docs: add explanatory comment to clarify validation logic

One Saturday morning, not long after finishing my coffee, I
freaked out thinking I had borked the v4 validation logic. I
started changing the logic thinking I needed to do a security
release. I stepped back and thought, "hold on a minute, I
should have more trust and faith in my initial implementation."
And so I rolled it back and realised it actually was fine.

But, for this purpose, I've added a comment in the code.

Author: psibean

src/index.ts

@@ -134,6 +134,9 @@ export function doubleCsrf({
 
     if (typeof receivedHmac !== "string" || typeof randomValue !== "string" || randomValue === "") return false;
 
+    // The reason it's safe for us to only validate the hmac and random value from the cookie here
+    // is because we've already checked above whether the token in the cookie and the token provided
+    // by the request are the same.
     const message = constructMessage(req, randomValue);
     for (const secret of possibleSecrets) {
       const hmacForSecret = generateHmac(secret, message);