@sap/cds 7.1.2 → 7.2.0

package/libx/odata/afterburner.js

@@ -30,6 +30,7 @@ const _addKeysDeep = (keys, keysCollector, ignoreManagedBacklinks) => {
 function _keysOf(entity, ignoreManagedBacklinks) {
   const keysCollector = []
   if (!entity || !entity.keys) return keysCollector
+
   _addKeysDeep(entity.keys, keysCollector, ignoreManagedBacklinks)
   return keysCollector
 }
@@ -174,15 +175,16 @@ function _convertVal(element, value) {
       throw new Error('Not a valid integer') // TODO
 
     case 'cds.String':
-    case 'cds.LargeString':
+    case 'cds.LargeString':      
+      return String(value)
+    case 'cds.Double':      
+      return parseFloat(value)
     case 'cds.Decimal':
     case 'cds.DecimalFloat':
-    case 'cds.Double':
     case 'cds.Int64':
     case 'cds.Integer64':
       if (typeof value === 'string') return value
       return String(value)
-
     case 'cds.Boolean':
       return typeof value === 'string' ? value === 'true' : value
 

package/libx/odata/cqn2odata.js

@@ -73,7 +73,7 @@ function hasValidProps(obj, ...names) {
   return true
 }
 
-function _args(args) {
+function _args(args, func) {
   const res = []
 
   for (const cur of args) {
@@ -83,11 +83,11 @@ function _args(args) {
     }
 
     if (hasValidProps(cur, 'func', 'args')) {
-      res.push(`${cur.func}(${_args(cur.args)})`)
+      res.push(`${cur.func}(${_args(cur.args, cur.func)})`)
     } else if (hasValidProps(cur, 'ref')) {
       res.push(_format(cur))
     } else if (hasValidProps(cur, 'val')) {
-      res.push(_format(cur))
+      res.push(_format(cur, null, null, null, null, func))
     }
   }
 
@@ -111,20 +111,20 @@ const _odataV2Func = (func, args) => {
       // this doesn't support the contains signature with two collections as args, introduced in odata v4.01
       return `substringof(${_args([args[1], args[0]])})`
     default:
-      return `${func}(${_args(args)})`
+      return `${func}(${_args(args, func)})`
   }
 }
 
-const _format = (cur, elementName, target, kind, isLambda) => {
+const _format = (cur, elementName, target, kind, isLambda, func) => {
   if (typeof cur !== 'object') return encodeURIComponent(formatVal(cur, elementName, target, kind))
   if (hasValidProps(cur, 'ref'))
     return encodeURIComponent(isLambda ? [LAMBDA_VARIABLE, ...cur.ref].join('/') : cur.ref[0].id || cur.ref.join('/'))
-  if (hasValidProps(cur, 'val')) return encodeURIComponent(formatVal(cur.val, elementName, target, kind))
+  if (hasValidProps(cur, 'val')) return encodeURIComponent(formatVal(cur.val, elementName, target, kind, func))
   if (hasValidProps(cur, 'xpr')) return `(${_xpr(cur.xpr, target, kind, isLambda)})`
   // REVISIT: How to detect the types for all functions?
   if (hasValidProps(cur, 'func')) {
     if (cur.args?.length) {
-      return kind === 'odata-v2' ? _odataV2Func(cur.func, cur.args) : `${cur.func}(${_args(cur.args)})`
+      return kind === 'odata-v2' ? _odataV2Func(cur.func, cur.args) : `${cur.func}(${_args(cur.args, cur.func)})`
     }
     return `${cur.func}()`
   }

package/libx/odata/utils.js

@@ -1,6 +1,8 @@
 const { toBase64url } = require('../_runtime/common/utils/binary')
 const cds = require('../_runtime/cds')
 
+const MATH_FUNC = {'round': 1, 'floor': 1, 'ceiling': 1}
+
 const getSafeNumber = str => {
   const n = Number(str)
   return Number.isSafeInteger(n) || String(n) === str ? n : str
@@ -48,11 +50,12 @@ const _getElement = (csnTarget, key) => {
   }
 }
 
