@sap/cds 5.9.8 → 6.0.1

package/libx/rest/RestAdapter.js

@@ -2,8 +2,6 @@ const cds = require('../_runtime/cds')
 
 const express = require('express')
 
-const auth = require('./middleware/auth')
-const content = require('./middleware/content')
 const parse = require('./middleware/parse')
 const input = require('./middleware/input')
 
@@ -12,122 +10,184 @@ const read = require('./middleware/read')
 const update = require('./middleware/update')
 const deleet = require('./middleware/delete')
 const operation = require('./middleware/operation')
+const payload = require('./middleware/payload')
 
 const error = require('./middleware/error')
 const { alias2ref } = require('../_runtime/common/utils/csn')
+const { bufferToBase64 } = require('../_runtime/common/utils/binary')
 
-class RestAdapter extends express.Router {
-  constructor(srv) {
-    super()
-
-    alias2ref(srv)
-
-    // pass srv-reated stuff to middlewares via req
-    this.use('/', (req, res, next) => {
-      req._srv = srv
-      next()
-    })
-
-    this.use(express.json())
-
-    // check @requires as soon as possible (DoS)
-    this.use('/', auth)
-
-    // service root
-    const GH = { GET: 1, HEAD: 1 }
-    this.use('/', (req, res, next) => {
-      if (req.path !== '/' || !GH[req.method]) return next()
-      if (req.method === 'HEAD') return res.json({})
-      res.json(
-        Object.keys(req._srv.entities).reduce(
-          (acc, cur) => {
-            acc.entities.push({ name: cur, url: cur })
-            return acc
-          },
-          { entities: [] }
-        )
-      )
-    })
-
-    // content-type check
-    this.use('/', content)
-
-    // parse
-    this.use('/', parse)
-
-    // payload validation
-    this.use('/', input)
-
-    // begin tx
-    this.use('/', (req, res, next) => {
-      // create tx and set as cds.context
-      // REVISIT: _model should not be necessary
-      req._tx = cds.context = srv.tx({ user: req.user, req, res, _model: req._srv.model })
-      next()
-    })
-
-    // POST
-    this.post('/*', (req, res, next) => {
-      if (req._operation) operation(req, res, next)
-      else create(req, res, next)
-    })
-
-    // HEAD
-    this.head('/*', (req, res, next) => {
-      read(req, res, next)
-    })
-
-    // GET
-    this.get('/*', (req, res, next) => {
-      if (req._operation) operation(req, res, next)
-      else read(req, res, next)
-    })
-
-    // PUT, PATCH, DELETE
-    this.put('/*', update)
-    this.patch('/*', update)
-    this.delete('/*', deleet)
-
-    // end tx (i.e., commit or rollback)
-    this.use('/', async (req, res, next) => {
-      const { result, status, location } = req._result
-
-      // unfortunately, express doesn't catch async errors -> try catch needed
-      try {
-        await req._tx.commit(result)
-      } catch (e) {
-        return next(e)
-      }
+const RestAdapter = function(srv) {
+
+  alias2ref(srv) // REVISIT: that's an anti pattern in new prototocol adapter setups
+
+  const router = express.Router()
+
+  // -----------------------------------------------------------------------------------------
+  // service root
+  router.head('/', (_,res) => res.json({}))
+  router.get('/', (_,res) => res.json({
+    entities: Object.keys(srv.entities).map(e => ({ name:e, url:e }))
+  }))
+
+  // -----------------------------------------------------------------------------------------
+
+  // pass srv-related stuff to middlewares via req
+  router.use((req, res, next) => {
+    req._srv = srv  // FIXME: That's only because of how we organized our rest adapater code into fragmented files -> don't do that
+
+      // cds/libx/rest/middleware/create.js:
+      //   12:   const { _srv: srv, _query: query, _target, _data } = _req
+
+      // cds/libx/rest/middleware/delete.js:
+      //   4:   const { _srv: srv, _query: query, _target, _params } = _req
+
+      // cds/libx/rest/middleware/error.js:
+      //   40:   const { _srv: srv } = req
+
+      // cds/libx/rest/middleware/input.js:
+      //   40:   const { _srv, _query, _data, _operation } = req
+      //   43:   if (!(_data && _srv && definition)) return next()
+      //   47:   const template = getTemplate(_cache(req), _srv, definition, { pick: _picker(req) })
+
+      // cds/libx/rest/middleware/operation.js:
+      //   7:   const { _srv: srv, _query: query, _operation: operation, _data: data } = _req
 
