"user$name" // invalid character
    })
    void testInvalidUsernames(String username) {
        assertThrows(IllegalArgumentException.class, () -> InputValidator.validateUsername(username));
    }

    @Test
    @DisplayName("Test username length validation")
    void testUsernameLengthValidation() {
        String longUsername = "a".repeat(InputValidator.MAX_USERNAME_LENGTH + 1);

    return {"username": credentials.username, "password": credentials.password}


client = TestClient(app)


def test_security_http_basic():
    response = client.get("/users/me", auth=("john", "secret"))
    assert response.status_code == 200, response.text
    assert response.json() == {"username": "john", "password": "secret"}

        yield "Rick"
    finally:
        print("Cleanup up before response is sent")

UserNameDep = Annotated[str, Depends(get_username, scope="function")]

@app.get("/users/me")
def get_user_me(username: UserNameDep):
    return username
```

## Class Dependencies

Avoid creating class dependencies when possible.

If a class is needed, instead create a regular function dependency that returns a class instance.

Do this:

    /**
     * The protocol scheme (http, https).
     */
    @Size(max = 10)
    public String protocolScheme;

    /**
     * The username for authentication.
     */
    @Required
    @Size(max = 100)
    public String username;

    /**
     * The password for authentication.
     */
    @Size(max = 100)
    public String password;

    /**

    /** The protocol scheme for file access (maximum 10 characters). */
    @Size(max = 10)
    public String protocolScheme;

    /** The username for file authentication (required, maximum 100 characters). */
    @Required
    @Size(max = 100)
    public String username;

    /** The password for file authentication (maximum 100 characters). */
    @Size(max = 100)
    public String password;

// factory receiver.  This constructor will normalize the username, password
// and authzID via the SASLprep algorithm, as recommended by RFC-5802.  If
// SASLprep fails, the method returns an error.
func (x *XDGSCRAMClient) Begin(userName, password, authzID string) (err error) {
	x.Client, err = x.NewClient(userName, password, authzID)
	if err != nil {
		return err
	}

## 驗證 `username` 與資料結構 { #verify-the-username-and-data-shape }

我們先確認取得了 `username`，並取出 scopes。

接著用 Pydantic 模型驗證這些資料（捕捉 `ValidationError` 例外），若在讀取 JWT token 或用 Pydantic 驗證資料時出錯，就丟出先前建立的 `HTTPException`。

為此，我們更新了 Pydantic 模型 `TokenData`，加入新屬性 `scopes`。

透過 Pydantic 驗證資料，我們可以確保，例如，scopes 正好是 `list` 的 `str`，而 `username` 是 `str`。

否則若是 `dict` 或其他型別，可能在後續某處使應用壞掉，造成安全風險。

 * Side Public License, v 1.
 */

import org.elasticsearch.gradle.testclusters.StandaloneRestIntegTestTask

def clusterCredentials = [
        username: providers.systemProperty('tests.rest.cluster.username')
                .forUseAtConfigurationTime()
                .getOrElse('test_admin'),
        password: providers.systemProperty('tests.rest.cluster.password')

				<la:form styleId="login" method="post">
					<div class="input-group mb-3">
						<c:set var="ph_username">
							<la:message key="labels.login.placeholder_username" />
						</c:set>
						<la:text property="username" styleId="username"
							class="form-control" placeholder="${ph_username}" />
						<div class="input-group-append">
							<span class="input-group-text">
								<i class="fa fa-user fa-fw" aria-hidden="true"></i>

        }
        final String username = getUserBean().get().getUserId();
        try {
            userService.changePassword(username, form.newPassword);
            saveInfo(messages -> messages.addSuccessChangedPassword(GLOBAL));
        } catch (final Exception e) {
            logger.warn("Failed to change password for {}", username, e);