When I was working to override some of the backend APIs, I noticed that the user password was available in the
object in plaintext. I'm not a cryptography expert by any means but I was under the impression that passwords should be hashed on the FE and then the hash is sent to the backend. Isn't sending the password to the backend, even when using TLS, not best practice?
3 weeks ago
Not necessarily. Hashing the password on the frontend would prevent you from enforcing password strength on the backend. So there are pros and cons.
If you want to hash it on the frontend though, you can. Just override the sign up / sign in functions on the frontend to hash the password before calling the original implementation.
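
A sketch of the override described in the reply above, added here as an example (it is not part of the original reply or of any particular library's code). The names `withClientSideHash`, `preHashPassword`, `originalImplementation`, the `{ email, password }` input shape, the app id and the 12-character minimum are assumptions; PBKDF2 via Web Crypto is one possible choice of hash.

```javascript
// Added example. Hypothetical: function names, the { email, password } input
// shape, the appId argument and the minimum length of 12.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Derive a fixed-length value from the password with PBKDF2-SHA-256.
// The salt is deterministic (app id + normalized email) because the browser
// has no stored per-user salt to read before the user is authenticated.
async function preHashPassword(password, email, appId, iterations = 600000) {
  const enc = new TextEncoder();
  const key = await subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveBits"]);
  const salt = enc.encode(`${appId}:${email.trim().toLowerCase()}`);
  const bits = await subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations }, key, 256);
  return toHex(bits);
}

// Wrap the original sign-up / sign-in functions so that they only ever
// receive the derived value, never the plaintext password.
function withClientSideHash(originalImplementation, appId, iterations) {
  const wrap = (fn, checkStrength) => async (input) => {
    // The backend will only see a hash, so strength rules have to run here.
    if (checkStrength && input.password.length < 12) {
      return { status: "WEAK_PASSWORD" };
    }
    const password = await preHashPassword(
      input.password, input.email, appId, iterations);
    return fn.call(originalImplementation, { ...input, password });
  };
  return {
    ...originalImplementation,
    signUp: wrap(originalImplementation.signUp, true),
    signIn: wrap(originalImplementation.signIn, false),
  };
}
```

The derived value is now what authenticates the user, so the backend still has to store it under a slow, salted password hash rather than as received, and TLS is still required in transit.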