## Obtener el `username` y `password` { #get-the-username-and-password }

Vamos a usar las utilidades de seguridad de **FastAPI** para obtener el `username` y `password`.

OAuth2 especifica que cuando se utiliza el "password flow" (que estamos usando), el cliente/usuario debe enviar campos `username` y `password` como form data.

                    },
                    "ModelB": {
                        "title": "ModelB",
                        "required": ["username"],
                        "type": "object",
                        "properties": {
                            "username": {"title": "Username", "type": "string"}
                        },
                    },
                    "ValidationError": {

        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username = payload.get("sub")
        if username is None:
            raise credentials_exception
        token_data = TokenData(username=username)
    except InvalidTokenError:
        raise credentials_exception
    user = get_user(fake_users_db, username=token_data.username)
    if user is None:
        raise credentials_exception
    return user

        }
    }

    @Test
    @DisplayName("Test password stored as char array")
    void testPasswordStoredAsCharArray() throws Exception {
        authenticator = new NtlmPasswordAuthenticator("DOMAIN", "username", "password123");

        // Use reflection to verify password is stored as char[]
        Field passwordField = NtlmPasswordAuthenticator.class.getDeclaredField("password");
        passwordField.setAccessible(true);

        String username = "resetuser";
        String ip = "192.168.1.5";

        // Two failures
        assertTrue(rateLimiter.checkAttempt(username, ip));
        rateLimiter.recordFailure(username, ip);

        assertTrue(rateLimiter.checkAttempt(username, ip));
        rateLimiter.recordFailure(username, ip);

        // Success should reset counter
        assertTrue(rateLimiter.checkAttempt(username, ip));

def get_password_hash(password):
    return password_hash.hash(password)


def get_user(db, username: str):
    if username in db:
        user_dict = db[username]
        return UserInDB(**user_dict)


def authenticate_user(fake_db, username: str, password: str):
    user = get_user(fake_db, username)
    if not user:
        verify_password(password, DUMMY_HASH)
        return False

            }

            userCode = getUserCodeFromCookie(request);
            if (StringUtil.isBlank(userCode)) {
                userCode = getUserCodeFromUserBean(request);
                if (StringUtil.isBlank(userCode)) {
                    userCode = getId();
                }
            }

            if (StringUtil.isNotBlank(userCode)) {
                updateUserSessionId(userCode);
            }

# 簡易 OAuth2：Password 與 Bearer { #simple-oauth2-with-password-and-bearer }

現在從上一章延伸，補上缺少的部分，完成整個安全流程。

## 取得 `username` 與 `password` { #get-the-username-and-password }

我們要使用 **FastAPI** 提供的安全性工具來取得 `username` 與 `password`。

OAuth2 規範中，當使用「password flow」（我們現在使用的）時，用戶端／使用者必須以表單資料送出 `username` 與 `password` 欄位。

而且規範要求欄位名稱必須就是這兩個，所以像是 `user-name` 或 `email` 都不行。

但別擔心，你在前端要怎麼呈現給最終使用者都可以。

而你的資料庫模型也可以使用任何你想要的欄位名稱。

from fastapi import FastAPI

app = FastAPI(swagger_ui_parameters={"syntaxHighlight": {"theme": "obsidian"}})


@app.get("/users/{username}")
async def read_user(username: str):

            this.domain = domain;
            this.authType = authType;
            this.timestamp = System.currentTimeMillis();
            this.clientAddress = clientAddress;
            this.serverAddress = serverAddress;
        }

        public String getUsername() {
            return username;
        }

        public String getDomain() {
            return domain;
        }