Generic oauth login in grafana workflow

I am working on some modifications to the generic oauth flow, so I am trying to understand the workflow of the Grafana generic oauth:

I have checked the code; the entrance is:

func (hs *HTTPServer) registerRoutes() {

	r.Get("/login/:name", quota("session"), hs.OAuthLogin)

Here the path will turn out to be (for generic oauth):

And then the function will be called to save the oauth access token:

func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {

Correct me if I am wrong.

And what I want to confirm:

Do all authenticated users (using Grafana’s built-in user authentication, LDAP (without Auth proxy) or OAuth integration) get an internal short-lived token created to verify the authenticated user?

For generic oauth, when logging in, it will first use the auth code to get the auth access token, then use the access token to get the userinfo, use the userinfo to update the user in Grafana, and then create a new built-in Grafana short-lived token.

And in pkg/middleware/middleware.go

The function GetContextHandler: is it always called for each login page visit, and does it verify (via the inner function initContextWithXXX) whether the user is still authenticated or not?
If it finds the user is not authenticated, it will call WriteSessionCookie(ctx, "", -1), which will cause the user to be logged out.
I guess the code somewhere checks the cookie state, and if it finds the -1, it will log out, but I haven’t found the code/logic location yet.

Please help check whether the above understanding is correct or not, thanks.
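
Added example, not part of the original post and not Grafana's code: a stand-alone Go program showing what a call shaped like WriteSessionCookie(ctx, "", -1) does on the wire, assuming the -1 ends up as a negative MaxAge on a net/http cookie. The names writeSessionCookie, runDemo and example_session and the token value are hypothetical; the point is that the client drops the cookie on receipt of Max-Age=0, so the next request simply carries no session cookie.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
)

// writeSessionCookie is a hypothetical stand-in, not Grafana's function: a
// non-positive lifetime becomes MaxAge -1, which net/http sends as "Max-Age=0".
func writeSessionCookie(w http.ResponseWriter, value string, days int) {
	maxAge := -1
	if days > 0 {
		maxAge = days * 24 * 3600
	}
	http.SetCookie(w, &http.Cookie{Name: "example_session", Value: value,
		Path: "/", MaxAge: maxAge, HttpOnly: true})
}

// runDemo logs in, then requests a handler that clears the cookie. It returns
// the clearing header and the client's cookie count before and after it.
func runDemo() (cleared string, before, after int, err error) {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		writeSessionCookie(w, "tok123", 7) // constructed token value
	})
	mux.HandleFunc("/expired", func(w http.ResponseWriter, r *http.Request) {
		writeSessionCookie(w, "", -1)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	jar, _ := cookiejar.New(nil)
	client := &http.Client{Jar: jar}
	u, _ := url.Parse(srv.URL)
	resp, err := client.Get(srv.URL + "/login")
	if err != nil {
		return
	}
	resp.Body.Close()
	before = len(jar.Cookies(u))
	if resp, err = client.Get(srv.URL + "/expired"); err != nil {
		return
	}
	resp.Body.Close()
	return resp.Header.Get("Set-Cookie"), before, len(jar.Cookies(u)), nil
}

func main() { fmt.Println(runDemo()) }
```

With this behaviour the server needs no code that looks for a -1: a later request arrives without the cookie and is handled like any unauthenticated request.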