
POST requests are appending the parameters to the URL.

The Retrofit POST requests in the GitLab service interface appear to be appending the request parameters to the URL via the @Query annotation. This becomes a security issue on login because the user's credentials are exposed in the URL, and URLs (unlike request bodies) are routinely written to client and server logs. Example log:

.../com.commit451.gitlab I/TimberRequestInterceptor﹕ Sending request https://gitlab.com/api/v3/session?login=***&password=***

Recommendation: use the application/x-www-form-urlencoded MIME type by modifying the service methods as follows (@FormUrlEncoded on the method, @Field instead of @Query on the parameters):

	// Parameters are sent in the form-encoded request body, not in the URL.
	@FormUrlEncoded
	@POST(API_VERSION + "/session")
	Call<Session> getSessionByUsername(@Field("login") String login,
									   @Field("password") String password);

This ensures the user's credentials are sent in the request body and no longer appear in the request URL.
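To make the difference between the two annotations visible, here is an added example (not the app's own code) that runs both variants of the service method against a local OkHttp MockWebServer and inspects what actually went over the wire. It assumes Retrofit 2 with the Gson converter, OkHttp 3 and the okhttp mockwebserver artifact on the classpath; the Session model, the service interface names and the login values are hypothetical stand-ins.

```java
// Added example, not LabCoat/GitLab code. Assumes Retrofit 2 (retrofit, converter-gson),
// OkHttp 3 and okhttp mockwebserver on the classpath.
import java.io.IOException;

import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import retrofit2.Call;
import retrofit2.Retrofit;
import retrofit2.converter.gson.GsonConverterFactory;
import retrofit2.http.Field;
import retrofit2.http.FormUrlEncoded;
import retrofit2.http.POST;
import retrofit2.http.Query;

public class SessionLeakDemo {
    static final String API_VERSION = "/api/v3";

    // Minimal stand-in for the app's Session model (hypothetical).
    static class Session {
        String private_token;
    }

    // BEFORE: @Query on a POST appends login/password to the request URL.
    interface LeakyGitLabService {
        @POST(API_VERSION + "/session")
        Call<Session> getSessionByUsername(@Query("login") String login,
                                           @Query("password") String password);
    }

    // AFTER: @FormUrlEncoded + @Field puts them in the request body instead.
    interface FixedGitLabService {
        @FormUrlEncoded
        @POST(API_VERSION + "/session")
        Call<Session> getSessionByUsername(@Field("login") String login,
                                           @Field("password") String password);
    }

    /** True if the request line's path still carries a query string. */
    static boolean credentialsInUrl(RecordedRequest recorded) {
        return recorded.getPath().contains("?");
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        MockWebServer server = new MockWebServer();
        // One canned response per request; the client only cares that it parses.
        server.enqueue(new MockResponse().setBody("{\"private_token\":\"x\"}"));
        server.enqueue(new MockResponse().setBody("{\"private_token\":\"x\"}"));
        server.start();

        Retrofit retrofit = new Retrofit.Builder()
                .baseUrl(server.url("/"))
                .addConverterFactory(GsonConverterFactory.create())
                .build();

        // 1. Leaky variant: the path the server records contains the password.
        retrofit.create(LeakyGitLabService.class)
                .getSessionByUsername("alice", "s3cret").execute();
        RecordedRequest leaky = server.takeRequest();
        System.out.println("leaky path:  " + leaky.getPath());
        System.out.println("leaky creds in URL: " + credentialsInUrl(leaky));

        // 2. Fixed variant: bare path; credentials only in the form-encoded body.
        retrofit.create(FixedGitLabService.class)
                .getSessionByUsername("alice", "s3cret").execute();
        RecordedRequest fixed = server.takeRequest();
        System.out.println("fixed path:  " + fixed.getPath());
        System.out.println("fixed content-type: " + fixed.getHeader("Content-Type"));
        System.out.println("fixed body:  " + fixed.getBody().readUtf8());
        System.out.println("fixed creds in URL: " + credentialsInUrl(fixed));

        server.shutdown();
    }
}
```

The leaky variant records a path of the form `/api/v3/session?login=alice&password=s3cret`, which is exactly what the TimberRequestInterceptor log above printed; the fixed variant records `/api/v3/session` with a `Content-Type: application/x-www-form-urlencoded` header and the credentials only in the body. Two caveats for reviewers of the fix: moving the fields into the body keeps them out of URL-level logging and server access logs, but any interceptor that logs request bodies (for example OkHttp's HttpLoggingInterceptor at BODY level) will still print them, and the body is only protected in transit by TLS, which the https base URL already provides.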