@sap/cds 7.1.2 → 7.2.1

package/apis/services.d.ts

@@ -9,8 +9,11 @@ import { ref } from './cqn'
 // import { Service } from './cds'
 
 export class QueryAPI {
+
+  entities : LinkedModel['entities']
+
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   read: {
     <T extends ArrayConstructable<any>>(entity: T, key?: any): Awaitable<SELECT<T>, InstanceType<T>>
@@ -18,7 +21,7 @@ export class QueryAPI {
   }
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   create: {
     <T extends ArrayConstructable<any>>(entity: T, key?: any): INSERT<T>
@@ -26,7 +29,7 @@ export class QueryAPI {
   }
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   insert: {
     <T extends ArrayConstructable<any>>(data: T): INSERT<T>
@@ -34,7 +37,7 @@ export class QueryAPI {
   }
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   upsert: {
     <T extends ArrayConstructable<any>>(data: T): UPSERT<T>
@@ -42,7 +45,7 @@ export class QueryAPI {
   }
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   update: {
     <T extends ArrayConstructable<any>>(entity: T, key?: any): UPDATE<T>
@@ -50,26 +53,26 @@ export class QueryAPI {
   }
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   run: {
     (query: ConstructedQuery | ConstructedQuery[]): Promise<ResultSet | any>
     (query: Query): Promise<ResultSet | any>
     (query: string, args?: any[] | object): Promise<ResultSet | any>
   }
- 
+
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-facade?q=cds.delete)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
    */
   delete<T>(entity: Definition | string, key?: any): DELETE<T>
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-run)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#srv-foreach-entity)
    */
   foreach(query: Query, callback: (row: object) => void): this
 
   /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-stream)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#srv-stream-column)
    */
   stream: {
     (column: string): {
@@ -82,18 +85,18 @@ export class QueryAPI {
 
   /**
    * Starts or joins a transaction
-   * @see [docs](https://cap.cloud.sap/docs/node.js/services#srv-tx)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-tx)
    */
   tx(context?: object): Transaction
   transaction(context?: object): Transaction
-  
+
   /**
-   * @see [docs](https://pages.github.tools.sap/cap/docs/node.js/cds-context-tx?q=spawn#cds-spawn)
+   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-tx#cds-spawn)
    */
   spawn(options: Options, fn: (tx: Transaction) => {}): SpawnEventEmitter
 
   /**
-   * @see [docs](https://pages.github.tools.sap/cap/docs/node.js/cds-context-tx?q=cds.context#cds-context
+   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-tx#event-contexts
    */
   context:  ContextProperties
 }
@@ -107,7 +110,7 @@ type ContextProperties = {
 
 /**
  * Class cds.Service
- * @see [capire docs](https://cap.cloud.sap/docs/node.js/services)
+ * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
  */
 export class Service extends QueryAPI {
   constructor(
@@ -126,81 +129,81 @@ export class Service extends QueryAPI {
 
   /**
    * The model from which the service's definition was loaded
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-reflect)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
    */
   model: LinkedModel
 
   /**
    * Provides access to the entities exposed by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-reflect)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
    */
   entities: Definitions & ((namespace: string) => Definitions)
 
   /**
    * Provides access to the events declared by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-reflect)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
    */
   events: Definitions & ((namespace: string) => Definitions)
 
   /**
    * Provides access to the types exposed by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-reflect)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
    */
   types: Definitions & ((namespace: string) => Definitions)
 
   /**
    * Provides access to the operations, i.e. actions and functions, exposed by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-reflect)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
    */
   operations: Definitions & ((namespace: string) => Definitions)
 
   /**
    * Acts like a parameter-less constructor. Ensure to call `await super.init()` to have the base class’s handlers added.
    * You may register own handlers before the base class’s ones, to intercept requests before the default handlers snap in.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#cds-service-subclasses)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#srv-init)
    */
   init(): Promise<void>
 
   /**
    * Constructs and emits an asynchronous event.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-emit)
+   * @see [capire docs](https://cap.cloud.sap/docs/core-services#srv-emit-event)
    */
   emit: {
-    <T = any>(details: { event: Events; data?: object; headers?: object }): Promise<T>
-    <T = any>(event: Events, data?: object, headers?: object): Promise<T>
+    <T = any>(details: { event: EventArg; data?: object; headers?: object }): Promise<T>
+    <T = any>(event: EventArg, data?: object, headers?: object): Promise<T>
   }
 
