When `authenticate_user` is called with a username that doesn't exist in the database, we still run `verify_password` against a dummy hash.

This ensures the endpoint takes roughly the same amount of time to respond whether the username is valid or not, preventing **timing attacks** that could be used to enumerate existing usernames.

/// note

To upgrade, refer to this documentation _For core Kubernetes:_ https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster 

### Detection

Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact ******@****.***

#### Additional Details

## `username`과 데이터 형태 검증하기 { #verify-the-username-and-data-shape }

`username`을 얻었는지 확인하고, 스코프를 추출합니다.

그런 다음 Pydantic 모델로 데이터를 검증합니다(`ValidationError` 예외를 잡습니다). JWT 토큰을 읽거나 Pydantic으로 데이터를 검증하는 과정에서 오류가 나면, 앞에서 만든 `HTTPException`을 raise합니다.

이를 위해 Pydantic 모델 `TokenData`에 새 속성 `scopes`를 추가합니다.

Pydantic으로 데이터를 검증하면, 예를 들어 스코프가 정확히 `str`의 `list`이고 `username`이 `str`인지 등을 보장할 수 있습니다.

        String username = null;
        FessUserNotFoundException exception = new FessUserNotFoundException(username);

        assertNotNull(exception);
        assertEquals("User is not found: null", exception.getMessage());
        assertNull(exception.getCause());
    }

    @Test
    public void test_constructor_withSpecialCharacters() {
        // Test with username containing special characters

    }

    /**
     * Get the username used to access the repository.
     *
     * @return username at repository
     */
    public String getUsername() {
        return username;
    }

    /**
     * Set username used to access the repository.
     *
     * @param userName the username used to access repository
     */
    public void setUsername(final String userName) {
        this.username = userName;
    }

    * It contains the `username` and `password` sent.

{* ../../docs_src/security/tutorial006_an_py310.py hl[4,8,12] *}

When you try to open the URL for the first time (or click the "Execute" button in the docs) the browser will ask you for your username and password:

<img src="/img/tutorial/security/image12.png">

## Check the username { #check-the-username }

Here's a more complete example.

def get_password_hash(password):
    return password_hash.hash(password)


def get_user(db, username: str):
    if username in db:
        user_dict = db[username]
        return UserInDB(**user_dict)


def authenticate_user(fake_db, username: str, password: str):
    user = get_user(fake_db, username)
    if not user:
        verify_password(password, DUMMY_HASH)
        return False

     */
    public SpnegoCredential(final String username) {
        this.username = username;
    }

    /**
     * Gets the user identifier from this credential.
     *
     * @return The username from SPNEGO authentication
     */
    @Override
    public String getUserId() {
        return username;
    }

    /**
     * Returns a string representation of this credential.
     *

labels.check_url=Please check the URL.
labels.busy_title=Service Temporarily Unavailable
labels.busy_message=The server is currently experiencing high load. Please try again later.
labels.user_name=Username
labels.login=Login
labels.login.placeholder_username=Username
labels.login.placeholder_password=Password
labels.login.title=Login
labels.index_label=Label
labels.index_lang=Preferred Language
labels.index_sort=Sort

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")


class User(BaseModel):
    username: str
    email: str | None = None
    full_name: str | None = None
    disabled: bool | None = None


class UserInDB(User):
    hashed_password: str


def get_user(db, username: str):
    if username in db:
        user_dict = db[username]
        return UserInDB(**user_dict)


def fake_decode_token(token):