@sap/cds 6.2.3 → 6.3.1

package/bin/deploy/to-hana/cfUtil.js

@@ -2,6 +2,10 @@ const cp = require('child_process');
 const fsp = require('fs').promises;
 const os = require('os');
 const path = require('path');
+const util = require('util');
+
+const IS_WIN = os.platform() === 'win32';
+const execAsync = util.promisify(cp.exec);
 
 const cds = require('../../../lib');
 const LOG = cds.log ? cds.log('deploy') : console;
@@ -33,46 +37,23 @@ class CfUtil {
     }
 
     async _cfRun(...args) {
-        const cmdLine = `${CF_COMMAND} ${args.join(' ')}`;
-        if (DEBUG) {
-            // eslint-disable-next-line no-console
-            console.time(cmdLine);
-            LOG.debug('>>> ' + cmdLine);
-        }
+        args = args.map(arg => arg.replace(/"/g, '\\"'));
+        const cmdLine = `${CF_COMMAND} "${args.join('" "')}"`;
+        DEBUG && console.time(cmdLine);
+        LOG.debug('>>>', cmdLine);
 
         try {
-            return await new Promise((resolve, reject) => {
-                const child = cp.spawn(CF_COMMAND, args);
-
-                let stdout = '';
-                child.stdout.on('data', (data) => {
-                    stdout += data;
-                });
-
-                let stderr = '';
-                child.stderr.on('data', (data) => {
-                    stderr += data;
-                });
-
-                child.on('error', (err) => {
-                    DEBUG && LOG.debug(`${stdout}\n${stderr}`);
-                    if (err.code === 'ENOENT') {
-                        reject(new Error(`Command ${bold(CF_COMMAND)} not found. Make sure to install the Cloud Foundry Command Line Interface.`));
-                    } else {
-                        reject(err);
-                    }
-                });
-
-                child.on('close', (code) => {
-                    DEBUG && LOG.debug(`${stdout}\n${stderr}`);
-                    if (!code) {
-                        resolve(stdout.trim());
-                    } else {
-                        const errorMessage = `${stdout}\n${stderr}`;
-                        reject(new Error(errorMessage.trim()));
-                    }
-                });
+            const result = await execAsync(cmdLine, {
+                shell: IS_WIN,
+                stdio: ['inherit', 'pipe', 'inherit']
             });
+            result.stdout = result.stdout?.trim();
+            result.stderr = result.stderr?.trim();
+            return result;
+        } catch (err) {
+            err.stdout = err.stdout?.trim();
+            err.stderr = err.stderr?.trim();
+            throw err;
         } finally {
             // eslint-disable-next-line no-console
             DEBUG && console.timeEnd(cmdLine);
@@ -98,17 +79,19 @@ class CfUtil {
             args.push(JSON.stringify(bodyObj)); // cfRun uses spawn so no special handling for quotes on cli required
         }
 
-        const response = await this._cfRun(...args);
-        if (!response) {
-            throw new Error(`The response from the server was empty. Maybe your token is expired. Run the command again and re-log on in case the problem persists.`);
+        const result = await this._cfRun(...args);
+        let response = {};
+        if (result.stdout) {
+            response = JSON.parse(result.stdout);
+        } else if (result.stderr) {
+            response = { errors: [{ title: result.stderr }] };
         }
 
-        const result = JSON.parse(response);
-        if (result.errors) {
+        if (response.errors) {
             const errorMessage = result.errors.map((entry) => `${entry.title}: ${entry.detail} (${entry.code})`).join('\n');
             throw new Error(errorMessage);
         }
-        return result;
+        return response;
     }
 
