MarkUsProject · YheChen · May 21, 2026 · May 21, 2026 · May 22, 2026 · May 22, 2026
diff --git a/Changelog.md b/Changelog.md
@@ -29,6 +29,8 @@
 - Fixed `(hidden)` assignment labeling for assignments with `visible_on` and/or `visible_until` set (#7944)
 
 ### 🔧 Internal changes
+- Refactored `AuthenticationHelper#sign_in` to set session values directly instead of going through `MainController#login` (#7962)
+- Updated `MainController` specs to dispatch `post :login` directly in tests that assert on login's response, instead of relying on `sign_in`'s internal request (#7962)
 - Fixed flaky test `can bulk assign duplicated TAs to grade entry students` in `/spec/models/grade_entry_student_spec.rb` (#7958)
 - Added tests for `GroupsController` to fully cover `global_actions` (#7955)
 - Added tests for `graders_controller` to fully cover `grader_criteria_mapping` function (#7949)

diff --git a/spec/controllers/main_controller_spec.rb b/spec/controllers/main_controller_spec.rb
@@ -152,14 +152,15 @@
 
     context 'logging in during an LTI launch' do
       let(:lti) { create(:lti_deployment) }
+      let(:lti_redirect_url) { redirect_login_canvas_path }
 
       before do
-        cookies.encrypted.permanent[:lti_data] = JSON.generate({ lti_redirect: redirect_login_canvas_path })
+        cookies.encrypted.permanent[:lti_data] = JSON.generate({ lti_redirect: lti_redirect_url })
       end
 
       it 'redirects to redirect_login' do
-        sign_in instructor
-        expect(response).to redirect_to action: 'redirect_login', controller: 'canvas'
+        post :login, params: { user_login: instructor.user_name, user_password: 'a' }
+        expect(response).to redirect_to lti_redirect_url
       end
 
       context 'when logged in during lti launch' do
@@ -207,7 +208,7 @@
 
     context 'after logging in without remote user auth' do
       before do
-        sign_in student
+        post :login, params: { user_login: student.user_name, user_password: 'a' }
       end
 
       it_behaves_like 'student tests'
@@ -217,7 +218,7 @@
       before do
         env_hash = { HTTP_X_FORWARDED_USER: student.user_name }
         request.headers.merge! env_hash
-        sign_in student
+        post :login, params: { user_login: student.user_name, user_password: 'a' }
       end
 
       it_behaves_like 'student tests'
@@ -233,7 +234,7 @@
 
     context 'after logging in without remote user auth' do
       before do
-        sign_in ta
+        post :login, params: { user_login: ta.user_name, user_password: 'a' }
       end
 
       it_behaves_like 'ta tests'
@@ -243,7 +244,7 @@
       before do
         env_hash = { HTTP_X_FORWARDED_USER: ta.user_name }
         request.headers.merge! env_hash
-        sign_in ta
+        post :login, params: { user_login: ta.user_name, user_password: 'a' }
       end
 
       it_behaves_like 'ta tests'
@@ -259,7 +260,7 @@
 
     context 'after logging in without remote user auth' do
       before do
-        sign_in admin_user
+        post :login, params: { user_login: admin_user.user_name, user_password: 'a' }
       end
 
       it_behaves_like 'admin tests'
@@ -269,7 +270,7 @@
       before do
         env_hash = { HTTP_X_FORWARDED_USER: admin_user.user_name }
         request.headers.merge! env_hash
-        sign_in admin_user
+        post :login, params: { user_login: admin_user.user_name, user_password: 'a' }
       end
 
       it_behaves_like 'admin tests'

diff --git a/spec/support/authentication_helper.rb b/spec/support/authentication_helper.rb
@@ -1,9 +1,9 @@
 module AuthenticationHelper
   def sign_in(user)
-    real_controller = @controller
-    @controller = MainController.new
-    post :login, params: { user_login: user.user_name, user_password: 'x' }
-    @controller = real_controller
+    session[:auth_type] = 'local'
+    session[:real_user_name] = user.user_name
+    session[:timeout] = Settings.session_timeout.seconds.from_now.to_s
+    session[:has_warned] = false
   end
 
   def get_as(user, action, params: {}, format: nil, session: {})