fix(review): drop dead redact_path entries and unreachable exp.nil? branch

REDACTED_TOKEN_PREFIXES listed /user_management/sessions/authorize and
/user_management/sessions/logout, but those URLs are built client-side
by UserManagement#get_logout_url / the OAuth authorize-URL helper and
never flow through BaseClient#execute, so redact_path is never invoked
for them. Even if they were, the URLs carry their identifiers as query
parameters, not path segments, and the start_with?("#{prefix}/") guard
requires a trailing path segment. Remove the two dead entries — the
overstated coverage in the prior commit body did not match the wire.

In Session#authenticate, decode_jwt now passes required_claims: ["exp"],
so a token missing the claim raises JWT::MissingRequiredClaim (a
JWT::DecodeError subclass) and is caught by the existing rescue. The
decoded["exp"].nil? half of the is_expired guard is therefore
unreachable; drop it so future readers aren't misled about when exp can
be absent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: gjtorikian

lib/workos/base_client.rb

@@ -193,8 +193,6 @@ def shutdown
       /user_management/magic_auth
       /user_management/password_reset
       /user_management/email_verification
-      /user_management/sessions/authorize
-      /user_management/sessions/logout
     ].freeze
     private_constant :REDACTED_TOKEN_PREFIXES
 

lib/workos/session.rb

@@ -65,7 +65,7 @@ def authenticate(include_expired: false, &claim_extractor)
         return SessionManager::AuthError.new(authenticated: false, reason: SessionManager::INVALID_JWT)
       end
 
-      is_expired = decoded["exp"].nil? || decoded["exp"] < Time.now.to_i
+      is_expired = decoded["exp"] < Time.now.to_i
 
       SessionManager::AuthSuccess.new(
         authenticated: !is_expired,