docs: enhance middleware stack documentation with detailed descriptions and execution order

alukach · alukach · commit 2d155125c88e · 2025-09-05T16:27:57.000-07:00
diff --git a/docs/architecture/middleware-stack.md b/docs/architecture/middleware-stack.md
@@ -1,39 +1,81 @@
 # Middleware Stack
 
-Aside from the actual communication with the upstream STAC API, the majority of the proxy's functionality occurs within a chain of middlewares. Each request passes through this chain, wherein each middleware performs a specific task:
+Aside from the actual communication with the upstream STAC API, the majority of the proxy's functionality occurs within a chain of middlewares. Each request passes through this chain, wherein each middleware performs a specific task. The middleware chain is ordered from last added (first to run) to first added (last to run).
 
-1. **[`EnforceAuthMiddleware`][stac_auth_proxy.middleware.EnforceAuthMiddleware]**
+> [!TIP]
+> If you want to apply just the middleware onto your existing FastAPI application, you can do this with [`configure_app`][stac_auth_proxy.configure_app] rather than setting up a separate proxy application.
 
-      - Handles authentication and authorization
-      - Configurable public/private endpoints
-      - OIDC integration
-      - Places auth token payload in request state
+> [!IMPORTANT]
+> The order of middleware execution is **critical**. For example, `RemoveRootPathMiddleware` must run before `EnforceAuthMiddleware` so that authentication decisions are made on the correct path after root path removal.
 
-1. **[`Cql2BuildFilterMiddleware`][stac_auth_proxy.middleware.Cql2BuildFilterMiddleware]**
+1. **[`CompressionMiddleware`][starlette_cramjam.middleware.CompressionMiddleware]**
 
-      - Builds CQL2 filters based on request context/state
-      - Places [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) in request state
+   - Handles response compression when [`ENABLE_COMPRESSION`](configuration.md#enable_compression) is enabled
+   - Reduces response size for better performance
 
-2. **[`Cql2ApplyFilterQueryStringMiddleware`][stac_auth_proxy.middleware.Cql2ApplyFilterQueryStringMiddleware]**
+2. **[`RemoveRootPathMiddleware`][stac_auth_proxy.middleware.RemoveRootPathMiddleware]**
 
-      - Retrieves [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) from request state
-      - Augments `GET` requests with CQL2 filter by appending to querystring
+   - Removes the application root path from incoming requests
+   - Ensures requests are properly routed to upstream API
+   - Only active if [`ROOT_PATH`](configuration.md#root_path) is configured
 
-3. **[`Cql2ApplyFilterBodyMiddleware`][stac_auth_proxy.middleware.Cql2ApplyFilterBodyMiddleware]**
+3. **[`ProcessLinksMiddleware`][stac_auth_proxy.middleware.ProcessLinksMiddleware]**
 
-      - Retrieves [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) from request state
-      - Augments `` POST`/`PUT`/`PATCH `` requests with CQL2 filter by modifying body
+   - Updates links in JSON responses to handle root path and upstream URL path differences
+   - Removes upstream URL path from links and adds root path if configured
+   - Only active if [`ROOT_PATH`](configuration.md#root_path) is set or `upstream_url.path != "/"`
 
-4. **[`Cql2ValidateResponseBodyMiddleware`][stac_auth_proxy.middleware.Cql2ValidateResponseBodyMiddleware]**
+4. **[`EnforceAuthMiddleware`][stac_auth_proxy.middleware.EnforceAuthMiddleware]**
 
-      - Retrieves [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) from request state
-      - Validates response against CQL2 filter for non-filterable endpoints
+   - Handles authentication and authorization
+   - Configurable public/private endpoints via [`PUBLIC_ENDPOINTS`](configuration.md#public_endpoints) and [`PRIVATE_ENDPOINTS`](configuration.md#private_endpoints)
+   - OIDC integration via [`OIDC_DISCOVERY_INTERNAL_URL`](configuration.md#oidc_discovery_internal_url)
+   - JWT audience validation via [`ALLOWED_JWT_AUDIENCES`](configuration.md#allowed_jwt_audiences)
+   - Places auth token payload in request state
 
