From cacbd577523af7159547f47f98815eb4ff2f3d9d Mon Sep 17 00:00:00 2001
From: Marcel
Date: Wed, 29 Apr 2026 01:10:30 +0200
Subject: [PATCH] docs(person-mention): document implicit auth assumption on typeahead fetch

Sina #5505 concern 2: the typeahead silently relies on the Vite-proxy cookie injection + same-origin policy for auth. Spell that out in the fetch site so the next reader doesn't have to derive it from the proxy config.

Co-Authored-By: Claude Sonnet 4.6
---
 frontend/src/lib/components/PersonMentionEditor.svelte | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/frontend/src/lib/components/PersonMentionEditor.svelte b/frontend/src/lib/components/PersonMentionEditor.svelte
index e194e0e2..57c6102b 100644
--- a/frontend/src/lib/components/PersonMentionEditor.svelte
+++ b/frontend/src/lib/components/PersonMentionEditor.svelte
@@ -94,6 +94,11 @@ function scheduleSearch(q: string) {
 }
 debounceTimer = setTimeout(async () => {
 try {
+ // SECURITY: relies on the SvelteKit Vite proxy injecting the auth_token
+ // cookie as the Authorization header (vite.config.ts) and on the
+ // browser's same-origin policy for the /api/* path. Mounted in
+ // transcribe mode behind WRITE_ALL — never reachable to unauthenticated
+ // users.
 const res = await fetch(`/api/persons?q=${encodeURIComponent(q)}`);
 if (res.ok) {
 const data: Person[] = await res.json();
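Review bot: The new comment presents a client-side mount condition as the authorization boundary (`Mounted in transcribe mode behind WRITE_ALL — never reachable to unauthenticated users`), but gating the component does not protect `/api/persons` — anyone can issue that GET directly, so the only real control is whatever the backend enforces on the `Authorization` header, and the comment should state that instead of implying the UI gate matters. The same-origin-policy sentence is also imprecise: SOP stops a cross-origin page from reading the response, not from sending a cookie-bearing request, so it only holds while the API does not answer credentialed requests with permissive CORS headers. If the cookie-to-header injection lives in Vite's `server.proxy` (vite.config.ts is not visible here), that proxy exists only under `vite dev`; the production path through the SvelteKit adapter or a reverse proxy must do the same, and the comment should name where that is configured or mark the mechanism as dev-only. Suggested replacement for the first sentence: `// SECURITY: auth is enforced server-side on /api/persons; the auth_token cookie is turned into an Authorization header by the proxy in front of the API (dev: vite.config.ts server.proxy — confirm the production equivalent). UI gating behind WRITE_ALL is not a security boundary.` The enclosing `scheduleSearch` timer callback and its `try` block continue outside the hunk.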