From d2b7c287fcd07d7876af8db9a525b7625e0be61b Mon Sep 17 00:00:00 2001
From: Matthias Pfefferle <pfefferle@users.noreply.github.com>
Date: Mon, 22 May 2023 13:35:46 +0200
Subject: [PATCH] code doc

---
 includes/rest/class-server.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/rest/class-server.php b/includes/rest/class-server.php
index 7e52772..351284d 100644
--- a/includes/rest/class-server.php
+++ b/includes/rest/class-server.php
@@ -88,6 +88,7 @@ class Server {
 	public static function authorize_activitypub_requests( $response, $handler, $request ) {
 		$route = $request->get_route();
 
+		// check if it is an activitypub request and exclude webfinger and nodeinfo endpoints
 		if (
 			! str_starts_with( $route, '/' . ACTIVITYPUB_REST_NAMESPACE ) ||
 			str_starts_with( $route, '/' . \trailingslashit( ACTIVITYPUB_REST_NAMESPACE ) . 'webfinger' ) ||
@@ -96,12 +97,13 @@ class Server {
 			return $response;
 		}
 
+		// POST-Requets are always signed
 		if ( 'POST' === $request->get_method() ) {
 			$verified_request = Signature::verify_http_signature( $request );
 			if ( \is_wp_error( $verified_request ) ) {
 				return $verified_request;
 			}
-		} elseif ( 'GET' === $request->get_method() ) {
+		} elseif ( 'GET' === $request->get_method() ) { // GET-Requests are only signed in secure mode
 			if ( ACTIVITYPUB_SECURE_MODE ) {
 				$verified_request = Signature::verify_http_signature( $request );
 				if ( \is_wp_error( $verified_request ) ) {