
In Ruby on Rails Restful Authentication, why does current_user check the HTTP username and password?

In Restful Authentication, lib/authenticated_system.rb, why does current_user do a login_from_basic_auth, which does an authenticate_with_http_basic, which is to check the HTTP user-provided login name and password?

I thought the login form is in /session/new (or /login), and then it POSTs to /session, which will go to the sessions controller, create action, and there it verifies the login name and password provided by the user.

This is line 8 of lib/authenticated_system.rb

def current_<%= file_name %>
  @current_user ||= (login_from_session
                      || login_from_basic_auth
                      || login_from_cookie) unless @current_user == false
end

So the question is, if the login name and password were previously verified, then why check them in current_user?


This function indicates that there are three ways to authenticate in your system:

  1. Using a POST request from /session/new or /login.
  2. Using BASIC HTTP authentication (a popup or URL provided username and password).
  3. Using a remember me cookie so that sessions can persist even when session cookies are destroyed or the browser is restarted.

Even though your basic login happens with a POST request from /session/new or /login, the only thing that POST request actually does is set the session user id (probably session[:user_id]). Once that session[:user_id] has been set, you no longer need to log in to perform a request, because you are authenticated. From this point forward the actual authentication happens by checking the session[:user_id] to see if someone has already logged in.

Here is a more detailed authentication lifecycle (for login):

  1. User visits /login.
  2. User enters password and username and submits form.
  3. Password is checked, if authenticated the session[:user_id] is set.
  4. User visits another page.
  5. To check if the user is authenticated, current_user is called.
  6. login_from_session is called and the user corresponding to session[:user_id] is returned.
  7. The user is considered authenticated.

Here is a more detailed authentication lifecycle (for HTTP BASIC authentication):

  1. A user visits http://username:password@www.example.com.
  2. To check if the user is authenticated, current_user is called.
  3. login_from_session is called, but session[:user_id] is nil, so nil is returned.
  4. login_from_basic_auth is called, and username:password is present, so the corresponding user is returned.
  5. The user is considered authenticated.

Here is a more detailed authentication lifecycle (remember me cookie):

  1. A user has previously logged in and chosen the 'remember me' option.
  2. A user closes their browser and then re-opens it and visits your site.
  3. login_from_session is called, but session[:user_id] is nil, so nil is returned.
  4. login_from_basic_auth is called, but username and password are missing, so nil is returned.
  5. login_from_cookie is called and a cookie is found and used to return a user.
  6. The user is considered authenticated.
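To make the three lifecycles above concrete, here is an added, stand-alone Ruby model of one request (my own code, not the plugin's lib/authenticated_system.rb) that runs the same login_from_session || login_from_basic_auth || login_from_cookie cascade against a constructed in-memory user table, including the `false` sentinel that stops a failed lookup from being retried within the request. USERS, AuthenticatedRequest and the auth_token cookie name are assumptions.

```ruby
require "digest"
# Constructed in-memory user table standing in for User.authenticate and
# User.find_by_id (assumption: not the plugin's own model).
USERS = { "alice" => { id: 1, password: "s3cret", remember_token: "tok-alice-123" } }.freeze

# Stand-in for the controller: one request's session, headers and cookies.
class AuthenticatedRequest
  attr_reader :session
  def initialize(session: {}, headers: {}, cookies: {})
    @session, @headers, @cookies = session, headers, cookies
  end
  # Same cascade as current_user in authenticated_system.rb. @current_user is
  # nil (not tried), a user, or false (tried and failed), so a failed lookup
  # is not repeated within the same request.
  def current_user
    @current_user ||= (login_from_session ||
                       login_from_basic_auth ||
                       login_from_cookie || false) unless @current_user == false
    @current_user || nil
  end

  private
  # 1. session[:user_id] was set by an earlier POST /session
  def login_from_session
    id = session[:user_id]
    USERS.values.find { |u| u[:id] == id } if id
  end
  # 2. Authorization: Basic base64(login:password), verified on every request
  def login_from_basic_auth
    header = @headers["Authorization"].to_s
    return nil unless header.start_with?("Basic ")
    login, password = header.delete_prefix("Basic ").unpack1("m").split(":", 2)
    user = USERS[login]
    return nil unless user && secure_equal(user[:password], password.to_s)
    session[:user_id] = user[:id] # promote to a session, as current_user= does
    user
  end
  # 3. remember-me cookie carrying a random token, never the password
  def login_from_cookie
    return nil unless (token = @cookies[:auth_token])
    user = USERS.values.find { |u| secure_equal(u[:remember_token], token) }
    session[:user_id] = user[:id] if user
    user
  end
  # Hash both sides first so == cannot leak length or prefix through timing.
  def secure_equal(a, b)
    Digest::SHA256.digest(a) == Digest::SHA256.digest(b)
  end
end
```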