Bunun yerine, plaintext password içeren bir input modeli ve password’ü içermeyen bir output modeli oluşturabiliriz:

{* ../../docs_src/response_model/tutorial003_py310.py hl[9,11,16] *}

Burada *path operation function* password içeren aynı input user’ı döndürüyor olsa bile:

{* ../../docs_src/response_model/tutorial003_py310.py hl[24] *}

...`response_model` olarak, password’ü içermeyen `UserOut` modelimizi declare ettik:

                        throw new RuntimeException("Plain text passwords are disabled");
                    } else {
                        // plain text
                        final String password = a.getPassword();
                        this.lmHash = new byte[(password.length() + 1) * 2];
                        this.ntHash = new byte[0];
                        writeString(password, this.lmHash, 0);
                    }
                }

* Make sure you have well defined Pydantic models for your request bodies and responses.
* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like pwdlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

         */
        public int current_uses;
        /**
         * The local path of the share.
         */
        public String path;
        /**
         * The share password (if any).
         */
        public String password;
        /**
         * The size of the security descriptor.
         */
        public int sd_size;
        /**
         * The security descriptor bytes.
         */

## Log Message Guidelines

- Logger: `LogManager.getLogger(ClassName.class)`
- Format: `key=value` (e.g., `userId={}`, `url={}`)
- Prefix with `[name]` when context identification is needed
- Mask sensitive values (passwords, tokens)

## i18n / Localization

        Type3Message type3 =
                new Type3Message(createMockContext(), type2, null, "password", mixedCaseDomain, mixedCaseUser, "WORKSTATION", 0);

        // Then
        assertEquals(mixedCaseDomain, type3.getDomain());
        assertEquals(mixedCaseUser, type3.getUser());
    }

    @Test
    @DisplayName("Should handle long passwords")
    void testLongPasswords() throws Exception {
        // Given

        return ntResponse;
    }

    /**
     * Generates the NTOWFv1 hash for the given password.
     *
     * @param password the password to hash
     * @return the NTOWFv1 hash bytes
     */
    public static byte[] nTOWFv1(final String password) {
        if (password == null) {
            throw new RuntimeException("Password parameter is required");
        }
        try {
            final MD4 md4 = new MD4();

    /**
     * Security mode flags.
     */
    public int securityMode;
    /**
     * Security settings for the session.
     */
    public int security;
    /**
     * Whether the server requires encrypted passwords.
     */
    public boolean encryptedPasswords;
    /**
     * Whether message signing is enabled.
     */
    public boolean signaturesEnabled;
    /**
     * Whether message signing is required.
     */

Now, whenever a browser is creating a user with a password, the API will return the same password in the response.

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

/// danger

# OAuth2 con Password (y hashing), Bearer con tokens JWT { #oauth2-with-password-and-hashing-bearer-with-jwt-tokens }

Ahora que tenemos todo el flujo de seguridad, hagamos que la aplicación sea realmente segura, usando tokens <abbr title="JSON Web Tokens">JWT</abbr> y hashing de contraseñas seguras.

Este código es algo que puedes usar realmente en tu aplicación, guardar los hashes de las contraseñas en tu base de datos, etc.