@sap/cds 6.1.2 → 6.2.1

package/lib/srv/protocols/odata-v2.js

@@ -0,0 +1,26 @@
+const cds = require('../../index'), { decodeURIComponent } = cds.utils
+const LOG = cds.log('odata-v2')
+const logger = function cap_legacy_req_logger (req,_,next) {
+  if (/\$batch$/.test(req.url)) {
+    const prefix = decodeURIComponent(req.originalUrl).replace('$batch','')
+    req.on ('dispatch', (req) => {
+      LOG && LOG (req.event, prefix+decodeURIComponent(req._path), req._query||'')
+      if (LOG._debug && req.query) LOG.debug (req.query)
+    })
+  } else {
+    LOG && LOG (req.method, decodeURIComponent(req.originalUrl), req.body||'')
+  }
+  next()
+}
+
+const ODataV2Proxy = require('./odata-v2-proxy') // ('@sap/cds-odata-v2-adapter-proxy')
+module.exports = function ODataV2Adapter (srv) {
+  const proxy = new ODataV2Proxy ({
+    sourcePath: srv.path,
+    targetPath: '/odata/v4',
+    target: 'auto', // to detect server url + port dynamically
+    logLevel: 'warn',
+    ...srv.options, path:""
+  })
+  return [ logger, proxy ]
+}

package/lib/srv/protocols/odata-v4.js

@@ -0,0 +1,16 @@
+const cds = require('../../index'), { User } = cds, { decodeURIComponent } = cds.utils
+const libx = require('../../../libx/_runtime')
+const LOG = cds.log('odata')
+
+module.exports = function ODataAdapter (srv) { return [
+  (req, _, next) => {
+    let u = req.user
+    req.user = u instanceof User ? u : new User(u)
+    req.on ('dispatch', (eve) => {
+      LOG && LOG (req.method, req.baseUrl + decodeURIComponent(eve._path), eve._query||'')
+      if (LOG._debug && eve.query) LOG.debug (eve.query)
+    })
+    next()
+  },
+  libx.to.odata_v4 (srv)
+]}

package/lib/srv/protocols/rest.js

@@ -0,0 +1,13 @@
+const cds = require('../../index'), { User } = cds, { decodeURIComponent } = cds.utils
+const libx = require('../../../libx/_runtime')
+const LOG = cds.log('rest')
+
+module.exports = function RestAdapter (srv) { return [
+  (req, _, next) => {
+    let u = req.user
+    req.user = u instanceof User ? u : new User(u)
+    LOG (req.method, decodeURIComponent(req.originalUrl), req.body||'')
+    next()
+  },
+  libx.to.rest (srv)
+]}

package/lib/srv/srv-api.js

@@ -15,6 +15,11 @@ class Service extends require('./srv-handlers') {
     if (model) this.model = model
   }
 
+  /**
+   * Subclasses commonly override this to register event handlers
+   */
+  init() {}
+
   /**
    * Subclasses may override this to prepare the given model appropriately
    */

package/lib/srv/srv-models.js

@@ -53,7 +53,7 @@ class ExtendedModels {
 
     const {cache} = ExtendedModels, key = cache.key4 (tenant, features)
     const cached = cache.at(key); if (cached) return cached
-    if (key === ':') return cache.add (':', cds.compile.for.nodejs(cds.model))
+    else if (key === ':') return cache.add (':', cds.compile.for.nodejs(cds.model))
     else return cache[key] = (async()=>{ // temporarily add promise to cache to avoid race conditions...
 
       // If tenant doesn't have extensions check cache with tenant = undefined
@@ -99,7 +99,6 @@ class ExtendedModels {
     if (model.then) return model //> promised model to avoid race conditions
 
     const {_cached} = model, interval = ExtendedModels.checkInterval
-    if (!_cached.touched)  return model
     if (Date.now() - _cached.touched < interval) return model //> checked recently
 
