api_controller is accepting any authorization header
Hi James.
I'm using your tutorial as reference to build a login system with rails and redis.
I've implemented it by copying all of your code. I created a controller that inherits from api_controller, so it's calling api_session_token_authenticate!
I'm sending POST requests to this controller, and I can see that it works well when it checks for the presence of an authorization header. However, if I send a request with a random authorization, it fails to retrieve the key from redis when calling the _retrieve_last_seen method, then it falls through to self.last_seen = Time.now, then it inserts the invalid token into redis and validates it, returning HTTP status 200 to the client.
I believe it should deny the access.
Regards!
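The failure mode described in the post, as an added example in Ruby (not the tutorial's code and not the commenter's): a hypothetical SessionToken class backed by a constructed in-memory stand-in for Redis, showing a lenient lookup that turns a Redis miss into a fresh session (and writes the unknown token back) beside a strict lookup that rejects any token Redis has never seen. Every name except last_seen is an assumption.

```ruby
require 'time'

# Constructed stand-in for the Redis client: a hash supporting only the
# get/set subset used below. Not a real Redis connection.
class FakeRedis
  def initialize; @store = {}; end
  def get(key); @store[key]; end
  def set(key, value); @store[key] = value.to_s; 'OK'; end
end

# Hypothetical session model that reproduces the behaviour reported in the
# post; it is not the tutorial's real class.
class SessionToken
  attr_reader :token, :last_seen

  def initialize(redis, token)
    @redis = redis
    @token = token
  end

  # VULNERABLE: on a Redis miss the token is treated as a new session,
  # last_seen defaults to Time.now and the unknown token is persisted, so
  # any random Authorization header is accepted (and stays accepted).
  def authenticate_lenient!
    raw = @redis.get("session:#{token}")
    @last_seen = raw ? Time.parse(raw) : Time.now
    @redis.set("session:#{token}", @last_seen.iso8601)
    true
  end

  # HARDENED: a token absent from Redis is rejected outright; only a
  # session created at login gets its last_seen refreshed.
  def authenticate_strict!
    raw = @redis.get("session:#{token}")
    return false unless raw # unknown or expired token: deny, never store it
    @last_seen = Time.parse(raw)
    @redis.set("session:#{token}", Time.now.iso8601)
    true
  end
end

# Constructed demo: one token issued at login, one the client made up.
def demo
  redis = FakeRedis.new
  redis.set('session:issued-token', Time.now.iso8601) # written at login
  strict  = SessionToken.new(redis, 'forged-token').authenticate_strict!
  lenient = SessionToken.new(redis, 'forged-token').authenticate_lenient!
  { strict_accepts_forged: strict, lenient_accepts_forged: lenient,
    forged_token_persisted: !redis.get('session:forged-token').nil? }
end
```

In a Rails before_action the strict variant's false return is where the controller would render a 401 instead of continuing; the only place a session key should ever be created is the login action.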