4.3.0 to 4.4.0 breaks secondary user persisting in sessions

[KaraAJC]

Environment

• Ruby 2.4.3
• Rails 4.2.1
• Devise 4.4.1

Current behavior

When invoking the #simulate action for our admin to assist a customer by simulating their experience, the admin user was signed out, and the customer was signed in, but the admin user is not being persisted in sessions.

# admin_user_controller.rb

  def simulate
    customer = User.find params[:id]

    sign_in(:admin,  admin_user) unless current_admin_user
    sign_out(current_user)
    bypass_sign_in(customer)

# At this point we have a current_user AND current_admin_user
    redirect_to after_sign_in_path_for(customer)
# Here we lose current_admin_user
  end

When redirecting from the customer#simulate action to the user#dashboard path, current_admin_user is lost, and the banner is therefore, not shown.

/ customer_simulation_header.html.haml

- if current_admin_user
  .l--container.background--yellow
    = "You are simulating #{ current_user.full_name }"
    = link_to "Stop simulating", destroy_user_session_path,
      class: "button button--secondary", method: :delete

Because it's not shown, the only option is to "logout" entirely, and lose the admin and the customer sessions.

Before upgrading devise from 4.3.0 to 4.4.0, We were able to persist a current_admin_user, and see the above banner on each page the admin navigated to.

Does anyone have ideas, or similar experiences?

[tegon]

Hello @KaraAJC, thanks for your report.

Maybe it's because we started validating the user inside Trackable 🤔
Can you test without the code introduced on #4674?
BTW, we are going to stop running those validations on #4796, so if that's the problem it's going to fixed soon.

[KaraAJC]

that was indeed the problem! I tested my code on commit ce04142 and it was working, then again on the commit from #4674, and it broke. It worked again when I worked with the commit from #4796.

Thanks so much for the help!
Let me know if there's any further documentation that might be useful for this case.