@sap/cds 5.9.3 → 5.9.4
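--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -4,13 +4,38 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+## Version 5.9.4 - 2022-05-02
+
+### Fixed
+
+- Error messages are improved if no `passport` module was found or if no `xsuaa` service binding is available
+- Issue fixed for `srv.get()`. It was returning `TypeError` in plain REST usage for external services, e.g. `srv.get('/some/arbitrary/path/111')`
+- Allow unrestricted services to run unauthenticated, removing the `Unable to require required package/file "passport"` error. Totally not recommended in production. Note that though this restores pre 5.9.0 behavior, this will come again starting in 6.0.
+- Audit logging of sensitive data in a composition child if its parent is annotated with `@PersonalData.EntitySemantics: 'Other'` and has no data privacy annotations other than `@PersonalData.FieldSemantics: 'DataSubjectID'` annotating a corresponding composition, for example:
+```js
+annotate Customers with @PersonalData : {
+DataSubjectRole : 'Address',
+EntitySemantics : 'Other'
+} {
+addresses @PersonalData.FieldSemantics: 'DataSubjectID';
+}
+annotate CustomerPostalAddress with @PersonalData : {
+DataSubjectRole : 'Address',
+EntitySemantics : 'DataSubject'
+} {
+ID @PersonalData.FieldSemantics : 'DataSubjectID';
+street @PersonalData.IsPotentiallyPersonal;
+town @PersonalData.IsPotentiallySensitive;
+}
+```
+
 ## Version 5.9.3 - 2022-04-25
 
 ### Fixed
 
-- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed.
-- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning.
-- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`.
+- Since 5.8.2 `req.target` for requests like `srv.put('/MyService.entity')` is defined, but `req.query` undefined (before `req.target` was also undefined). This was leading to accessing undefined, which has been fixed.
+- Custom actions with names conflicting with methods from service base classes, e.g. `run()`, could lead to hard-to-detect errors. This is now detected and avoided with a warning.
+- Typed methods for custom actions were erroneously applied to `cds.db` service, which led to server crashes, e.g. when the action was named `deploy()`.
 - Invalid batch requests were further processed after error response was already sent to client, leading to an InternalServerError
 - Full support of `SELECT` queries with operator expressions (`xpr`)
 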
@@ -44,7 +44,10 @@ const _initializers = {
|
|
|
44
44
|
// REVISIT: compat, remove with cds^6
|
|
45
45
|
passport.use(new XSUAAStrategy(uaa.credentials))
|
|
46
46
|
} else {
|
|
47
|
-
throw Object.assign(
|
|
47
|
+
throw Object.assign(
|
|
48
|
+
new Error('No or malformed credentials for auth kind "xsuaa". Make sure to bind the app to an "xsuaa" service'),
|
|
49
|
+
{ credentials }
|
|
50
|
+
)
|
|
48
51
|
}
|
|
49
52
|
}
|
|
50
53
|
}
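Review bot: The rewritten `throw` at new lines 47-50 attaches the raw `credentials` object to the error, so whatever the binding contained (a malformed binding may still carry a client secret or key material) travels with the exception into any log line or error serializer that prints error properties. Whether the logger that eventually handles this error prints extra properties is not visible here, but the safer diagnostic is the shape of the binding rather than its content, e.g. `{ credentials: credentials && Object.keys(credentials) }`. The `_initializers` object enclosing this branch starts outside the hunk.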
|
|
@@ -178,6 +181,18 @@ module.exports = (srv, app, options) => {
|
|
|
178
181
|
// > dummy or mock authentication (for development/testing)
|
|
179
182
|
_mountMockAuth(srv, app, strategy, config)
|
|
180
183
|
} else {
|
|
184
|
+
// if no restriction and no binding, don't mount passport middleware
|
|
185
|
+
if (!restricted && !config.credentials) {
|
|
186
|
+
if (!logged) {
|
|
187
|
+
const msg = `Service ${srv.name} is unrestricted`
|
|
188
|
+
if (process.env.NODE_ENV !== 'production') LOG._debug && LOG.debug(msg)
|
|
189
|
+
else LOG._info && LOG.info(`${msg}. This is not recommended in production.`)
|
|
190
|
+
}
|
|
191
|
+
|
|
192
|
+
// no auth wanted > return
|
|
193
|
+
return
|
|
194
|
+
}
|
|
195
|
+
|
|
181
196
|
// > passport authentication
|
|
182
197
|
_mountPassportAuth(srv, app, strategy, config)
|
|
183
198
|
}
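Review bot: In the added `if (!restricted && !config.credentials)` branch the production-side message is emitted at `info` and only when `LOG._info` is set, so a production deployment whose binding went missing by mistake now falls back to running without passport middleware and leaves no trace at all if the logger runs at warn level. Because the branch intentionally fails open, the production case should at least log at warning level: `else LOG.warn(`${msg}. This is not recommended in production.`)`. `restricted`, `logged` and `config` are computed outside the hunk, and the exported arrow function starts and ends outside it, so whether `logged` is ever set after this point cannot be confirmed from here.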
|
|
@@ -44,7 +44,9 @@ const hasPersonalData = entity => {
|
|
|
44
44
|
for (const ele in entity.elements) {
|
|
45
45
|
if (
|
|
46
46
|
entity.elements[ele]['@PersonalData.IsPotentiallyPersonal'] ||
|
|
47
|
-
entity.elements[ele]['@PersonalData.IsPotentiallySensitive']
|
|
47
|
+
entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
|
|
48
|
+
(entity.elements[ele]['@PersonalData.FieldSemantics'] &&
|
|
49
|
+
entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
|
|
48
50
|
) {
|
|
49
51
|
val = true
|
|
50
52
|
break
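Review bot: In the new `hasPersonalData` condition the guard `entity.elements[ele]['@PersonalData.FieldSemantics'] &&` adds nothing, because a falsy value can never be strictly equal to `'DataSubjectID'`; the same redundant pattern appears in the `hasSensitiveData` hunk below. The condition reads more clearly as a single comparison, `entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID'`, and hoisting `const element = entity.elements[ele]` in front of the `if` would remove the four repeated lookups. The enclosing `hasPersonalData` arrow function starts outside the hunk.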
|
|
@@ -58,7 +60,11 @@ const hasSensitiveData = entity => {
|
|
|
58
60
|
let val
|
|
59
61
|
if (entity['@PersonalData.DataSubjectRole'] && entity['@PersonalData.EntitySemantics']) {
|
|
60
62
|
for (const ele in entity.elements) {
|
|
61
|
-
if (
|
|
63
|
+
if (
|
|
64
|
+
entity.elements[ele]['@PersonalData.IsPotentiallySensitive'] ||
|
|
65
|
+
(entity.elements[ele]['@PersonalData.FieldSemantics'] &&
|
|
66
|
+
entity.elements[ele]['@PersonalData.FieldSemantics'] === 'DataSubjectID')
|
|
67
|
+
) {
|
|
62
68
|
val = true
|
|
63
69
|
break
|
|
64
70
|
}
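Review bot: The new `hasSensitiveData` branch now treats an element annotated `@PersonalData.FieldSemantics: 'DataSubjectID'` as sensitive data, which is not obvious from the function name, and the 5.9.4 changelog entry is the only place that explains the composition-child case it serves. A why-comment above the added `if` would keep the next reader from simplifying it away, e.g. `// a DataSubjectID element counts as sensitive so that composition children of an EntitySemantics 'Other' parent are still audit logged (see 5.9.4 changelog)`. The enclosing `hasSensitiveData` arrow function starts outside the hunk.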
|