@nicknisi nicknisi commented Aug 4, 2025

Summary

  • Fixes redirect behavior when session refresh fails to preserve the user's intended destination
  • Aligns behavior with authkit-nextjs implementation
  • Improves user experience by maintaining context after re-authentication

Problem

When a session refresh fails (e.g., due to an expired refresh token), the current implementation redirects users to / before sending them to re-authenticate. This causes users to lose their intended destination URL.

For example:

  1. User is on /protected/resource
  2. Session expires and refresh fails with invalid_grant error
  3. User is redirected to /
  4. Then redirected to WorkOS auth
  5. After authentication, user returns to / instead of /protected/resource

Solution

Changed the redirect behavior to go directly to the authorization URL with the return pathname preserved, matching how authkit-nextjs handles this scenario.

Test Plan

  • Updated existing test to verify return pathname is preserved
  • All tests pass
  • Manually tested in example app

Breaking Changes

This changes the default behavior when session refresh fails. Apps that were relying on the redirect to / will now see users redirected directly to auth with their return path preserved. This is generally a better UX, but it is a behavior change.

Fixes the issue reported in customer feedback where users lose their place in the app when their session expires.

@greptile-apps greptile-apps bot left a comment

Greptile Summary

This PR fixes a user experience issue in the session refresh failure flow by preserving the user's intended destination URL. Previously, when session refresh failed (typically due to expired refresh tokens), the code would redirect users to the root path / before sending them to re-authenticate, causing them to lose their original destination.

The change modifies the session refresh error handling in src/session.ts to extract the return pathname from the request URL using the existing getReturnPathname helper and pass it directly to getAuthorizationUrl. This ensures that after successful re-authentication, users are returned to their original destination rather than the homepage. The implementation leverages existing infrastructure - the getReturnPathname function already handles pathname and query parameter extraction, and getAuthorizationUrl already supports encoding the return path in the state parameter.

This change aligns the React Router implementation with the authkit-nextjs behavior, providing consistency across WorkOS authentication libraries. The modification is straightforward and uses well-established patterns within the codebase, replacing a simple redirect to / with a more sophisticated flow that maintains user context.

Confidence score: 5/5

  • This PR is safe to merge with minimal risk as it improves user experience through a well-tested change
  • Score reflects the use of existing helper functions, comprehensive test coverage, and alignment with established patterns from the Next.js implementation
  • No files require special attention as the change is localized and well-tested

2 files reviewed, no comments
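
The flow discussed in this thread, as an added example that is not part of the pull request or the library's source: the return path travels through the `state` parameter, so the callback side should treat it as untrusted and accept only a same-origin relative path. The function names, the JSON state format and the `example.test` hosts are assumptions made for illustration.

```typescript
// Added example: hypothetical helpers, not the library's own code.
const AUTH_ENDPOINT = "https://auth.example.test/authorize"; // constructed placeholder

// Keep only path + query of the request the user was making; never the origin.
function returnPathnameFrom(requestUrl: string): string {
  const url = new URL(requestUrl);
  return url.pathname + url.search;
}

// Carry the return path through the auth round trip in the `state` parameter
// (JSON encoding is an assumption for this example).
function authorizationUrlFor(requestUrl: string): string {
  const auth = new URL(AUTH_ENDPOINT);
  const state = JSON.stringify({ returnPathname: returnPathnameFrom(requestUrl) });
  auth.searchParams.set("state", state);
  return auth.toString();
}

// On callback, `state` is caller-controlled input: accept only a same-origin
// relative path, otherwise fall back to "/".
function safeReturnPath(state: string | null, appOrigin: string): string {
  if (!state) return "/";
  let candidate: unknown;
  try {
    candidate = JSON.parse(state).returnPathname;
  } catch {
    return "/"; // malformed or non-object state
  }
  if (typeof candidate !== "string" || !candidate.startsWith("/")) return "/";
  // "//host" and backslash forms can resolve to a different origin in browsers.
  if (candidate.startsWith("//") || candidate.includes("\\")) return "/";
  const resolved = new URL(candidate, appOrigin);
  return resolved.origin === new URL(appOrigin).origin
    ? resolved.pathname + resolved.search
    : "/";
}
```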

@nicknisi nicknisi requested a review from nholden August 4, 2025 16:41
@nicknisi nicknisi merged commit e49600d into main Aug 4, 2025
6 checks passed
@nicknisi nicknisi deleted the nicknisi/redirect-maintain-path branch August 4, 2025 19:06
@nicknisi nicknisi mentioned this pull request Aug 4, 2025