@sap/cds 6.4.1 → 6.6.0

package/lib/srv/protocols/odata-v2-proxy.js

@@ -938,7 +938,7 @@ function cov2ap(options = {}) {
         }
       }
 
-      Object.entries(headers).forEach(([name, value]) => {
+      Object.keys(headers).forEach(name => {
         if (
           name === "dataserviceversion" ||
           name === "DataServiceVersion" ||
@@ -1171,7 +1171,7 @@ function cov2ap(options = {}) {
     return req.context;
   }
 
-  function convertUrlLinks(url, req) {
+  function convertUrlLinks(url) {
     url.contextPath = url.contextPath.replace(/\/\$links\//gi, "/");
   }
 
@@ -1630,7 +1630,7 @@ function cov2ap(options = {}) {
     }
   }
 
-  function convertFilter(url, req) {
+  function convertFilter(url) {
     const _ = "§§";
 
     let filter = url.query["$filter"];
@@ -1702,7 +1702,7 @@ function cov2ap(options = {}) {
     }
   }
 
-  function convertSearch(url, req) {
+  function convertSearch(url) {
     if (url.query.search) {
       let search = url.query.search;
       if (quoteSearch) {
@@ -2789,7 +2789,7 @@ function cov2ap(options = {}) {
     }
   }
 
-  function removeMetadata(data, headers, definition, elements, body, req) {
+  function removeMetadata(data) {
     Object.keys(data).forEach((key) => {
       if (key.startsWith("@") || key.startsWith("odata.") || key.includes("@odata.")) {
         delete data[key];
@@ -2797,7 +2797,7 @@ function cov2ap(options = {}) {
     });
   }
 
-  function convertMedia(data, headers, definition, elements, proxyBody, req) {
+  function convertMedia(data) {
     Object.keys(data).forEach((key) => {
       if (key.endsWith("@odata.mediaReadLink")) {
         data[key.split("@odata.mediaReadLink")[0]] = data[key];
@@ -2807,7 +2807,7 @@ function cov2ap(options = {}) {
     });
   }
 
-  function removeAnnotations(data, headers, definition, elements, proxyBody, req) {
+  function removeAnnotations(data) {
     Object.keys(data).forEach((key) => {
       if (key.startsWith("@")) {
         delete data[key];
@@ -2999,7 +2999,7 @@ function cov2ap(options = {}) {
     return `PT${timeParts[0] || "00"}H${timeParts[1] || "00"}M${timeParts[2] || "00"}S`;
   }
 
-  function addResultsNesting(data, headers, definition, elements, root, req) {
+  function addResultsNesting(data, headers, definition, elements) {
     if (!returnCollectionNested) {
       return;
     }

package/lib/srv/srv-handlers.js

@@ -16,13 +16,19 @@ class EventHandlers {
   )}
 
   async prepend (...impl_functions) {
-    // IMPORTANT: We might be called in parallel -> the ._handlers._handlers
-    // game below avoids loosing registrations due to race conditions
-    const _handlers = this._handlers._handlers || this._handlers
-    const _new = this._handlers = { _handlers, on:[], before:[], after:[], _initial:[], _error:[] }
-    await Promise.all (impl_functions.map (fn => is_impl(fn) && fn.call (this,this)))
-    for (let each in _new) if (_new[each].length) _handlers[each] = [ ..._new[each], ..._handlers[each] ]
-    this._handlers = _handlers
+    // IMPORTANT: We might be called in parallel -> the ._handlers._real
+    // game below avoids loosing registrations due to race conditions.
+    // Note also that {__proto__:this, _handlers:_new} doesn't work as
+    // usages frequently look like that: srv.prepend(()=>srv.on(...)),
+    // which means the derived srv instance would be bypassed.
+    const _real = this._handlers._real || this._handlers
+    const _new = { on:[], before:[], after:[], _initial:[], _error:[], _real }
+    await Promise.all (impl_functions.map (fn => { if (is_impl(fn)) {
+      this._handlers = _new
+      return fn.call (this,this)
+    }}))
+    for (let handlers in _new) if (_new[handlers].length) _real[handlers] = [ ..._new[handlers], ..._real[handlers] ]
+    this._handlers = _real
     return this
   }
 
