Surfaced by independent review of PR #24 (#11). Trivial cleanup.
Problem
The handler() docstring in src/lambdas/nb_oauth_callback/handler.py still says the state parameter is {user_id, nb_slug, redirect_uri} carried from the client. After the CSRF hardening, state is an opaque single-use nonce validated server-side, and those fields come from the trusted DynamoDB record — not the client. The docstring will mislead the next engineer.
Acceptance Criteria
Can be folded into another small PR. Source: PR #24 review.
Surfaced by independent review of PR #24 (#11). Trivial cleanup.
Problem
The
handler()docstring insrc/lambdas/nb_oauth_callback/handler.pystill says thestateparameter is{user_id, nb_slug, redirect_uri}carried from the client. After the CSRF hardening,stateis an opaque single-use nonce validated server-side, and those fields come from the trusted DynamoDB record — not the client. The docstring will mislead the next engineer.Acceptance Criteria
Can be folded into another small PR. Source: PR #24 review.