Logging user out on time expiry

I’m working on a Node.js (Express) server and a React FE utilising APIs. The original developer used custom authentication and not JWT, etc.
When an account is created a token (userId) and secret are generated and stored in a DB. The secret gets refreshed when the user logs out. When the user logs in (using their email and password), the stored secret and token are returned to the client (React). React stores this data in local storage and when it needs to make a secure API call, it also sends the token and secret. The server API then authenticates and processes the request.

I have potentially 2 problems

  1. If the user fails to log out from the front end, then they remain logged in indefinitely; anyone accessing their browser can access the site.
  2. Currently there is no mechanism on the server to expire the secret.

The above problems seem to be the higher priority; however, if possible I would also like to build in a way for the user to keep the session open, i.e. if there is no interaction on the FE, I want a countdown to appear on the FE prompting the user to keep the session open.
Any views on a way forward please?

Code snippet here:

const crypto = require('crypto');
const bcrypt = require('bcrypt');
const { v4: uuidv4 } = require('uuid');

// account creation: token and secret are derived from a random UUID plus a server-side value from config
schemaObj.customerToken = crypto.createHash('sha1').update(uuidv4()).update(config.hidden.salt).digest('hex');
schemaObj.customerSecret = crypto.createHash('sha256').update(uuidv4()).update(config.hidden.secret).digest('hex');
// password is stored as a bcrypt hash, cost factor 10
schemaObj.password = bcrypt.hashSync(password, bcrypt.genSaltSync(10));

On all secure APIs, middleware exists that authenticates the secret:

productRoute.post('/updateProduct', customerAuth, (req, res) => {....} 

// client side (React): log in, then persist the returned credentials
axios.post('/api/login', formData).then((res) => {
  let { customerToken, customerSecret, isVerified } = res.data.data;

  localStorage.setItem("customerData", JSON.stringify({ customerToken, customerSecret }));
});

I think the second point is the answer to the first point. It seems like there should be a way to invalidate the secret after some conditions are met. What those should be exactly and how to do that I’m going to leave to you, because those policies aren’t up to me to decide and I’m not familiar with the code.