fix: return null user when access token is expired in withAuth (#32)

Author: nicknisi

src/auth.spec.ts

@@ -411,19 +411,13 @@ describe('auth', () => {
       const result = await withAuth(createMockRequest('wos-session=expired-session-data'));
 
       // Should warn about expired token
-      expect(consoleWarnSpy).toHaveBeenCalledWith('Access token expired for user');
+      expect(consoleWarnSpy).toHaveBeenCalledWith(
+        '[AuthKit] Access token expired. Ensure authkitLoader is used in a parent/root route to handle automatic token refresh.',
+      );
 
-      // Result should still contain user info
+      // Result should return null user when token is expired
       expect(result).toEqual({
-        user: mockSession.user,
-        sessionId: mockClaims.sessionId,
-        organizationId: mockClaims.organizationId,
-        role: mockClaims.role,
-        permissions: mockClaims.permissions,
-        entitlements: mockClaims.entitlements,
-        featureFlags: mockClaims.featureFlags,
-        impersonator: undefined,
-        accessToken: mockSession.accessToken,
+        user: null,
       });
 
       consoleWarnSpy.mockRestore();

src/auth.ts

@@ -57,7 +57,12 @@ export async function withAuth(args: LoaderFunctionArgs): Promise<UserInfo | NoU
   if (Date.now() >= exp * 1000) {
     // The access token is expired. This function does not handle token refresh.
     // Ensure that token refresh is implemented in the parent/root loader as documented.
-    console.warn('Access token expired for user');
+    console.warn(
+      '[AuthKit] Access token expired. Ensure authkitLoader is used in a parent/root route to handle automatic token refresh.',
+    );
+    return {
+      user: null,
+    };
   }
 
   return {