     _extract(string, pattern, errorMsg) {
@@ -138,23 +121,24 @@ class CfUtil {
 
     async getCfTargetFromCli() {
         const result = await this._cfRun('target');
-        return {
-            apiEndpoint: this._extract(result, /api endpoint\s*:\s*([^\s]+)/i, `CF API endpoint is missing. Use 'cf login' to login.`),
-            user: this._extract(result, /user\s*:\s*(.+)/i, `CF user is missing. Use 'cf login' to login.`),
-            org: this._extract(result, /org\s*:\s*(.+)/i, `CF org is missing. Use 'cf target -o <ORG> to specify.`),
-            space: this._extract(result, /space\s*:\s*(.+)/i, `CF space is missing. Use 'cf target -s <SPACE>' to specify.`),
-        };
+        if (result?.stdout) {
+            return {
+                apiEndpoint: this._extract(result.stdout, /api endpoint\s*:\s*([^\s]+)/i, `CF API endpoint is missing. Use 'cf login' to login.`),
+                user: this._extract(result.stdout, /user\s*:\s*(.+)/i, `CF user is missing. Use 'cf login' to login.`),
+                org: this._extract(result.stdout, /org\s*:\s*(.+)/i, `CF org is missing. Use 'cf target -o <ORG> to specify.`),
+                space: this._extract(result.stdout, /space\s*:\s*(.+)/i, `CF space is missing. Use 'cf target -s <SPACE>' to specify.`),
+            };
+        }
     }
 
     async getCfTarget() {
-        // check if token is valid or expired / missing
-        await this._cfRun('oauth-token');
+        await this._cfRun('oauth-token'); // check if token is valid or expired / missing
         return await this.getCfTargetFromConfigFile() || await this.getCfTargetFromCli();
     }
 
     async getCfSpaceInfo() {
         if (!this.spaceInfo) {
-            DEBUG && LOG.debug('getting space info');
+            LOG.debug('getting space info');
 
             const target = await this.getCfTarget();
 
@@ -179,7 +163,7 @@ class CfUtil {
     }
 
     async getService(serviceName, showMessage = true) {
-        showMessage && LOG.log(`Getting service ${bold(serviceName)}`);
+        showMessage && console.log(`Getting service ${bold(serviceName)}`);
         const spaceInfo = await this.getCfSpaceInfo();
 
         let counter = POLL_COUNTER;
@@ -208,7 +192,7 @@ class CfUtil {
                     throw new Error(`The returned service reported state '${OPERATION_STATE_FAILED}'.\n${JSON.stringify(serviceInstance, null, 4)}`);
 
                 default:
-                    LOG.log(`Unsupported server response state '${serviceInstance?.last_operation?.state}'. Waiting for next response.`);
+                    console.error(`Unsupported server response state '${serviceInstance?.last_operation?.state}'. Waiting for next response.`);
                     break;
             }
         }
@@ -221,11 +205,11 @@ class CfUtil {
 
         const probeService = await this.getService(serviceName, false);
         if (probeService) {
-            LOG.log(`Getting service ${bold(serviceName)}`);
+            console.log(`Getting service ${bold(serviceName)}`);
             return probeService;
         }
 
-        LOG.log(`Creating service ${bold(serviceName)} - please be patient...`);
+        console.log(`Creating service ${bold(serviceName)} - please be patient...`);
 
         const spaceInfo = await this.getCfSpaceInfo();
 
@@ -263,7 +247,7 @@ class CfUtil {
         }
 
         const postResult = await this._cfRequest('/v3/service_instances', undefined, body);
-        if (postResult.errors) {
+        if (postResult?.errors) {
             throw new Error(postResult.errors[0].detail);
         }
 
