Is there a way to log the user in once, have a valid session for some days, then block access to the app until login again?

My app should be used in field work, where sometimes users don’t have an internet connection. I already have a login system that uses JWT, and every DB requisition uses this JWT validation, but the core of my app doesn’t need an immediate connection; all the data can be synchronized when a connection is established later.

Right now, when the user closes the app and reopens it, a request is sent to the DB to check if the user’s JWT token is still valid; if so, the user is logged in automatically. My problem is, without a connection the user can’t log in. I wonder if there is a way to deal with access locally in a way that checks for the time of the last login and blocks access after x times, but also in a way that the user can’t mess with, i.e. edit this data. Is there a strategy to accomplish what I need?

Not directly as you describe. The user has complete control over the environment your app runs in. The only time you could make this sort of decision is when the user reconnects, but I’m unclear on what you want to happen when the user disconnects, does offline work, and then reconnects.

I will try to explain a little better, I think of a scenario like this:

  1. The user logs in.
  2. The user goes offline and exits the app.
  3. The user enters the app again.
  4. The app detects the last time the login was made; if it has been less than 2 days, the user has access to the app’s features normally; if not, they will have to log in again.

I could not find any way to perform this functionality of item 4 in a “safe” way without the user being able to change it. I thought of a “trial edition software” mechanism, but I don’t know how it is done and unfortunately there are a lot of cracks for this kind of software depending on which one it is.

I can’t either. I have written a similar app, and when the user is offline, the app spools the work they do into on-device storage. When the user comes back online, the spooled work is uploaded to the server. It is at that point where you could theoretically require another login before the server will accept the spooled work, but there isn’t any way to prevent the user from doing offline stuff offline, because the user totally controls that environment.

1 Like
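
The server-side check suggested in the last reply, as an added example that is not part of the thread or either poster's app: the sync endpoint verifies the token signature and compares its login time against the server clock before storing spooled work. The function names, the demo key, the HS256 token with an `iat` claim and the choice of Python are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

MAX_SESSION_AGE = 2 * 24 * 3600       # the "2 days" window from the thread
SERVER_KEY = b"constructed-demo-key"  # constructed; the real key stays on the server

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head: str, body: str) -> bytes:
    # The algorithm is fixed here and never taken from the token header.
    return hmac.new(SERVER_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(user: str, now: int) -> str:
    """Login endpoint: sign the user and the server-side login time (iat)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user, "iat": now}).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

def accept_spooled_work(token: str, batch: list, now: int) -> dict:
    """Sync endpoint: `now` is the server clock, not a device-supplied time."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(head, body), b64d(sig)):
            return {"status": 401, "error": "bad_signature", "stored": 0}
        claims = json.loads(b64d(body))
        user, age = claims["sub"], now - int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return {"status": 401, "error": "malformed_token", "stored": 0}
    if age < 0 or age >= MAX_SESSION_AGE:
        # The client keeps the spooled batch and resends it after a fresh login.
        return {"status": 401, "error": "login_required", "stored": 0}
    return {"status": 200, "user": user, "stored": len(batch)}

if __name__ == "__main__":
    t0 = 1_700_000_000                    # constructed login time
    token = issue_token("field-user", t0)
    print(accept_spooled_work(token, [{"id": 1}], t0 + 3600))
    print(accept_spooled_work(token, [{"id": 1}], t0 + 3 * 86400))
```

Editing the `iat` value on the device invalidates the signature, so the expiry decision cannot be altered from the client; what the user does in the app while offline remains outside the server's control, as the replies above state.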