Ah yes, here we define public machine as shared computers. So user should have access to their information during their browser session, but session should not reactivate from refresh token if user is inactive for, say, 30 minutes.
We'll review the code and see how the Session management works. So far our main reference has been:
https://supertokens.com/blog/the-best-way-to-securely-manage-user-sessions, where it suggests session management technically has a fixed time (access token with a fixed expiry that can be refreshed from a refresh token with a long term, but still fixed expiry). But if the session management (perhaps built off the OAuth flow?) is based on usage then that's closer to our required behavior