     else return this[key] = (async()=>{ // temporarily replace cache entry by promise to avoid race conditions...
@@ -132,7 +131,7 @@ class ExtendedModels {
    */
   add (key, model, touched = Date.now()) {
     if (model) {
-      if (!model._cached) Object.defineProperty (model,'_cached',{ value:{key,touched} })
+      if (!model._cached) Object.defineProperty (model,'_cached',{ value: { touched } })
       return this[key] = model
     }
   }
@@ -192,8 +191,7 @@ if (!extensibility) {
 // helper to get model for tenant/features
 const _is_extended = old_mtx ? t => old_mtx.isExtended(t) : extensibility ? ()=> cds.db.exists('cds.xt.Extensions') : ()=> false
 const _get_model4 = old_mtx ? async (tenant) => {
-  const isExtended = tenant && await old_mtx.isExtended(tenant) // REVISIT: avoid await
-  if (isExtended) return old_mtx.getCsn(tenant) .then (cds.compile.for.nodejs)
+  return old_mtx.getCsn(tenant) .then (cds.compile.for.nodejs)
 } : (tenant, toggles) => {
   const { 'cds.xt.ModelProviderService':mps } = cds.services
   return mps.getCsn (tenant, toggles) .then (cds.compile.for.nodejs)
@@ -203,5 +201,5 @@ const _get_model4 = old_mtx ? async (tenant) => {
 // ---------------------------------------------------------------------------
 // Optimizations for single-tenancy modes
 
-if (cds.requires.multitenancy && typeof global.it === 'undefined') ExtendedModels.cache.startSentinel()
+if (cds.requires.multitenancy && typeof global.it === 'undefined') cds.once ('listening', ()=> ExtendedModels.cache.startSentinel())
 // REVISIT: how to do ^that^ correctly with jest?

package/lib/utils/axios.js

@@ -1,7 +1,8 @@
 class Axios {
 
   get axios() {
-    return super.axios = require('axios').default.create ({
+    // eslint-disable-next-line cds/no-missing-dependencies
+    return super.axios = require('axios').create ({
       headers: { 'Content-Type': 'application/json' },
       baseURL: this.url,
     })
@@ -37,7 +38,7 @@ const _args = (args) => {
 
 const _error = (e) => {
   Error.captureStackTrace (e,_error) //> adds the stack trace from caller code
-  if (e.code === 'ECONNREFUSED' && e.port === 80 /* default port */) throw Object.assign (e, {
+  if (e.code && e.port === 80 /* default port */) throw Object.assign (e, {
     message:  e.message + '\nIt seems that the server was not started. Make sure to call \'cds.test(...)\' or \'cds.test.run(...)\'.',
     stack: null // stack is just clutter here
   })

package/lib/utils/cds-test.js

@@ -1,4 +1,4 @@
-const { is_mocha } = support_jest_and_mocha()
+const { is_mocha, is_jest } = support_jest_and_mocha()
 
 class Test extends require('./axios') {
 
@@ -64,9 +64,8 @@ class Test extends require('./axios') {
   /**
    * Switch on/off console log output.
    */
-  verbose(v) {
-    v === false ? delete process.env.CDS_TEST_VERBOSE : process.env.CDS_TEST_VERBOSE=v
-    initLogging()
+  verbose (v) {
+    initLogging({ is_mocha, is_jest, verbose: v })
     return this
   }
 
@@ -79,6 +78,10 @@ class Test extends require('./axios') {
   get cds() { return require('../index') }
   get spy() { return spy }
 
+  then(r) {
+    const {cds} = this
+    cds.once('listening',r)
+  }
 }
 
 function support_jest_and_mocha() {
@@ -110,9 +113,8 @@ function support_jest_and_mocha() {
       const repl = global.cds.repl
       repl && repl.on('exit',fn)
     }
-    process.env.CDS_TEST_VERBOSE = true
   }
-  initLogging()
+  initLogging ({ is_jest, is_mocha })
   return { is_jest, is_mocha }
 }
 
@@ -122,24 +124,28 @@ function load_chai() {
     Failed to load required package '${mod}'. Please add it thru:
     npm add -D chai chai-as-promised chai-subset
   `)}}
-  const chai = require('chai')
-  chai.use (require('chai-subset'))
-  chai.use (require('chai-as-promised'))
+  const chai = require('chai')           // eslint-disable-line cds/no-missing-dependencies
+  chai.use (require('chai-subset'))      // eslint-disable-line cds/no-missing-dependencies
+  chai.use (require('chai-as-promised')) // eslint-disable-line cds/no-missing-dependencies
   return chai
 }
 
