## 校验 `username` 与数据形状 { #verify-the-username-and-data-shape }

我们校验是否获取到了 `username`，并提取作用域。

然后使用 Pydantic 模型验证这些数据（捕获 `ValidationError` 异常），如果读取 JWT 令牌或用 Pydantic 验证数据时出错，就抛出我们之前创建的 `HTTPException`。

为此，我们给 Pydantic 模型 `TokenData` 添加了一个新属性 `scopes`。

通过用 Pydantic 验证数据，我们可以确保确实得到了例如一个由作用域组成的 `list[str]`，以及一个 `str` 类型的 `username`。

而不是，例如得到一个 `dict` 或其它什么，这可能会在后续某个时刻破坏应用，形成安全风险。

    return item


@app.get("/items/", tags=["items"])
async def read_items():
    return [{"name": "Foo", "price": 42}]


@app.get("/users/", tags=["users"])
async def read_users():

from typing import Annotated

from fastapi import FastAPI, Form
from pydantic import BaseModel

app = FastAPI()


class FormData(BaseModel):
    username: str
    password: str
    model_config = {"extra": "forbid"}


@app.post("/login/")
async def login(data: Annotated[FormData, Form()]):

from datetime import datetime

from fastapi import FastAPI
from pydantic import BaseModel

app = FastAPI()


class Subscription(BaseModel):
    username: str
    monthly_fee: float
    start_date: datetime


@app.webhooks.post("new-subscription")
def new_subscription(body: Subscription):
    """
    When a new user subscribes to your service we'll send you a POST request with this

				<la:form styleId="login" method="post">
					<div class="input-group mb-3">
						<c:set var="ph_username">
							<la:message key="labels.login.placeholder_username" />
						</c:set>
						<la:text property="username" styleId="username"
							class="form-control" placeholder="${ph_username}" />
						<div class="input-group-append">
							<span class="input-group-text">
								<i class="fa fa-user fa-fw" aria-hidden="true"></i>

from fastapi import FastAPI
from pydantic import BaseModel, EmailStr

app = FastAPI()


class UserBase(BaseModel):
    username: str
    email: EmailStr
    full_name: str | None = None


class UserIn(UserBase):
    password: str


class UserOut(UserBase):
    pass


class UserInDB(UserBase):
    hashed_password: str


def fake_password_hasher(raw_password: str):

	return []byte{}
}

func (m *MockConnMeta) RemoteAddr() net.Addr {
	return nil
}

func (m *MockConnMeta) LocalAddr() net.Addr {
	return nil
}

func newSSHConnMock(username string) ssh.ConnMetadata {
	return &MockConnMeta{username: username}
}

func TestSFTPAuthentication(t *testing.T) {
	for i, testCase := range iamTestSuites {
		t.Run(
			fmt.Sprintf("Test: %d, ServerType: %s", i+1, testCase.ServerTypeDescription),

            "type" : "keyword"
          },
          "updatedBy" : {
            "type" : "keyword"
          },
          "updatedTime" : {
            "type" : "long"
          },
          "username" : {
            "type" : "keyword"
          }
        }
      }
    },
    "settings" : {
      "index" : {
        "creation_date" : "1509021053135",
        "number_of_shards" : "5",

from pydantic import BaseModel

app = FastAPI()


class Item(BaseModel):
    name: str
    description: str | None = None
    price: float
    tax: float | None = None


class User(BaseModel):
    username: str
    full_name: str | None = None


@app.put("/items/{item_id}")
async def update_item(item_id: int, item: Item, user: User):
    results = {"item_id": item_id, "item": item, "user": user}

{* ../../docs_src/security/tutorial005_an_py310.py hl[106,108:116] *}

## Verifique o `username` e o formato dos dados { #verify-the-username-and-data-shape }

Nós verificamos que nós obtemos um `username`, e extraímos os escopos.