From 546dc8bdcb362e8a0465a82f47753c9d57898882 Mon Sep 17 00:00:00 2001
From: dmontagu <35119617+dmontagu@users.noreply.github.com>
Date: Tue, 28 May 2019 22:24:09 -0700
Subject: [PATCH] :lock: Update login.py to receive password as body (#33)

Change `new_password` from a query parameter to a body parameter for security.

(Why this is problematic is discussed in the top answer to https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl)
---
 .../backend/app/app/api/api_v1/endpoints/login.py             | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py b/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py
index 2640f1c..64197ca 100644
--- a/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py
+++ b/{{cookiecutter.project_slug}}/backend/app/app/api/api_v1/endpoints/login.py
@@ -1,6 +1,6 @@
 from datetime import timedelta
 
-from fastapi import APIRouter, Depends, HTTPException
+from fastapi import APIRouter, Body, Depends, HTTPException
 from fastapi.security import OAuth2PasswordRequestForm
 from sqlalchemy.orm import Session
 
@@ -74,7 +74,7 @@ def recover_password(email: str, db: Session = Depends(get_db)):
 
 
 @router.post("/reset-password/", tags=["login"], response_model=Msg)
-def reset_password(token: str, new_password: str, db: Session = Depends(get_db)):
+def reset_password(token: str, new_password: str = Body(...), db: Session = Depends(get_db)):
     """
     Reset password
     """