How does @login_required ensure that the user is actually logged in?

Question

From looking at the code:

def login_required(func):
    def decorated_view(*args, **kwargs):
        if current_app.login_manager._login_disabled:
            return func(*args, **kwargs)
        elif not current_user.is_authenticated():
            return current_app.login_manager.unauthorized()
        return func(*args, **kwargs)
    return decorated_view

it handles 3 cases:

1. the login is disabled in the login manager
2. login is enabled but the user is not authenticated (anonymous user)
3. login is enabled and the user is authenticated (which is always True for 'User').

So which part of the code actually checks whether the user is actually logged in?

Answer 1

I can answer my own question actually: it's that if the user is not logged in, current_user is an anonymous user. The is_authenticated() can return False for anonymous users (not logged in) and True for actual users.