from datetime import datetime, timedelta, timezone
from typing import Annotated

import jwt
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from jwt.exceptions import InvalidTokenError
from pwdlib import PasswordHash
from pydantic import BaseModel

# to get a string like this run:
# openssl rand -hex 32

from datetime import datetime, timedelta, timezone

import jwt
from fastapi import Depends, FastAPI, HTTPException, Security, status
from fastapi.security import (
    OAuth2PasswordBearer,
    OAuth2PasswordRequestForm,
    SecurityScopes,
)
from jwt.exceptions import InvalidTokenError
from pwdlib import PasswordHash
from pydantic import BaseModel, ValidationError

# to get a string like this run:
# openssl rand -hex 32

これは、Facebook、Google、GitHub などでログイン時に権限を付与する際と同じ仕組みです:

<img src="/img/tutorial/security/image11.png">

## スコープ付きの JWT トークン { #jwt-token-with-scopes }

次に、トークンの path operation を修正して、要求されたスコープを返すようにします。

引き続き同じ `OAuth2PasswordRequestForm` を使用します。これには、リクエストで受け取った各スコープを含む、`str` の `list` である `scopes` プロパティが含まれます。

そして、そのスコープを JWT トークンの一部として返します。

/// danger | 警告

簡単のため、ここでは受け取ったスコープをそのままトークンに追加しています。

			Type:        "url",
			Sensitive:   true,
		},
		config.HelpKV{
			Key:         target.WebhookAuthToken,
			Description: "opaque string or JWT authorization token",
			Optional:    true,
			Type:        "string",
			Sensitive:   true,
			Secret:      true,
		},
		config.HelpKV{
			Key:         config.Comment,
			Description: config.DefaultComment,

### 2. Configure authentication type for Prometheus metrics

MinIO supports two authentication modes for Prometheus either `jwt` or `public`, by default MinIO runs in `jwt` mode. To allow public access without authentication for prometheus metrics set environment as follows.

```
export MINIO_PROMETHEUS_AUTH_TYPE="public"
minio server ~/test
```

* Configure any required permissions and roles using dependencies.
* Never store plaintext passwords, only password hashes.
* Implement and use well-known cryptographic tools, like pwdlib and JWT tokens, etc.
* Add more granular permission controls with OAuth2 scopes where needed.
* ...etc.

    - 🤖 자동으로 생성된 프론트엔드 클라이언트.
    - 🧪 End-to-End 테스트를 위한 [Playwright](https://playwright.dev).
    - 🦇 다크 모드 지원.
- 🐋 개발 환경과 프로덕션(운영)을 위한 [Docker Compose](https://www.docker.com).
- 🔒 기본으로 지원되는 안전한 비밀번호 해싱.
- 🔑 JWT (JSON Web Token) 인증.
- 📫 이메일 기반 비밀번호 복구.
- ✅ [Pytest](https://pytest.org)를 이용한 테스트.
- 📞 리버스 프록시 / 로드 밸런서로서의 [Traefik](https://traefik.io).
- 🚢 Docker Compose를 이용한 배포 지침: 자동 HTTPS 인증서를 처리하기 위한 프론트엔드 Traefik 프록시 설정 방법을 포함.

const (
	EnvPrometheusAuthType    = "MINIO_PROMETHEUS_AUTH_TYPE"
	EnvPrometheusOpenMetrics = "MINIO_PROMETHEUS_OPEN_METRICS"
)

type prometheusAuthType string

const (
	prometheusJWT    prometheusAuthType = "jwt"
	prometheusPublic prometheusAuthType = "public"
)

// registerMetricsRouter - add handler functions for metrics.
func registerMetricsRouter(router *mux.Router) {
	// metrics router

	"github.com/minio/minio/internal/hash"
	xhttp "github.com/minio/minio/internal/http"
	xjwt "github.com/minio/minio/internal/jwt"
	"github.com/minio/minio/internal/logger"
	"github.com/minio/minio/internal/mcontext"
	"github.com/minio/pkg/v3/policy"
)

// Verify if request has JWT.
func isRequestJWT(r *http.Request) bool {
	return strings.HasPrefix(r.Header.Get(xhttp.Authorization), jwtAlgorithm)
}

  - 🤖 自動產生的前端用戶端。
  - 🧪 [Playwright](https://playwright.dev) 用於端到端測試。
  - 🦇 支援深色模式。
- 🐋 [Docker Compose](https://www.docker.com) 用於開發與正式環境。
- 🔒 預設即採用安全的密碼雜湊。
- 🔑 JWT（JSON Web Token）驗證。
- 📫 以 Email 為基礎的密碼重設。
- ✅ 使用 [Pytest](https://pytest.org) 的測試。
- 📞 [Traefik](https://traefik.io) 作為反向代理／負載平衡器。
- 🚢 使用 Docker Compose 的部署指引，包含如何設定前端 Traefik 代理以自動處理 HTTPS 憑證。