Password visible in network tab for request to `signUp.email`

Hello, I'm using Better Auth in tandem with Next.js and react-hook-form and I'm seeing that the password is a raw string in the request body, like in the attached image. Is this a concern? It seems like it could be a problem, but there's nothing in the docs about it so I'm wondering if this is an issue I should spend time on. This is the relevant code, if that helps:
```ts
async function onSubmit(values: z.infer<typeof formSchema>) {
  // Client-side check only; the server still has to validate the password.
  if (values.password !== values.confirmPassword) {
    toast.message("Passwords do not match", {
      description: "Please check your passwords and try again.",
    });
    return;
  }

  // The password goes into the request body as a plain string.
  await signUp.email({
    email: values.email,
    password: values.password,
    name: values.name,
    callbackURL: "/",
    fetchOptions: {
      onSuccess: () => {
        toast.success("You have successfully signed up.");
        redirect("/");
      },
      onResponse: () => {
        setLoading(false);
      },
      onRequest: () => {
        setLoading(true);
      },
      onError: (ctx) => {
        toast.error(ctx.error.message);
      },
    },
  });
}
```
3 Replies
Solution
lonelyplanet (7d ago)
Not a problem at all; the server will take that password, hash it, and store it encrypted. Have a look at any other sign-in form. The network tab is a log of all requests made for that page; once the tab is reloaded, the log is cleared.
lonelyplanet (7d ago)
How are you supposed to tell the server what password you're trying to use? If you are using HTTPS:// (in development http is fine), the body will not be visible in transit, so no one can intercept your request and view the body; only the server and browser can.
lux (OP, 7d ago)
Gotcha, just wanted to double check since the only other projects I've worked on haven't used email and password auth. Thanks!
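
The flow described in the replies above, as an added example that is not part of the original thread and not Better Auth's own code: the server receives the plaintext password from the request body, persists only a salted hash, refuses plain HTTP outside development, and keeps the password out of its own logs. `handleSignUp`, `redactForLog` and the sample body are hypothetical names and constructed data; scrypt from Node's `crypto` module is an assumption standing in for whatever hashing the auth library applies.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Constructed sample of the JSON body shown in the browser's network tab.
const sampleBody = { email: "user@example.com", password: "correct horse battery", name: "Sample User" };

type StoredUser = { email: string; name: string; passwordHash: string };

// Hash with a fresh random salt; only "salt:hash" (hex) is ever persisted.
function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const hash = scryptSync(password.normalize("NFKC"), salt, 64);
  return `${salt.toString("hex")}:${hash.toString("hex")}`;
}

// Recompute with the stored salt and compare in constant time.
function verifyPassword(password: string, stored: string): boolean {
  const [saltHex, hashHex] = stored.split(":");
  if (!saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password.normalize("NFKC"), Buffer.from(saltHex, "hex"), expected.length);
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Hypothetical sign-up handler: refuse plaintext HTTP outside development,
// then keep the hash and drop the plaintext password.
function handleSignUp(protocol: "http" | "https", body: typeof sampleBody, isDev = false): StoredUser {
  if (protocol !== "https" && !isDev) {
    throw new Error("refusing password over plaintext HTTP");
  }
  return { email: body.email, name: body.name, passwordHash: hashPassword(body.password) };
}

// Copy of the request body that is safe to write to server logs.
function redactForLog(body: Record<string, unknown>): Record<string, unknown> {
  return { ...body, password: "[REDACTED]" };
}

const user = handleSignUp("https", sampleBody);
console.log(redactForLog(sampleBody), user.passwordHash.length);
```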
