I was looking through multiple Stack Overflow questions and answers but wasn't able to get anything definitive when it comes to making a request to a server for login authentication and authorization.

My question: Is sending login credentials to the server for authentication and authorization in the body with content-type: application/json acceptable?

const handleSubmit = (e) => {
    e.preventDefault();
    const formData = new FormData(e.target);
    const [email, password] = formData.values();

    fetch('/login', {
        method: 'POST',
        headers : {'Content-Type' : 'application/json'},
        body: JSON.stringify({email, password})
    }).then(result =>{ //result is a Response object; its body is a ReadableStream
        return result.json();  //result.json() reads the body and parses it as JSON
    }).then(data => {
        if(data.isAuthenticated){
            handleUserAuthChange(true, ()=>{
                history.push('/vehicles');
            });
        }
    }).catch(err => console.log(err));
}

2 Answers

As long as you are using HTTPS, yes. This is a pretty common way of handling login requests.

vpzomtrrfrt

There is a great "tutorial" here on Stack Overflow.

Unless the connection is already secure (that is, tunneled through HTTPS using SSL/TLS), your login form values will be sent in cleartext, which allows anyone eavesdropping on the line between browser and web server to read logins as they pass through. This type of wiretapping is done routinely by governments, but in general, we won't address 'owned' wires other than to say this: Just use HTTPS.

In short, you want to always use HTTPS to be sure it's safe.

Orry
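
The "just use HTTPS" advice from both answers, applied on the client side as an added example (not code from the question or from either answer): the request is built only when the login endpoint resolves to an HTTPS URL. `buildLoginRequest`, the loopback exception for local development, and the sample URLs in the comments are assumptions made for illustration.

```javascript
// Added example: build the JSON login request only if it would travel over TLS.
// buildLoginRequest is a hypothetical helper, not part of the original code.
function buildLoginRequest(pageUrl, endpoint, email, password) {
    // Resolve a relative endpoint such as '/login' against the page URL,
    // the same way fetch() resolves it in the browser.
    const target = new URL(endpoint, pageUrl);

    // Assumption: plain http is tolerated for loopback hosts only (local development).
    const isLoopback = ['localhost', '127.0.0.1', '[::1]'].includes(target.hostname);
    const isHttps = target.protocol === 'https:';
    if (!isHttps && !(target.protocol === 'http:' && isLoopback)) {
        throw new Error(`Refusing to send credentials to ${target.origin} without HTTPS`);
    }

    // Credentials belong in the body: URLs end up in server logs,
    // browser history and Referer headers.
    if (target.search !== '' || target.username !== '' || target.password !== '') {
        throw new Error('Login URL must not carry credentials or query parameters');
    }

    return {
        url: target.href,
        init: {
            method: 'POST',
            headers: { 'Content-Type': 'application/json' },
            body: JSON.stringify({ email, password }),
            credentials: 'same-origin', // session cookies only for this origin
            redirect: 'error',          // fail instead of re-posting the body to a redirect target
        },
    };
}

// In the browser, inside handleSubmit:
//   const { url, init } = buildLoginRequest(window.location.href, '/login', email, password);
//   fetch(url, init).then(res => res.json()) ...
```

The server still has to enforce HTTPS itself; this check only stops the page from submitting the form when it was loaded over plain HTTP.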