That’s not a bug and not an issue.
It is there for a reason, if you would like to use a different authentication method (custom policy that already sets the ctx.state.user), then this part of the code will avoid the users permissions default authentication method.
As you can see there is a comment for it: // request is already authenticated in a different way.