   /**
    * Constructs and sends a synchronous request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srvsend--method-path-data-headers--results-)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#srv-send-request)
    */
   send: {
-    <T = any>(event: Events, path: string, data?: object, headers?: object): Promise<T>
-    <T = any>(event: Events, data?: object, headers?: object): Promise<T>
-    <T = any>(details: { event: Events; data?: object; headers?: object }): Promise<T>
+    <T = any>(event: EventArg, path: string, data?: object, headers?: object): Promise<T>
+    <T = any>(event: EventArg, data?: object, headers?: object): Promise<T>
+    <T = any>(details: { event: EventArg; data?: object; headers?: object }): Promise<T>
     <T = any>(details: { query: ConstructedQuery; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { method: Event; path: string; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { event: Event; entity: Definition | string; data?: object; params?: object }): Promise<T>
+    <T = any>(details: { method: EventName; path: string; data?: object; headers?: object }): Promise<T>
+    <T = any>(details: { event: EventName; entity: Definition | string; data?: object; params?: object }): Promise<T>
   }
 
   /**
    * Constructs and sends a GET request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-send)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
    */
   get<T = any>(entityOrPath: Target, data?: object): Promise<T>
   /**
    * Constructs and sends a POST request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-send)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
    */
   post<T = any>(entityOrPath: Target, data?: object): Promise<T>
   /**
    * Constructs and sends a PUT request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-send)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
    */
   put<T = any>(entityOrPath: Target, data?: object): Promise<T>
   /**
    * Constructs and sends a PATCH request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services#srv-send)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
    */
   patch<T = any>(entityOrPath: Target, data?: object): Promise<T>
   /**
@@ -213,28 +216,28 @@ export class Service extends QueryAPI {
   }
 
   // The central method to dispatch events
-  dispatch(msg: EventMessage): Promise<any>
+  dispatch(msg: Event): Promise<any>
 
   // Provider API
   prepend(fn: ServiceImpl): Promise<this>
-  on<T extends Constructable>(eve: Events, entity: T, handler: CRUDEventHandler.On<InstanceType<T>, InstanceType<T> | void | Error>): this
+  on<T extends Constructable>(eve: EventArg, entity: T, handler: CRUDEventHandler.On<InstanceType<T>, InstanceType<T> | void | Error>): this
   on<P,R>(boundAction: (args: P) => R, service: string, handler: ActionEventHandler<P, void | Error | R>): this
   on<P,R>(action: (args: P) => R, handler: ActionEventHandler<P, void | Error | R>): this
-  on(eve: Events, entity: Target, handler: OnEventHandler): this
-  on(eve: Events, handler: OnEventHandler): this
+  on(eve: EventArg, entity: Target, handler: OnEventHandler): this
+  on(eve: EventArg, handler: OnEventHandler): this
 
 
   // onSucceeded (eve: Events, entity: Target, handler: EventHandler): this
   // onSucceeded (eve: Events, handler: EventHandler): this
   // onFailed (eve: Events, entity: Target, handler: EventHandler): this
   // onFailed (eve: Events, handler: EventHandler): this
-  before<T extends Constructable>(eve: Events, entity: T, handler: CRUDEventHandler.Before<InstanceType<T>, InstanceType<T> | void | Error>): this
-  before(eve: Events, entity: Target, handler: EventHandler): this
-  before(eve: Events, handler: EventHandler): this
-  after<T extends Constructable>(eve: Events, entity: T, handler: CRUDEventHandler.After<InstanceType<T>, InstanceType<T> | void | Error>): this
-  after(eve: Events, entity: Target, handler: ResultsHandler): this
-  after(eve: Events, handler: ResultsHandler): this
-  reject(eves: Events, ...entity: Target[]): this
+  before<T extends Constructable>(eve: EventArg, entity: T, handler: CRUDEventHandler.Before<InstanceType<T>, InstanceType<T> | void | Error>): this
+  before(eve: EventArg, entity: Target, handler: EventHandler): this
+  before(eve: EventArg, handler: EventHandler): this
+  after<T extends Constructable>(eve: EventArg, entity: T, handler: CRUDEventHandler.After<InstanceType<T>, InstanceType<T> | void | Error>): this
+  after(eve: EventArg, entity: Target, handler: ResultsHandler): this
+  after(eve: EventArg, handler: ResultsHandler): this
+  reject(eves: EventArg, ...entity: Target[]): this
 }
 
 export interface Transaction extends Service {
@@ -242,6 +245,9 @@ export interface Transaction extends Service {
   rollback(): Promise<void>
 }
 
