A weird security bug

I have just found quite a worrying security bug. I am using token-based auth and have just deployed my application for the first time. The login fails with a 401 (but it works within the editor) then the username and password gets logged out as plaintext in the URL.

image (5)