extra comments

app.py

@@ -63,6 +63,8 @@ def user_loader(user_id):
 # than getting the user name the standard way (from the session cookie)
 @login_manager.request_loader
 def request_loader(request):
+    # Even though this HTTP header is primarily used for *authentication*
+    # rather than *authorization*, it's still called "Authorization".
     auth = request.headers.get('Authorization')
 
     # If there is not Authorization header, do nothing, and the login
@@ -78,7 +80,7 @@ def request_loader(request):
         u = users.get(uid)
         if u: # and check_password(u.password, passwd):
             return user_loader(uid)
-    elif auth_scheme == 'bearer': # Bearer auth contains an access token
+    elif auth_scheme == 'bearer': # Bearer auth contains an access token;
         # an 'access token' is a unique string that both identifies
         # and authenticates a user, so no username is provided (unless
         # you encode it in the token – see JWT (JSON Web Token), which
@@ -91,10 +93,13 @@ def request_loader(request):
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
 
     # If we failed to find a valid Authorized header or valid credentials, fail
-    # with 401 Unauthorized and a list of valid authentication schemes
+    # with "401 Unauthorized" and a list of valid authentication schemes
     # (The presence of the Authorized header probably means we're talking to
     # a program and not a user in a browser, so we should send a proper
     # error message rather than redirect to the login page.)
+    # (If an authenticated user doesn't have authorization to view a page,
+    # Flask will send a "403 Forbidden" response, so think of
+    # "Unauthorized" as "Unauthenticated" and "Forbidden" as "Unauthorized")
     abort(HTTPStatus.UNAUTHORIZED, www_authenticate = WWWAuthenticate('Basic realm=inf226, Bearer'))
 
 def pygmentize(text):