## Pegue o `username` (nome de usuário) e `password` (senha)

É utilizado o utils de segurança da **FastAPI** para obter o `username` e a `password`.

OAuth2 especifica que ao usar o "password flow" (fluxo de senha), que estamos usando, o cliente/usuário deve enviar os campos `username` e `password` como dados do formulário.

    if (args.length != 4) {
      System.out.println("Usage: SampleServer <keystore> <password> <root file> <port>");
      return;
    }

    String keystoreFile = args[0];
    String password = args[1];
    String root = args[2];
    int port = Integer.parseInt(args[3]);

    SSLContext sslContext = sslContext(keystoreFile, password);
    SampleServer server = new SampleServer(sslContext, root, port);
    server.run();

        final String username = fessConfig.getFesenUsername();
        final String password = fessConfig.getFesenPassword();
        if (StringUtil.isNotBlank(username) && StringUtil.isNotBlank(password)) {
            builder.put(Constants.FESEN_USERNAME, username);
            builder.put(Constants.FESEN_PASSWORD, password);
        }
        final String authorities = fessConfig.getFesenHttpSslCertificateAuthorities();

Now, whenever a browser is creating a user with a password, the API will return the same password in the response.

In this case, it might not be a problem, because it's the same user sending the password.

But if we use the same model for another *path operation*, we could be sending our user's passwords to every client.

/// danger

    public void setPassword_Terms(ConditionOptionCall<TermsAggregationBuilder> opLambda) {
        setPassword_Terms("password", opLambda, null);
    }

    public void setPassword_Terms(ConditionOptionCall<TermsAggregationBuilder> opLambda, OperatorCall<BsWebAuthenticationCA> aggsLambda) {
        setPassword_Terms("password", opLambda, aggsLambda);
    }

    @Test
    public void testEncryptDecryptLongPassword() throws Exception {
        // Test with very long password
        char[] plaintext = new char[10000];
        Arrays.fill(plaintext, 'X');

        byte[] encrypted = storage.encryptCredentials(plaintext);
        assertNotNull(encrypted, "Encrypted long password should not be null");

        assertTrue(testLdapManager.changePasswordCalled);
    }

    public void test_changePassword_withNullPassword() {
        // Test password change with null password
        testLdapManager.changePasswordResult = false;
        testFessConfig.ldapAdminSyncPassword = false;

        boolean result = ldapChain.changePassword("testuser", null);

labels.suggestWord=Parola suggerita
labels.targetLabel=Etichetta
labels.term=Termine di ricerca
labels.fields=Campi
labels.ex_q=Query estesa
labels.oldPassword=Password attuale
labels.newPassword=Nuova password
labels.confirmNewPassword=Conferma nuova password

labels.menu_system=Sistema
labels.menu_wizard=Wizard
labels.menu_crawl_config=Generale
labels.menu_scheduler_config=Scheduler

                // encrypted
                try {
                    this.password = pwAuth.getAnsiHash(this.ctx, this.server.encryptionKey);
                } catch (final GeneralSecurityException e) {
                    throw new RuntimeCIFSException("Failed to encrypt password", e);
                }
                this.passwordLength = this.password.length;
            } else if (this.ctx.getConfig().isDisablePlainTextPasswords()) {

Por ejemplo, en una de las formas en las que se puede usar la especificación OAuth2 (llamada "password flow") se requiere enviar un `username` y `password` como campos de formulario.

La <abbr title="specification">especificación</abbr> requiere que los campos se llamen exactamente `username` y `password`, y que se envíen como campos de formulario, no JSON.