+export class ApplicationService extends Service {}
+export class MessagingService extends Service {}
+export class RemoteService extends Service {}
 export class DatabaseService extends Service {
   deploy(model?: csn | string): Promise<csn>
   begin(): Promise<void>
@@ -251,26 +257,29 @@ export class DatabaseService extends Service {
 
 export interface ResultSet extends Array<{}> {}
 
-export class cds {
+declare class cds {
   /**
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/services)
+   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
    */
   Service: typeof Service
+  Request: typeof Request
+  Event: typeof Event
+  EventContext: typeof EventContext
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/app-services)
    */
-  ApplicationService: typeof Service
+  ApplicationService: typeof ApplicationService
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/remote-services)
    */
-  RemoteService: typeof Service
+  RemoteService: typeof RemoteService
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/messaging)
    */
-  MessagingService: typeof Service
+  MessagingService: typeof MessagingService
 
   /**
    * @see [capire docs](https://cap.cloud.sap/docs/node.js/databases)
@@ -305,7 +314,7 @@ type OneOrMany<T> = T | T[];
 
 type TypedRequest<T> = Omit<Request, 'data'> & { data: T }
 
-// https://cap.cloud.sap/docs/node.js/services#event-handlers
+// https://cap.cloud.sap/docs/node.js/core-services#srv-on-before-after
 export namespace CRUDEventHandler {
   type Before<P,R> = (req: TypedRequest<P>) => Promise<R> | R
   type On<P,R> = (req: TypedRequest<P>, next: (...args: any) => Promise<R> | R) => Promise<R> | R
@@ -336,7 +345,7 @@ interface ResultsHandler {
  * Represents the invocation context of incoming request and event messages.
  * @see [capire docs](https://cap.cloud.sap/docs/node.js/requests)
  */
-interface EventContext {
+export class EventContext {
   timestamp: Date
   locale: string
   id: string
@@ -347,7 +356,7 @@ interface EventContext {
 /**
  * @see [capire docs](https://cap.cloud.sap/docs/node.js/requests)
  */
-interface EventMessage extends EventContext {
+export class Event extends EventContext {
   event: string
   data: any
   headers: {}
@@ -379,7 +388,7 @@ interface Options {
 /**
  * @see [capire docs](https://cap.cloud.sap/docs/node.js/requests)
  */
-interface Request extends EventMessage {
+export class Request extends Event {
   params: (string | {})[]
   method: string
   path: string
@@ -414,8 +423,10 @@ interface Request extends EventMessage {
   reject(message: { code?: number | string; message: string; target?: string; args?: {}, status?: number }): Error
 }
 
-type Events = Event | Event[]
-type Event = (CRUD | TX | HTTP | DRAFT) | (CustomOp & {})
+export default cds
+
+type EventArg = EventName | EventName[]
+type EventName = (CRUD | TX | HTTP | DRAFT) | (CustomOp & {})
 type CRUD = 'CREATE' | 'READ' | 'UPDATE' | 'DELETE'
 type DRAFT = 'NEW' | 'EDIT' | 'PATCH' | 'SAVE'
 type HTTP = 'GET' | 'PUT' | 'POST' | 'PATCH' | 'DELETE'

package/apis/test.d.ts

@@ -1,6 +1,5 @@
 import { AxiosInstance } from 'axios';
 import chai from 'chai';
-import * as main_cds from './cds';
 import * as http from 'http';
 import { Service } from './services';
 
@@ -37,7 +36,7 @@ declare class Test extends Axios {
   get expect(): typeof chai.expect;
   get assert(): typeof chai.assert;
   get data(): DataUtil;
-  get cds(): typeof main_cds;
+  get cds(): typeof import('./cds').default;
 
   then(r: (args: { server: http.Server, url: string }) => void): void;
 

package/bin/serve.js

@@ -111,7 +111,7 @@ module.exports = Object.assign ( serve, {
         database, if any, and only adds an in-memory database if no
         persistent one is configured.
 
