I've added comment support to this blog. Currently it's available via the web interface for Mastodon users. It uses the Mastodon API to authenticate a user similar to how OpenID works. The user info is then stored in a JWT in the user's cookie - the user info doesn't enter my database until they actually make a comment.

It's important to consider bad actors when accepting user input. All commenters are considered "untrusted" users by default, can only comment on posts less than a week old, and need to be accepted manually by me. I may add a "trusted user" type later on, but this I think is the bare minimum for a safe comments system.
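
The two paragraphs above describe a stateless signed cookie and a moderation gate. The sketch below is an added example, not this blog's actual code. It assumes an HS256-signed token, and the claim names (`sub`, `exp`), the record fields and the function names are hypothetical.

```python
import base64, hashlib, hmac, json

WEEK = 7 * 24 * 3600                     # page: only posts less than a week old accept comments
HEADER = {"alg": "HS256", "typ": "JWT"}  # assumption: HMAC-SHA256 signed token

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(key: bytes, signing_input: str) -> str:
    return _b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue_token(key: bytes, acct: str, now: float, ttl: int = 3600) -> str:
    """Pack the authenticated identity into a cookie value; nothing is stored server-side."""
    claims = {"sub": acct, "exp": int(now) + ttl}  # hypothetical claim names
    signing_input = _b64(json.dumps(HEADER).encode()) + "." + _b64(json.dumps(claims).encode())
    return signing_input + "." + _sign(key, signing_input)

def verify_token(key: bytes, token: str, now: float):
    """Return the claims, or None if the cookie is malformed, forged or expired."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(key, head + "." + body)):
            return None
        # Pin the algorithm: the token never chooses how it is verified.
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

def submit_comment(key, token, post_published, text, now):
    """Apply the rules above; the returned record is the first thing that would reach the database."""
    claims = verify_token(key, token, now)
    if claims is None or now - post_published >= WEEK:
        return None
    # Every commenter starts untrusted and waits for manual approval.
    return {"author": claims["sub"], "text": text, "trusted": False, "status": "pending"}

KEY = b"constructed-demo-key"            # constructed sample values, not real secrets
NOW = 1_700_000_000
COOKIE = issue_token(KEY, "alice@example.social", NOW)
```

Because the identity lives only in the signed cookie, a forged or expired cookie is rejected before any database write happens.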