From 355eb782b862a84a973eccefe47e9f38addb30ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ricardo=20Iv=C3=A1n=20Vieitez=20Parra?=
 <3857362+corrideat@users.noreply.github.com>
Date: Thu, 12 Dec 2024 12:43:19 +0000
Subject: [PATCH] Types and comments

---
 backend/routes.js                 | 7 ++++++-
 shared/domains/chelonia/Secret.js | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/backend/routes.js b/backend/routes.js
index d2c51c084..b61a06c8a 100644
--- a/backend/routes.js
+++ b/backend/routes.js
@@ -119,7 +119,9 @@ route.POST('/event', {
       const saltUpdateToken = request.headers['shelter-salt-update-token']
       let updateSalts
       if (saltUpdateToken) {
-        // ..
+        // If we've got a salt update token (i.e., a password change), fetch
+        // the username associated to the contract to see if they match, and
+        // then validate the token
         const name = request.headers['shelter-name']
         const namedContractID = name && await sbp('backend/db/lookupName', name)
         if (namedContractID !== deserializedHEAD.contractID) {
@@ -128,6 +130,9 @@ route.POST('/event', {
         updateSalts = await redeemSaltUpdateToken(name, saltUpdateToken)
       }
       await sbp('backend/server/handleEntry', deserializedHEAD, request.payload)
+      // If it's a salt update, do it now after handling the message. This way
+      // we make it less likely that someone will end up locked out from their
+      // identity contract.
       await updateSalts?.(deserializedHEAD.hash)
       if (deserializedHEAD.isFirstMessage) {
         // Store attribution information
diff --git a/shared/domains/chelonia/Secret.js b/shared/domains/chelonia/Secret.js
index 27620860d..da7e2b4ab 100644
--- a/shared/domains/chelonia/Secret.js
+++ b/shared/domains/chelonia/Secret.js
@@ -23,10 +23,13 @@ export class Secret<T> {
   }
 
   constructor (value: T) {
+    // $FlowFixMe[escaped-generic]
     wm.set(this, value)
   }
 
   valueOf (): T {
+    // $FlowFixMe[escaped-generic]
+    // $FlowFixMe[incompatible-return]
     return wm.get(this)
   }
 }