From a45a899137b23f95c2f58025e3e06109bdf82a94 Mon Sep 17 00:00:00 2001
From: Xavier Priour <xavier.priour@bubblyware.com>
Date: Thu, 17 Dec 2015 13:11:33 +0100
Subject: Improved doc on server-side export route

---
 models/export.js | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'models/export.js')

diff --git a/models/export.js b/models/export.js
index 9fbcbcef..e250d935 100644
--- a/models/export.js
+++ b/models/export.js
@@ -1,5 +1,15 @@
 /* global JsonRoutes */
 if(Meteor.isServer) {
+  // todo XXX once we have a real API in place, move that route there
+  /*
+   * This route is used to export the board FROM THE APPLICATION.
+   * We want to identify the logged-in user without asking for password again,
+   * but the server-side API routing has no notion of "current user".
+   * So we have to pass login information (id + token) to authenticate.
+   *
+   * See https://blog.kayla.com.au/server-side-route-authentication-in-meteor/
+   * for detailed explanations
+   */
   JsonRoutes.add('get', '/api/b/:boardId/:userId/:loginToken', function (req, res) {
     const { userId, loginToken, boardId } = req.params;
     const hashToken = Accounts._hashLoginToken(loginToken);
-- 
cgit v1.2.3-1-g7c22