class OAuth2PasswordRequestForm:
    """
    This is a dependency class to collect the `username` and `password` as form data
    for an OAuth2 password flow.

    The OAuth2 specification dictates that for a password flow the data should be
    collected using form data (instead of JSON) and that it should have the specific
    fields `username` and `password`.

    All the initialization parameters are extracted from the request.

from docs_src.security.tutorial005_an import (
    app,
    create_access_token,
    fake_users_db,
    get_password_hash,
    verify_password,
)

client = TestClient(app)


def get_access_token(username="johndoe", password="secret", scope=None):
    data = {"username": username, "password": password}
    if scope:
        data["scope"] = scope
    response = client.post("/token", data=data)

            raise invalid_user_credentials_exc  # noqa: B904
        username, separator, password = data.partition(":")
        if not separator:
            raise invalid_user_credentials_exc
        return HTTPBasicCredentials(username=username, password=password)


class HTTPBearer(HTTPBase):
    """
    HTTP Bearer token authentication.

    ## Usage

    ```

Now, whenever a browser is creating a user with a password, the API will return the same password in the response.

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

!!! danger

    response = client.post(
        "/login",
        data={"username": "johndoe", "password": "secret", "grant_type": "password"},
    )
    assert response.status_code == 200
    assert response.json() == {
        "grant_type": "password",
        "username": "johndoe",
        "password": "secret",
        "scopes": [],
        "client_id": None,
        "client_secret": None,
    }

@needs_py39
def test_verify_password():
    from docs_src.security.tutorial005_py39 import fake_users_db, verify_password

    assert verify_password("secret", fake_users_db["johndoe"]["hashed_password"])


@needs_py39
def test_get_password_hash():
    from docs_src.security.tutorial005_py39 import get_password_hash

    assert get_password_hash("secretalice")


@needs_py39

## Password hashing

"Hashing" means converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.

Whenever you pass exactly the same content (exactly the same password) you get exactly the same gibberish.

But you cannot convert from the gibberish back to the password.

### Why use password hashing

### 创建初始 Pydantic*模型*/模式

创建一个`ItemBase`和`UserBase`Pydantic*模型*（或者我们说“schema”）以及在创建或读取数据时具有共同的属性。

`ItemCreate`为 创建一个`UserCreate`继承自它们的所有属性（因此它们将具有相同的属性），以及创建所需的任何其他数据（属性）。

因此在创建时也应当有一个`password`属性。

但是为了安全起见，`password`不会出现在其他同类 Pydantic*模型*中，例如用户请求时不应该从 API 返回响应中包含它。

=== "Python 3.10+"

    ```Python hl_lines="1  4-6  9-10  21-22  25-26"
    {!> ../../../docs_src/sql_databases/sql_app_py310/schemas.py!}
    ```

                "UserCreate": {
                    "title": "UserCreate",
                    "required": ["email", "password"],
                    "type": "object",
                    "properties": {
                        "email": {"title": "Email", "type": "string"},
                        "password": {"title": "Password", "type": "string"},
                    },
                },
                "ValidationError": {

                "UserCreate": {
                    "title": "UserCreate",
                    "required": ["email", "password"],
                    "type": "object",
                    "properties": {
                        "email": {"title": "Email", "type": "string"},
                        "password": {"title": "Password", "type": "string"},
                    },
                },
                "ValidationError": {