Tags: amazon-cognito, aws-amplify, srp-protocol

Why does Amplify for AWS Cognito send new passwords in plain text when SRP is enabled?


We are using Amplify with AWS Cognito, using SRP. From our understanding of SRP, passwords should not be sent in plain text over the network.

When the user is required to change their password on login, we use the Auth.completeNewPassword method. Looking at the request, the password is clearly sent in plain text. Why is this?


Solution

  • This is because even in SRP you need to send the password at least once to the server.

    When you sign up or change your password you send two values to the server: username and password. The server generates a new salt for that username and calculates a value called the verifier using (among other things) the username, password and salt. Then it stores the following information: username, salt and verifier.

    From now on you no longer need the password to be sent over the wire.
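To make the answer concrete, here is an added example (not code from the answer, nor from Amplify or Cognito) of the two SRP-6a phases it describes: registration, where the server receives the password once and keeps only (username, salt, verifier), and a later login, where both sides reach the same session key without the password ever being sent. It assumes SHA-256 and the 1024-bit group from RFC 5054; real deployments use larger groups, and the client side runs in the user's app rather than in the same function.

```python
import hashlib
import os

# RFC 5054 1024-bit SRP group (N, g); chosen for illustration, Cognito uses a larger group.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def private_x(username: str, password: str, salt: bytes) -> int:
    # x = H(salt | H(username ":" password)), the RFC 5054 derivation
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def register(username: str, password: str) -> dict:
    """Sign-up / password change: the only time the password reaches the server.
    The server picks a salt, derives v = g^x mod N and stores just (username, salt, v)."""
    salt = os.urandom(16)
    v = pow(g, private_x(username, password, salt), N)
    return {"username": username, "salt": salt, "verifier": v}

def authenticate(record: dict, password: str) -> bool:
    """Later login, both sides simulated here: the server holds only `record`,
    the client holds only `password`; they agree on S iff the password matches v."""
    a = int.from_bytes(os.urandom(32), "big")          # client ephemeral secret
    b = int.from_bytes(os.urandom(32), "big")          # server ephemeral secret
    A = pow(g, a, N)                                   # client -> server
    B = (k * record["verifier"] + pow(g, b, N)) % N    # server -> client, with the salt
    if A % N == 0 or B % N == 0:
        return False                                   # SRP-6a abort conditions
    u = H(pad(A), pad(B))
    x = private_x(record["username"], password, record["salt"])   # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(record["verifier"], u, N), b, N)       # no password needed
    return S_client == S_server
```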