Devise returns unauthorized (401) when the user has timed out, even with skip_before_action :authenticate_user!
Environment
- Ruby 2.5.1
- Rails 5.2.4.2
- Devise 4.7.1
Current behavior
I have a controller, which uses skip_before_action :authenticate_user! It works when no user is logged in. However, when a user is logged in and it times out, it returns unauthorized instead of skipping authentication.
Sample code:
```ruby
class PagesController < ::ApiController
  skip_before_action :authenticate_user!

  def index
    @pages = policy_scope(Page)
  end
end

class ApiController < ActionController::API
  include Pundit

  before_action :authenticate_user!
  after_action :verify_authorized, except: :index
  after_action :verify_policy_scoped, only: :index
end

class User < ApplicationRecord
  devise :database_authenticatable, :omniauthable, :validatable, :timeoutable
end
```
And this is the spec that fails:
```ruby
RSpec.describe 'Getting existing pages', type: :request do
  context 'when logged user is expired' do
    let(:user) { create(:user) }

    before do
      allow(user).to receive(:timedout?).and_return true
      login_as(user, scope: :user)
    end

    it 'returns pages' do
      get pages_path
      expect(response).to have_http_status(:ok)
    end
  end
end
```
Expected behavior
Always skip user authentication when skip_before_action :authenticate_user! is used, even if the user has timed out.
This issue has gone stale but it is still relevant. What do we need to get this moving?