-      // TODO: cf. bufferToBase64() in old rest adapter
-
-      // only set status if not yet modified
-      if (status && res.statusCode === 200) res.status(status)
-      if (location) res.set('location', location)
-      if (req.method === 'HEAD')
-        res
-          .set({
-            'content-type': 'application/json; charset=utf-8',
-            'content-length': JSON.stringify(result).length
-          })
-          .end()
-      // need to convert number to string because express interprets integer as status code
-      else res.send(typeof result === 'number' ? result.toString() : result)
-    })
-    this.use('/', (err, req, res, next) => {
-      // request may fail during processing or during commit -> both caught here
-
-      // REVISIT: rollback needed if error occured before commit attempted -> how to distinguish?
-      if (req._tx) req._tx.rollback(err).catch(() => {})
-
-      next(err)
-    })
-
-    /*
-     * error handling
-     */
-    this.use(error)
-  }
+      // cds/libx/rest/middleware/parse.js:
+      //   10:   const { _srv: service } = req
+
+      // cds/libx/rest/middleware/read.js:
+      //   4:   const { _srv: srv, _query: query, _target, _params } = _req
+
+      // cds/libx/rest/middleware/update.js:
+      //   11:   let { _srv: srv, _query: query, _target, _data, _params } = _req
+
+    next()
+  })
+
+  // req.user + req.tenant -> cds.context = { user, tenant }
+  // NOT ALLOWED: cds.context.user = 'me'
+  // req.requiresLogin() -> login -> redirect to referrer
+
+
+  // check @requires as soon as possible (DoS)
+  router.use((req, res, next) => { // REVISIT: This is authorization enforcement which is protocol-independent -> should move to service layer
+    const requires = srv.definition['@requires']
+    if (requires) {
+      const ok = typeof requires === 'string' ? req.user.is(requires) : requires.some(r => req.user.is(r))
+      if (ok) return next()
+    } else {
+      return next() // neither of the above
+    }
+
+    if (req.user._is_anonymous) { // > unauthorized or forbidden?
+      if (req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';')) //> REVISIT: is this for basic auth only? -> should be done differently
+      throw cds.error ('Unauthorized', { statusCode: 401, code: '401' }) //> UNAUTHORIZED
+    }
+    throw cds.error ('Forbidden', { statusCode: 403, code: '403' }) //> FORBIDDEN
+    // REVISIT: send res.status().json() instead of throwing exceptions
+    // REVISIT: security log?
+  })
+
+  // -----------------------------------------------------------------------------------------
+  // parse
+
+  // content-type check
+  router.use((req, res, next) => { // REVISIT: move that into parse function
+    if (req.method in { POST: 1, PUT: 1, PATCH: 1 }) {
+      const contentType = req.headers['content-type'] && req.headers['content-type'].split(';')
+      if (
+        contentType &&
+        (!contentType[0].match(/^application\/json$/) || (typeof contentType[1] === 'string' && !contentType[1]))
+      ) {
+        throw cds.error ('INVALID_CONTENT_TYPE_ONLY_JSON', { statusCode: 415, code: '415' }) // FIXME: better i18n + use res.status
+      }
+      if (req.method in { PUT: 1, PATCH: 1 } && Array.isArray(req.body)) {
+        throw cds.error (`INVALID_${req.method}`, { statusCode: 400, code: '400' }) // FIXME: better i18n + use res.status
+      }
+    }
+    next()
+  })
+  router.use(express.json()) // REVISIT: -> belongs to the parses
+  router.use(parse) // REVISIT: -> move to actual handler(s)
+  router.use(payload) // REVISIT: -> move?
+  // payload validation
+  router.use(input) // REVISIT: This is protocol-independent, isn't it? -> move to service layer
+
+  // -----------------------------------------------------------------------------------------
+  // begin tx
+  router.use((req, res, next) => { // REVISIT: -> move to actual handler(s)
+    // create tx and set as cds.context
+    // REVISIT: _model should not be necessary
+    // REVISIT: req._tx should not be used like that!
+    req.tx = cds.context = srv.tx({ user: req.user, req, res, _model: srv.model })
+    next()
+  })
+
+  // -----------------------------------------------------------------------------------------
+  // Actual handlers for HEAD, GET, PUT, POST, PATCH, DELETE
+  //
+  router.head('/*', (req, res, next) => {
+    read(req, res, next) // REVISIT: HEAD is doing a full read ?
+  })
+  router.post('/*', (req, res, next) => {
+    if (req._operation) operation(req, res, next)
+    else create(req, res, next)
+  })
+  router.get('/*', (req, res, next) => {
+    if (req._operation) operation(req, res, next)
+    else read(req, res, next)
+  })
+  router.put('/*', update)
+  router.patch('/*', update)
+  router.delete('/*', (req,res,next) => deleet(req,res).then(next).catch(next))
+
+
+  // -----------------------------------------------------------------------------------------
+  // end tx (i.e., commit or rollback)
+  router.use(async (req, res, next) => {
+    const { result, status, location } = req._result // REVISIT: Ugly voodoo _req._result channel -> eliminate
+
+    // unfortunately, express doesn't catch async errors -> try catch needed
+    try {
+      // REVISIT: req._tx should not be used like that!
+      await req.tx.commit(result)
+    } catch (e) {
+      return next(e)
+    }
+
+    // convert binaries
+    const definition = req._operation || req._query.__target
+    if (result && srv && definition) bufferToBase64(result, srv, definition)
+
+    // only set status if not yet modified
+    if (status && res.statusCode === 200) res.status(status) // REVISIT: Why only when res.statusCode === 200?
+    if (location) res.set('location', location)             // REVISIT: When do we redirect?
+    if (req.method === 'HEAD') // REVISIT: Move that to the implementation of HEAD
+      res
+        .set({
+          'content-type': 'application/json; charset=utf-8',
+          'content-length': JSON.stringify(result).length
+        })
+        .end()
+    // need to convert number to string because express interprets integer as status code
+    else res.send(typeof result === 'number' ? result.toString() : result) // REVISIT: use req.json() instead?
+  })
+
+
+  // -----------------------------------------------------------------------------------------
+  // error handling
+  router.use((err, req, res, next) => { // REVISIT: should not be neccessary!
+    // request may fail during processing or during commit -> both caught here
+
+    // REVISIT: rollback needed if error occured before commit attempted -> how to distinguish?
+    // REVISIT: req._tx should not be used like that!
+    if (req.tx) req.tx.rollback(err).catch(() => {}) // REVISIT: silently ?!?
+
+    next(err)
+  })
+  router.use(error) // FIXME: nope -> call next()
+
+  return router
 }
 
