var base: String? = null
  var scheme = ""
  var username = ""
  var password: String? = null
  var host = ""
  var port = ""
  var path = ""
  var query = ""
  var fragment = ""

  fun expectParseFailure() = scheme.isEmpty()

  private operator fun set(
    name: String,
    value: String,
  ) {
    when (name) {
      "s" -> scheme = value
      "u" -> username = value
      "pass" -> password = value

    return {"username": credentials.username, "password": credentials.password}


client = TestClient(app)


def test_security_http_basic():
    response = client.get("/users/me", auth=("john", "secret"))
    assert response.status_code == 200, response.text
    assert response.json() == {"username": "john", "password": "secret"}

    /**
     * The protocol scheme (http, https).
     */
    @Size(max = 10)
    public String protocolScheme;

    /**
     * The username for authentication.
     */
    @Required
    @Size(max = 100)
    public String username;

    /**
     * The password for authentication.
     */
    @Size(max = 100)
    public String password;

    /**

    /** The protocol scheme for file access (maximum 10 characters). */
    @Size(max = 10)
    public String protocolScheme;

    /** The username for file authentication (required, maximum 100 characters). */
    @Required
    @Size(max = 100)
    public String username;

    /** The password for file authentication (maximum 100 characters). */
    @Size(max = 100)
    public String password;

        yield "Rick"
    finally:
        print("Cleanup up before response is sent")

UserNameDep = Annotated[str, Depends(get_username, scope="function")]

@app.get("/users/me")
def get_user_me(username: UserNameDep):
    return username
```

## Class Dependencies

Avoid creating class dependencies when possible.

If a class is needed, instead create a regular function dependency that returns a class instance.

Do this:

// factory receiver.  This constructor will normalize the username, password
// and authzID via the SASLprep algorithm, as recommended by RFC-5802.  If
// SASLprep fails, the method returns an error.
func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error) {
	x.Client, err = x.NewClient(userName, password, authzID)
	if err != nil {
		return err
	}

## 驗證 `username` 與資料結構 { #verify-the-username-and-data-shape }

我們先確認取得了 `username`，並取出 scopes。

接著用 Pydantic 模型驗證這些資料（捕捉 `ValidationError` 例外），若在讀取 JWT token 或用 Pydantic 驗證資料時出錯，就丟出先前建立的 `HTTPException`。

為此，我們更新了 Pydantic 模型 `TokenData`，加入新屬性 `scopes`。

透過 Pydantic 驗證資料，我們可以確保，例如，scopes 正好是 `list` 的 `str`，而 `username` 是 `str`。

否則若是 `dict` 或其他型別，可能在後續某處使應用壞掉，造成安全風險。

 * Side Public License, v 1.
 */

import org.elasticsearch.gradle.testclusters.StandaloneRestIntegTestTask

def clusterCredentials = [
        username: providers.systemProperty('tests.rest.cluster.username')
                .forUseAtConfigurationTime()
                .getOrElse('test_admin'),
        password: providers.systemProperty('tests.rest.cluster.password')

When `authenticate_user` is called with a username that doesn't exist in the database, we still run `verify_password` against a dummy hash.

This ensures the endpoint takes roughly the same amount of time to respond whether the username is valid or not, preventing **timing attacks** that could be used to enumerate existing usernames.

/// note

from fastapi import FastAPI
from pydantic import BaseModel, EmailStr

app = FastAPI()


class UserBase(BaseModel):
    username: str
    email: EmailStr
    full_name: str | None = None


class UserIn(UserBase):
    password: str


class UserOut(UserBase):
    pass


class UserInDB(UserBase):
    hashed_password: str


def fake_password_hasher(raw_password: str):