-function initLogging() {
-  const levels = process.env.CDS_TEST_VERBOSE
-    ? { deploy:'info', serve:'info', server:'info',cds:'info' }
-    : { deploy:'warn', serve:'warn', server:'warn',cds:'silent' /* silences provoked request errors */ }
-
-  const cds = require('../index')
-  const env = Reflect.getOwnPropertyDescriptor(cds,'env')
-  for (const id of Object.keys(levels)) {
-    if (env && env.value)
-      cds.log(id, { level:levels[id] })
-    else // uninitialized cds.env -> set env variables to avoid initializing cds.env eagerly
-      process.env['cds_log_levels_'+id] = levels[id]
+function initLogging ({ verbose }={}) {
+  if (verbose && global.console.logs) return global.console = global.console.__proto__
+  if (process.env.CDS_TEST_SILENT) {
+    const console = global.console, logs = []
+    const {format} = require('util')
+    global.console = { __proto__: console, logs,
+      time: ()=>{}, timeEnd: (...args)=> logs.push(args),
+      debug: (...args)=> logs.push(args),
+      info: (...args)=> logs.push(args),
+      log: (...args)=> logs.push(args),
+      warn: (...args)=> logs.push(args),
+      trace: (...args)=> logs.push(args),
+      error: (...args)=> logs.push(args),
+      dump(){ for (let each of logs) process.stdout.write (format(...each)+'\n') },
+    }
+    afterAll (()=> global.console = console)
   }
 }
 

package/lib/utils/cds-utils.js

@@ -1,15 +1,17 @@
 const cwd = process.env._original_cwd || process.cwd()
-const path = require ('path'), { dirname, extname, join, resolve, relative } = path
-const fs = require('fs')
 const cds = require('../index')
 
-const all = module.exports = exports = { ...fs,
-  get inspect() { return $set (this, 'inspect', require('util').inspect) },
-  get uuid() { return $set (this, 'uuid', require('@sap/cds-foss').uuid) },
+const ux = module.exports = exports = new class {
+  get inspect() { return super.inspect = require('util').inspect }
+  get uuid() { return super.uuid = require('@sap/cds-foss').uuid }
+  get tar() { return super.tar = require('./tar') }
 }
 
-exports.fs = all
-exports.path = path
+const path = exports.path = require('path'), { dirname, extname, join, resolve, relative } = path
+const fs = exports.fs = Object.assign (ux,require('fs')) //> for compatibility
+
+exports.decodeURIComponent = s => { try { return decodeURIComponent(s) } catch { return s } }
+exports.decodeURI = s => { try { return decodeURI(s) } catch { return s } }
 
 exports.local = (file) => relative(cwd,file)
 
@@ -59,7 +61,7 @@ exports.write = function write (file, data, o) {
   if (typeof data === 'object' && !Buffer.isBuffer(data))
     data = JSON.stringify(data, null, ' '.repeat(o && o.spaces))
   const f = resolve (cds.root,file)
-  return mkdirp (dirname(f)).then (()=> fs.promises.writeFile (f,data,o))
+  return fs.mkdirp (dirname(f)).then (()=> fs.promises.writeFile (f,data,o))
 }
 
 exports.mkdirp = async function (...path) {
@@ -87,8 +89,8 @@ exports.copy = async function copy (x,y) {
   const src = resolve (cds.root,x)
   const dst = resolve (cds.root,y)
   if (fs.promises.cp) return fs.promises.cp (src,dst,{recursive:true})
-  await mkdirp (dirname(dst))
-  if (isdir(src)) {
+  await fs.mkdirp (dirname(dst))
+  if (fs.isdir(src)) {
     const entries = await fs.promises.readdir(src)
     return Promise.all (entries.map (async each => {
       const e = join (src,each)
@@ -133,14 +135,11 @@ exports.find = function find (base, patterns='*', filter=()=>true) {
 