 module.exports = RestAdapter

package/libx/rest/RestRequest.js

@@ -9,8 +9,8 @@ class RestRequest extends cds.Request {
      * propagate _ (i.e., req._ and, hence, req._.req/res)
      * -> in the old adapters this is also set in OdataRequest/RestRequest
      */
-    Object.setPrototypeOf(this._, cds.context._)
-
+    Object.setPrototypeOf(this._, cds.context._) // REVISIT: We should avoid doing this
+    if (args._req) this._queryOptions = args._req.query
     /*
      * new req.res api [work in progress -> not official]:
      * - req.res.status(202)
@@ -24,6 +24,7 @@ class RestRequest extends cds.Request {
       status: s => (that._status = s),
       set: (k, v) => (that._headers[k] = v)
     }
+    // REVISIT: We should avoid all of the above, and hence eliminate this class completely
   }
 }
 

package/libx/rest/middleware/create.js

@@ -4,10 +4,12 @@ const { INSERT } = cds.ql
 const RestRequest = require('../RestRequest')
 
 const _error4 = rejected =>
-  rejected.length > 1 ? { message: 'MULTIPLE_ERRORS', details: rejected.map(r => r.reason) } : rejected[0].reason
+  rejected.length > 1
+    ? Object.assign(new Error('MULTIPLE_ERRORS'), { details: rejected.map(r => r.reason) })
+    : rejected[0].reason
 
 module.exports = async (_req, _res, next) => {
-  const { _srv: srv, _query: query, _target, _data } = _req
+  const { _srv: srv, _query: query, _target, _data, _params } = _req
 
   let result, location
 
@@ -18,7 +20,7 @@ module.exports = async (_req, _res, next) => {
     if (query.INSERT.entries.length > 1) {
       // > batch insert
       const reqs = query.INSERT.entries.map(
-        entry => new RestRequest({ query: INSERT.into(query.INSERT.into).entries(entry), _target })
+        entry => new RestRequest({ query: INSERT.into(query.INSERT.into).entries(entry), _target, params: _params })
       )
       const ress = await Promise.allSettled(reqs.map(req => srv.dispatch(req)))
       const rejected = ress.filter(r => r.status === 'rejected')
@@ -26,15 +28,15 @@ module.exports = async (_req, _res, next) => {
       result = ress.map(r => r.value)
     } else {
       // > single insert
-      const req = new RestRequest({ query, _target })
+      const req = new RestRequest({ query, _target, params: _params })
       result = await srv.dispatch(req)
-      location = `../${req.entity.replace(srv.name + '.', '')}`
+      location = `../${req.entity.replace(srv.name + '.', '')}` // REVISIT: Is it guaranteed that the GET works? Why do we need relative urls?
       for (const k in req.target.keys) location += `/${result[k]}`
     }
   } catch (e) {
     return next(e)
   }
 
