@jsdalton gave an awesome report of the issue present in test_mode in #1033.
The current implementation of mock_call was verifying the token for all requests, regardless of whether the current path is on the omniauth request path. The change was introduced recently in 1b784ff. See #1032 for details.
This creates two problems:
- When test mode is on, the authenticity verification logic is run inappropriately against requests where this may not even be wanted.
- The behavior varies from actual production behavior, potentially allowing bugs to be introduced by unwary developers.
Note that this bug was only present when OmniAuth was configured for test_mode and using the mock_call phases.
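
A toy model of the scoping difference described above, added here as an illustration: it is not OmniAuth's code. `ToyStrategy`, `VALIDATOR`, the paths and the token values are constructed assumptions.

```ruby
# Toy model only: hypothetical names, not OmniAuth's implementation.
class InvalidToken < StandardError; end

REQUEST_PATH = '/auth/example' # constructed request path for the toy strategy

# Stand-in for the configured authenticity check: rejects a missing or wrong token.
VALIDATOR = lambda do |env|
  raise InvalidToken, 'invalid authenticity token' unless env[:token] == 'good'
end

class ToyStrategy
  # scoped: false models the behaviour before the fix, true the behaviour after it.
  def initialize(scoped:)
    @scoped = scoped
  end

  def on_request_path?(env)
    env[:path] == REQUEST_PATH
  end

  # Returns :mock_request, :passed_to_app or :failure.
  def mock_call(env)
    VALIDATOR.call(env) unless @scoped # before: token checked on every request
    if on_request_path?(env)
      VALIDATOR.call(env) if @scoped   # after: token checked only on the request path
      return :mock_request
    end
    :passed_to_app
  rescue InvalidToken
    :failure
  end
end

# Constructed sample requests: an unrelated application route with no token,
# and the request path without and with a valid token.
SAMPLES = [
  { path: '/widgets',   token: nil },
  { path: REQUEST_PATH, token: nil },
  { path: REQUEST_PATH, token: 'good' }
].freeze

def outcomes(strategy)
  SAMPLES.map { |env| strategy.mock_call(env) }
end

BEFORE = outcomes(ToyStrategy.new(scoped: false))
AFTER  = outcomes(ToyStrategy.new(scoped: true))
```

In the unscoped variant the request to `/widgets` fails the token check even though it never touches the request path; in the scoped variant it passes through to the application, while a tokenless request to the request path is still rejected.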