@@ -277,7 +261,7 @@ class CfUtil {
 
 
     async getServiceKey(serviceInstance, serviceKeyName, showMessage = true) {
-        showMessage && LOG.log(`Getting service key ${bold(serviceKeyName)}`);
+        showMessage && console.log(`Getting service key ${bold(serviceKeyName)}`);
 
         let counter = POLL_COUNTER;
         while (counter > 0) {
@@ -303,7 +287,7 @@ class CfUtil {
                     throw new Error(`The returned binding reported state '${OPERATION_STATE_FAILED}'.\n${JSON.stringify(binding, null, 4)}`);
 
                 default:
-                    LOG.log(`Unsupported server response state '${binding?.last_operation?.state}'. Waiting for next response.`);
+                    console.error(`Unsupported server response state '${binding?.last_operation?.state}'. Waiting for next response.`);
                     break;
             }
         }
@@ -316,11 +300,11 @@ class CfUtil {
 
         const serviceKey = await this.getServiceKey(serviceInstance, serviceKeyName, false);
         if (serviceKey) {
-            LOG.log(`Getting service key ${bold(serviceKeyName)}`);
+            console.log(`Getting service key ${bold(serviceKeyName)}`);
             return serviceKey;
         }
 
-        LOG.log(`Creating service key ${bold(serviceKeyName)} - please be patient...`);
+        console.log(`Creating service key ${bold(serviceKeyName)} - please be patient...`);
 
         const body = {
             type: 'key',
@@ -338,7 +322,7 @@ class CfUtil {
         }
 
         const postResult = await this._cfRequest('/v3/service_credential_bindings', undefined, body);
-        if (postResult.errors) {
+        if (postResult?.errors) {
             throw new Error(postResult.errors[0].detail);
         }
 

package/lib/auth/index.js

@@ -25,7 +25,8 @@ module.exports = lazified (Object.assign (auth_factory, {
   basic:  require('./basic-auth'),
   dummy:  require('./dummy-auth'),
   ias:    require('./ias-auth'),
-  xsuaa:  require('./xsuaa-auth'),
+  jwt:    require('./jwt-auth'),
+  xsuaa:  require('./jwt-auth'),
 }))
 
 require = _require // eslint-disable-line no-global-assign

package/lib/auth/jwt-auth.js

@@ -1,3 +1,64 @@
-// TODO...
-console.trace ('JWT auth is not yet implemented')
-module.exports = ()=> (req,res,next)=> next()
+const cds = require('../')
+const _require = require('../../libx/_runtime/common/utils/require')
+// _require for better error message
+const express = _require('express')
+const passport = _require('passport')
+const { JWTStrategy } = _require('@sap/xssec')
+const LOG = cds.log('auth')
+
+module.exports = function jwt_auth(config) {
+  // warn if no credentials
+  if (!config.credentials) {
+    LOG._warn &&
+      LOG.warn(`
+       No XSUAA instance bound to application, but "${config.kind}" configured.
+       This is NOT recommended in production!
+       `)
+
+    return (req,res,next) => next()
+  }
+
+  passport.use(config.kind, new JWTStrategy(config.credentials))
+  return express
+    .Router()
+    .use(passport.authenticate(config.kind, { session: false }))
+    .use((req, res, next) => {
+      const payload = req.tokenInfo.getPayload()
+    
+      let id = req.user.id
+    
+      let roles = payload.scope.map(s => s.replace(new RegExp(`^(${config.credentials.xsappname + '.'})`), ''))
+      roles.push('identified-user')
+      if (payload.grant_type) {
+        // > not "weak"
+        roles.push('authenticated-user')
+    
+        const CLIENT = { client_credentials: 1, client_x509: 1 }
+        if (payload.grant_type in CLIENT) {
+          id = 'system'
+          roles.push('system-user')
+          if (req.tokenInfo.getClientId() === config.credentials.clientid) roles.push('internal-user')
+        }
+      }
+
+      let attr = req.authInfo.getAttributes() || {}
+      if (config.kind === 'xsuaa') {
+        attr.logonName = req.authInfo.getLogonName()
+        attr.givenName = req.authInfo.getGivenName()
+        attr.familyName = req.authInfo.getFamilyName()
+        attr.email = req.authInfo.getEmail()
+      }
+
+      req.user = new cds.User({ id, roles, attr })
+      req.tenant = req.tokenInfo.getZoneId?.()
+      next()
+    })
+    .use((err, req, res, next) => {
+      if (req.tokenInfo) {
+        LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
+      }
+      // REVISIT: reject request immediately as our other auth strategies do
+      // should we call next(err)? -> I don't think so; it's not an error, is it?
+      res.status(401).json({ code: '401', message: 'Unauthorized' }) // REVISIT: this is OData style?
+    })
+}