-  _req._result = { result, status: 201, location }
+  _req._result = { result, status: 201, location } // REVISIT: Do a res.status(201).send(...) instead
   next()
 }

package/libx/rest/middleware/delete.js

@@ -1,20 +1,13 @@
 const RestRequest = require('../RestRequest')
 
-module.exports = async (_req, _res, next) => {
+module.exports = async (_req) => {
   const { _srv: srv, _query: query, _target, _params } = _req
 
-  // unfortunately, express doesn't catch async errors -> try catch needed
-  try {
-    const req = new RestRequest({ query, _target })
+  const req = new RestRequest({ query, _target, params: _params })
 
-    // req.data is filled with keys during read and delete
-    if (_params) req.data = _params[_params.length - 1]
+  // req.data is filled with keys during read and delete
+  if (_params) req.data = _params[_params.length - 1] // REVISIT: We should avoid that!
 
-    await srv.dispatch(req)
-  } catch (e) {
-    return next(e)
-  }
-
-  _req._result = { result: null, status: 204 }
-  next()
+  await srv.dispatch(req)
+  _req._result = { result: null, status: 204 } // REVISIT: Ugly voodoo _re._result channel -> eliminate
 }

package/libx/rest/middleware/error.js

@@ -44,8 +44,8 @@ module.exports = (err, req, res, next) => {
   if (!ctx) {
     // > error before req was dispatched
     ctx = new cds.Request({ req, res: req.res, user: req.user || new cds.User.Anonymous() })
-    for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
   }
+  for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
 
   // log the error (4xx -> warn)
   _log(err)

package/libx/rest/middleware/input.js

@@ -4,13 +4,16 @@ const templateProcessor = require('../../_runtime/common/utils/templateProcessor
 const { checkStaticElementByKey, assertNotNullError } = require('../../_runtime/cds-services/util/assert')
 const { MULTIPLE_ERRORS } = require('../../_runtime/common/error/constants')
 
-const _picker = req => {
-  const skipKeyValidation = req.method !== 'POST'
+
+//
+// REVISIT: We need to decipher what we are doing here...
+//
+
+const _picker = () => {
   return element => {
     const categories = {}
     if (Array.isArray(element)) return
     if (element._isStructured || element.isAssociation || element.items) return
-    if (!skipKeyValidation && element.key) categories['key_validation'] = true
     categories['static_validation'] = true
     return categories
   }
@@ -23,9 +26,6 @@ const _processorFn = errors => {
       const validations = checkStaticElementByKey(target, key, row[key])
       errors.push(...validations)
     }
-    if (categories['key_validation'] && !(key in row)) {
-      errors.push(assertNotNullError(element))
-    }
   }
 }
 

package/libx/rest/middleware/operation.js

@@ -4,15 +4,15 @@ const { validateReturnType } = require('../../_runtime/cds-services/adapter/rest
 const RestRequest = require('../RestRequest')
 
 module.exports = async (_req, _res, next) => {
-  const { _srv: srv, _query: query, _operation: operation, _data: data } = _req
+  const { _srv: srv, _query: query, _operation: operation, _data: data, _params } = _req
 
   let result
 
   // unfortunately, express doesn't catch async errors -> try catch needed
   try {
     const req = query
-      ? new RestRequest({ query, event: operation.name, data })
-      : new RestRequest({ event: operation.name.replace(`${srv.name}.`, ''), data })
+      ? new RestRequest({ query, event: operation.name, data, params: _params })
+      : new RestRequest({ event: operation.name.replace(`${srv.name}.`, ''), data, params: _params })
     result = await srv.dispatch(req)
   } catch (e) {
     return next(e)
@@ -41,6 +41,11 @@ module.exports = async (_req, _res, next) => {
       return next(e)
     }
 