 
 // internal utility to load a file through ESM or CommonJs.  TODO find a better place.
-const { pathToFileURL } = require('url')
-exports._import = async function(filePath) {
-  return typeof jest !== 'undefined' || extname(filePath) === '.ts' // ts-node w/ ESM not working (cap/issues#11980)
-    ? require(filePath)
-    : import (pathToFileURL(filePath).href) // must use a file: URL, esp. on Windows for C:\... paths
+exports._import = id => require(id)
+if (!global.test && !global.it) {
+  const { pathToFileURL } = require('url')
+  exports._import = id => {
+    if (extname(id) === '.ts') return require(id) // ts-node w/ ESM not working (cap/issues#11980)
+    else return import (pathToFileURL(id).href) // must use a file: URL, esp. on Windows for C:\... paths
+  }
 }
-
-
-/** @type <T>(o,p,v:T) => T */
-const $set = (o,p,v) => { Object.defineProperty(o,p,{value:v}); return v }
-const { mkdirp, isdir } = exports

package/lib/utils/tar.js

@@ -0,0 +1,175 @@
+const child_process = require('child_process')
+const spawn = /\btar\b/.test(process.env.DEBUG) ? (cmd, args, options) => {
+  Error.captureStackTrace(spawn,spawn)
+  process.stderr.write(cmd +' ', args.join(' ') +' '+ spawn.stack.slice(7) + '\n')
+  return child_process.spawn(cmd, args, options)
+} : child_process.spawn
+
+const cds = require('../index'), { fs, path, mkdirp } = cds.utils
+const _resolve = (...x) => path.resolve (cds.root,...x)
+
+// tar does not work properly on Windows (by npm/jest tests) w/o this change
+const win = path => {
+  if (!path) return path
+  if (typeof path === 'string') return path.replace('C:', '//localhost/c$')
+  if (Array.isArray(path)) return path.map(el => win(el))
+}
+
+/**
+ * Creates a tar archive, to an in-memory Buffer, or piped to write stream or file.
+ * @example ```js
+ *  const buffer = await tar.c('src/dir')
+ *  await tar.c('src/dir') .to (fs.createWriteStream('t.tar'))
+ *  await tar.c('src/dir') .to ('t.tar')
+ *  await tar.c('src/dir','-f t.tar *')
+ * ```
+ * @param {string} dir - the directory to archive, used as `cwd` for the tar process
+ * @param {string} [args] - additional arguments passed to tar (default: `'*'`)
+ * @param {string[]} [more] - more of such additional arguments like `args`
+ * @example ```js
+ *  // Passing additional arguments to tar
+ *  tar.c('src/dir','-v *')
+ *  tar.c('src/dir','-v -f t.tar *')
+ *  tar.c('src/dir','-vf','t.tar','*')
+ *  tar.c('src/dir','-vf','t.tar','file1','file2')
+ * ```
+ * @returns A `ChildProcess` as returned by [`child_process.spawn()`](
+ * https://nodejs.org/api/child_process.html#child_processspawncommand-args-options),
+ * augmented by two methods:
+ * - `.then()` collects the tar output into an in-memory `Buffer`
+ * - `.to()` is a convenient shortcut to pipe the output into a write stream
+ */
+exports.create = (dir='.', ...args) => {
+
+  if (typeof dir === 'string') dir = _resolve(dir)
+  if (Array.isArray(dir)) [ dir, ...args ] = [ cds.root, dir, ...args ]
+  if (Array.isArray(args[0])) args.push (...args.shift().map (f => path.isAbsolute(f) ? path.relative(dir,f) : f))
+  else args.push('.')
+  const c = process.platform === 'linux' 
+    ? spawn (`tar c -C ${dir}`, args, { shell:true })
+    : spawn (`tar cf - -C ${win(dir)}`, args, { shell:true })
+
+  return {__proto__:c, // returning a thenable + fluent ChildProcess...
+
+    /**
+     * Turns the returned `ChildProcess` into a thenable, resolving to an
+     * in-memory Buffer holding the tar output, hence enabling this usage:
+     * @example const buffer = await tar.c('src/dir')
+     */
+    then (r,e) {
+      const bb=[]; c.stdout.on('data', b => bb.push(b))
+      c.on('close', ()=>r(Buffer.concat(bb)))
+      c.on('error', e)
+    },
+
+    /**
+     * Turns the returned `ChildProcess` into fluent API, allowing to pipe
+     * the tar's `stdout` into a write stream. If the argument is a string,
+     * it will be interpreted as a filename and a write stream opened on it.
