It's very nice that the gapi api is able to keep a user signed in, but I would like to understand how it does it.
In the developer docs it states that:
"Then, if the user has already signed in, the GoogleAuth object restores the user's sign-in state from the previous session."
The only way I know of doing this is by using a refresh token which is insecure if stored on the client.
How does the gapi-api achieve this?
I would refer to the sources, but I don't think they are open.
It calls the OAuth endpoint with prompt=none in a hidden iframe.
You're right that the libs are closed source, which is a great reason to not use them. It's not difficult to write your own OAuth implementation.
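The silent check described in the answer above, sketched as an added example (not gapi's code and not part of the original answer): it builds the prompt=none request a hidden iframe would load and validates the redirect it lands on, so no refresh token is kept on the client. It assumes the OAuth implicit flow with the result in the URL fragment; the client ID, redirect URI and function names are hypothetical.

```javascript
// Added example. Google's OAuth 2.0 authorization endpoint.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Fresh random value that ties a response to the request that caused it.
function randomState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// URL for the hidden iframe. prompt=none tells the provider to answer from
// its own session cookie and never show a login or consent screen.
function buildSilentAuthUrl({ clientId, redirectUri, scope, state }) {
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "token",
    scope,
    state,
    prompt: "none",
  }).toString();
  return url.toString();
}

// Validate the URL the iframe was redirected to before trusting anything in it.
function parseSilentAuthResponse(redirectedUrl, expectedState, expectedRedirectUri) {
  const url = new URL(redirectedUrl);
  const expected = new URL(expectedRedirectUri);
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { ok: false, reason: "unexpected_redirect" };
  }
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  const error = params.get("error");
  if (error) {
    // These OpenID Connect errors mean there is no usable session: fall back
    // to a visible sign-in instead of retrying silently.
    const needsInteractiveSignIn =
      ["login_required", "interaction_required", "consent_required"].includes(error);
    return { ok: false, reason: error, needsInteractiveSignIn };
  }
  const accessToken = params.get("access_token");
  if (!accessToken) return { ok: false, reason: "no_token" };
  return { ok: true, accessToken, expiresIn: Number(params.get("expires_in")) };
}
```

In a page, the parent would generate `state` with `randomState()`, load the URL in the hidden iframe, and accept the result only from its own origin.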