TLS is a must-have. They don't bother doing any kind of password hashing on login. It's sent in cleartext.

That's no different from how just about any other webapp works.

"Bothering" with client-side password hashing, in the absence of TLS, is security theater. It provides only the most trivial protection against eavesdroppers.

If someone can steal an unhashed password, then they can also steal whatever hash you send instead. If you try to fix this with some kind of ad-hoc challenge-response protocol, then the attacker can just steal your session cookie after login.

There shouldn't even be a question of using insecure HTTP for anything that requires authentication.
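
The argument in this comment as an offline simulation (an added example, not part of the thread; the `Server` class, the credentials and all function names are constructed for illustration). Everything the simulated client sends is treated as visible on plain HTTP, and the result shows which of those observed values the server still accepts afterwards.

```python
import hashlib, hmac, secrets

USER, PASSWORD = "alice", "correct horse battery staple"  # constructed sample values

def client_hash(password):
    # What a "client-side hashing" login form sends instead of the password.
    return hashlib.sha256(password.encode()).hexdigest()

def respond(password, nonce):
    # Ad-hoc challenge-response: HMAC of the server's nonce, keyed with the hash.
    return hmac.new(client_hash(password).encode(), nonce.encode(), "sha256").hexdigest()

class Server:  # hypothetical toy server, no network involved
    def __init__(self):
        self.stored = {USER: client_hash(PASSWORD)}
        self.nonces, self.sessions = {}, {}

    def _session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_with_hash(self, user, sent):
        ok = hmac.compare_digest(self.stored.get(user, ""), sent)
        return self._session(user) if ok else None

    def challenge(self, user):
        self.nonces[user] = secrets.token_hex(16)
        return self.nonces[user]

    def login_with_response(self, user, response):
        nonce = self.nonces.pop(user, None)  # each nonce is single-use
        if nonce is None:
            return None
        key = self.stored.get(user, "").encode()
        expected = hmac.new(key, nonce.encode(), "sha256").hexdigest()
        return self._session(user) if hmac.compare_digest(expected, response) else None

def simulate():
    server = Server()
    seen_hash = client_hash(PASSWORD)                      # on the wire, scheme 1
    seen_resp = respond(PASSWORD, server.challenge(USER))  # on the wire, scheme 2
    seen_cookie = server.login_with_response(USER, seen_resp)  # Set-Cookie, also on the wire
    server.challenge(USER)  # a later login attempt gets a fresh nonce
    return {
        "hash_replay_accepted": server.login_with_hash(USER, seen_hash) is not None,
        "response_replay_accepted": server.login_with_response(USER, seen_resp) is not None,
        "cookie_replay_user": server.sessions.get(seen_cookie),
    }

if __name__ == "__main__":
    print(simulate())
```

The hash works as the password, the nonce only stops replay of the login message itself, and the session cookie remains a bearer credential; only transport encryption keeps all three away from an eavesdropper.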