@@ -85,6 +91,19 @@ const _register = function (srv, phase, event, path, handler) { //NOSONAR
     if (!path.startsWith(srv.name+'.')) path = `${srv.name}.${path}`
   }
 
+  if (cds.env.features.lean_draft && cds.env.features.lean_draft_compatibility) {
+    const entity = path && srv.model?.definitions[path.name || path]
+    if (['PATCH', 'CANCEL', 'NEW'].includes(event)) {
+      // delegate to drafts
+      path = typeof path === 'string' && path !== '*' && !path.endsWith('.drafts') ? path + '.drafts' : typeof path === 'object' && path.drafts || path
+      if (event === 'PATCH') event = 'UPDATE'
+    }
+    else if (entity && (event === 'READ' || entity.actions?.[event]) && (entity.drafts && !entity.name.endsWith('.drafts'))) {
+      // additionally add drafts for READ and bound actions/functions
+      _register(srv, phase, event, entity.name + '.drafts', handler)
+    }
+  }
+
   // Finally register with a filter function to match requests to be handled
   const _handlers = srv._handlers [event === 'error' ? '_error' : (handler._initial ? '_initial' : phase)] // REVISIT: remove _initial handlers
   _handlers.push (new EventHandler (phase, event, path, handler))

package/lib/srv/srv-methods.js

@@ -4,8 +4,8 @@ const LOG = cds.log('cds.serve',{label:'cds'})
 
 module.exports = (srv) => {
   if (srv.model && ( //> we only support that for app services
-    srv instanceof cds.ApplicationService ||
-    srv instanceof cds.RemoteService ||
+    srv.isAppService ||
+    srv.isExternal ||
     srv._add_stub_methods
   )) {
     for (const each of srv.operations) {

package/lib/srv/srv-models.js

@@ -57,7 +57,13 @@ class ExtendedModels {
     else return cache[key] = (async()=>{ // temporarily add promise to cache to avoid race conditions...
 
       // If tenant doesn't have extensions check cache with tenant = undefined
-      const _has_extensions = tenant && extensibility && await _is_extended(tenant)
+      let _has_extensions = false
+      try {
+        _has_extensions = tenant && extensibility && await _is_extended(tenant)
+      } catch (error) {
+        // Better error message for client
+        cds.error('`extensibility: true` is configured but table "cds.xt.Extensions" does not exist. Please redeploy.', error)
+      }
       if (!_has_extensions) {
         let k = cache.key4 (tenant = undefined, features)
         let cached = cache.at(k); if (cached) return cached
@@ -146,8 +152,7 @@ class ExtendedModels {
       if (Date.now() - m._cached.touched > ExtendedModels.sentinelInterval) {
         delete this [key]
       }
-    }}, ExtendedModels.sentinelInterval)
-    cds.on('shutdown', ()=> clearInterval(this.sentinel))
+    }}, ExtendedModels.sentinelInterval).unref()
   }
 
 

package/lib/utils/cds-test.js

@@ -29,10 +29,8 @@ class Test extends require('./axios') {
       catch (e) { if (is_mocha) console.error(e) } // eslint-disable-line no-console
     })
 
-    // shutdown cds server...
-    after (done => {
-      this.server ? this.server.close (done) : done && done()
-    })
+    // gracefully shutdown cds server...
+    after (() => this.server && cds.shutdown())
 
     beforeEach (async () => {
       if (this.data._autoReset)  await this.data.reset()
@@ -80,7 +78,11 @@ class Test extends require('./axios') {
 
   then(r) {
     const {cds} = this
-    cds.once('listening',r)
+    if (this.server) {
+      r({ server: this.server, url: this.url })
+    } else {
+      cds.once('listening', r)
+    }
   }
 }
 

package/lib/utils/cds-utils.js

@@ -63,6 +63,7 @@ exports.exists = function exists (x) {
   }
 }
 
+// REVISIT naming: doesn't return boolean
 exports.isdir = function isdir (x) {
   if (x) try {
     const y = resolve (cds.root,x)
@@ -72,6 +73,7 @@ exports.isdir = function isdir (x) {
   } catch(e){/* ignore */}
 }
 
