```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

And the spec says that the fields have to be named like that. So `user-name` or `email` wouldn't work.

But don't worry, you can show it as you wish to your final users in the frontend.

And your database models can use any other names you want.

But for the login *path operation*, we need to use these names to be compatible with the spec (and be able to, for example, use the integrated API documentation system).

		t.Fatalf("No error should raise, but got %v", err)
	}

	if err := tx.First(&User{}, "name = ?", "transaction").Error; err != nil {
		t.Fatalf("Should find saved record, but got %v", err)
	}

	user1 := *GetUser("transaction1-1", Config{})

	if err := tx.Save(&user1).Error; err != nil {
		t.Fatalf("No error should raise, but got %v", err)
	}

		t.Errorf(fmt.Sprintf("Count should work, but got err %v", err))
	}
	if count1 != 1 {
		t.Errorf("Count with group should be 1, but got count: %v", count1)
	}

	var count2 int64
	if err := DB.Model(&Company{}).Where("name in ?", []string{"company_count_group_b", "company_count_group_c"}).Group("name").Count(&count2).Error; err != nil {
		t.Errorf(fmt.Sprintf("Count should work, but got err %v", err))
	}
	if count2 != 2 {

<img src="/img/tutorial/security/image02.png">

/// note

It doesn't matter what you type in the form, it won't work yet. But we'll get there.

///

This is of course not the frontend for the final users, but it's a great automatic tool to document interactively all your API.

It can be used by the frontend team (that can also be yourself).

		t.Errorf("no error should happen when find languages with code, but got %v", err)
	} else if len(langs) != 1 {
		t.Errorf("should only find only 1 languages, but got %+v", langs)
	} else if langs[0].Name != "upsert-new" {
		t.Errorf("should update name on conflict, but got name %+v", langs[0].Name)
	}

	lang = Language{Code: "upsert", Name: "Upsert-Newname"}

			if err != nil && testCase.success {
				t.Errorf("Test %d: Expected success but failed instead %s", i+1, err)
			}
			if err == nil && !testCase.success {
				t.Errorf("Test %d: Expected failure but passed instead", i+1)
			}
		})
	}
}

func TestGetDivisibleSize(t *testing.T) {
	testCases := []struct {
		totalSizes []uint64

All the dependencies we have seen are a fixed function or class.

But there could be cases where you want to be able to set parameters on the dependency, without having to declare many different functions or classes.

Let's imagine that we want to have a dependency that checks if the query parameter `q` contains some fixed content.

But we want to be able to parameterize that fixed content.

But here's the key point.

The security and dependency injection stuff is written once.

And you can make it as complex as you want. And still, have it written only once, in a single place. With all the flexibility.

But you can have thousands of endpoints (*path operations*) using the same security system.

## List fields with type parameter { #list-fields-with-type-parameter }

But Python has a specific way to declare lists with internal types, or "type parameters":

### Import typing's `List` { #import-typings-list }

In Python 3.9 and above you can use the standard `list` to declare these type annotations as we'll see below. 💡