diff --git a/core/server/web/oauth/app.js b/core/server/web/oauth/app.js index b00dc1d4a1..1d3492ed5f 100644 --- a/core/server/web/oauth/app.js +++ b/core/server/web/oauth/app.js @@ -25,27 +25,45 @@ module.exports = function setupOAuthApp() { // send 503 json response in case of maintenance oauthApp.use(shared.middlewares.maintenance); + /** + * Configure the passport.authenticate middleware + * We need to configure it on each request because clientId and secret + * will change (when the Owner is changing these settings) + */ function googleOAuthMiddleware(clientId, secret) { return (req, res, next) => { + // TODO: use url config instead of the string /ghost + + //Create the callback url to be sent to Google const callbackUrl = new URL(urlUtils.getSiteUrl()); callbackUrl.pathname = '/ghost/oauth/google/callback'; + passport.authenticate(new GoogleStrategy({ clientID: clientId, clientSecret: secret, callbackURL: callbackUrl.href }, async function (accessToken, refreshToken, profile) { + // This is the verify function that checks that a Google-authenticated user + // is matching one of our users (or invite). + if (req.user) { + // CASE: the user already has an active Ghost session const emails = profile.emails.filter(email => email.verified === true).map(email => email.value); if (!emails.includes(req.user.get('email'))) { return res.redirect('/ghost/#/staff/?message=oauth-linking-failed'); } + // TODO: configure the oauth data for this user (row in the oauth table) + //Associate logged-in user with oauth account req.user.set('password', randomPassword()); await req.user.save(); } else { + // CASE: the user is logging-in or accepting an invite + //Find user in DB and log-in + //TODO: instead find the oauth row with the email use the provider id const emails = profile.emails.filter(email => email.verified === true); if (emails.length < 1) { return res.redirect('/ghost/#/signin?message=login-failed'); 
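Review bot: The `//Associate logged-in user with oauth account` comment added before `req.user.set('password', randomPassword())` leaves out the security-relevant part of what follows: the user's stored password is replaced with a random value and saved, so the password they previously knew stops working once the link is made, and the comment should say so, e.g. `// Linking replaces the stored password with a random one, so the previously known password no longer works`. The `// CASE: the user already has an active Ghost session` comment would likewise be more useful if it stated why the email comparison follows it: only a Google account whose verified email matches the session user's email may be linked, otherwise an unrelated Google account could be attached to the current session. Separately, both branches call `profile.emails.filter(...)` with no guard, so if the provider ever omits `emails` the async verify callback throws a TypeError that nothing in this hunk catches; `const emails = (profile.emails || []).filter(email => email.verified === true)` would route that case to the existing `login-failed` redirect instead. The verify callback and the enclosing `googleOAuthMiddleware` continue past the hunk.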
@@ -57,6 +75,8 @@ module.exports = function setupOAuthApp() { }); if (!user) { + // CASE: the user is accepting an invite + // TODO: move this code in the invitations service const options = {context: {internal: true}}; let invite = await models.Invite.findOne({email, status: 'sent'}, options); @@ -73,6 +93,8 @@ module.exports = function setupOAuthApp() { }, options); await invite.destroy(options); + + // TODO: create an oauth model link to user } req.user = user;