`secrets.compare_digest()` needs to take `bytes` or a `str` that only contains ASCII characters (the ones in English), this means it wouldn't work with characters like `á`, as in `Sebastián`.

To handle that, we first convert the `username` and `password` to `bytes` encoding them with UTF-8.

Then we can use `secrets.compare_digest()` to ensure that `credentials.username` is `"stanleyjobson"`, and that `credentials.password` is `"swordfish"`.

### Is concurrency better than parallelism?

Nope! That's not the moral of the story.

Concurrency is different than parallelism. And it is better on **specific** scenarios that involve a lot of waiting. Because of that, it generally is a lot better than parallelism for web application development. But not for everything.

So, to balance that out, imagine the following short story:

  //
  // The value of this field can be more than 100, implying that this
  // priority level can borrow a number of seats that is greater than
  // its own nominal concurrency limit (NominalCL).
  // When this field is left `nil`, the limit is effectively infinite.
  // +optional
  optional int32 borrowingLimitPercent = 4;
}

// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the

  HttpUrl baseUrl = server.url("/v1/chat/");

  // Exercise your application code, which should make those HTTP requests.
  // Responses are returned in the same order that they are enqueued.
  Chat chat = new Chat(baseUrl);

  chat.loadMore();
  assertEquals("hello, world!", chat.messages());

  chat.loadMore();
  chat.loadMore();
  assertEquals(""
      + "hello, world!\n"
      + "sup, bra?\n"

  // seLinux is the strategy that will dictate the allowable labels that may be set.
  optional SELinuxStrategyOptions seLinux = 10;

  // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
  optional RunAsUserStrategyOptions runAsUser = 11;

  // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.

Routes are declared in a single place, using functions declared in other places (instead of using decorators that can be placed right on top of the function that handles the endpoint). This is closer to how Django does it than to how Flask (and Starlette) does it. It separates in the code things that are relatively tightly coupled.

You probably want to test the external provider once, but not necessarily call it for every test that runs.

In this case, you can override the dependency that calls that provider, and use a custom dependency that returns a mock user, only for your tests.

### Use the `app.dependency_overrides` attribute

We also verify that we have a user with that username, and if not, we raise that same exception we created before.

{* ../../docs_src/security/tutorial005_an_py310.py hl[47,117:128] *}

## Verify the `scopes`

We now verify that all the scopes required, by this dependency and all the dependants (including *path operations*), are included in the scopes provided in the token received, otherwise raise an `HTTPException`.

//
// <decimalSI>       ::= m | "" | k | M | G | T | P | E
//
// 	(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
//
// <decimalExponent> ::= "e" <signedNumber> | "E" <signedNumber>
// ```
//
// No matter which of the three exponent forms is used, no quantity may represent
// a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal
// places. Numbers larger or more precise will be capped or rounded up.

* `Field(index=True)` tells SQLModel that it should create a **SQL index** for this column, that would allow faster lookups in the database when reading data filtered by this column.

    SQLModel will know that something declared as `str` will be a SQL column of type `TEXT` (or `VARCHAR`, depending on the database).