- * @param {Console} logger
- * @param {AuthDBInterface} db
- * @param {Object} options
- * @param {String|String[]} options.encryptionSecret
- * @param {Object} options.authenticator
- * @param {Boolean} options.authenticator.secureAuthOnly
- * @param {String[]} options.authenticator.forbiddenPAMIdentifiers
- * @param {String[]} options.authenticator.authnEnabled in order of preference for storing new credentials
- * @param {Number=} options.authenticator.inactiveSessionLifespanSeconds
- * @param {String[]=} options.authenticator.loginBlurb
- * @param {String[]=} options.authenticator.indieAuthBlurb
- * @param {String[]=} options.authenticator.userBlurb
- * @param {String[]=} options.authenticator.otpBlurb
- * @param {String=} options.dingus
- * @param {String=} options.dingus.proxyPrefix
+ * @typedef {object} ConsoleLike
+ * @property {Function} debug log debug
+ * @property {Function} error log error
+ * @property {Function} info log info
+ */
+ /**
+ * @param {ConsoleLike} logger logger instance
+ * @param {AuthDBInterface} db db instance
+ * @param {object} options options
+ * @param {string | string[]} options.encryptionSecret encryption secret
+ * @param {object} options.authenticator authenticator options
+ * @param {boolean=} options.authenticator.secureAuthOnly disable auth over non-https
+ * @param {string=} options.authenticator.sessionCookieSameSite sameSite setting for session cookie, default Lax
+ * @param {string[]=} options.authenticator.forbiddenPAMIdentifiers reject these identifiers for PAM auth
+ * @param {string[]=} options.authenticator.authnEnabled in order of preference for storing new credentials
+ * @param {number=} options.authenticator.inactiveSessionLifespanSeconds session timeout
+ * @param {string[]=} options.authenticator.loginBlurb text for login page
+ * @param {string[]=} options.authenticator.indieAuthBlurb text for indieauth login section
+ * @param {string[]=} options.authenticator.userBlurb text for local user login section
+ * @param {string[]=} options.authenticator.otpBlurb text for otp entry
+ * @param {object=} options.dingus dingus options
+ * @param {string=} options.dingus.proxyPrefix base url prefix