Let us break down our previous replies for you: once our server gets the "plaintext" password over HTTPS [...] so your password is never actually exposed to us.
After you get the plaintext password, you do something with it and it is never exposed to you. Sure.
That's one of the most contradictory conversations I had in a while.
You admit that your server receives the password in plain text, but refuse to accept that you have access to it.
Our custom build framework has built-in CSRF AND SQL injection filters in place [...]
Do you even know how CSRF works?
Thanks for confirming that you actually have no clue.