SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

When I was working to override some of backend apis I noticed that the user  password was available in the `input` object in plaintext. I'm not a cryptography expert by any means but I was under the impression that passwords should be hashed on the FE and then the hash is sent to the backend. Isn't sending the password to the backend, even when using TLS, not best practice?

Not necessarily. Hashing password on the frontend would disable you to enforce password strength on the backend. So there are pros and cons.

If you want to hash it on the frontend though, you can. Just override the sign up / sign in functions on the frontend to hash the password before calling the original implementation

Oh that's a good point I hadn't considered.

So is the password ever hashed on the backend in the original implementation or is that left for the developer to decide?

it is hashed - of course. When it's sent to the core, the core hashes it before storing in db.

and the password strength validation happens in backend SDK level