* Protocol negotiation is only attempted for HTTPS URLs.
     *
     * [Protocol.HTTP_1_0] is not supported in this set. Requests are initiated with `HTTP/1.1`. If
     * the server responds with `HTTP/1.0`, that will be exposed by [Response.protocol].
     *
     * [alpn]: http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg
     * [rfc_2616]: http://www.w3.org/Protocols/rfc2616/rfc2616.html

2. **Thoughtful, honest feedback.** We will consider every contribution on its merits, regardless of whether AI was used. We may not respond quickly—our review queue is long—but we will tell you clearly what works, what needs to change, and why.

  private fun writeHttpResponse(
    socket: MockWebServerSocket,
    response: MockResponse,
  ) {
    socket.sleepWhileOpen(response.headersDelayNanos)
    socket.sink.writeUtf8(response.status)
    socket.sink.writeUtf8("\r\n")

    writeHeaders(socket.sink, response.headers)

    if (response.socketHandler != null) {
      response.socketHandler.handle(socket)
      return
    }

In this case the middleware will intercept the incoming request and respond with appropriate CORS headers, and either a `200` or `400` response for informational purposes.

### Simple requests { #simple-requests }

Any request with an `Origin` header. In this case the middleware will pass the request through as normal, but will include appropriate CORS headers on the response.

## More info { #more-info }

<img src="/img/tutorial/websockets/image01.png">

You can type messages in the input box, and send them:

<img src="/img/tutorial/websockets/image02.png">

And your **FastAPI** application with WebSockets will respond back:

<img src="/img/tutorial/websockets/image03.png">

You can send (and receive) many messages:

<img src="/img/tutorial/websockets/image04.png">

And all of them will use the same WebSocket connection.

If it doesn't see an `Authorization` header, or the value doesn't have a `Bearer ` token, it will respond with a 401 status code error (`UNAUTHORIZED`) directly.

You don't even have to check if the token exists to return an error. You can be sure that if your function is executed, it will have a `str` in that token.

  abstract class Listener {
    /**
     * Handle a new stream from this connection's peer. Implementations should respond by either
     * [replying to the stream][Http2Stream.writeHeaders] or [closing it][Http2Stream.close]. This
     * response does not need to be synchronous.
     *
     * Multiple calls to this method may be made concurrently.
     */
    @Throws(IOException::class)

When `authenticate_user` is called with a username that doesn't exist in the database, we still run `verify_password` against a dummy hash.

This ensures the endpoint takes roughly the same amount of time to respond whether the username is valid or not, preventing **timing attacks** that could be used to enumerate existing usernames.

/// note

    val response = call.execute()

    // Body contains nothing.
    assertThat(response.body.bytes().size).isEqualTo(0)
    assertThat(response.body.contentLength()).isEqualTo(0)

    // Content-Length header doesn't exist in a 204 response.
    assertThat(response.header("content-length")).isNull()
    assertThat(response.code).isEqualTo(204)
    val request = server.takeRequest()

    /**
     * Strips code fence markers from JSON response.
     *
     * @param response the response that may contain code fences
     * @return the response with code fences removed
     */
    protected String stripCodeFences(final String response) {
        if (response == null) {
            return "";
        }
        String stripped = response.trim();
        if (stripped.startsWith("```json")) {