Skip to content

Commit

Permalink
🔒 Update login.py to receive password as body (fastapi#33)
Browse files Browse the repository at this point in the history
Change `new_password` from a query parameter to a body parameter for security.

(Why this is problematic is discussed in the top answer to https://stackoverflow.com/questions/2629222/are-querystring-parameters-secure-in-https-http-ssl)
  • Loading branch information
dmontagu authored and tiangolo committed May 29, 2019
1 parent 9c003ee commit e80cff5
Showing 1 changed file with 2 additions and 2 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
from datetime import timedelta

from fastapi import APIRouter, Depends, HTTPException
from fastapi import APIRouter, Body, Depends, HTTPException
from fastapi.security import OAuth2PasswordRequestForm
from sqlalchemy.orm import Session

Expand Down Expand Up @@ -74,7 +74,7 @@ def recover_password(email: str, db: Session = Depends(get_db)):


@router.post("/reset-password/", tags=["login"], response_model=Msg)
def reset_password(token: str, new_password: str, db: Session = Depends(get_db)):
def reset_password(token: str, new_password: str = Body(...), db: Session = Depends(get_db)):
"""
Reset password
"""
Expand Down

0 comments on commit e80cff5

Please sign in to comment.