add comments to warn devs of security impacts

server-cli/src/web/ui/api.rs

@@ -64,6 +64,8 @@ async fn log_users<B>(
     Ok(next.run(req).await)
 }
 
+//TODO: do security audit before we extend this api with more security relevant
+// functionality (e.g. account management)
 pub fn router(web_ui_request_s: UiRequestSender, secret_token: String) -> Router {
     let token = UiApiToken { secret_token };
     let ip_addrs = IpAddresses::default();

server-cli/src/web/ui/mod.rs

@@ -67,6 +67,8 @@ Ui is only accessible from 127.0.0.1. Usage of proxies is forbidden.
 
     let cookie = format!("X-Secret-Token={}; SameSite=Strict", token.secret_token);
 
+    //Note: at this point we give a user our secret for the Api, this is only
+    // intended for local users, protect this route against the whole internet
     response.headers_mut().insert(
         SET_COOKIE,
         HeaderValue::from_str(&cookie).expect("An invalid secret-token for ui was provided"),