protect_from_forgery error not manifesting in test environment

I recently added a before_action before protect_from_forgery

before_action :set_locale

protect_from_forgery with: :exception

This causes an exception when a user tries to log in with devise.

the fix is simple (protect from forgery before doing other actions)

before_action :set_locale

protect_from_forgery with: :exception, prepend: true

however - what concerns me is that the bug triggered an exception in production which was not caught in test.

steps to trigger the bug are

  1. create an account

  2. log out

  3. sign in

I test this explicitly in an rspec capybara test using chrome with javascript enabled.

In the test, I don’t get the exception.

can anyone explain why?




thank you