-        Requires an sqlite driver to be installed. For example: _npm i sqlite3_.
+        Requires an SQLite driver to be installed. For example: _npm i @cap-js/sqlite_.
 
 # EXAMPLES
 
@@ -168,7 +168,7 @@ async function serve (all=[], o={}) {
   const cds_server = await _local_server_js() || cds.server
   if (!o.silent) _prepare_logging ()
 
-  // The following things are meant for dev mode, which can be overruled by feature flagse...
+  // The following things are meant for dev mode, which can be overruled by feature flags...
   const {features} = cds.env
   {
     // handle --with-mocks resp. --mocked
@@ -206,8 +206,8 @@ async function serve (all=[], o={}) {
 
     const LOG = cds.log('cli|server')
     cds.shutdown = _shutdown //> for programmatic invocation
-    process.on('unhandledRejection', e => _shutdown (e, cds.log('cds').error('❗️Uncaught',e)))
-    process.on('uncaughtException', e => _shutdown (e, cds.log('cds').error('❗️Uncaught',e)))
+    process.on('unhandledRejection', e => _shutdown (e, cds.log().error('❗️Uncaught',e))) //> using std logger to have it labelled with [cds] - instead of [cli] -
+    process.on('uncaughtException', e => _shutdown (e, cds.log().error('❗️Uncaught',e)))  //> using std logger to have it labelled with [cds] - instead of [cli] -
     process.on('SIGINT', cds.watched ? _shutdown : (s,n)=>_shutdown(s,n,console.log())) //> newline after ^C
     process.on('SIGHUP', _shutdown)
     process.on('SIGHUP2', _shutdown)

package/common.cds

@@ -35,7 +35,7 @@ context sap.common {
   /**
    * Code list for languages
    *
-   * See https://cap.cloud.sap/docs/cds/common#entity-sapcommonlanguages
+   * See https://cap.cloud.sap/docs/cds/common#entity-languages
    */
   entity Languages : CodeList {
     key code : Locale;
@@ -44,7 +44,7 @@ context sap.common {
   /**
    * Code list for countries
    *
-   * See https://cap.cloud.sap/docs/cds/common#entity-sapcommoncountries
+   * See https://cap.cloud.sap/docs/cds/common#entity-countries
    */
   entity Countries : CodeList {
     key code : String(3) @(title : '{i18n>CountryCode}');
@@ -53,7 +53,7 @@ context sap.common {
   /**
    * Code list for currencies
    *
-   * See https://cap.cloud.sap/docs/cds/common#entity-sapcommoncurrencies
+   * See https://cap.cloud.sap/docs/cds/common#entity-currencies
    */
   entity Currencies : CodeList {
     key code      : String(3) @(title : '{i18n>CurrencyCode}');
@@ -64,7 +64,7 @@ context sap.common {
   /**
    * Aspect for a code list with name and description
    *
-   * See https://cap.cloud.sap/docs/cds/common#aspect-sapcommoncodelist
+   * See https://cap.cloud.sap/docs/cds/common#aspect-codelist
    */
   aspect CodeList @(
     cds.autoexpose,

package/lib/auth/basic-auth.js

@@ -12,7 +12,7 @@ module.exports = function basic_auth (options) {
     // get basic authorization header
     let auth = req.headers.authorization
     // enforce login if requested
-    if (!auth || !auth.match(/^basic/i)) return login_required ? req._login('Logged in user required!') : next()
+    if (!auth || !auth.match(/^basic/i)) return login_required ? req._login('Logged in user required!') : req.user = new cds.User.default, next()
     // decode user credentials from autorization header
     let [id,pwd] = Buffer.from(auth.slice(6),'base64').toString().split(':')
     // verify user credentials and set req.user

