* @param password the password to authenticate with
     */
    public NtlmPasswordAuthentication(final CIFSContext tc, final String domain, final String username, final String password) {
        super(domain != null ? domain : tc.getConfig().getDefaultDomain(),
                username != null ? username : tc.getConfig().getDefaultUsername() != null ? tc.getConfig().getDefaultUsername() : "GUEST",

* The **input model** needs to be able to have a password.
* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing).

///

# Простий OAuth2 з паролем і Bearer { #simple-oauth2-with-password-and-bearer }

Тепер продовжимо з попереднього розділу і додамо відсутні частини, щоб отримати повний потік безпеки.

## Отримайте `username` і `password` { #get-the-username-and-password }

Ми використаємо утиліти безпеки **FastAPI**, щоб отримати `username` і `password`.

    #   o user: (Required)
    #   o password: password plainly or path to password file (with default password)
    #       e.g. foo or df:dfprop/system-password.txt|foo
    #       (NotRequired - Default '')
    #   o isSkipIfNotFoundPasswordFileAndDefault: Does it skip the user SQL statement
    #       when using password file but not found it and also default password?
    #       (NotRequired - Default false)
    #

            if (form.crudMode.intValue() == CrudMode.CREATE || StringUtil.isNotBlank(form.password)) {
                final String encodedPassword = ComponentUtil.getComponent(FessLoginAssist.class).encryptPassword(form.password);
                entity.setOriginalPassword(form.password);
                entity.setPassword(encodedPassword);
            }

     */
    void delete(User user);

    /**
     * Changes the password for the specified user.
     * @param username The username for which to change the password.
     * @param password The new password.
     * @return True if the password was successfully changed, false otherwise.
     */
    boolean changePassword(String username, String password);

    /**
     * Loads user information from the authentication chain.

* **input modeli** bir `password` içerebilmelidir.
* **output modeli** `password` içermemelidir.
* **database modeli** büyük ihtimalle hash'lenmiş bir `password` tutmalıdır.

/// danger | Tehlike

Kullanıcının düz metin (plaintext) `password`'ünü asla saklamayın. Her zaman sonradan doğrulayabileceğiniz "güvenli bir hash" saklayın.

# 簡易 OAuth2：Password 與 Bearer { #simple-oauth2-with-password-and-bearer }

現在從上一章延伸，補上缺少的部分，完成整個安全流程。

## 取得 `username` 與 `password` { #get-the-username-and-password }

我們要使用 **FastAPI** 提供的安全性工具來取得 `username` 與 `password`。

OAuth2 規範中，當使用「password flow」（我們現在使用的）時，用戶端／使用者必須以表單資料送出 `username` 與 `password` 欄位。

而且規範要求欄位名稱必須就是這兩個，所以像是 `user-name` 或 `email` 都不行。

但別擔心，你在前端要怎麼呈現給最終使用者都可以。

而你的資料庫模型也可以使用任何你想要的欄位名稱。

    }

    /**
     * Validates a password against configured password policy requirements.
     *
     * @param password The password to validate.
     * @return An empty string if the password is valid, or an error key for the validation failure.
     */
    public String validatePassword(final String password) {
        if (StringUtil.isBlank(password)) {
            return "errors.blank_password";
        }

///

## Password hashing { #password-hashing }

"Hashing" means converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.

Whenever you pass exactly the same content (exactly the same password) you get exactly the same gibberish.

But you cannot convert from the gibberish back to the password.

### Why use password hashing { #why-use-password-hashing }