girder / girder-oauth-client

A TypeScript library for performing OAuth login to a Girder 4 (Django) server.


Expired/revoked tokens are not cleared

dchiquito opened this issue · comments

If a token ever expires, I don't see any code that would gracefully handle cleaning up and logging out. OauthClient will still load the expired token and act as if it is valid. An end user would have to recognize that requests to the backend were not authenticating, and then manually log out of the site and log back in again.

As the symptoms of an expired or revoked token are implementation-specific, this might be a problem that has to be solved individually by each consumer of this library.

If it's expired at the time of calling maybeRestoreLogin, I think this library can detect that and use the refresh token (which we also possess) to get a new access token (the one needed for REST API access) before the function returns.

If the token expires while the app is in use (e.g. someone left the site open in a tab overnight), I don't think this library can directly prevent an error from occurring, but it should provide a better API to force a refresh.

This is higher priority; I'll try to address it soon.
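One possible shape for the refresh-on-restore behaviour discussed in the comments above, as an added TypeScript example that is not code from girder-oauth-client. `restoreLogin`, `TokenStorage`, `RefreshFn` and `MemoryStorage` are hypothetical names, and the refresh callback is assumed to resolve to `null` when the server rejects the grant (expired or revoked) and to throw on transport errors.

```typescript
// Added example (not the library's code): restore-time expiry check with a refresh fallback.
interface StoredToken {
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // epoch milliseconds
}

interface TokenStorage {
  load(): StoredToken | null;
  save(t: StoredToken): void;
  clear(): void;
}

// Exchanges the refresh token for a new token set; resolves to null when the server
// rejects the grant. Transport errors should throw so a flaky network does not log the user out.
type RefreshFn = (refreshToken: string) => Promise<StoredToken | null>;

// Treat the token as stale slightly early so a request sent right after restore is not rejected.
const EXPIRY_MARGIN_MS = 30_000;

function isExpired(t: StoredToken, now: number = Date.now()): boolean {
  return t.expiresAt - EXPIRY_MARGIN_MS <= now;
}

// Hypothetical maybeRestoreLogin replacement: returns a usable token, refreshing a stale one
// first, and clears storage (an explicit logout) when the refresh is rejected.
async function restoreLogin(storage: TokenStorage, refresh: RefreshFn,
                            now: number = Date.now()): Promise<StoredToken | null> {
  const stored = storage.load();
  if (stored === null) return null;
  if (!isExpired(stored, now)) return stored;
  const renewed = await refresh(stored.refreshToken);
  if (renewed === null) {
    storage.clear(); // rejected grant: stop acting as if logged in
    return null;
  }
  storage.save(renewed);
  return renewed;
}

// In-memory storage for a stand-alone run (constructed; a browser client would persist it).
class MemoryStorage implements TokenStorage {
  private token: StoredToken | null;
  constructor(initial: StoredToken | null = null) { this.token = initial; }
  load() { return this.token; }
  save(t: StoredToken) { this.token = t; }
  clear() { this.token = null; }
}
```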