From e8aa12a52afa46dc9d0533b82c510f7178440ab3 Mon Sep 17 00:00:00 2001
From: Vika
Date: Fri, 3 Jan 2025 14:05:02 +0300
Subject: Add a small note about the authorization confirmation endpoint data
Change-Id: I145777043c043163f7c7f3acbb405994d73b479f
---
 src/indieauth/mod.rs | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'src/indieauth')
diff --git a/src/indieauth/mod.rs b/src/indieauth/mod.rs
index ab38715..00ae393 100644
--- a/src/indieauth/mod.rs
+++ b/src/indieauth/mod.rs
@@ -281,6 +281,13 @@ enum Credential {
 WebAuthn(::webauthn::prelude::PublicKeyCredential)
 }
+// The IndieAuth standard doesn't prescribe a format for confirming
+// authorizations, since that's supposed to be internal to the
+// server. We are merely passing through the authorization request,
+// so the endpoint is stateless, plus a credential.
+//
+// CSRF protection is supposed to be taken care of by the IndieAuth
+// data we are passing through.
 #[derive(Deserialize, Debug)]
 struct AuthorizationConfirmation {
 authorization_method: Credential,
--
cgit 1.4.1
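Review bot: The CSRF paragraph of the added comment ("supposed to be taken care of by the IndieAuth data we are passing through") does not name which field provides that protection, and the `state` parameter of an IndieAuth request is set by the client to protect its own redirect handling, not a server-side confirmation endpoint. From the visible fields, what a forged cross-site submission would lack is the `authorization_method` credential, so if that is the intended guarantee the comment should say so, e.g. `// CSRF: a confirmation is only accepted together with a valid credential, so a forged cross-site request without one fails.` The handler is outside this hunk, so it is worth confirming that it verifies the credential before acting on the passed-through request. Writing the block with `///` instead of `//` would also attach it to `AuthorizationConfirmation` in rustdoc; the struct body continues past the end of the hunk.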