Add a small note about the authorization confirmation endpoint data

Change-Id: I145777043c043163f7c7f3acbb405994d73b479f
author: Vika <vika@fireburn.ru> 2025-01-03 14:05:02 +0300
committer: Vika <vika@fireburn.ru> 2025-01-03 14:05:02 +0300
commit: e8aa12a52afa46dc9d0533b82c510f7178440ab3 (patch)
tree: 2f9eac49d07ea439faa01fd5d3745851624ff5d6 /src/indieauth/mod.rs
parent: db845e8cc6e3802ed8dde04f9c2aab078e36417d (diff)
download: kittybox-e8aa12a52afa46dc9d0533b82c510f7178440ab3.tar.zst
1 files changed, 7 insertions, 0 deletions
diff --git a/src/indieauth/mod.rs b/src/indieauth/mod.rs
index ab38715..00ae393 100644
--- a/src/indieauth/mod.rs
+++ b/src/indieauth/mod.rs
@@ -281,6 +281,13 @@ enum Credential {
     WebAuthn(::webauthn::prelude::PublicKeyCredential)
 }
 
+// The IndieAuth standard doesn't prescribe a format for confirming
+// authorizations, since that's supposed to be internal to the
+// server. We are merely passing through the authorization request,
+// so the endpoint is stateless, plus a credential.
+//
+// CSRF protection is supposed to be taken care of by the IndieAuth
+// data we are passing through.
 #[derive(Deserialize, Debug)]
 struct AuthorizationConfirmation {
     authorization_method: Credential,
author	Vika <vika@fireburn.ru>	2025-01-03 14:05:02 +0300
committer	Vika <vika@fireburn.ru>	2025-01-03 14:05:02 +0300
commit	e8aa12a52afa46dc9d0533b82c510f7178440ab3 (patch)
tree	2f9eac49d07ea439faa01fd5d3745851624ff5d6 /src/indieauth/mod.rs
parent	db845e8cc6e3802ed8dde04f9c2aab078e36417d (diff)
download	kittybox-e8aa12a52afa46dc9d0533b82c510f7178440ab3.tar.zst