Whitelisting was broken in test session. When a request is whitelisted, `allow` gets called directly, but because of the `set_user` call, that throws an error because the session hasn't been properly set up. I think a better place to inject the fake user is overriding `login` to use the injected user.