/**
     * Long file names are supported flag.
     */
    int FLAGS2_LONG_FILENAMES = 0x0001;
    /**
     * Extended attributes are supported flag.
     */
    int FLAGS2_EXTENDED_ATTRIBUTES = 0x0002;
    /**
     * Security signatures are supported flag.
     */
    int FLAGS2_SECURITY_SIGNATURES = 0x0004;
    /**
     * Security signatures are required flag.
     */

In this example we are using the OAuth2 "password" flow.

This is appropriate when we are logging in to our own application, probably with our own frontend.

Because we can trust it to receive the `username` and `password`, as we control it.

Beautiful illustrations by <a href="https://www.instagram.com/ketrinadrawsalot" class="external-link" target="_blank">Ketrina Thompson</a>. 🎨

///

---

Imagine you are the computer / program 🤖 in that story.

While you are at the line, you are just idle 😴, waiting for your turn, not doing anything very "productive". But the line is fast because the cashier is only taking the orders (not preparing them), so that's fine.

So, all these are different origins:

* `http://localhost`
* `https://localhost`
* `http://localhost:8080`

Even if they are all in `localhost`, they use different protocols or ports, so, they are different "origins".

## Steps { #steps }

### Return the error { #return-the-error }

After detecting that the credentials are incorrect, return an `HTTPException` with a status code 401 (the same returned when no credentials are provided) and add the header `WWW-Authenticate` to make the browser show the login prompt again:

/// tip

All this might seem contrived. And it might not be very clear how is it useful yet.

These examples are intentionally simple, but show how it all works.

In the chapters about security, there are utility functions that are implemented in this same way.

If you understood all this, you already know how those utility tools for security work underneath.

            "No mapping between account names and security IDs was done.", "The security ID structure is invalid.",
            "All pipe instances are busy.", "All pipe instances are busy.", "The pipe state is invalid.", "All pipe instances are busy.",
            "No process is on the other end of the pipe.", "The pipe is being closed.",

/// tip

You might remember that request bodies are also declared with Pydantic models.

Here **FastAPI** won't get confused because you are using `Depends`.

///

/// check

The way this dependency system is designed allows us to have different dependencies (different "dependables") that all return a `User` model.

We are not restricted to having only one dependency that can return that type of data.

If we had declared `-> HeroPublic`, your editor and linter would complain (rightfully so) that you are returning a `Hero` instead of a `HeroPublic`.

# Advanced Security { #advanced-security }

## Additional Features { #additional-features }

There are some extra features to handle security apart from the ones covered in the [Tutorial - User Guide: Security](../../tutorial/security/index.md){.internal-link target=_blank}.

/// tip

The next sections are **not necessarily "advanced"**.

And it's possible that for your use case, the solution is in one of them.

///