+    // mtx compat, modeled as string but object returned
+    if (operation.returns._type === 'cds.String' && typeof result === 'object') {
+      _res.set('content-type', 'application/json')
+    }
+
     // REVISIT: still needed?
     if (!operation.returns.items && Array.isArray(result)) result = result[0]
 

package/libx/rest/middleware/parse.js

@@ -70,7 +70,7 @@ module.exports = (req, res, next) => {
     default:
     // anything to do?
   }
-  req._query = query
+  req._query = query // REVISIT: req._query should not be a standard API
   if (query) req._query.__target = definition
 
   // REVISIT: query._data hack
@@ -79,7 +79,7 @@ module.exports = (req, res, next) => {
       req._data = {}
     } else {
       const payload = deepCopy(args || req.body)
-      convertStructured(service, operation || definition, payload)
+      convertStructured(service, operation || definition, payload, { cleanupStruct: cds.env.features.rest_struct_data })
       req._data = payload
     }
   }
@@ -88,7 +88,7 @@ module.exports = (req, res, next) => {
   for (let i = 0; i < _target.ref.length; i++) {
     req._params = req._params || []
     if (_target.ref[i].where) req._params.push(where2obj(_target.ref[i].where))
-    else req._params.push({})
+    else if (_target.ref.length !== 1) req._params.push({})
   }
 
   next()

package/libx/rest/middleware/payload.js

@@ -0,0 +1,12 @@
+const { base64ToBuffer } = require('../../_runtime/common/utils/binary')
+
+module.exports = (req, res, next) => {
+    const { _srv, _query, _data, _operation } = req
+    const definition = _operation || _query.__target
+  
+    if (!(_data && _srv && definition)) return next()
+    
+    base64ToBuffer(_data, _srv, definition)
+  
+    next()
+}

package/libx/rest/middleware/read.js

@@ -8,7 +8,7 @@ module.exports = async (_req, _res, next) => {
 
   // unfortunately, express doesn't catch async errors -> try catch needed
   try {
-    const req = new RestRequest({ query, _target })
+    const req = new RestRequest({ query, _target, params: _params, _req })
 
     // req.data is filled with keys during read and delete
     if (_params) req.data = _params[_params.length - 1]
@@ -23,7 +23,17 @@ module.exports = async (_req, _res, next) => {
   } catch (e) {
     return next(e)
   }
-
+  // compat for mtx returning strings instead of objects
+  if (typeof result === 'object' && result !== null && '$count' in result) {
+    result = {
+      count: result.$count,
+      value: result
+    }
+  } else if (typeof result === 'number') {
+    // TODO check if this is needed
+    result = result.toString()
+  }
   _req._result = { result, status }
+
   next()
 }

package/libx/rest/middleware/update.js

@@ -20,14 +20,14 @@ module.exports = async (_req, _res, next) => {
       // add the data (as copy, if upsert allowed)
       query.with(UPSERT_ALLOWED ? deepCopyObject(_data) : _data)
       // REVISIT: if PUT, req.method should be PUT -> Crud2Http maps UPSERT to PUT
-      result = await srv.dispatch(new RestRequest({ query, _target, method: _req.method }))
-      if (_params) Object.assign(result, _params[_params.length - 1])
+      result = await srv.dispatch(new RestRequest({ query, _target, method: _req.method, params: _params }))
+      if (_params && result) Object.assign(result, _params[_params.length - 1])
     } catch (e) {
       if ((e.code === 404 || e.status === 404 || e.statusCode === 404) && UPSERT_ALLOWED) {
         query = INSERT.into(query.UPDATE.entity).entries(
           _params ? Object.assign(_data, _params[_params.length - 1]) : _data
         )
-        result = await srv.dispatch(new RestRequest({ query, _target }))
+        result = await srv.dispatch(new RestRequest({ query, _target, params: _params }))
         status = 201
       } else {
         throw e

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "5.9.8",
+  "version": "6.0.1",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [
@@ -27,13 +27,11 @@
     "LICENSE"
   ],
   "engines": {
-    "node": ">=12.18"
+    "node": ">=14.15.0"
   },
   "dependencies": {
-    "@sap-cloud-sdk/core": "^1.41",
-    "@sap-cloud-sdk/util": "^1.41",
-    "@sap/cds-compiler": "^2.13.0",
-    "@sap/cds-foss": "^3"
+    "@sap/cds-compiler": ">=2.13.0",
+    "@sap/cds-foss": ">=3"
   },
   "husky": {
     "hooks": {