oauth/token - hashing the password

I'm trying to change the behavior of the oauth/token call from the passport package in laravel. In my tests, I pass this:

POST /oauth/token HTTP/1.1
HOST: localhost:8080
content-type: application/x-www-form-urlencoded
cookie: laravel_session=eyJpdiI6Ikp...MDg4MzRjOTcifQ==
content-length: 41

grant_type=password&client_id=2&client_secret=dKhn6c8...tuECrPm1hjXN&username=test&password=123456&scope=*

and it works(I received the token with a 200 response). But I believe that the correct would be to HASH the password, once that the password is already HASHed in the Server side, we should not send it visible in the request. Am I missing something here or what should I do to be able to send the HASHed password?

Thanks, Joao

joaosauer
joaosauer
  • 2 months ago