Tags: reactjs, security, routes, token, man-in-the-middle

Is it unsafe putting the username and token in a "https" page route?


I'm looking for the best practice and safe approach to handling a "renew-password" page in a SPA. The user will get redirected with "username" and a temporary token from the "login" page when his password has expired. So far I found multiple options:

Other options that aren't dealing with URL:

But my main question is: is putting this data into the URL safe or not? Can a man-in-the-middle hijack the data even over the "https" protocol?


Solution

  • You usually do not put secrets into URLs. The reason is that every load balancer or proxy along the way is allowed to log URLs for debug reasons. We don't want our secrets to leak just because logs leaked.

    There is one exception to this rule - when the secret is a one-time-only secret, i.e. when it is invalidated right after it is used. The reason for this exception is that there would be no other way of passing secrets over, e.g., e-mail.

    If HTTPS is done right, nobody should be able to hijack the data. The URL is part of the HTTP payload and will be encrypted as a whole, if this is what you are concerned with.