X-Git-Url: https://git.auder.net/?p=vchess.git;a=blobdiff_plain;f=server%2Froutes%2Fusers.js;h=1d553dba74ecba1e247f273c88b0821fc5dda68a;hp=163dc30132977dcf1f5c43b533cc5e0a9acd33cc;hb=58e7b94e6e1a8d5721b9211b45c40e65fc13f600;hpb=d36ca1989daec86e5ad4b2e65c8a045af171fafd
diff --git a/server/routes/users.js b/server/routes/users.js
index 163dc301..1d553dba 100644
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -7,6 +7,7 @@ var genToken = require("../utils/tokenGenerator");
 var access = require("../utils/access");
 var params = require("../config/parameters");
+// NOTE: this method is safe because the sessionToken must be guessed
 router.get("/whoami", access.ajax, (req,res) => {
 const callback = (user) => {
 return res.json({
@@ -27,6 +28,7 @@ router.get("/whoami", access.ajax, (req,res) => {
 });
 });
+// NOTE: this method is safe because only IDs and names are returned
 router.get("/users", access.ajax, (req,res) => {
 const ids = req.query["ids"];
 UserModel.getByIds(ids, (err,users) => {
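Review bot: The comment added above the `/whoami` route asserts a safety property that nothing in this hunk establishes: it holds only if the session token is unguessable, which depends on how the token is generated (presumably in `../utils/tokenGenerator`) and how the route looks it up. I would state the assumption in the comment itself, e.g. `// NOTE: safe only while sessionToken comes from a cryptographically secure generator with enough entropy; the token is the sole credential checked here`. The route body continues past the end of the hunk, so where the token is read from and how it is matched cannot be confirmed from these lines.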
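Review bot: The comment added above the `/users` route argues safety from what is returned, but the visible lines pass `req.query["ids"]` to `UserModel.getByIds` with no type or format check. If `getByIds` builds its query by interpolating that value (not visible here), the claim does not hold, and Express can also deliver `ids` as an array or object rather than a string. I would validate before the call, e.g. `if (typeof ids !== "string" || !/^\d+(,\d+)*$/.test(ids)) return res.status(400).end();`, and extend the comment to say the input is checked as well as the output. The callback body continues outside the hunk.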