* The **input model** needs to be able to have a password.
* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing){.internal-link target=_blank}.

//// tab | Linux, macOS

```plaintext
/home/user/code/awesome-project/.venv/bin:/usr/bin:/bin:/usr/sbin:/sbin
```

시스템은 가장 먼저 다음 경로에서 프로그램을 찾기 시작합니다:

```plaintext
/home/user/code/awesome-project/.venv/bin
```

그 후에 다른 디렉터리들을 탐색합니다.

따라서 터미널에 `python`을 입력하면, 시스템은 다음 위치에 있는 Python 프로그램을 찾게 됩니다:

```plaintext
/home/user/code/awesome-project/.venv/bin/python
```

##### Figure 1 - Secure Channel construction

```
plaintext   := chunk_0          ||       chunk_1          ||       chunk_2          ||       ...

At this point we have the user data from our database, but we haven't checked the password.

Let's put that data in the Pydantic `UserInDB` model first.

You should never save plaintext passwords, so, we'll use the (fake) password hashing system.

If the passwords don't match, we return the same error.

#### Password hashing { #password-hashing }

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like Passlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

      assertThat(recorded.headers["Content-Length"]).isEqualTo("0")
    }
    assertThat(recorded.headers["HTTP2-Settings"]).isNotNull()
    assertThat(recorded.headers["Upgrade"]).isEqualTo("h2c") // HTTP/2 over plaintext!
    assertThat(recorded.headers["User-Agent"]!!).matches(Regex("Java-http-client/.*"))
  }

仮想環境を有効にすると、 `PATH` 変数は次のようになります。

//// tab | Linux, macOS

```plaintext
/home/user/code/awesome-project/.venv/bin:/usr/bin:/bin:/usr/sbin:/sbin
```

これは、OSが他のディレクトリを探すより前に、最初に以下のディレクトリ中でプログラムを探し始めることを意味します：

```plaintext
/home/user/code/awesome-project/.venv/bin
```

そのため、ターミナルで `python` と入力した際に、OSはPythonプログラムを以下のパスで発見し、使用します。

```plaintext
/home/user/code/awesome-project/.venv/bin/python
```

////

			AssociatedData: kms.Context{bucket: path.Join(bucket, object)},
		})
		if err != nil {
			return crypto.ObjectKey{}, err
		}

		objectKey := crypto.GenerateKey(key.Plaintext, rand.Reader)
		sealedKey = objectKey.Seal(key.Plaintext, crypto.GenerateIV(rand.Reader), crypto.S3.String(), bucket, object)
		crypto.S3.CreateMetadata(metadata, key.KeyID, key.Ciphertext, sealedKey)
		return objectKey, nil
	case crypto.S3KMS:

## Return the same input data { #return-the-same-input-data }

Here we are declaring a `UserIn` model, it will contain a plaintext password:

{* ../../docs_src/response_model/tutorial002_py310.py hl[7,9] *}

/// info

But you cannot convert from the gibberish back to the password.

### Why use password hashing { #why-use-password-hashing }

If your database is stolen, the thief won't have your users' plaintext passwords, only the hashes.

So, the thief won't be able to try to use that password in another system (as many users use the same password everywhere, this would be dangerous).

## Install `passlib` { #install-passlib }