The authorize action is used for authorizing off-session payments where the order is *already complete* and the order cycle may have closed (backoffice and subscriptions). They are essentially asynchronous and not coupled to the current open/closed state of the order cycle.
This Stripe-payment-authorizing logic is used by backoffice and subscriptions orders (but not the checkout), and was previously being handled by the #show action in Spree::OrdersController. It involves the user being redirected back to OFN after visiting a Stripe URL.
There are 4 or 5 different places in the app where we reference a :token and params[:token] for completely different purposes (they're not even vaguely the *same* token).
This is an attempt to clarify the places in the app where we use params[:token] in relation to *orders*, for allowing guest users (who are not logged in) to view details of an order they have placed (like after checkout completion), and differentiate it from the various other places where params[:token] can actually be used for something entirely different!
