Document the end-to-end middleware execution order
Description
A request to the Liquifact API passes through a long, order-sensitive middleware chain assembled in src/app.js and the composed stacks in src/middleware/stacks.js: correlation/request id, sanitization, body-size limits, CORS, helmet security headers, rate limiting, authentication, tenant extraction, KYC and legal-hold gates, idempotency, then route handlers, and finally the RFC 7807 error handler. The exact order is load-bearing (e.g. sanitization before validation, auth before tenant, gates before the funding handler), but docs/request-lifecycle-middleware-order.md does not yet reflect the current bootstrap. This issue produces an authoritative, code-accurate description.
Requirements and context
- Repository scope: Liquifact/Liquifact-backend only.
- Enumerate the actual global and per-stack middleware order as wired in
src/app.js and src/middleware/stacks.js, explaining why each ordering constraint matters (e.g. sanitization before src/utils/validators.js, requireKycForFunding and legalHoldGate before submission in src/routes/invest.js).
- Include a Mermaid sequence diagram of a representative
POST /api/invest/fund-invoice request from id assignment to error mapping in src/middleware/problemJson.js.
- Cross-reference the body-size limits, CORS, helmet, and rate-limit middlewares and which routes opt into stricter stacks.
- Ensure middleware names and order in the doc match the code exactly by inspection.
Suggested execution
- Fork the repo and create a branch
git checkout -b docs/request-lifecycle-16-middleware-order
- Implement changes
- Write code in: docs-only; no runtime change unless an undocumented/misordered middleware is found.
- Write comprehensive tests in: n/a; optionally add a route-order assertion test in
tests/app.routes.test.js if a mismatch is found.
- Add documentation: rewrite
docs/request-lifecycle-middleware-order.md and link it from README.md.
- Ensure middleware labels match the constants/exports in
app.js/stacks.js.
- Validate security: clearly call out the security-critical ordering invariants (auth→tenant, gates→handler, sanitize→validate).
- Test and commit
Test and commit
- Run
npm run lint to confirm no code regressions.
- Cover edge cases in prose: an unauthenticated request, a request blocked at the KYC/legal-hold gate, and an error mapped by the 7807 handler.
- Include the rendered diagram in the PR description.
Example commit message
docs(request-lifecycle): document the middleware execution order from app bootstrap
Guidelines
- Minimum 95 percent test coverage for impacted modules.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the Liquifact community on Discord for questions, reviews, and faster merges: https://discord.gg/JrGPH4V3
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
Document the end-to-end middleware execution order
Description
A request to the Liquifact API passes through a long, order-sensitive middleware chain assembled in
src/app.jsand the composed stacks insrc/middleware/stacks.js: correlation/request id, sanitization, body-size limits, CORS, helmet security headers, rate limiting, authentication, tenant extraction, KYC and legal-hold gates, idempotency, then route handlers, and finally the RFC 7807 error handler. The exact order is load-bearing (e.g. sanitization before validation, auth before tenant, gates before the funding handler), butdocs/request-lifecycle-middleware-order.mddoes not yet reflect the current bootstrap. This issue produces an authoritative, code-accurate description.Requirements and context
src/app.jsandsrc/middleware/stacks.js, explaining why each ordering constraint matters (e.g. sanitization beforesrc/utils/validators.js,requireKycForFundingandlegalHoldGatebefore submission insrc/routes/invest.js).POST /api/invest/fund-invoicerequest from id assignment to error mapping insrc/middleware/problemJson.js.Suggested execution
git checkout -b docs/request-lifecycle-16-middleware-ordertests/app.routes.test.jsif a mismatch is found.docs/request-lifecycle-middleware-order.mdand link it fromREADME.md.app.js/stacks.js.Test and commit
npm run lintto confirm no code regressions.Example commit message
docs(request-lifecycle): document the middleware execution order from app bootstrapGuidelines
Community & contribution rewards