-const formatVal = (val, elementName, csnTarget, kind) => {
+const formatVal = (val, elementName, csnTarget, kind, func) => {
   if (val === null || val === 'null') return 'null'
   if (typeof val === 'boolean') return val
   if (typeof val === 'number') return getSafeNumber(val)
   if (!csnTarget && typeof val === 'string' && UUID.test(val)) return kind === 'odata-v2' ? `guid'${val}'` : val
+  if (typeof val === 'string' && func in MATH_FUNC) return val
   const element = _getElement(csnTarget, elementName)
   if (kind === 'odata-v2') {
     switch (element.type) {

package/libx/rest/RestAdapter.js

@@ -17,9 +17,13 @@ const error = require('./middleware/error')
 const { alias2ref } = require('../_runtime/common/utils/csn')
 const { bufferToBase64 } = require('../_runtime/common/utils/binary')
 
+const { getAccessRestrictions } = require('../_runtime/common/utils/restrictions')
+
 const RestAdapter = function (srv) {
   alias2ref(srv) // REVISIT: that's an anti pattern in new prototocol adapter setups
 
+  const accessRestrictions = getAccessRestrictions(srv)
+
   const router = express.Router()
 
   // pass srv-related stuff to middlewares via req
@@ -64,24 +68,19 @@ const RestAdapter = function (srv) {
     // REVISIT: ensure there always is a user (should be the case with new middlewares -> remove with old middlewares)
     if (!req.user) req.user = new cds.User.default
 
-    // REVISIT: This is authorization enforcement which is protocol-independent -> should move to service layer
-    const requires = srv.definition?.['@requires']
-    if (requires) {
-      const ok = typeof requires === 'string' ? req.user.is(requires) : requires.some(r => req.user.is(r))
-      if (ok) return next()
-    } else {
-      return next() // neither of the above
-    }
-
-    // > unauthorized or forbidden?
-    if (req.user._is_anonymous) {
-      // NOTE: "return req._login()" would not invoke custom error handlers
-      if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
-      else if (req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
-      throw cds.error('Unauthorized', { statusCode: 401, code: '401' })
-    } else {
+    // check @restrict and @requires as soon as possible (DoS)
+    if (!accessRestrictions.some(r => req.user.is(r))) {
+      // > unauthorized or forbidden?
+      if (req.user._is_anonymous) {
+        // NOTE: "return req._login()" would not invoke custom error handlers
+        if (req._login) res.set('WWW-Authenticate', `Basic realm="Users"`)
+        else if (req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
+        throw cds.error('Unauthorized', { statusCode: 401, code: '401' })
+      }
       throw cds.error('Forbidden', { statusCode: 403, code: '403' })
     }
+
+    next()
   })
 
   // -----------------------------------------------------------------------------------------

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "7.1.2",
+  "version": "7.2.0",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [

package/lib/auth/xsuaa-auth.js

@@ -1,2 +0,0 @@
-// REVISIT: "kind": "xsuaa-auth" does not work because cds.requires logic does not resolve it. Intentional?
-module.exports = require('./jwt-auth')

package/libx/_runtime/auth/utils.js

@@ -1,32 +0,0 @@
-const UNAUTHORIZED = { statusCode: 401, code: '401', message: 'Unauthorized' }
-const FORBIDDEN = { statusCode: 403, code: '403', message: 'Forbidden' }
-
-const getRequiresAsArray = definition => {
-  const requires = definition['@requires']
-  if (requires) return Array.isArray(requires) ? requires : [requires]
-}
-
-const isRestricted = srv => {
-  if (srv.definition['@requires']) return true
-
-  const entities = srv.entities
-  const entitiesKeys = Object.keys(entities)
-
-  return !!(
-    entitiesKeys.some(entity => entities[entity]['@requires'] || entities[entity]['@restrict']) ||
-    entitiesKeys.some(entity => {
-      const actions = entities[entity].actions
-      actions && Object.keys(actions).some(action => actions[action]['@requires'] || actions[action]['@restrict'])
-    }) ||
-    Object.keys(srv.operations).some(
-      operation => srv.operations[operation]['@requires'] || srv.operations[operation]['@restrict']
-    )
-  )
-}
-
-module.exports = {
-  UNAUTHORIZED,
-  FORBIDDEN,
-  getRequiresAsArray,
-  isRestricted
-}