package/lib/auth/xsuaa-auth.js

@@ -1,3 +1,2 @@
-// TODO...
-console.trace ('XSUAA auth is not yet implemented')
-module.exports = ()=> (req,res,next)=> next()
+// REVISIT: "kind": "xsuaa-auth" does not work because cds.requires logic does not resolve it. Intentional?
+module.exports = require('./jwt-auth')

package/lib/compile/cdsc.js

@@ -103,6 +103,7 @@ const _options = {for: Object.assign (_options4, {
 
 /**
  * Return a derivate of cdsc, with the most prominent
+ * @type { import('@sap/cds-compiler') }
  */
 module.exports = exports = {__proto__:compile, _options,
   for: {__proto__: compile.for,

package/lib/compile/etc/_localized.js

@@ -2,6 +2,7 @@ const cds = require('../..'), {env} = cds
 const DEBUG = cds.debug('alpha|_localized')
 const _locales_4sql = {
 	sqlite : env.i18n.for_sqlite || env.i18n.for_sql || [],
+	h2 :     env.i18n.for_sql || [],
 	plain  : env.i18n.for_sql || [],
 }
 

package/lib/dbs/cds-deploy.js

@@ -143,7 +143,6 @@ exports.init = (db, csn=db.model, log=()=>{}) => db.run (async tx => {
       if (db.kind === 'better-sqlite') _add_missing_pks2(q)
       log (file,e)
       inits.push (tx.run(q) .catch (e => {
-        Error.captureStackTrace(e)
         throw Object.assign (e, { message: 'in cds.deploy(): ' + e.message +'\n'+ inspect(q) })
       }))
     }
@@ -232,11 +231,13 @@ const _entity4 = (file,csn) => {
 const INSERT_from_csv = (entity, csv) => {
   let [ cols, ...rows ] = cds.parse.csv (csv)
   if (rows.length > 0) return INSERT.into (entity) .columns (cols) .rows (rows)
+  // if (rows.length > 0) return UPSERT.into (entity) .columns (cols) .rows (rows)
 }
 
 const INSERT_from_json = (entity, json) => {
   let records = JSON.parse (json)
   if (records.length > 0) return INSERT.into (entity) .entries (records)
+  // if (records.length > 0) return UPSERT.into (entity) .entries (records)
 }
 
 const _from_csv_or_json = { '.json': INSERT_from_json, '.csv': INSERT_from_csv, }

package/lib/env/cds-env.js

@@ -1,4 +1,4 @@
-const { isfile, fs, path } = require('../utils/cds-utils')
+const { isdir, isfile, fs, path } = require('../utils/cds-utils')
 const DEFAULTS = require('./defaults'), defaults = require.resolve ('./defaults')
 const compat = require('./compat')
 const presets = require('./presets')
@@ -6,7 +6,7 @@ const serviceBindings = require('./serviceBindings');
 
 
 /**
- * Both a config inctance as well as factory for.
+ * Both a config instance as well as factory for.
  */
 class Config {
 
@@ -28,7 +28,7 @@ class Config {
   constructor (_context, _home, _defaults=true) {
     Object.assign (this, { _context, _home, _sources:[] })
 
-    // 0. determine profiles from NODE_ENV+ CDS_ENV
+    // 0. determine profiles from NODE_ENV + CDS_ENV
     const { NODE_ENV, CDS_ENV } = process.env, profiles = []
     if (NODE_ENV) profiles.push (NODE_ENV)
     if (CDS_ENV) profiles.push (...CDS_ENV.split(/\s*,\s*/))
@@ -52,29 +52,29 @@ class Config {
     const sources = Config.sources(_home, _context)
 
