Verifying the existence of a user through a RestFul API would be a GET transaction given that it would only be a select.
In short, you would be sending the Login and Password in this way:
const validator =require('validator');
app.get('/users/:login/:passwd',function(req,res){
var login = validator.trim(validator.escape(req.param('login')));
var passwd = validator.trim(validator.escape(req.param('passwd')));
con.query("SELECT * FROM users where login = '"+login+"' AND password='"+passwd+"' ", function (err, result) {
if(err){
throw err;
}
else{
res.json({ result });
}
});
});
My question is that GET is sending sensitive information like log and password.
How do we do this verification without hurting the Restful API good practice standards (verbs appropriate for CRUD transactions) and maintaining security (Do not send sensitive info with GET)?