+// REVISIT naming: doesn't return boolean
 exports.isfile = function isfile (x) {
   if (x) try {
     const y = resolve (cds.root,x)
@@ -100,7 +102,7 @@ exports.read = async function read (file, _encoding) {
 exports.write = function write (file, data, o) {
   if (arguments.length === 1) return {to:(...path) => write(join(...path),file)}
   if (typeof data === 'object' && !Buffer.isBuffer(data))
-    data = JSON.stringify(data, null, ' '.repeat(o && o.spaces))
+    data = JSON.stringify(data, null, ' '.repeat(o && o.spaces)) + require('os').EOL
   const f = resolve (cds.root,file)
   return fs.mkdirp (dirname(f)).then (()=> fs.promises.writeFile (f,data,o))
 }

package/lib/utils/tar.js

@@ -96,8 +96,11 @@ exports.create = async (dir='.', ...args) => {
       c = spawnDir(dir, args)
     }
   } else {
-    if (Array.isArray(args[0])) args.push (...args.shift().map (f => path.isAbsolute(f) ? path.relative(dir,f) : f))
-    else args.push('.')
+    if (Array.isArray(args[0])) {
+      args.push (...args.shift().map (f => path.isAbsolute(f) ? path.relative(dir,f) : f))
+    } else {
+      args.push('.')
+    }
   
     c = spawn ('tar', ['c', '-C', dir, ...args])
   }
@@ -236,5 +239,5 @@ exports.t = tar.tf = tar.list
 // ---------------------------------------------------------------------------------
 // Compatibility...
 
-exports.packTarArchive = (files,d) => d ? tar.cz (d,files) : tar.cz (files)
+exports.packTarArchive = (resources,d) => d ? tar.cz (d,resources) : tar.cz (resources)
 exports.unpackTarArchive = (x,dir) => tar.xz(x).to(dir)

package/libx/_runtime/auth/strategies/JWT.js

@@ -24,6 +24,7 @@ class JWTStrategy extends JS {
         roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
         attr: xssecUtils.getAttrForJWT(info)
       })
+      xssecUtils.addRolesFromGrantType(user, info, credentials)
       const tenant = xssecUtils.getTenant(info)
       if (tenant) user.tenant = tenant
       // call "super.success"

package/libx/_runtime/auth/strategies/ias-auth.js

@@ -42,9 +42,10 @@ module.exports = function ias_auth(config) {
       if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) {
         req.user = new cds.User({
           id: 'system',
-          roles: ['system-user', 'authenticated-user'],
+          roles: ['authenticated-user'],
           attr: {}
         })
+        req.user._is_system = true
       } else {
         // add all unknown attributes to req.user.attr in order to keep public API small
         const payload = req.tokenInfo.getPayload()
@@ -65,7 +66,7 @@ module.exports = function ias_auth(config) {
       req.tenant = req.tokenInfo.getZoneId()
       next()
     })
-    .use((err, req, res, next) => {
+    .use((err, req, res, _next) => {
       if (req.tokenInfo) {
         LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
       }

package/libx/_runtime/auth/strategies/mock.js

@@ -21,6 +21,17 @@ class MockStrategy {
     if (user.password && user.password !== password) return this.fail(CHALLENGE)
 
