I looked at the password-auth template and even if I remove the first console.log(event). The whole event + cleartext passwords are getting logged in the function log