In particular, this may be a good alternative to logic in a middleware.

For example, if you want to read or manipulate the request body before it is processed by your application.

/// danger

This is an "advanced" feature.

If you are just starting with **FastAPI** you might want to skip this section.

///

## Use cases { #use-cases }

Some use cases include:

* The **input model** needs to be able to have a password.
* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

      class: mermaid
      format: !!python/name:pymdownx.superfences.fence_code_format ''
  pymdownx.tilde: null
  pymdownx.blocks.admonition:
    types:
    - note
    - attention
    - caution
    - danger
    - error
    - tip
    - hint
    - warning
    - info
    - check
  pymdownx.blocks.details: null
  pymdownx.blocks.tab:
    alternate_style: true
  mdx_include: null

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

/// danger

Never store the plain password of a user or send it in a response like this, unless you know all the caveats and you know what you are doing.

///

## Add an output model { #add-an-output-model }

    val response2 = get(server.url("/"))
    assertThat(response2.body.string()).isEqualTo("A")
    assertThat(response2.header("Warning")).isNull()
  }

  @Test
  fun getHeadersRetainsCached200LevelWarnings() {
    server.enqueue(
      MockResponse
        .Builder()
        .addHeader("Warning: 299 test danger")

We are still using the same `OAuth2PasswordRequestForm`. It includes a property `scopes` with a `list` of `str`, with each scope it received in the request.

And we return the scopes as part of the JWT token.

/// danger

For simplicity, here we are just adding the scopes received directly to the token.

Und wir geben die Scopes als Teil des JWT-Tokens zurück.

/// danger | Gefahr

Der Einfachheit halber fügen wir hier die empfangenen Scopes direkt zum Token hinzu.

## 🥙 🤝 ⏮️ ↔

🔜, 🔀 🤝 *➡ 🛠️* 📨 ↔ 📨.

👥 ⚙️ 🎏 `OAuth2PasswordRequestForm`. ⚫️ 🔌 🏠 `scopes` ⏮️ `list` `str`, ⏮️ 🔠 ↔ ⚫️ 📨 📨.

& 👥 📨 ↔ 🍕 🥙 🤝.

/// danger

🦁, 📥 👥 ❎ ↔ 📨 🔗 🤝.

✋️ 👆 🈸, 💂‍♂, 👆 🔜 ⚒ 💭 👆 🕴 🚮 ↔ 👈 👩‍💻 🤙 💪 ✔️, ⚖️ 🕐 👆 ✔️ 🔁.

///

{* ../../docs_src/security/tutorial005.py hl[156] *}

## 📣 ↔ *➡ 🛠️* & 🔗

E nós retornamos os escopos como parte do token JWT.

/// danger | Cuidado

Para manter as coisas simples, aqui nós estamos apenas adicionando os escopos recebidos diretamente ao token.

Todavía estamos usando el mismo `OAuth2PasswordRequestForm`. Incluye una propiedad `scopes` con una `list` de `str`, con cada scope que recibió en el request.

Y devolvemos los scopes como parte del token JWT.

/// danger | Peligro

Para simplificar, aquí solo estamos añadiendo los scopes recibidos directamente al token.