username and password is shown in logs in plain text

[Simpler1]

Describe Your Environment

• latest master branch development environment from 8-Apr-2024
• Built using docker with https://github.com/zoneminder-containers/eventserver-base

Describe the bug
Log file for nginx shows my username and password in plain text:
306 [nginx] 192.168.96.1 - - [09/Apr/2024:12:57:29 -0400] "GET /api/zones/forMonitor/2.json?username=user1&password=my_pass&user=user1&pass=my_pass HTTP/1.1" 200 500 "-" "Python-urllib/3.11" "-"
The other lines in the log file are showing a token (as they should).

Expected behavior
password should not be sent in the GET request and should not be shown in the log file.

OPT_USE_LEGACY_API_AUTH is toggled off.

[welcome]

Thanks for opening your first issue here! Just a reminder, this forum is for Bug Reports only. Be sure to follow the issue template!

[Simpler1]

This is actually coming from:
https://github.com/ZoneMinder/zmeventnotification/tree/6b45c0f6757f2fa4d710ba950a0f6016f440aac3/hook/zmes_hook_helpers/utils.py

# Imports zone definitions from ZM
def import_zm_zones(mid, reason):

    match_reason = False
    if reason:
        match_reason = True if g.config['only_triggered_zm_zones']=='yes' else False
    g.logger.Debug(2,'import_zm_zones: match_reason={} and reason={}'.format(match_reason, reason))

    url = g.config['api_portal'] + '/zones/forMonitor/' + mid + '.json'
    g.logger.Debug(2,'Getting ZM zones using {}?username=xxx&password=yyy&user=xxx&pass=yyy'.format(url))
    url = url + '?username=' + g.config['user']
    url = url + '&password=' + urllib.parse.quote(g.config['password'], safe='')
    url = url + '&user=' + g.config['user']
    url = url + '&pass=' + urllib.parse.quote(g.config['password'], safe='')

Can this be changed to use the token instead?