     // 2. read config sources in defined order
-    for (const source of sources) {
-      this._load(source.path, source.file, source.mapper, this._profiles, false)
+    for (const { path, file, mapper } of sources) {
+      this._load(path, file, mapper, this._profiles, false)
     }
 
     // 3. read important (!) profiles from config sources in defined order
     const important = new Set(this.profiles.map( profile => `${profile}!` ).filter( profile => this._profiles._defined.has( profile ) ));
     if (important.size > 0) {
-      for (const source of sources) {
-        this._load(source.path, source.file, source.mapper, important, true)
+      for (const { path, file, mapper } of sources) {
+        this._load(path, file, mapper, important, true)
       }
     }
 
-    // 4. link dependant services (through kind/use)
+    // 4. link dependent services (through kind/use)
     this._link_required_services()
 
     // 5. add process env
     this._add_process_env(_context, _home)
 
-    // 6. link dependant services again -> e.g. to allow things like CDS_requires_db=sql
+    // 6. link dependent services again -> e.g. to allow things like CDS_requires_db=sql
     this._link_required_services()
 
     // 7. complete service configurations from cloud service bindings
-    this._add_cloud_service_bindings({ VCAP_SERVICES: process.env.VCAP_SERVICES, SERVICE_BINDING_ROOT: process.env.SERVICE_BINDING_ROOT })
+    this._add_cloud_service_bindings(process.env)
 
     // 8. Add compatibility for mtx
     if (this.requires && this.requires.db) {
@@ -480,48 +480,13 @@ function _readJson (file) {
 
 
 
-function _readFromDir (p, isDir) {
-  if (typeof isDir === "undefined") {
-    try {
-      const entry = fs.statSync(p)
-      if (entry.isDirectory()) {
-        isDir = true
-      } else if (isFile(p, entry)) {
-        isDir = false
-      } else {
-        return undefined
-      }
-    } catch (e) {
-      return undefined
-    }
-  }
-  if (isDir) {
+function _readFromDir (p) {
+  if (isdir(p)) {
     const result = {}
-    const entries = fs.readdirSync(p, {withFileTypes: true})
-    for (let entry of entries) {
-      const entryPath = path.join(p, entry.name)
-      if (entry.isDirectory()) {
-        result[entry.name] = _readFromDir(entryPath, true)
-      } else if (isFile(entryPath, entry)) {
-        result[entry.name] = _readFromDir(entryPath, false)
-      }
-    }
+    for (const dirent of fs.readdirSync(p)) result[dirent] = _readFromDir(path.join(p, dirent))
     return result
-  } else {
-    return _value4(fs.readFileSync(p, "utf-8"))
-  }
-
-  function isFile(p, entry) {
-    if (entry.isFile()) return true
-    if (entry.isSymbolicLink()) {
-      // Kubernetes credentials use symlinks
-      const target = fs.realpathSync(p)
-      const targetStat = fs.statSync(target)
-
-      if (targetStat.isFile()) return true
-    }
-    return false
   }
+  return _value4(fs.readFileSync(p, "utf-8"))
 }
 
 

package/lib/env/cds-requires.js

@@ -38,6 +38,9 @@ exports = module.exports = {
 }
 
 
+const admin = [ 'cds.Subscriber', 'admin' ]
+const builder = [ 'cds.ExtensionDeveloper', 'cds.UIFlexDeveloper' ]
+
 const _authentication_strategies = {
 
