suggest redirects return as exception from next so the commit handles that on client. So added commit that seem to fix it.

Note: Existing issue under investigation: getToken will return null, but the MyVaccines app then currently tries to redirect the user to NHS App because they are not authenticated, meaning the user will never see the logout / session timeout screens. (at present this throws a cors error in the browser and the user never actually gets to NHS app but this is a quirk and the underlying issue still needs fixing; the user shouldnt be redirected at all for this part of the journey. The network tab shows the cors error and an error would be logged in our service logs).

Context

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

---

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

[Copilot]

Pull request overview

Implements a short-lived “signout flag” cookie to prevent session refresh logic from re-authenticating a user immediately after logout/inactivity timeout, improving enforcement of 10-minute inactivity expiry.

Changes:

• Add __Secure-signout cookie constant and document it in the cookies policy table.
• Set the signout-flag cookie during logout and check it in the NextAuth jwt/getToken callback to return null for recently-signed-out sessions.
• Add/extend unit tests for the new logout flow, cookie setting, and token callback behavior.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/utils/constants.ts	Adds constant for the new signout-flag cookie name.
src/utils/auth/user-logout.ts	Converts logout to a server action, wraps in request-scoped storage, and sets signout-flag cookie before signing out.
src/utils/auth/user-logout.test.ts	Updates mocks and adds assertions for flag cookie + request-scoped wrapper usage.
src/utils/auth/setSignOutFlagCookie.ts	New server action to set a short-lived signout-flag cookie tied to the session id.
src/utils/auth/setSignOutFlagCookie.test.ts	New unit test validating the signout cookie is set as expected.
src/utils/auth/callbacks/get-token.ts	Reads signout-flag + session-id cookies to short-circuit and return null after recent signout.
src/utils/auth/callbacks/get-token.test.ts	Adds tests ensuring getToken returns null when signout flag matches current session.
src/app/our-policies/cookies-policy/CookiesTable.tsx	Documents the new __Secure-signout cookie and its purpose/expiry.
src/app/our-policies/cookies-policy/CookiesTable.test.tsx	Updates expectations to include the new cookie row and timing.
src/app/_components/inactivity/InactivityDialog.test.tsx	Adjusts mocking for updated logout module usage.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[liming-cheung-nhs]

NextJS seem to suggest it is bau to return from redirect as exception to stop rendering - this redirect being triggered by nextjs signOut. Catching this error seem to get rid of the client side error consistently that I was seeing locally and in deployed workspace. See PR description for details.

[liming-cheung-nhs]

Added to fix the client side error - see PR description and AppHeader comment.