for local users, or redirecting to IndieAuth server and persisting transient state
in session cookie.
- `getAdminIA` interprets the returning redirect from the IndieAuth server.
+
+### Other Notes
+
+The logger used should be able to mask these context fields:
+
+- `ctx.parsedBody.credential`
+- `ctx.parsedBody.credential-old`
+- `ctx.parsedBody.credential-new`
+- `ctx.parsedBody.credential-new-2`
+- `ctx.otpKey`
+- `ctx.otpConfirmBox`
+- `ctx.otpConfirmKey`
+- `ctx.otpState`