Zero chance this was an issue of an entire team not being smart enough to check - everyone who touched this would immediately understand it wasn't in the authenticated flow. This smells like bad requirements being delivered to the implementers.