The current logic would bypass the password check when the stored user information was younger than `refresh_expires_at`, which is a pretty long timeline.