package/lib/auth/dummy-auth.js

@@ -1,4 +1,5 @@
-const { User: { privileged }} = require ('../index')
+const { User: { privileged } } = require ('../index')
+
 module.exports = function dummy_auth() {
   return function dummy_auth (req, res, next) {
     req.user = privileged

package/lib/auth/ias-auth.js

@@ -1,2 +1,68 @@
-module.exports = require('../../libx/_runtime/auth/strategies/ias-auth')
-// TODO: could move that implementation over here and link from libx/_runtime
+const cds = require('../')
+const LOG = cds.log('auth')
+
+// _require for better error message
+const _require = require('../../libx/_runtime/common/utils/require')
+const express = _require('express')
+const passport = _require('passport')
+const { JWTStrategy } = _require('@sap/xssec')
+
+const RESERVED_ATTRIBUTES = new Set(['aud', 'azp', 'exp', 'ext_attr', 'iat', 'ias_iss', 'iss', 'jti', 'sub', 'user_uuid', 'zone_uuid', 'zid'])
+
+module.exports = function ias_auth(config) {
+  if (!config.credentials) {
+    let msg = `Authentication kind "${config.kind}" configured, but no IAS instance bound to application.`
+    msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
+    throw new Error(msg)
+  }
+
+  passport.use('IAS', new JWTStrategy(config.credentials))
+
+  return express
+    .Router()
+    .use((req, res, next) => {
+      // callback needed in order to suppress 401 and continue with anonymous to allow @requires: 'any'/ restrict_all_services=false
+      const callback = (err, user, info, _status) => {
+        if (err) return next(err)
+
+        if (user) {
+          req.user = user
+          req.authInfo = info
+        } else {
+          req.user = new cds.User.default
+          if (LOG._debug && req.tokenInfo)
+            LOG.debug('Error during token validation:', req.tokenInfo.getErrorObject().message)
+        }
+
+        next()
+      }
+      passport.authenticate('IAS', { session: false }, callback)(req, res, next)
+    })
+    .use((req, res, next) => {
+      if (!('authInfo' in req)) return next()
+
+      if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) //> grant_type === client_credentials or x509
+        req.user = new cds.User({
+          id: 'system',
+          roles: ['authenticated-user', 'system-user'],
+          attr: {}
+        })
+      else {
+        // add all unknown attributes to req.user.attr in order to keep public API small
+        const payload = req.tokenInfo.getPayload()
+        const attributes = Object.keys(payload)
+          .filter(k => !RESERVED_ATTRIBUTES.has(k))
+          .reduce((attrs, k) => { attrs[k] = payload[k]; return attrs }, {})
+
+        req.user = new cds.User({
+          id: req.user.id,
+          roles: ['authenticated-user'],
+          attr: attributes
+        })
+      }
+
+      req.tenant = req.tokenInfo.getZoneId()
+
+      next()
+    })
+}

package/lib/auth/index.js

@@ -1,4 +1,3 @@
-
 const cds = require ('../index'), { path, local } = cds.utils
 
 const _require = require; require = cds.lazified (module) // eslint-disable-line no-global-assign
@@ -12,23 +11,24 @@ module.exports = Object.assign (auth_factory, {
 })
 require = _require // eslint-disable-line no-global-assign
 
-
 /**
  * Constructs one of the above middlewares as configured
  */
 function auth_factory (options) {
   const o = { ...options, ...cds.requires.auth }
   let kind = o.impl ? 'custom' : o.kind || o.strategy
-  let middleware = cds.auth[kind]
+  let middleware = cds.auth[kind] || cds.auth[kind?.replace(/-auth$/, '')]
   if (middleware) {
-    cds.log().info ('using auth strategy:', { kind }, '\n')
+    // REVISIT: here, kind may be misleading, e.g., "basic-auth" instead of "mocked" -> _kind workaround
+    const _kind = (o._kind || kind).replace(/-auth$/, '') //> official auth kinds are NOT postfixed with "-auth"
+    cds.log().info ('using authentication:', { kind: _kind }, '\n')
   } else {
     let impl = kind === 'custom' ? cds.resolve (o.impl)?.[0] : path.resolve (__dirname, kind)
     try { impl = require.resolve (impl) }  catch {
       const e = o.impl ? `Cannot find custom impl at: ${o.impl}` : `Cannot find unknown auth kind: ${o.kind}`
       throw cds.error(e)
     }
-    cds.log().info ('using auth strategy:', { kind, impl: local(impl) }, '\n')
+    cds.log().info ('using authentication:', { kind, impl: local(impl) }, '\n')
     middleware = require(impl)
   }
   if ((typeof middleware === 'function' && middleware.length === 3) || Array.isArray(middleware)) {

