Skip to content

Document the request lifecycle and middleware execution order from app.js bootstrap #520

Description

@mikewheeleer

Document the end-to-end middleware execution order

Description

A request to the Liquifact API passes through a long, order-sensitive middleware chain assembled in src/app.js and the composed stacks in src/middleware/stacks.js: correlation/request id, sanitization, body-size limits, CORS, helmet security headers, rate limiting, authentication, tenant extraction, KYC and legal-hold gates, idempotency, then route handlers, and finally the RFC 7807 error handler. The exact order is load-bearing (e.g. sanitization before validation, auth before tenant, gates before the funding handler), but docs/request-lifecycle-middleware-order.md does not yet reflect the current bootstrap. This issue produces an authoritative, code-accurate description.

Requirements and context

  • Repository scope: Liquifact/Liquifact-backend only.
  • Enumerate the actual global and per-stack middleware order as wired in src/app.js and src/middleware/stacks.js, explaining why each ordering constraint matters (e.g. sanitization before src/utils/validators.js, requireKycForFunding and legalHoldGate before submission in src/routes/invest.js).
  • Include a Mermaid sequence diagram of a representative POST /api/invest/fund-invoice request from id assignment to error mapping in src/middleware/problemJson.js.
  • Cross-reference the body-size limits, CORS, helmet, and rate-limit middlewares and which routes opt into stricter stacks.
  • Ensure middleware names and order in the doc match the code exactly by inspection.

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b docs/request-lifecycle-16-middleware-order
  • Implement changes
    • Write code in: docs-only; no runtime change unless an undocumented/misordered middleware is found.
    • Write comprehensive tests in: n/a; optionally add a route-order assertion test in tests/app.routes.test.js if a mismatch is found.
    • Add documentation: rewrite docs/request-lifecycle-middleware-order.md and link it from README.md.
    • Ensure middleware labels match the constants/exports in app.js/stacks.js.
    • Validate security: clearly call out the security-critical ordering invariants (auth→tenant, gates→handler, sanitize→validate).
  • Test and commit

Test and commit

  • Run npm run lint to confirm no code regressions.
  • Cover edge cases in prose: an unauthenticated request, a request blocked at the KYC/legal-hold gate, and an error mapped by the 7807 handler.
  • Include the rendered diagram in the PR description.

Example commit message

docs(request-lifecycle): document the middleware execution order from app bootstrap

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the Liquifact community on Discord for questions, reviews, and faster merges: https://discord.gg/JrGPH4V3
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.

Metadata

Metadata

Assignees

No one assigned

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions