HMACT64 hmac = new HMACT64(key);
        hmac.engineUpdate(data, 0, data.length);
        byte[] result = hmac.engineDigest();

        // Verify it produces a valid MD5 hash (16 bytes)
        assertNotNull(result);
        assertEquals(16, result.length);

        // Calculate the same using manual HMACT64 algorithm

* The **output model** should not have a password.
* The **database model** would probably need to have a hashed password.

/// danger

Never store user's plaintext passwords. Always store a "secure hash" that you can then verify.

If you don't know, you will learn what a "password hash" is in the [security chapters](security/simple-oauth2.md#password-hashing).

///

## Multiple models { #multiple-models }

			t.Errorf("Test %d: should pass but it failed with: %v", i, err)
		}
		if err == nil && test.shouldFail {
			t.Errorf("Test %d: should fail but it passed", i)
		}
		if err == nil {
			// Verify that checksums of staleDisks
			// match expected values
			for i := range staleWriters {
				if staleWriters[i] == nil {
					continue
				}

				}
				legacyPreserved = true
			}
		}
	} else {
		// It is possible that some drives may not have `xl.meta` file
		// in such scenarios verify if at least `part.1` files exist
		// to verify for legacy version.
		if formatLegacy {
			// We only need this code if we are moving
			// from `xl.json` to `xl.meta`, we can avoid
			// one extra readdir operation here for all

   * AbstractListTester isn't enough because many tests that run on lists don't
   * extends AbstractListTester.) We could also iterate over all elements to
   * verify absence
   */
  protected void expectMissing(E... elements) {
    for (E element : elements) {
      assertFalse("Should not contain " + element, actualContents().contains(element));
    }
  }

///

## Türler ve Doğrulama { #types-and-validation }

Bu ortam değişkenleri yalnızca **metin string**’lerini taşıyabilir. Çünkü Python’un dışındadırlar ve diğer programlarla, sistemin geri kalanıyla (hatta Linux, Windows, macOS gibi farklı işletim sistemleriyle) uyumlu olmak zorundadırlar.

        mockRequest.setMethod("POST");
        mockRequest.setRequestURI("/test/uri");

        webApiRequest = new WebApiRequest(mockRequest, customPath);

        // Verify that other methods are properly delegated
        assertEquals("POST", webApiRequest.getMethod());
        assertEquals("/test/uri", webApiRequest.getRequestURI());

    }
    assertThat(actual.getBounds())
        .asList()
        .containsExactlyElementsIn(asList(expected.getBounds()))
        .inOrder();
  }

  /**
   * Working with arrays requires defensive code. Verify that we clone the type array for both input
   * and output.
   */
  public void testNewParameterizedTypeImmutability() {
    Type[] typesIn = {String.class, Integer.class};

* The API checks that `username` and `password`, and responds with a "token" (we haven't implemented any of this yet).
    * A "token" is just a string with some content that we can use later to verify this user.
    * Normally, a token is set to expire after some time.
        * So, the user will have to log in again at some point later.

- Le frontend (exécuté dans le navigateur de l'utilisateur) envoie ce `username` et ce `password` vers une URL spécifique de notre API (déclarée avec `tokenUrl="token"`).
- L'API vérifie ce `username` et ce `password`, et répond avec un « token » (nous n'avons encore rien implémenté de tout cela).