And the spec says that the fields have to be named like that. So `user-name` or `email` wouldn't work.

But don't worry, you can show it as you wish to your final users in the frontend.

And your database models can use any other names you want.

But for the login *path operation*, we need to use these names to be compatible with the spec (and be able to, for example, use the integrated API documentation system).

```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

		inputHeaderValue string

		inputQueryKey   string
		inputQueryValue string

		expectedResult bool
	}{
		// Test case - 1.
		// Test case with "X-Amz-Content-Sha256" header set, but to empty value but we can't skip.
		{"X-Amz-Content-Sha256", "", "", "", false},

		// Test case - 2.
		// Test case with "X-Amz-Content-Sha256" not set so we can skip.
		{"", "", "", "", true},

		// Test case - 3.

<img src="/img/tutorial/security/image02.png">

/// note

It doesn't matter what you type in the form, it won't work yet. But we'll get there.

///

This is of course not the frontend for the final users, but it's a great automatic tool to document interactively all your API.

It can be used by the frontend team (that can also be yourself).

But still, FastAPI got quite some inspiration from Requests.

**Requests** is a library to *interact* with APIs (as a client), while **FastAPI** is a library to *build* APIs (as a server).

They are, more or less, at opposite ends, complementing each other.

Requests has a very simple and intuitive design, it's very easy to use, with sensible defaults. But at the same time, it's very powerful and customizable.

 *       are called <i>cryptographic hash functions</i>. But, whenever it is learned that either of
 *       these feats has become computationally feasible, the function is deemed "broken" and should
 *       no longer be used for secure purposes. (This is the likely eventual fate of <i>all</i>
 *       cryptographic hashes.)
 *   <li><b>fast:</b> perhaps self-explanatory, but often the most important consideration.
 * </ul>
 *

 *       are called <i>cryptographic hash functions</i>. But, whenever it is learned that either of
 *       these feats has become computationally feasible, the function is deemed "broken" and should
 *       no longer be used for secure purposes. (This is the likely eventual fate of <i>all</i>
 *       cryptographic hashes.)
 *   <li><b>fast:</b> perhaps self-explanatory, but often the most important consideration.
 * </ul>
 *

		t.Fatalf("No error should raise, but got %v", err)
	}

	if err := tx.First(&User{}, "name = ?", "transaction").Error; err != nil {
		t.Fatalf("Should find saved record, but got %v", err)
	}

	user1 := *GetUser("transaction1-1", Config{})

	if err := tx.Save(&user1).Error; err != nil {
		t.Fatalf("No error should raise, but got %v", err)
	}

			if err != nil && testCase.success {
				t.Errorf("Test %d: Expected success but failed instead %s", i+1, err)
			}
			if err == nil && !testCase.success {
				t.Errorf("Test %d: Expected failure but passed instead", i+1)
			}
		})
	}
}

func TestGetDivisibleSize(t *testing.T) {
	testCases := []struct {
		totalSizes []uint64

	}

	keys := store.List()
	if len(keys) != 1 {
		t.Fatalf("expected len(keys)=1, but found %d", len(keys))
	}

	key := keys[0]
	if !key.Compress {
		t.Fatal("expected the item to be compressed")
	}
	if key.ItemCount != 10 {
		t.Fatalf("expected itemcount=10 but found %v", key.ItemCount)
	}

	raw, err := store.GetRaw(key)
	if err != nil {