The base_controller will actually pass in a password but it can‘t be trusted. REMOTE_USER must only be set if the web server has verified the password.

This is only called by the legacy controller and should be removed as soon as all clients have been ported.