   "basic-auth": {
@@ -49,12 +52,13 @@ const _authentication_strategies = {
   "mocked-auth": {
     kind: 'basic-auth',
     users: {
-      alice: { roles: ['admin', 'cds.Subscriber'] },
-      bob:   { roles: ['builder'] },
-      carol: { tenant: 't1', roles: ['admin', 'cds.Subscriber', 'cds.ExtensionDeveloper', 'cds.UIFlexDeveloper'] },
-      dave:  { tenant: 't1', roles: ['cds.Subscriber'], features: [] }, // user-specific features
-      erin:  { tenant: 't2', roles: ['admin', 'cds.Subscriber', 'cds.ExtensionDeveloper'] },
-      fred:  { tenant: 't2', roles: [], features: ['isbn'] },
+      alice: { tenant: 't1', roles: [ ...admin ] },
+      bob:   { tenant: 't1', roles: [ ...builder ] },
+      carol: { tenant: 't1', roles: [ ...admin, ...builder ] },
+      dave:  { tenant: 't1', roles: [ ...admin ], features: [] },
+      erin:  { tenant: 't2', roles: [ ...admin, ...builder ] },
+      fred:  { tenant: 't2', features: ['isbn'] },
+      me:    { tenant: 't1', features: ['*'] },
       yves:  { roles: ['internal-user'] },
       '*': true
     },
@@ -65,14 +69,16 @@ const _authentication_strategies = {
   },
   "jwt-auth": {
     strategy: 'JWT', // REVISIT: Can be removed when we switch to new auth middlewars
+    kind: 'jwt-auth',
     vcap: { label: 'xsuaa' }
   },
   "ias-auth": {
     kind: 'ias-auth',
     vcap: { label: 'identity' }
   },
-  "xsuaa": {
+  "xsuaa": { // CLARIFY why is this not -auth postfixed?
     strategy: 'xsuaa', // REVISIT: Can be removed when we switch to new auth middlewars
+    kind: 'xsuaa',
     vcap: { label: 'xsuaa' }
   },
   "dummy-auth": {

package/lib/env/defaults.js

@@ -12,6 +12,10 @@ module.exports = {
   },
 
   features: {
+    "[schevo]": {
+      schema_evolution: true,
+    },
+    schema_evolution: false,
     folders: 'fts/*', // where to find feature toggles -> switch on by default when released
     cls: major > 12 || major == 12 && minor >= 18,
     live_reload: !production,

package/lib/i18n/localize.js

@@ -10,8 +10,8 @@ module.exports = Object.assign (localize, {
 })
 
 
-function localize (model, /*with:*/ locale, aString) {
-  const _localize = bundle => localizeString (aString, bundle)
+function localize (model, /*with:*/ locale, aString, extBundle) {
+  const _localize = bundle => localizeString (aString, bundle, extBundle)
 
   const bundle = bundles4 (model, locale)
   if (Array.isArray(locale)) { // array of multiple locales
@@ -29,14 +29,14 @@ function localize (model, /*with:*/ locale, aString) {
 
 const TEXT_KEY_MARKER = 'i18n>'
 const TEXT_KEYS = /{b?i18n>([^"}]+)}/g
-function localizeString (aString, bundle) {
+function localizeString (aString, bundle, extBundle) {
   if (!bundle || !aString)  return aString
   if (typeof aString === 'object')  aString = JSON.stringify(aString, null, 2)
   // quick check for presence of any text key, to avoid expensive operation below
   if (!aString.includes(TEXT_KEY_MARKER))  return aString
   const escape = aString.startsWith('<?xml') ? escapeXmlAttr : /^[{[]/.test(aString) ? escapeJson : v=>v
   return aString.replace (TEXT_KEYS, (_, key) => {
-    const val = bundle[key]
+    const val = (extBundle && extBundle[key]) || bundle[key]
     return val ? escape(val) : key
   })
 }
@@ -155,11 +155,14 @@ function folders4 (model) {
   //   foo/node_modules/reuse-level-1/model.cds
   //   foo/node_modules/reuse-level-2/model.cds
   if (!model.$sources)  return []
-  const folders=[];  for (let src of model.$sources) {
+  const srcFolders = new Set (model.$sources.map (dirname))
+  const folders = []
+  srcFolders.forEach(src => {
     let folder = folder4 (src)
-    if (!folder || folders.includes(folder)) continue
-    folders.push(folder)  // use an array here to not screw up the folder order
-  }
+    if (folder && !folders.includes(folder)) {
+      folders.push(folder)  // use an array here to not screw up the folder order
+    }
+  })
 
