From 65c7362607784b49f1906bcb051120743faf2692 Mon Sep 17 00:00:00 2001
From: syeopite <syeopite@syeopite.dev>
Date: Tue, 25 Jul 2023 16:26:35 -0700
Subject: [PATCH] Update comments

---
 src/invidious/routes/account.cr | 21 +++++++++++++--------
 src/invidious/routes/login.cr   |  2 +-
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/src/invidious/routes/account.cr b/src/invidious/routes/account.cr
index c61767fb..d2fd81d7 100644
--- a/src/invidious/routes/account.cr
+++ b/src/invidious/routes/account.cr
@@ -460,16 +460,21 @@ module Invidious::Routes::Account
       secure = false
     end
 
-    # There are two routes we can go here.
-    # 1. Where the user is already logged in and is confirming a dangerous task.
-    # 2. The user is logging in.
     #
-    # The latter can be detected by the hidden email and password parameter
+    # The validate_2fa method is used in two cases:
+    # 1. To authenticate the user when logging in
+    # 2. To verify that the user wishes to proceed with a dangerous action.
+    #
+    # As we've verified that the totp given is correct we can now proceed with
+    # authenticating and/or redirecting the user back to where they came from
+    #
 
-    # If we have the email and password variables set then that means we are currently logging in
-    if email && password
-      # Verify the password
-      if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
+    logging_in = (email && password)
+
+    if logging_in
+      # Authenticate the user. The rest follows the code in login.cr
+      if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.not_nil!.byte_slice(0, 55))
+        #
         sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
         PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
 
diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr
index f50823a0..fdc0ead8 100644
--- a/src/invidious/routes/login.cr
+++ b/src/invidious/routes/login.cr
@@ -59,7 +59,7 @@ module Invidious::Routes::Login
         if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
           # If the password is correct then we'll go ahead and begin 2fa if applicable
           if user.totp_secret
-            csrf_token = nil # setting this to false for compatibility reasons.
+            csrf_token = nil # setting this to nil for compatibility reasons.
             return templated "user/validate_2fa"
           end