Here’s one way I was able to do it:
>> ApplicationController.allow_forgery_protection = false
>> app.post('/sign_in', {"user"=>{"login"=>"login", "password"=>"password"}})
Then you can do:
>> app.get '/some_other_path_that_only_works_if_logged_in'
>> pp app.response.body