That way, you can create a token with an expiration of, let's say, 1 week. And then when the user comes back the next day with the token, you know that user is still logged in to your system.

<img src="/img/tutorial/sql-databases/image01.png">
</div>

## Update the App with Multiple Models { #update-the-app-with-multiple-models }

Now let's **refactor** this app a bit to increase **security** and **versatility**.

If you check the previous app, in the UI you can see that, up to now, it lets the client decide the `id` of the `Hero` to create. 😱

    // moving elements when remove() is called). Stop before 'from' because
    // we already know that should be kept.
    for (int n = list.size() - 1; n > from; n--) {
      if (predicate.apply(list.get(n))) {
        list.remove(n);
      }
    }
    // And now remove everything in the range [to, from) (going backwards).
    for (int n = from - 1; n >= to; n--) {
      list.remove(n);
    }

              // it's unnecessary to waste cycles looking at them. This check is built on the
              // observation that the header entries we care about are in adjacent pairs, and we
              // always know the first index of the pair.
              if (STATIC_HEADER_TABLE[headerNameIndex - 1].value == value) {
                headerIndex = headerNameIndex
              } else if (STATIC_HEADER_TABLE[headerNameIndex].value == value) {

// so they are only valid until the next bufio read.
func readChunkLine(b *bufio.Reader) ([]byte, []byte, error) {
	buf, err := b.ReadSlice('\n')
	if err != nil {
		// We always know when EOF is coming.
		// If the caller asked for a line, there should be a line.
		switch err {
		case io.EOF:
			err = io.ErrUnexpectedEOF
		case bufio.ErrBufferFull:
			err = errLineTooLong
		}

   * remaining 7.0 permits, and the remaining 3.0, we serve them by fresh permits produced by the
   * rate limiter.
   *
   * We already know how much time it takes to serve 3 fresh permits: if the rate is
   * "1 token per second", then this will take 3 seconds. But what does it mean to serve 7 stored

	_, width := utf8.DecodeRune(data)
	if width > 1 {
		// It's a valid encoding. Width cannot be one for a correctly encoded
		// non-ASCII rune.
		return width, data[0:width], nil
	}

	// We know it's an error: we have width==1 and implicitly r==utf8.RuneError.
	// Is the error because there wasn't a full rune to be decoded?
	// FullRune distinguishes correctly between erroneous and incomplete encodings.

func Enabled(kvs config.KVS) bool {
	return kvs.Get(ConfigURL) != ""
}

// GetSettings - fetches OIDC settings for site-replication related validation.
// NOTE that region must be populated by caller as this package does not know.
func (r *Config) GetSettings() madmin.OpenIDSettings {
	res := madmin.OpenIDSettings{}
	if !r.Enabled {
		return res
	}
	h := sha256.New()
	hashedSecret := ""

   * is evolving (b/381065164, b/458160722), but this class is @J2ktIncompatible.
   *
   * 2. The superclass toArray() method declares the more general return type `@Nullable Object[]`,
   * but we know that our values will never be `null`.
   */

  @Override
  public Object[] toArray() {
    return snapshotElementsToList().toArray();
  }

  @Override

      requestBody.close()
      assertThat(responseBody.readUtf8Line()).isNull()
    }
    body.awaitSuccess()
  }

  /**
   * Duplex calls that have follow-ups are weird. By the time we know there's a follow-up we've
   * already split off another thread to stream the request body. Because we permit at most one
   * exchange at a time we break the request stream out from under that writer.
   */
  @Test