diff --git a/changelog/unreleased/rewrite-authentication.md b/changelog/unreleased/rewrite-authentication.md
new file mode 100644
index 0000000000..c399074312
--- /dev/null
+++ b/changelog/unreleased/rewrite-authentication.md
@@ -0,0 +1,7 @@
+Enhancement: Rewrite of the request authentication middleware
+
+There were some flaws in the authentication middleware which were resolved by this rewrite.
+This rewrite also introduced the need to manually mark certain paths as "unprotected" if
+requests to these paths must not be authenticated.
+
+https://github.com/owncloud/ocis/pull/4374
diff --git a/services/proxy/pkg/middleware/public_share_auth.go b/services/proxy/pkg/middleware/public_share_auth.go
index dabaa8a38c..cab9b6ebf3 100644
--- a/services/proxy/pkg/middleware/public_share_auth.go
+++ b/services/proxy/pkg/middleware/public_share_auth.go
@@ -18,6 +18,8 @@ const (
 	_paramExpiration = "expiration"
 )
 
+// PublicShareAuthenticator is the authenticator which can authenticate public share requests.
+// It will add the share owner into the request context.
 type PublicShareAuthenticator struct {
 	Logger            log.Logger
 	RevaGatewayClient gateway.GatewayAPIClient
diff --git a/services/proxy/pkg/middleware/signed_url_auth.go b/services/proxy/pkg/middleware/signed_url_auth.go
index 80a613aace..2455e8eecf 100644
--- a/services/proxy/pkg/middleware/signed_url_auth.go
+++ b/services/proxy/pkg/middleware/signed_url_auth.go
@@ -38,6 +38,7 @@ var (
 	}
 )
 
+// SignedURLAuthenticator is the authenticator responsible for authenticating signed URL requests.
 type SignedURLAuthenticator struct {
 	Logger             log.Logger
 	PreSignedURLConfig config.PreSignedURL