
Conversation

@nicknisi (Member) commented Aug 4, 2025

Summary

  • Changed withAuth to return { user: null } when access token is expired
  • Updated warning message to be more descriptive with [AuthKit] prefix
  • This prevents developers from accidentally using expired tokens

Problem

Users reported that withAuth returns expired access tokens with just a console warning, making it difficult to know the token is expired without manually decoding it. This leads to confusing errors downstream when the expired token is used with WorkOS APIs.

Solution

When the access token is expired, withAuth now returns { user: null } instead of returning the expired token data. This provides:

  • Consistent API: Expired auth is treated the same as no auth
  • Safe by default: No risk of using expired tokens
  • Simple mental model: Either you have valid auth or you don't
  • Backward compatible: Code checking if (auth.user) continues to work correctly

Test plan

  • Updated test to verify new behavior
  • All existing tests pass
  • Manual testing confirms expired tokens return null user

@greptile-apps (Contributor, bot) left a comment


Greptile Summary

This PR modifies the withAuth function in the AuthKit React Router library to handle expired access tokens more safely. Previously, when an access token was expired, withAuth would return the expired token data along with a console warning, allowing developers to accidentally use invalid tokens downstream.

The change updates the behavior so that when an access token is expired (determined by comparing the current timestamp against the token's exp claim), the function now returns { user: null } instead of the expired token data. This aligns the behavior with cases where no session exists at all, creating a consistent API where expired authentication is treated the same as no authentication.

The warning message has also been improved with an [AuthKit] prefix and more descriptive text that guides developers to ensure authkitLoader is used in a parent/root route for automatic token refresh handling.

This change integrates well with the existing codebase architecture where authentication state is checked via if (auth.user) patterns throughout applications. The modification maintains backward compatibility since existing conditional checks will continue to work correctly, but provides a safer default by preventing the accidental use of expired tokens that could cause confusing API errors downstream.

Confidence score: 4/5

  • This PR is safe to merge with low risk as it improves security and user experience
  • Score reflects well-tested changes with clear benefits, though it's a behavioral change that could affect some edge cases
  • Pay close attention to src/auth.ts to ensure the token expiration logic is correct

2 files reviewed, no comments
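The behaviour described in the PR summary and in the review above (compare the current time against the token's exp claim and return { user: null } when it has passed), modelled as an added TypeScript example. This is not the authkit-react-router source: the `SessionData` shape, `isAccessTokenExpired`, `makeSampleToken` and the exact warning wording are assumptions.

```typescript
// Added model of the expiry check described in this PR. Not the
// authkit-react-router source: the session shape and names are hypothetical.

interface SessionData {
  user: { id: string; email: string };
  accessToken: string;
}
// Either a live session or { user: null }; callers test `if (auth.user)`.
type AuthResult = SessionData | { user: null };

function base64UrlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Read exp from the JWT payload. The signature is not checked here: the
// model assumes it was verified when the session was established.
function isAccessTokenExpired(token: string, nowMs: number = Date.now()): boolean {
  try {
    const parts = token.split(".");
    if (parts.length !== 3) return true;
    const { exp } = JSON.parse(base64UrlDecode(parts[1])) as { exp?: unknown };
    // exp is seconds since the epoch (RFC 7519 NumericDate); a missing or
    // non-numeric exp is treated as expired, i.e. fail closed.
    return typeof exp !== "number" || Math.floor(nowMs / 1000) >= exp;
  } catch {
    return true; // undecodable token: fail closed
  }
}

// Hypothetical withAuth after the PR: expired auth looks exactly like no auth.
function withAuth(session: SessionData | null, nowMs: number = Date.now()): AuthResult {
  if (!session) return { user: null };
  if (isAccessTokenExpired(session.accessToken, nowMs)) {
    console.warn(
      "[AuthKit] Access token is expired; returning { user: null }. " +
        "Ensure authkitLoader runs in a parent/root route so tokens are refreshed.",
    );
    return { user: null };
  }
  return session;
}

// Constructed, unsigned (alg "none") token for the demo only.
function makeSampleToken(exp: number): string {
  const enc = (o: object) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "user_123", exp })}.`;
}
```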


- Changed withAuth to return { user: null } when access token is expired
- Updated warning message to be more descriptive
- This prevents developers from accidentally using expired tokens
- Consistent with how missing auth is handled
@nicknisi nicknisi force-pushed the nicknisi/withauth-expired branch from c536d03 to b21b1de August 4, 2025 19:21
@nicknisi nicknisi mentioned this pull request Aug 4, 2025
@nicknisi nicknisi merged commit 570fa0e into main Aug 5, 2025
6 checks passed
@nicknisi nicknisi deleted the nicknisi/withauth-expired branch August 5, 2025 01:03