   Object.defineProperty (model, '_i18nfolders', {value:folders})
   return folders.reverse()

package/lib/index.js

@@ -132,7 +132,7 @@ extend (cds.__proto__) .with (lazified ({
 const odp = Object.defineProperty, _global = (_,...pp) => pp.forEach (p => odp(global,p,{
   configurable:true, get:()=>{ let v=cds[_][p]; odp(this,p,{value:v}); return v }
 }))
-_global ('ql','SELECT','INSERT','UPDATE','DELETE','CREATE','DROP')
+_global ('ql','SELECT','INSERT','UPSERT','UPDATE','DELETE','CREATE','DROP')
 _global ('parse','CDL','CQL','CXL')
 
 // Check Node.js version

package/lib/log/cds-log.js

@@ -136,7 +136,7 @@ exports.winstonLogger = (options) => (label, level) => {
     return simple (label, level, ...args)
   },
   get json() {
-    return this._json || (this._json = require('./format/kibana'))
+    return this._json || (this._json = require('./format/cf'))
   }
 }
 
@@ -149,7 +149,7 @@ exports.winstonLogger = (options) => (label, level) => {
  *
  * @param {string} label the label to prefix to log output
  * @param {number} level the log level to enable -> 0=off, 1=error, 2=warn, 3=info, 4=debug, 5=trace
- * @param {any[]} args  the arguments passed to Logger.debug|log|info|wanr|error()
+ * @param {any[]} args  the arguments passed to Logger.debug|log|info|warn|error()
  */
 exports.format = (
   process.env.NODE_ENV === 'production' && cds.env.features.kibana_formatter ? log.formatters.json :

package/lib/log/format/cf.js

@@ -0,0 +1,16 @@
+const cds = require ('../../')
+const kibana = require('./kibana')
+
+/*
+ * extension of log formatter for kibana that additionally logs Cloud Foundry specific data
+ */
+module.exports = (module, level, ...args) => {
+  const toLog = kibana.addFields(module, level, ...args)
+
+  toLog.layer = 'cds'
+
+  // cds.context._ instead of cds.context.http because of messaging
+  toLog.tenant_subdomain = cds.context?._?.req?.authInfo?.getSubdomain()
+
+  return kibana.format(toLog)
+}

package/lib/log/format/kibana.js

@@ -6,7 +6,12 @@ const _l2l = { 1: 'error', 2: 'warn', 3: 'info', 4: 'debug', 5: 'trace' }
 /*
  * log formatter for kibana
  */
-module.exports = (module, level, ...args) => {
+module.exports = exports = (module, level, ...args) => {
+  const toLog = exports.addFields(module, level, ...args)
+  return exports.format(toLog)
+}
+
+exports.addFields = (module, level, ...args) => {
   // config
   const { user: log_user , kibana_custom_fields } = cds.env.log
 
@@ -28,7 +33,11 @@ module.exports = (module, level, ...args) => {
     const req = cds.context._ && cds.context._.req
     if (req && req.headers)
       for (const k in req.headers)
-        toLog[k.replace(/-/g, '_')] = k.match(/authorization/i) ? `${req.headers[k].split(' ')[0]} ***` : req.headers[k]
+        toLog[k.replace(/-/g, '_')] = (() => {
+          if (k.match(/authorization/i)) return `${req.headers[k].split(' ')[0]} ***`
+          if (k.match(/cookie/i)) return '***'
+          return req.headers[k]
+        })()
   }
   toLog.timestamp = new Date()
 
@@ -56,6 +65,10 @@ module.exports = (module, level, ...args) => {
     if (cf.length) toLog['#cf'] = { string: cf }
   }
 
+  return toLog
+}
+
+exports.format = toLog => {
   const getCircularReplacer = () => {
     const seen = new WeakSet()
     return (key, value) => {