The /auth/session endpoint checks only for the presence of session.user to validate Google sessions (auth.routes.js:206-213), but never verifies that the Google access token is still valid. Google access tokens expire in ~1 hour. After expiry, a user's session stays marked as authenticated: true for the full 7-day session TTL with no way to detect or force re-authentication.
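The presence-only check described above, next to a check that also tracks token expiry. This is an added example, not the project's code from auth.routes.js; the function names, the session.google field, and the sample values are assumptions made for illustration.

```javascript
// Added example: every name except session.user is an assumption.
const SKEW_MS = 60 * 1000; // treat tokens as expired one minute early

// Called at login: store when the access token stops being valid.
// `expires_in` (seconds) is the standard OAuth 2.0 token response field.
function recordGoogleLogin(session, user, tokenResponse, now = Date.now()) {
  session.user = user;
  session.google = {
    accessToken: tokenResponse.access_token,
    expiresAt: now + tokenResponse.expires_in * 1000,
  };
  return session;
}

// Behaviour described in the report: presence of session.user is enough.
function sessionStatusPresenceOnly(session) {
  return { authenticated: Boolean(session && session.user) };
}

// Hardened check: the session is authenticated only while the token is live.
function sessionStatusWithExpiry(session, now = Date.now()) {
  if (!session || !session.user) {
    return { authenticated: false, reason: 'no_session' };
  }
  const expiresAt = session.google && session.google.expiresAt;
  if (!Number.isFinite(expiresAt)) {
    // Fail closed: a session with no recorded expiry cannot be trusted.
    return { authenticated: false, reason: 'no_token_expiry' };
  }
  if (now >= expiresAt - SKEW_MS) {
    return { authenticated: false, reason: 'token_expired' };
  }
  return { authenticated: true, expiresInMs: expiresAt - now };
}

// Constructed sample: login at t0, then checks 10 minutes and 2 hours later.
function demo() {
  const t0 = Date.UTC(2024, 0, 1, 12, 0, 0);
  const session = recordGoogleLogin({}, { id: 'u1' },
    { access_token: 'constructed-token', expires_in: 3600 }, t0);
  const later = t0 + 2 * 60 * 60 * 1000;
  return {
    fresh: sessionStatusWithExpiry(session, t0 + 10 * 60 * 1000),
    staleOld: sessionStatusPresenceOnly(session),
    staleNew: sessionStatusWithExpiry(session, later),
  };
}
```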