Greptile Summary

This PR adds session expiry enforcement to JWT-based authentication in three code paths — console cookie auth (general.php), realtime WebSocket connections (connection.php), and HTTP request auth (request.php) — so that sessions whose expire timestamp has passed are now rejected rather than treated as valid.

• general.php: refactors the $sessionExists check to store the found session document and adds an expire >= now guard; sessions without an expire attribute remain valid.
• connection.php & request.php: apply the same pattern in the inverse form (clear $user when session not found or when expire is set and already passed), using DatabaseDateTime (same Utopia\\Database\\DateTime class, different alias).
• The expiry comparisons in all three files pass the stored attribute value through a redundant new \\DateTime() → format() → formatTz() round-trip; a direct formatTz($expire) call would be cleaner and avoids the silent "now" fallback if the attribute value is ever null.

Confidence Score: 4/5

The core logic is correct and the three changed paths are consistent with each other; the main concern is a minor implementation choice in how the expiry timestamp is normalized before comparison.

The expiry-check logic is equivalent across all three files and the auth flow correctly rejects expired sessions. The only findings are the unnecessary round-trips through new \DateTime() and format() before formatTz(), which add noise and carry a subtle null-fallback risk, but are unlikely to cause a real defect given that Appwrite stores well-formed datetime strings.

All three changed files contain the same redundant date-normalisation pattern; no single file needs special attention beyond the others.

Important Files Changed

_{Reviews (1): Last reviewed commit: "fix the controllers" | Re-trigger Greptile}