+     * In that case, more filenames can be specified which are path.joined.
+     */
+    to (out, ...etc) {
+      if (typeof out === 'string') {
+        // fs.mkdirSync(path.dirname(out),{recursive:true})
+        out = fs.createWriteStream (_resolve(out,...etc))
+      }
+      // Returning a thenable ChildProcess.stdout
+      return {__proto__: c.stdout.pipe (out),
+        then(r,e) {
+          out.on('close',r)
+          c.on('error',e)
+        }
+      }
+    }
+  }
+}
+
+/**
+ * Extracts a tar archive, from an in-memory Buffer, or piped from a read stream or file.
+ * @example ```js
+ *  await tar.x(buffer) .to ('dest')
+ *  await tar.x(fs.createReadStream('t.tar')) .to ('dest')
+ *  await tar.x('t.tar') .to ('dest')
+ *  await tar.x('t.tar','-C dest')
+ * ```
+ * @param {String|Buffer|ReadableStream} [archive] - the tar file or content to extract
+ * @param {String[]} [args] - additional arguments passed to tar, .e.g. '-C dest'
+ */
+exports.extract = (archive, ...args) => ({
+
+  /**
+   * Fluent API method to actually start the tar x command.
+   * @param  {...string} dest - path names to a target dir → get `path.resolved` from `cds.root`.
+   * @returns A `ChildProcess` as returned by [`child_process.spawn()`](
+   * https://nodejs.org/api/child_process.html#child_processspawncommand-args-options),
+   * augmented by a method `.then()` to allow `await`ing finish.
+   */
+  to (...dest) {
+    if (typeof dest === 'string') dest = _resolve(...dest)
+    const input = typeof archive !== 'string' || archive == '-' ? '-' : _resolve(archive)
+    const x = spawn(`tar xf ${win(input)} -C ${win(dest)}`, args, { shell:true })
+    if (archive === '-') return x.stdin
+    if (Buffer.isBuffer(archive)) archive = require('stream').Readable.from (archive)
+    if (typeof archive !== 'string') archive.pipe (x.stdin)
+    if (args.includes('-v')) {
+      var list = '';
+      ;(process.platform === 'linux' ? x.stdout : x.stderr) .on ('data', d => list+=d)
+    }
+    return {__proto__:x,
+      then(r,e) {
+        x.on('close',()=>r(list ? list.split('\n').slice(0,-1).map(x => x.replace(/^x |\r/g,'')) : undefined))
+        x.on('error',e)
+      }
+    }
+  },
+
+  /**
+   * Shortcut to extract to current working directory, i.e. `cds.root`,
+   * or for this kind of usage:
+   * @example await tar.x(...,'-C _out')
+   * @returns `stdin` of the tar child process
+   */
+  then (r,e) { return this.to('.') .then(r,e) },
+
+})
+
+
+exports.list = (archive, ...more) => {
+  const input = typeof archive !== 'string' ? '-' : archive === '-' ? archive : _resolve(archive)
+  const x = spawn(`tar tf`, [ input, ...more ], { shell:true })
+  let list = ''; x.stdout.on ('data', d => list+=d)
+  return {__proto__:x,
+    then(r,e) {
+      x.on('close',()=>r(list.split('\n').slice(0,-1)))
+      x.on('error',e)
+    }
+  }
+}
+
+// Common tar command shortcuts
+const tar = exports
+exports.c = tar.create
+exports.cz = (d,...args) => tar.c (d, ...args, '-z')
+exports.cf = (t,d,...args) => tar.c (d, ...args, '-f',t)
+exports.czf = (t,d,...args) => tar.c (d, ...args, '-z', '-f',t)
+exports.czfd = (t,...args) => mkdirp(path.dirname(t)).then (()=> tar.czf (t,...args))
+exports.x = tar.xf = tar.extract
+exports.xz = tar.xzf = (a,...args) => tar.x (a, ...args, '-z')
+exports.xv = tar.xvf = (a,...args) => tar.x (a, ...args, '-v')
+exports.xvz = tar.xvzf = (a,...args) => tar.x (a, ...args, '-v', '-z')
+exports.t = tar.tf = tar.list
+
+/**
+ * Shortcut for that kind of usage:
+ * @example fs.createReadStream('t.tar') .pipe (tar.x.to('dest/dir'))
+ * @returns `stdin` of the tar child process
+ */
+ exports.extract.to = function (..._) { return this().to(..._) }
+
+
+
+// ---------------------------------------------------------------------------------
+// Compatibility...
+
+exports.packTarArchive = (files,d) => d ? tar.cz (d,files) : tar.cz (files)
+exports.unpackTarArchive = (x,dir) => tar.xz(x).to(dir)