     const { features } = req.headers
+    // Only in the mock strategy the pseudo roles are kept in the role list.
+    // In all other cases pseudo roles are filtered out.
+    if (user.roles) {
+      if (Array.isArray(user.roles)) {
+        if (user.roles.includes('system-user')) user._is_system = true
+        if (user.roles.includes('internal-user')) user._is_internal = true
+      } else {
+        if ('system-user' in user.roles) user._is_system = true
+        if ('internal-user' in user.roles) user._is_internal = true
+      }
+    }
     this.success(new cds.User(features ? { ...user, features } : user))
   }
 }
@@ -44,7 +55,7 @@ const _init_users = (users, tenants = {}) => {
           Array.isArray(user.roles) ? user.roles.push(...scopes) : (user.roles = scopes)
         }
         if (user.jwt.grant_type === 'client_credentials' || user.jwt.grant_type === 'client_x509') {
-          user.roles.push('system-user')
+          user._is_system = true
         }
         if (!user.tenant && user.jwt.zid) user.tenant = user.jwt.zid
       }

package/libx/_runtime/auth/strategies/xssecUtils.js

@@ -5,21 +5,19 @@ const getUserId = (user, info) => {
   return user.id || (info && info.getClientId && info.getClientId())
 }
 
-const _addRolesFromGrantType = (roles, info, credentials) => {
+const addRolesFromGrantType = (user, info, credentials) => {
   const grantType = info && (info.grantType || (info.getGrantType && info.getGrantType()))
   if (grantType) {
     // > not "weak"
-    roles.push('authenticated-user')
+    user.roles['authenticated-user'] = true
     if (grantType in CLIENT) {
-      roles.push('system-user')
-      if (info.getClientId() === credentials.clientid) roles.push('internal-user')
+      user._is_system = true
+      if (info.getClientId() === credentials.clientid) user._is_internal = true
     }
   }
 }
 
-const getRoles = (roles, info, credentials) => {
-  _addRolesFromGrantType(roles, info, credentials)
-
+const getRoles = (roles, info) => {
   // convert to object
   roles = Object.assign(...roles.map(ele => ({ [ele]: true })))
 
@@ -90,5 +88,6 @@ module.exports = {
   getRoles,
   getAttrForJWT,
   getAttrForXSSEC,
-  getTenant
+  getTenant,
+  addRolesFromGrantType
 }

package/libx/_runtime/auth/strategies/xsuaa.js

@@ -25,6 +25,7 @@ class XSUAAStrategy extends JS {
         roles: xssecUtils.getRoles(['any', 'identified-user'], info, credentials),
         attr: xssecUtils.getAttrForXSSEC(info)
       })
+      xssecUtils.addRolesFromGrantType(user, info, credentials)
       const tenant = xssecUtils.getTenant(info)
       if (tenant) user.tenant = tenant
       // call "super.success"

package/libx/_runtime/cds-services/adapter/odata-v4/OData.js

@@ -253,8 +253,12 @@ class OData {
     this._odataService.process(req, res).catch(err => {
       LOG.warn(err)
       // REVISIT: use i18n
-      //do not reply with error, if response already processed (streaming)
-      if (!res.headersSent) {
+      // do not reply with error, if response already processed (streaming)
+      // destroy response socket instead
+      if (res.headersSent) {
+        // REVISIT: temp solution until streaming is switched to express middlewares
+        res.socket.destroy()
+      } else {
         const { error, statusCode } = normalizeError(err, req)
         res.status(statusCode).send({ error })
       }

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/action.js

@@ -60,9 +60,8 @@ const action = service => {
         await tx.commit(result)
       }
 
-      if (isReturnMinimal(req) || result === null) odataRes.setStatusCode(204)
+      if (isReturnMinimal(req) || result === null) odataRes.setStatusCode(204, { overwrite: true })
       else if (req.event === 'draftActivate' || req.event === 'EDIT') {
-        odataRes.setStatusCode(201)
         const keys = Object.keys(req.target.keys).filter(k => {
           return k !== 'IsActiveEntity' && !req.target.keys[k]._isAssociationStrict
         })

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/read.js

@@ -251,6 +251,14 @@ const _readEntityOrProperty = async (tx, req, segments) => {
   return odataResult
 }
 
