Refresh session modal instead of Refresh page

FeRojas · 2026-02-24T13:06:54.816+00:00

In a web app, I'm using WorkOS for authentication (with Convex), and I use a refresh page to refresh the session token, inspired by the Nordbase template. I was wondering if it would be a good option to replace or complement the refresh page with a modal that has the same functionality — refreshing the token — with the goal of improving UX by not losing what the user was working on, and also being faster since we don't have to load an entire new page and then return to the original one.The specific use case is when the user navigates to an external page and comes back after a while to the app with an expired session. Instead of redirecting to the refresh page, a modal would load inline within the current protected-page-wrapper component, preserving the user's state, refresh the token and then show = false.Is anything in particular that should I worry about this approach? I am only asking because it is a security sensitive flow, so I want to be sure that it is secure approach.

FeRojas
17 days ago
In a web app, I'm using WorkOS for authentication (with Convex), and I use a refresh page to refresh the session token, inspired by the Nordbase template. I was wondering if it would be a good option to replace or complement the refresh page with a modal that has the same functionality — refreshing the token — with the goal of improving UX by not losing what the user was working on, and also being faster since we don't have to load an entire new page and then return to the original one.
The specific use case is when the user navigates to an external page and comes back after a while to the app with an expired session. Instead of redirecting to the refresh page, a modal would load inline within the current protected-page-wrapper component, preserving the user's state, refresh the token and then show = false.

Is anything in particular that should I worry about this approach? I am only asking because it is a security sensitive flow, so I want to be sure that it is secure approach.
Jay Campbell
17 days ago
When your API fails to get the user you can check if there’s a refresh token and refresh the session if there is.
FeRojas
17 days ago
Hi! The thing is that there are various API that could fail, and I need to refresh token and also Convex_setAuth, so I would need to apply all this flow to every API that fails if I dont do it with a unified component. And also because Im using WorkOS I need to trigger a special to refresh token (it seems to be I way to use an automatic refresh token also for WorkOS using Convex package and a fetchToken callback but havent implement it yet).
Jonathan Fors
13 days ago
Following this as well, would love to figure out a solution for the same use case as @FeRojas. Currently I have an interval set to refresh the page every 2 hours from first load which also refreshes the auth token (auth token expires in 3 hours).
Max
13 days ago
You can check out the nordbase template. This handles the refresh gracefully with the Supabase connect package
Jonathan Fors
13 days ago
I see, I’ll check it out. I’m using Xano though, but maybe I can get some hints from it at least
@Jonathan Fors
I see, I’ll check it out. I’m using Xano though, but maybe I can get some hints from it at least
Max
13 days ago
The mechanism is almost always the same. Not sure if Xano has a refresh token approach for sessions, though.
Jonathan Fors
13 days ago
Alright cool. It’s all built from scratch in Xano so anything is possible with auth logic, currently already have a session management system built
@Jonathan Fors
Following this as well, would love to figure out a solution for the same use case as @FeRojas. Currently I have an interval set to refresh the page every 2 hours from first load which also refreshes the auth token (auth token expires in 3 hours).
FeRojas
11 days ago
To be honest, I think that are better ways to do the refresh of the token if the user doesnt come from another page. I my case I needed a way to save new http-only-access token and authenticate the Convex Client (custom JWT using WorkOS so no automatic refresh), and all that in reusable Component so I could use it for different situations were a call fails because of authentication. For now is working well because is fast (1-2 seconds), signal the user that the token is being refresh, and acts has a fallback if other refreshing methods fail. But I think it would be better to use a proactive method so user have no interruption. Nordbase is a great inspiration to build your own auth flows (I used this and @Jay Campbell Convex template for client auth flows).
@FeRojas
To be honest, I think that are better ways to do the refresh of the token if the user doesnt come from another page. I my case I needed a way to save new http-only-access token and authenticate the Convex Client (custom JWT using WorkOS so no automatic refresh), and all that in reusable Component so I could use it for different situations were a call fails because of authentication. For now is working well because is fast (1-2 seconds), signal the user that the token is being refresh, and acts has a fallback if other refreshing methods fail. But I think it would be better to use a proactive method so user have no interruption. Nordbase is a great inspiration to build your own auth flows (I used this and @Jay Campbell Convex template for client auth flows).
Max
11 days ago
The Nordbase template does that proactively 🙂 That functionality is baked into the Supabase connect package.
FeRojas
11 days ago
Hi Max!
Do you think that I could replicate this for Convex Auth? Do you remember which part/action of the package handle this part proactively? I have the added challenge that Im not using native Convex Auth but WorkOS (which is amazing and free for 1M users by the way) so I need to make some adaptations.
@FeRojas
Hi Max!
Do you think that I could replicate this for Convex Auth? Do you remember which part/action of the package handle this part proactively? I have the added challenge that Im not using native Convex Auth but WorkOS (which is amazing and free for 1M users by the way) so I need to make some adaptations.
Max
11 days ago
Yes, that should be possible. This is the component: https://editor.nordcraft.com/projects/supabase_connect/branches/main/components/supa-protected-page-context
FeRojas
10 days ago
Thanks! 👍

Refresh session modal instead of Refresh page

FeRojas

Jay Campbell

FeRojas

Jonathan Fors

Max

Jonathan Fors

Max

Jonathan Fors

FeRojas

Max

FeRojas

Max

FeRojas