From 976b506a58f76a39e0793bc70f7e8784c57d3b23 Mon Sep 17 00:00:00 2001
From: Daniel <daniel@harvey>
Date: Wed, 8 Jul 2020 09:55:00 +0200
Subject: [PATCH] DOC: A bit more documentation.

---
 .../SelfValidatingAuthenticationToken.java             | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/main/java/caosdb/server/accessControl/SelfValidatingAuthenticationToken.java b/src/main/java/caosdb/server/accessControl/SelfValidatingAuthenticationToken.java
index 4eab5003..8a3ccb75 100644
--- a/src/main/java/caosdb/server/accessControl/SelfValidatingAuthenticationToken.java
+++ b/src/main/java/caosdb/server/accessControl/SelfValidatingAuthenticationToken.java
@@ -147,7 +147,13 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
   @Override
   public abstract String toString();
 
-  /** Implementation specific version of a peppered checksum. */
+  /** Implementation specific version of a peppered checksum.
+   *
+   * For secure opration, implementing classes must make sure that the pepper is actually used in
+   * calculating the checksum and that the checksum can not be used to infer information about the
+   * pepper.  This can be achieved for example by using the {@link calcChecksum(final Object... fields)}
+   * method.
+   */
   public abstract String calcChecksum(String pepper);
 
   /** No credentials (returns null), since this token is self-validating. */
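Review bot: The new Javadoc on `calcChecksum(String pepper)` contains a typo and a link that Javadoc will not resolve. "opration" should be "operation", and the reference should use the member form without `final` or a parameter name: `{@link #calcChecksum(Object...)}`. Because this comment is the only statement of a security contract for implementers, it would help to say what is required, for example `The pepper must enter the checksum only through a one-way cryptographic hash or MAC over all token fields.` Whether the referenced helper already works that way is not visible in this hunk, and the class body starts and ends outside it.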
@@ -214,7 +220,7 @@ public abstract class SelfValidatingAuthenticationToken extends Principal
       case "S":
         return SessionToken.parse(array);
       default:
-        throw new AuthenticationException("Could not parse the authtoken string.");
+        throw new AuthenticationException("Could not parse the authtoken string (unknown type).");
     }
   }
 
-- 
GitLab