+const _reliablePagingPossible = req => {
+  if (req.target._isDraftEnabled) return false
+  if (cds.context?.http.req.query.$apply) return false
+  if (req.query.SELECT.limit.offset?.val ?? req.query.SELECT.limit.offset > 0) return false
+  if (req.query.SELECT.orderBy.some(o => !o.ref)) return false
+  return req.query.SELECT.orderBy.every(o => req.query.SELECT.columns.some(c => o.ref[0] === c.ref[0]))
+}
+
 /**
  * Read an entity collection without including the count of the total amount of entities.
  *
@@ -260,6 +268,7 @@ const _readEntityOrProperty = async (tx, req, segments) => {
  * @returns {Promise}
  * @private
  */
+// eslint-disable-next-line complexity
 const _readCollection = async (tx, req, odataReq) => {
   const result = (await tx.dispatch(req)) || []
   if (Array.isArray(req.query)) {
@@ -284,7 +293,23 @@ const _readCollection = async (tx, req, odataReq) => {
   const top = odataReq.getUriInfo().getQueryOption(QueryOptions.TOP)
   if (limit && limit === result.length && limit !== top && !('$nextLink' in result)) {
     const token = odataReq.getUriInfo().getQueryOption(QueryOptions.SKIPTOKEN)
-    result.$nextLink = (token ? parseInt(token) : 0) + limit
+    if (cds.env.query.limit.reliablePaging && _reliablePagingPossible(req)) {
+      const decoded = token && JSON.parse(Buffer.from(token, 'base64').toString())
+      const skipToken = {
+        r: (decoded?.r || 0) + limit,
+        c: req.query.SELECT.orderBy.map(o => ({
+          a: o.sort ? o.sort === 'asc' : true,
+          k: o.ref[0],
+          v: result[result.length - 1][o.ref[0]]
+        }))
+      }
+
+      if (limit + (decoded?.r || 0) !== top) {
+        result.$nextLink = Buffer.from(JSON.stringify(skipToken)).toString('base64')
+      }
+    } else {
+      result.$nextLink = (token ? parseInt(token) : 0) + limit
+    }
   }
 
   const odataResult = toODataResult(result, req)

package/libx/_runtime/cds-services/adapter/odata-v4/handlers/update.js

@@ -11,6 +11,7 @@ const { isReturnMinimal } = require('../utils/handlerUtils')
 const { readAfterWrite } = require('../utils/readAfterWrite')
 const { toODataResult, postProcess, postProcessMinimal } = require('../utils/result')
 const { hasOmitValuesPreference } = require('../utils/omitValues')
+const { isStreaming } = require('../utils/stream')
 
 const { getSapMessages } = require('../../../../common/error/frontend')
 
@@ -146,6 +147,13 @@ const update = service => {
         previousResult = await readAfterWrite(req, service, { isBefore: true })
       }
 
+      // in case of express errors in streaming do rollback
+      const segments = odataReq.getUriInfo().getPathSegments()
+      if (isStreaming(segments)) {
+        odataReq.getIncomingRequest().on('error', async err => {
+          await tx.rollback(err).catch(() => {})
+        })
+      }
       // try UPDATE and, on 404 error, try CREATE
       ;[result, req] = await _updateThenCreate(req, odataReq, odataRes, tx)
 

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/ExpressionToCQN.js

@@ -187,7 +187,7 @@ class ExpressionToCQN {
         // ignore
       }
     }
-    return { func: `${operator ? `${operator} ` : ''}${methodName}`, args }
+    return operator ? [operator, { func: `${methodName}`, args }] : { func: `${methodName}`, args }
   }
 
   /* eslint-disable complexity */

package/libx/_runtime/cds-services/adapter/odata-v4/odata-to-cqn/readToCQN.js

@@ -41,6 +41,8 @@ const { isAsteriskColumn } = require('../../../../common/utils/rewriteAsterisks'
 
 const { ensureUnlocalized } = require('../../../../fiori/utils/handler')
 
+const { skipToken: handleSkipToken } = require('../../../../../odata/utils')
+
 const _applyOnlyContainsFilter = apply => Object.keys(apply).length === 1 && apply.filter
 
