t.Fatalf("CreateInBatches failed: %v", err)
	}

	userIds := []uuid.UUID{}
	if err := gorm.G[User](DB).Select("name").Where("id in ?", []uint{users[0].ID, users[1].ID, users[2].ID}).Order("age").Scan(ctx, &userIds); err != nil || len(users) != 3 {
		t.Fatalf("Scan failed: %v, userids %v", err, userIds)
	}

<img src="/img/tutorial/security/image05.png">

### Get your own user data { #get-your-own-user-data }

Now use the operation `GET` with the path `/users/me`.

You will get your user's data, like:

```JSON
{
  "username": "johndoe",
  "email": "******@****.***",
  "full_name": "John Doe",
  "disabled": false,
  "hashed_password": "fakehashedsecret"
}
```

        cb.query().addOrderBy_Name_Asc();

        // search

    }

    /**
     * Retrieves a list of all available users in the system.
     * Returns up to the maximum configured number of users.
     *
     * @return a list of all available users
     */
    public List<User> getAvailableUserList() {
        return userBhv.selectList(cb -> {
            cb.query().matchAll();

* The browser thinks it's not sending JSON (because of the missing `Content-Type` header).

Then the malicious website could make the local AI agent send angry messages to the user's ex-boss... or worse. 😅

## Open Internet { #open-internet }

If your app is in the open internet, you wouldn't "trust the network" and let anyone send privileged requests without authentication.

### Why use password hashing { #why-use-password-hashing }

If your database is stolen, the thief won't have your users' plaintext passwords, only the hashes.

So, the thief won't be able to try to use that password in another system (as many users use the same password everywhere, this would be dangerous).

## Install `pwdlib` { #install-pwdlib }

pwdlib is a great Python package to handle password hashes.

So, let's review it from that simplified point of view:

* The user types the `username` and `password` in the frontend, and hits `Enter`.
* The frontend (running in the user's browser) sends that `username` and `password` to a specific URL in our API (declared with `tokenUrl="token"`).
* The API checks that `username` and `password`, and responds with a "token" (we haven't implemented any of this yet).

    }

    /**
     * Performs a chat request with RAG.
     *
     * @param sessionId the session ID (can be null for new sessions)
     * @param userMessage the user's message
     * @param userId the user ID (can be null for anonymous users)
     * @return the chat response including session info and sources
     */
    public ChatResult chat(final String sessionId, final String userMessage, final String userId) {

		t.Fatalf("Should find index for user's name after rename")
	}

	if err := DB.Migrator().DropIndex(&IndexStruct{}, "idx_users_name_1"); err != nil {
		t.Fatalf("Failed to drop index for user's name, got err %v", err)
	}

	if DB.Migrator().HasIndex(&IndexStruct{}, "idx_users_name_1") {
		t.Fatalf("Should not find index for user's name after delete")
	}
}

     * Detects the intent of a user message.
     *
     * @param userMessage the user's message
     * @return the detected intent with extracted keywords
     */
    IntentDetectionResult detectIntent(String userMessage);

    /**
     * Detects the intent of a user message with conversation history context.
     *
     * @param userMessage the user's message
     * @param history the conversation history for context

app.include_router(user_router, prefix="/users")
app.include_router(item_router, prefix="/items")

app.include_router(item_router, prefix="/users/{user_id}/items")


client = TestClient(app)


def test_get_users():
    """Check that /users returns expected data"""
    response = client.get("/users")
    assert response.status_code == 200, response.text