-5. **[`OpenApiMiddleware`][stac_auth_proxy.middleware.OpenApiMiddleware]**
+5. **[`AddProcessTimeHeaderMiddleware`][stac_auth_proxy.middleware.AddProcessTimeHeaderMiddleware]**
 
-      - Modifies OpenAPI specification based on endpoint configuration, adding security requirements
-      - Only active if `openapi_spec_endpoint` is configured
+   - Adds processing time headers to responses
+   - Useful for monitoring and debugging
 
-6. **[`AddProcessTimeHeaderMiddleware`][stac_auth_proxy.middleware.AddProcessTimeHeaderMiddleware]**
-      - Adds processing time headers
-      - Useful for monitoring/debugging
+6. **[`Cql2BuildFilterMiddleware`][stac_auth_proxy.middleware.Cql2BuildFilterMiddleware]**
+
+   - Builds CQL2 filters based on request context/state
+   - Places [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) in request state
+   - Only active if [`ITEMS_FILTER_CLS`](configuration.md#items_filter_cls) or [`COLLECTIONS_FILTER_CLS`](configuration.md#collections_filter_cls) is configured
+
+7. **[`Cql2RewriteLinksFilterMiddleware`][stac_auth_proxy.middleware.Cql2RewriteLinksFilterMiddleware]**
+
+   - Rewrites filter parameters in response links to remove applied filters
+   - Ensures links in responses show the original filter state
+   - Only active if filtering is enabled (see [`ITEMS_FILTER_CLS`](configuration.md#items_filter_cls) or [`COLLECTIONS_FILTER_CLS`](configuration.md#collections_filter_cls))
+
+8. **[`Cql2ApplyFilterQueryStringMiddleware`][stac_auth_proxy.middleware.Cql2ApplyFilterQueryStringMiddleware]**
+
+   - Retrieves [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) from request state
+   - Augments `GET` requests with CQL2 filter by appending to querystring
+   - Only active if filtering is enabled (see [`ITEMS_FILTER_CLS`](configuration.md#items_filter_cls) or [`COLLECTIONS_FILTER_CLS`](configuration.md#collections_filter_cls))
+
+9. **[`Cql2ApplyFilterBodyMiddleware`][stac_auth_proxy.middleware.Cql2ApplyFilterBodyMiddleware]**
+
+   - Retrieves [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) from request state
+   - Augments `POST`/`PUT`/`PATCH` requests with CQL2 filter by modifying body
+   - Only active if filtering is enabled (see [`ITEMS_FILTER_CLS`](configuration.md#items_filter_cls) or [`COLLECTIONS_FILTER_CLS`](configuration.md#collections_filter_cls))
+
+10. **[`Cql2ValidateResponseBodyMiddleware`][stac_auth_proxy.middleware.Cql2ValidateResponseBodyMiddleware]**
+
+    - Retrieves [CQL2 expression](http://developmentseed.org/cql2-rs/latest/python/#cql2.Expr) from request state
+    - Validates response against CQL2 filter for non-filterable endpoints
+    - Only active if filtering is enabled (see [`ITEMS_FILTER_CLS`](configuration.md#items_filter_cls) or [`COLLECTIONS_FILTER_CLS`](configuration.md#collections_filter_cls))
+
+11. **[`OpenApiMiddleware`][stac_auth_proxy.middleware.OpenApiMiddleware]**
+
+    - Modifies OpenAPI specification based on endpoint configuration, adding security requirements
+    - Configurable via [`OPENAPI_AUTH_SCHEME_NAME`](configuration.md#openapi_auth_scheme_name) and [`OPENAPI_AUTH_SCHEME_OVERRIDE`](configuration.md#openapi_auth_scheme_override)
+    - Only active if [`OPENAPI_SPEC_ENDPOINT`](configuration.md#openapi_spec_endpoint) is configured
+
+12. **[`AuthenticationExtensionMiddleware`][stac_auth_proxy.middleware.AuthenticationExtensionMiddleware]**
+
+    - Adds authentication extension information to STAC responses
+    - Annotates links with authentication requirements based on [`PUBLIC_ENDPOINTS`](configuration.md#public_endpoints) and [`PRIVATE_ENDPOINTS`](configuration.md#private_endpoints)
+    - Only active if [`ENABLE_AUTHENTICATION_EXTENSION`](configuration.md#enable_authentication_extension) is enabled