 /**
@@ -136,9 +138,9 @@ const _apply = (uriInfo, queryOptions, entity, model) => {
 }
 
 const _topSkip = (queryOptions, target, cqn) => {
-  if (queryOptions && (queryOptions.$top || queryOptions.$skip || queryOptions.$skiptoken)) {
+  if (queryOptions && (queryOptions.$top || queryOptions.$skip)) {
     const top = queryOptions.$top ? parseInt(queryOptions.$top) : getDefaultPageSize(target)
-    const skip = parseInt(queryOptions.$skip || 0) + parseInt(queryOptions.$skiptoken || 0)
+    const skip = parseInt(queryOptions.$skip || 0)
     cqn.limit(Math.min(top, getMaxPageSize(target)), skip)
   }
 }
@@ -324,6 +326,10 @@ const _handleApply = (apply, select) => {
   select.push(...mergedArray)
 }
 
+const _skipToken = (token, cqn) => {
+  handleSkipToken(token, cqn)
+}
+
 /**
  * Transform odata READ request into a CQN object.
  *
@@ -393,6 +399,9 @@ const readToCQN = (service, target, odataReq) => {
   if (isCollectionOrToMany) {
     _topSkip(queryOptions, target, cqn)
     _orderby(uriInfo, cqn)
+
+    const skipToken = queryOptions?.$skiptoken
+    if (skipToken) _skipToken(skipToken, cqn)
   }
 
   if (!isCollectionOrToMany || entity._isSingleton) cqn.SELECT.one = true

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-commons/utils/PrimitiveValueDecoder.js

@@ -166,7 +166,7 @@ class PrimitiveValueDecoder {
         throw new IllegalArgumentError(
           'Invalid value ' +
             value +
-            ' (JavaScript ' +
+            ' (' +
             typeof value +
             '). ' +
             'A JSON string must be specified as value for type ' +
@@ -180,7 +180,7 @@ class PrimitiveValueDecoder {
         throw new IllegalArgumentError(
           'Invalid value ' +
             value +
-            ' (JavaScript ' +
+            ' (' +
             typeof value +
             ') ' +
             'as value for type ' +
@@ -209,7 +209,7 @@ class PrimitiveValueDecoder {
         throw new IllegalArgumentError(
           'Invalid value ' +
             value +
-            ' (JavaScript ' +
+            ' (' +
             typeof value +
             ') ' +
             'as value for type ' +
@@ -226,7 +226,7 @@ class PrimitiveValueDecoder {
         throw new IllegalArgumentError(
           'Invalid value ' +
             value +
-            ' (JavaScript ' +
+            ' (' +
             typeof value +
             ') ' +
             'as value for type ' +
@@ -247,7 +247,7 @@ class PrimitiveValueDecoder {
         throw new IllegalArgumentError(
           'Invalid value ' +
             value +
-            ' (JavaScript ' +
+            ' (' +
             typeof value +
             '). A JSON string must be specified ' +
             'as value for type ' +
@@ -262,7 +262,7 @@ class PrimitiveValueDecoder {
         throw new IllegalArgumentError(
           'Invalid value ' +
             value +
-            ' (JavaScript ' +
+            ' (' +
             typeof value +
             ') ' +
             'as value for type ' +
@@ -311,7 +311,7 @@ class PrimitiveValueDecoder {
           throw new IllegalArgumentError(
             'Invalid value ' +
               value +
-              ' (JavaScript ' +
+              ' (' +
               typeof value +
               '). A JSON ' +
               kind +
@@ -339,7 +339,7 @@ class PrimitiveValueDecoder {
           throw new IllegalArgumentError(
             'Invalid value ' +
               value +
-              ' (JavaScript ' +
+              ' (' +
               typeof value +
               ') for enumeration type ' +
               type.getFullQualifiedName() +

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-commons/utils/ValueConverter.js

@@ -544,7 +544,7 @@ class ValueConverter {
       throw new IllegalArgumentError(
         'Invalid value ' +
           value +
-          ' (JavaScript ' +
+          ' (' +
           typeof value +
           ') ' +
           'for enumeration type ' +