package/libx/_runtime/audit/generic/personal/utils.js

@@ -16,15 +16,26 @@ const getRootEntity = element => {
   return entity
 }
 
+const _hasPersonalData = e => {
+  if (!e['@PersonalData.DataSubjectRole']) return
+  if (!e['@PersonalData.EntitySemantics']) return
+  return !!Object.values(e.elements).some(
+    e => e['@PersonalData.IsPotentiallyPersonal'] || e['@PersonalData.IsPotentiallySensitive']
+  )
+}
+
+const auditAnnotations = {
+  CREATE: '@AuditLog.Operation.Insert',
+  UPDATE: '@AuditLog.Operation.Update',
+  DELETE: '@AuditLog.Operation.Delete',
+  READ: '@AuditLog.Operation.Read'
+}
+
 const getPick = event => {
   return (element, target) => {
-    const annotation = {
-      CREATE: '@AuditLog.Operation.Insert',
-      UPDATE: '@AuditLog.Operation.Update',
-      DELETE: '@AuditLog.Operation.Delete',
-      READ: '@AuditLog.Operation.Read'
-    }[event]
-    if (!annotation || !target[annotation]) return
+    if (!_hasPersonalData(target)) return
+    if (!auditAnnotations[event] || !target[auditAnnotations[event]]) return
+
     const categories = []
     if (!element.isAssociation && element.key) categories.push('ObjectID')
     if (

package/libx/_runtime/audit/utils/v2.js

@@ -7,6 +7,7 @@ function connect(credentials) {
   return new Promise((resolve, reject) => {
     let auditLogging
     try {
+      // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
       auditLogging = require('@sap/audit-logging')
     } catch (e) {
       // not able to require lib -> no audit logging ootb

package/libx/_runtime/auth/index.js

@@ -167,6 +167,10 @@ module.exports = (srv, options = srv.options) => {
   if (config.impl) {
     // mount custom authentication middleware
     _mountCustomAuth(srv, app, config)
+  } else if (config.kind === 'ias-auth') {
+    // ias-auth follows the new implementation pattern for auth middlewares
+    const iasAuth = require('./strategies/ias-auth')(config)
+    if (iasAuth) app.use(iasAuth)
   } else {
     // mount our authentication strategies (legacy style)
     const strategy = _strategy4(config)

package/libx/_runtime/auth/strategies/ias-auth.js

@@ -0,0 +1,76 @@
+const cds = require('../../../../lib')
+const _require = require('../../common/utils/require')
+// _require for better error message
+const express = _require('express')
+const passport = _require('passport')
+const { JWTStrategy } = _require('@sap/xssec')
+const LOG = cds.log('auth')
+
+const RESERVED_ATTRIBUTES = new Set([
+  'aud',
+  'azp',
+  'exp',
+  'ext_attr',
+  'iat',
+  'ias_iss',
+  'iss',
+  'jti',
+  'sub',
+  'user_uuid',
+  'zone_uuid',
+  'zid'
+])
+
+module.exports = function ias_auth(config) {
+  // warn if no credentials
+  if (!config.credentials) {
+    LOG._warn &&
+      LOG.warn(`
+       No IAS instance bound to application, but "${config.kind}" configured.
+       This is NOT recommended in production!
+       `)
+
+    return
+  }
+
+  passport.use('IAS', new JWTStrategy(config.credentials))
+  return express
+    .Router()
+    .use(passport.authenticate('IAS', { session: false, failWithError: true }))
+    .use((req, res, next) => {
+      // grant_type === client_credentials or x509
+      if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) {
+        req.user = new cds.User({
+          id: 'system',
+          roles: ['system-user', 'authenticated-user'],
+          attr: {}
+        })
+      } else {
+        // add all unknown attributes to req.user.attr in order to keep public API small
+        const payload = req.tokenInfo.getPayload()
+        const attributes = Object.keys(payload)
+          .filter(k => !RESERVED_ATTRIBUTES.has(k))
+          .reduce((attrs, k) => {
+            attrs[k] = payload[k]
+            return attrs
+          }, {})
+
+        req.user = new cds.User({
+          id: req.user.id,
+          roles: ['authenticated-user'],
+          attr: attributes
+        })
+      }
+
+      req.tenant = req.tokenInfo.getZoneId()
+      next()
+    })
+    .use((err, req, res, next) => {
+      if (req.tokenInfo) {
+        LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
+      }
+      // REVISIT: reject request immediately as our other auth strategies do
+      // should we call next(err)? -> I don't think so; it's not an error, is it?
+      res.status(401).json({ code: '401', message: 'Unauthorized' }) // REVISIT: this is OData style?
+    })
+}

