# HG changeset patch
# User Kim Alvefur
# Date 1701462925 -3600
# Node ID d563a6b0dfb7a7bedd8f1e6f0e26ec226dac6090
# Parent c89077b4f46e56a1e1ae9e8da607d4a1f1f2021b
mod_http_oauth2: Comment on authorization code storage
diff -r c89077b4f46e -r d563a6b0dfb7 mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Dec 01 21:32:33 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Dec 01 21:35:25 2023 +0100
@@ -215,12 +215,19 @@
 return code_expires_in(code) < 0;
 end
+-- LRU cache for short-term storage of authorization codes and device codes
 local codes = cache.new(10000, function (_, code)
+ -- If the cache is full and the oldest item hasn't expired yet then we
+ -- might be under some kind of DoS attack, so might as well reject further
+ -- entries for a bit.
 return code_expired(code)
 end);
 -- Clear out unredeemed codes so they don't linger in memory.
 module:daily("Clear expired authorization codes", function()
+ -- The tail should be the least recently touched item, and most likely to
+ -- have expired already, so check and remove that one until encountering
+ -- one that has not expired.
 local k, code = codes:tail();
 while code and code_expired(code) do
 codes:set(k, nil);
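Review bot: The comment added inside the `cache.new` callback gives the intent but not the mechanism or the caller's obligation. It should say that returning false refuses the eviction, so inserting a new code fails while the cache holds 10000 unexpired entries, for example `-- Returning false keeps the oldest entry and makes codes:set() fail; callers must check the result and fail the request.` Whether the `codes:set` call sites check that result is not visible in this hunk and is worth confirming, since an unchecked failure would issue a code that was never stored. The `module:daily` comment could also note that the tail is the least recently touched entry, not necessarily the first to expire if authorization codes and device codes have different lifetimes. That loop continues past the end of the hunk, and it may stop before reaching expired entries that sit further in.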