trying to redirect_to controller users/session action new as JS, but get back 422 error due to forgery protection

custom_failure.rb

class CustomFailureApp < Devise::FailureApp
  def redirect
    store_location!
    message = warden.message || warden_options[:message]
    puts("Messages from Warden: #{message}")
    case message
    when  :timeout
      redirect_to root_path
    when :unconfirmed     
      redirect_to new_user_session_path(format: :js)
    else 
      super
    end
  end
end

sessions_controller.rb

# frozen_string_literal: true

class Users::SessionsController < Devise::SessionsController
  before_action :configure_sign_in_params, only: [:create, :new]
  # Without the next line i get back err 422 due to forgery protection, 
  # with it i get the full text of javascript code rendered instead of the executed JS code
  protect_from_forgery except: :new

  # GET /resource/sign_in
  def new
    self.resource = resource_class.new(sign_in_params)
    clean_up_passwords(resource)
    respond_to do |f|
      f.js { render layout: false }
      f.html { respond_with(resource, serialize_options(resource)) }
    end
  end

  # POST /resource/sign_in
  def create
    super
  end

  protected

    # If you have extra params to permit, append them to the sanitizer.
    def configure_sign_in_params
      devise_parameter_sanitizer.permit(:sign_in) do |user_params|
        user_params.permit(:username, :password, :remember_me)
      end
    end

end