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/error.js

@@ -115,14 +115,19 @@ const getErrorHandler = (crashOnError = true, srv) => {
     // invoke srv.on('error', function (err, req) { ... }) here in special situations
     // REVISIT: if for compat reasons, remove once cds^5.1
     if (srv._handlers._error.length) {
+      // REVISIT: move to error middleware
       let ctx = cds.context
       if (!ctx) {
+        // FIXME: this implementation only worked because Okra's BufferedWriter.on('finish')
+        // lost cds.context -> as we fixed that we don't get into this if branch anymore,
+        // but then the ctx in the else branch below isn't the ODataRequest anymore
         // > error before req was dispatched
-        ctx = new cds.Request({ req, res: req.res, user: req.user || new cds.User.Anonymous() })
-        for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
+        const creq = new cds.Request({ req, res: req.res, user: req.user || new cds.User.Anonymous() })
+        for (const each of srv._handlers._error) each.handler.call(srv, err, creq)
       } else {
         // > error after req was dispatched, e.g., serialization error in okra
-        for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
+        const creq = /* odataReq.req || */ new cds.Request({ req, res: req.res, user: ctx.user, tenant: ctx.tenant })
+        for (const each of srv._handlers._error) each.handler.call(srv, err, creq)
       }
     }
 

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/request.js

@@ -19,16 +19,27 @@ module.exports = srv => {
     }
 
     // in case of $batch we need to challenge directly, as the header is not processed if in $batch response body
-    if (path.endsWith('/$batch') && user && user._challenges && restricted) {
-      res.set('WWW-Authenticate', user._challenges.join(';'))
-      return next(UNAUTHORIZED)
+    if (restricted && path.endsWith('/$batch')) {
+      if (user?._challenges) {
+        res.set('WWW-Authenticate', user._challenges.join(';'))
+        return next(UNAUTHORIZED)
+      } else if (user._is_anonymous && req.login) {
+        res.set('WWW-Authenticate', `Basic realm="Users"`) // REVISIT: should be req.login(), and fiori app works with that but cds/tests/_runtime/auth/__tests__/strategies.test.js fails
+        return next(UNAUTHORIZED)
+        // return req.login()
+      }
     }
 
     // check @requires as soon as possible (DoS)
     if (requires && !requires.some(r => user.is(r))) {
       // > unauthorized or forbidden?
       if (user._is_anonymous) {
-        if (user._challenges) res.set('WWW-Authenticate', user._challenges.join(';'))
+        if (user._challenges) {
+          res.set('WWW-Authenticate', user._challenges.join(';'))
+        } else if (req.login) {
+          res.set('WWW-Authenticate', `Basic realm="Users"`) // REVISIT: should be req.login(), and fiori app works with that but cds/tests/_runtime/auth/__tests__/strategies.test.js fails
+          // return req.login()
+        }
         // REVISIT: security log in else case?
         return next(UNAUTHORIZED)
       }

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/expandToCQN.js

@@ -28,7 +28,7 @@ const _getExpandItem = (isAll, expandItems, name) => {
   return expandItems.find(item => {
     const pathSegments = item.getPathSegments()
     if (pathSegments[pathSegments.length - 1].getKind() === 'COUNT') {
-      throw getError(501, 'EXPAND_COUNT_UNSUPPORTED')
+      throw getError(501, '"/$count" is not supported for expand operation')
     }
 
     const navigation = pathSegments[pathSegments.length - 1].getNavigationProperty()