This file, ./extensions/users-permissions/config/policies/permissions.js, for the token, has one bug, this line…
module.exports = async (ctx, next) => {
  let role;
  // always undefined --> ctx.state.user
  if (ctx.state.user) {
    // request is already authenticated in a different way
    return next();
  }
  (...)
It is there for a reason: if you would like to use a different authentication method (a custom policy that already sets ctx.state.user), then this part of the code will avoid the users-permissions default authentication method.
As you can see, there is a comment for it: // request is already authenticated in a different way.
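The behaviour described in the reply, as an added example that is not part of the original posts or of Strapi's code: a hypothetical custom policy runs first and sets ctx.state.user, so a simplified stand-in for the quoted policy takes the early return. The names customSessionPolicy, SESSIONS, run, demo, the x-session-id header and the authenticatedBy marker are assumptions made for this sketch.

```javascript
// Constructed sample data: opaque session ids issued by a hypothetical login service.
const SESSIONS = new Map([['constructed-session-id-001', { id: 7, username: 'alice' }]]);

// Hypothetical custom policy, ordered BEFORE the default one. It sets
// ctx.state.user only after the presented credential has been verified.
async function customSessionPolicy(ctx, next) {
  const sid = ctx.request.header['x-session-id'];
  const user = typeof sid === 'string' ? SESSIONS.get(sid) : undefined;
  if (user) ctx.state.user = user; // unknown or missing id: leave it undefined
  return next();
}

// Simplified stand-in for the quoted permissions.js policy. The real default
// path is elided on the page as (...); here it only records that it was reached.
async function permissionsPolicy(ctx, next) {
  if (ctx.state.user) {
    // request is already authenticated in a different way
    ctx.authenticatedBy = 'custom';
    return next();
  }
  ctx.authenticatedBy = 'default'; // placeholder for the elided default authentication
  return next();
}

// Minimal Koa-style runner: calls each policy in order with a next() callback.
async function run(policies, header) {
  const ctx = { request: { header }, state: {} };
  const dispatch = (i) =>
    i < policies.length ? policies[i](ctx, () => dispatch(i + 1)) : Promise.resolve();
  await dispatch(0);
  return ctx;
}

async function demo() {
  const chain = [customSessionPolicy, permissionsPolicy];
  return {
    // No earlier policy: ctx.state.user is undefined, so the default path runs.
    alone: await run([permissionsPolicy], {}),
    // Valid session: the custom policy set the user, the default path is skipped.
    valid: await run(chain, { 'x-session-id': 'constructed-session-id-001' }),
    // Unknown session id: nothing is set, so the default path still runs.
    bogus: await run(chain, { 'x-session-id': 'not-a-real-session' }),
  };
}

demo().then((r) => console.log(r.alone.authenticatedBy, r.valid.authenticatedBy, r.bogus.authenticatedBy));
```

Because the early return skips the default authentication entirely, whatever sets ctx.state.user has to have verified the credential itself.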