package/lib/auth/jwt-auth.js

@@ -1,41 +1,64 @@
 const cds = require('../')
-const _require = require('../../libx/_runtime/common/utils/require')
+const LOG = cds.log('auth')
+
 // _require for better error message
+const _require = require('../../libx/_runtime/common/utils/require')
 const express = _require('express')
 const passport = _require('passport')
 const { JWTStrategy } = _require('@sap/xssec')
-const LOG = cds.log('auth')
 
 module.exports = function jwt_auth(config) {
-  // warn if no credentials
   if (!config.credentials) {
-    LOG._warn &&
-      LOG.warn(`Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.
-        This is NOT recommended in production!`)
-    return (req,res,next) => next()
+    let msg = `Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.`
+    msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
+    throw new Error(msg)
   }
 
-  passport.use(config.kind, new JWTStrategy(config.credentials))
+  passport.use('JWT', new JWTStrategy(config.credentials))
+
   return express
     .Router()
-    .use(passport.authenticate(config.kind, { session: false }))
     .use((req, res, next) => {
+      // callback needed in order to suppress 401 and continue with anonymous to allow @requires: 'any'/ restrict_all_services=false
+      const callback = (err, user, info, _status) => {
+        if (err) return next(err)
+
+        if (user) {
+          req.user = user
+          req.authInfo = info
+        } else {
+          req.user = new cds.User.default
+          if (LOG._debug && req.tokenInfo)
+            LOG.debug('Error during token validation:', req.tokenInfo.getErrorObject().message)
+        }
+
+        next()
+      }
+      passport.authenticate('JWT', { session: false }, callback)(req, res, next)
+    })
+    .use((req, res, next) => {
+      if (!('authInfo' in req)) return next()
+
       const payload = req.tokenInfo.getPayload()
 
       let id = req.user.id
-      let _is_system, _is_internal
 
-      let roles = payload.scope.map(s => s.replace(new RegExp(`^(${config.credentials.xsappname + '.'})`), ''))
+      // Roles = scope names w/o xsappname
+      let xsappname = new RegExp(`^${config.credentials.xsappname}\\.`)
+      let roles = payload.scope.map(s => s.replace(xsappname, ''))
+
+      // Disallow setting system roles from external
+      roles = roles.filter(r => !(r in { 'internal-user': 1, 'system-user': 1 }))
+
       roles.push('identified-user')
       if (payload.grant_type) {
         // > not "weak"
         roles.push('authenticated-user')
 
-        const CLIENT = { client_credentials: 1, client_x509: 1 }
-        if (payload.grant_type in CLIENT) {
+        if (payload.grant_type in { client_credentials: 1, client_x509: 1 }) {
           id = 'system'
-          _is_system = true
-          if (req.tokenInfo.getClientId() === config.credentials.clientid) _is_internal = true
+          roles.push('system-user')
+          if (req.tokenInfo.getClientId() === config.credentials.clientid) roles.push('internal-user')
         }
       }
 
@@ -47,16 +70,9 @@ module.exports = function jwt_auth(config) {
         attr.email = req.authInfo.getEmail()
       }
 
-      req.user = new cds.User({ id, roles, attr, _is_system, _is_internal })
+      req.user = new cds.User({ id, roles, attr })
       req.tenant = req.tokenInfo.getZoneId?.()
+
       next()
     })
-    .use((err, req, res, _next) => {
-      if (req.tokenInfo) {
-        LOG?.debug('error during token validation', req.tokenInfo.getErrorObject())
-      }
-      // REVISIT: reject request immediately as our other auth strategies do
-      // should we call next(err)? -> I don't think so; it's not an error, is it?
-      res.status(401).json({ code: '401', message: 'Unauthorized' }) // REVISIT: this is OData style?
-    })
 }