auth.close(); // Should still not throw
        assertTrue(auth.isClosed());
    }

    /**
     * Test secure password wiping with multi-threaded access
     */
    @Test
    @DisplayName("Test secure password wiping under concurrent access")
    public void testConcurrentSecureWipe() throws InterruptedException {

            assertFalse(isValid, "Different session keys should fail verification");
        }
    }

    @Nested
    @DisplayName("Secure Key Wiping Tests")
    class SecureKeyWipingTests {

        @Test
        @DisplayName("Should securely wipe signing key")
        void testSecureWipeKey() throws GeneralSecurityException {

 *
 * Features:
 * - Secure key storage with optional KeyStore integration
 * - Automatic key cleanup on close
 * - Thread-safe key management
 * - Key derivation utilities
 * - Memory wiping capabilities
 */
public class SecureKeyManager implements AutoCloseable {

    private static final Logger log = LoggerFactory.getLogger(SecureKeyManager.class);

        // Then - Verify keys are wiped (we can't directly access private fields,
        // but we can verify the context behaves correctly after wiping)
        // After wiping, operations that require keys should fail

        // Attempting to use the context after wiping should handle gracefully
        // Note: The actual implementation might throw an exception or handle differently
    }

    @Test

 *
 * Features:
 * - Encrypts credentials at rest using AES-256-GCM
 * - Uses PBKDF2 for key derivation from master password
 * - Secure wiping of sensitive data
 * - Thread-safe operations
 * - Protection against timing attacks
 */
public class SecureCredentialStorage implements AutoCloseable, Destroyable {

    private static final Logger log = LoggerFactory.getLogger(SecureCredentialStorage.class);

    }

    /**
     * Returns the password as a secure char array. This is the preferred method
     * for accessing the password as it allows secure wiping of the password
     * from memory.
     *
     * @return the password as a char array
     */
    public char[] getPasswordAsCharArray() {
        checkNotClosed();

# Get Current User { #get-current-user }

In the previous chapter the security system (which is based on the dependency injection system) was giving the *path operation function* a `token` as a `str`:

{* ../../docs_src/security/tutorial001_an_py39.py hl[12] *}

But that is still not that useful.

Let's make it give us the current user.

## Create a user model { #create-a-user-model }

First, let's create a Pydantic user model.

4. Wait for 5 mins (as alert is configured to be firing after 5 mins), and verify that you see an entry in webhook for the alert as well as in Prometheus console as shown below

```json
{
  "receiver": "web\\.hook",
  "status": "firing",
  "alerts": [
    {
      "status": "firing",
      "labels": {
        "alertname": "MinIOClusterTolerance",
        "instance": "localhost:9000",

        // Context and credentials wiring - used by most tests
        when(cifsContext.getCredentials()).thenReturn(credentials);
        when(credentials.unwrap(CredentialsInternal.class)).thenReturn(credentialsInternal);
        when(credentialsInternal.clone()).thenReturn(credentialsInternal);

        // Transport wiring - used by most tests
        when(transport.acquire()).thenReturn(transport);

## About security, APIs, and docs { #about-security-apis-and-docs }

Hiding your documentation user interfaces in production *shouldn't* be the way to protect your API.

That doesn't add any extra security to your API, the *path operations* will still be available where they are.

If there's a security flaw in your code, it will still exist.