@sap/cds 7.1.2 → 7.2.1

package/lib/auth/mocked-users.js

@@ -10,19 +10,6 @@ class MockedUsers {
       if (typeof v === 'boolean') continue
       if (typeof v === 'string') v = { password:v }
       let id = _configured(v).id || k
-
-      // Only for mock users the pseudo roles are kept in the role list.
-      // In all other cases pseudo roles are filtered out.
-      if (v.roles) {
-        if (Array.isArray(v.roles)) {
-          if (v.roles.includes('system-user')) v._is_system = true
-          if (v.roles.includes('internal-user')) v._is_internal = true
-        } else {
-          if ('system-user' in v.roles) v._is_system = true
-          if ('internal-user' in v.roles) v._is_internal = true
-        }
-      } else v.roles = []
-
       let u = users[id] = new User ({ id, ...v })
       let fts = tenants[u.tenant]?.features
       if (fts && !u.features) u.features = fts

package/lib/auth/passport-basic.js

@@ -1,3 +1,5 @@
+// REVISIT: either document passport basic auth or remove it
+
 /* eslint-disable cds/no-missing-dependencies */
 module.exports = function passport_basic_auth (options) {
   // const session = require('express-session')({ secret:'secret', resave:false, saveUninitialized:true, })

package/lib/auth/passport-digest.js

@@ -1,3 +1,5 @@
+// REVISIT: either document passport digest auth or remove it
+
 /* eslint-disable cds/no-missing-dependencies */
 module.exports = function passport_digest_auth (options) {
   // const session = require('express-session')({ secret:'secret', resave:false, saveUninitialized:true, })

package/lib/compile/etc/_localized.js

@@ -2,7 +2,6 @@ const cds = require('../..'), {env} = cds
 const DEBUG = cds.debug('alpha|_localized')
 const _locales_4sql = {
 	sqlite : env.i18n.for_sqlite || env.i18n.for_sql || [],
-	h2 :     env.i18n.for_sql || [],
 	plain  : env.i18n.for_sql || [],
 }
 

package/lib/compile/extend.js

@@ -3,15 +3,31 @@ const { extend } = require ('../lazy')
 
 module.exports = o => o.definitions ? { with(...csns) {
 
+  // merge all extension csns
   const csn=o, merged = { definitions: {}, extensions: [] }
   for (const { definitions, extensions } of csns) {
     if (definitions) Object.assign(merged.definitions, definitions)
     if (extensions) merged.extensions.push(...extensions)
   }
+
+  // extend given base csn with merged extensions
   const extended = compile({
     'base.csn': compile.to.json(csn),
     'ext.csn': compile.to.json(merged)
   })
+
+  // handle localized extension elements
+  for (let ext of merged.extensions) {
+    for (let name in ext.elements) {
+      const e = ext.elements[name]
+      if (e.localized) {
+        // add localized element also to respective .texts entity
+        const texts = extended.definitions[ext.extend+'.texts']
+        texts.elements[name] ??= { ...e, localized:null }
+      }
+    }
+  }
+
   extended.$sources = csn.$sources // required to load resources like i18n later on
   return extended
 

package/lib/compile/for/lean_drafts.js

@@ -72,17 +72,49 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
     // Positive list would be bigger (search, requires, fiori, ...)
     if (draft['@readonly']) draft['@readonly'] = undefined
     if (draft['@insertonly']) draft['@insertonly'] = undefined
-    if (draft['@restrict']) draft['@restrict'] = undefined
-    if ('@Capabilities.DeleteRestrictions.Deletable' in draft) draft['@Capabilities.DeleteRestrictions.Deletable'] = undefined
-    if ('@Capabilities.InsertRestrictions.Insertable' in draft) draft['@Capabilities.InsertRestrictions.Insertable'] = undefined
-    if ('@Capabilities.UpdateRestrictions.Updatable' in draft) draft['@Capabilities.UpdateRestrictions.Updatable'] = undefined
-    if ('@Capabilities.NavigationRestrictions.RestrictedProperties' in draft) draft['@Capabilities.NavigationRestrictions.RestrictedProperties'] = undefined
+    if (draft['@restrict']) {
+      const restrictions = ['CREATE', 'WRITE', '*']
+      draft['@restrict'] = draft['@restrict']
+        .map(d => ({
+          ...d,
+          grant:
+            d.grant && Array.isArray(d.grant)
+              ? d.grant.filter(g => restrictions.includes(g))
+              : typeof d.grant === 'string' && restrictions.includes(d.grant)
+              ? [d.grant]
+              : []
+        }))
+        .filter(r => r.grant.length > 0)
+      if (draft['@restrict'].length > 0) {
+        // Change WRITE & CREATE to NEW
+        draft['@restrict'] = draft['@restrict'].map(d => {
+          if (d.grant.includes('WRITE') || d.grant.includes('CREATE')) {
+            return { ...d, grant: 'NEW' }
+          }
+          return d
+        })
+      } else {
+        draft['@restrict'] = undefined
+      }
+    }
+    if ('@Capabilities.DeleteRestrictions.Deletable' in draft)
+      draft['@Capabilities.DeleteRestrictions.Deletable'] = undefined
+    if ('@Capabilities.InsertRestrictions.Insertable' in draft)
+      draft['@Capabilities.InsertRestrictions.Insertable'] = undefined
+    if ('@Capabilities.UpdateRestrictions.Updatable' in draft)
+      draft['@Capabilities.UpdateRestrictions.Updatable'] = undefined
+    if ('@Capabilities.NavigationRestrictions.RestrictedProperties' in draft)
+      draft['@Capabilities.NavigationRestrictions.RestrictedProperties'] = undefined
 
     // Recursively add drafts for compositions
     for (const each in draft.elements) {
       const e = draft.elements[each]
       const newEl = Object.create(e)
-      if (e.isComposition || (e.isAssociation && e['@odata.draft.enclosed']) || ((!active['@Common.DraftRoot.ActivationAction'] || e._target === active) && _isCompositionBacklink(e))) {
+      if (
+        e.isComposition ||
+        (e.isAssociation && e['@odata.draft.enclosed']) ||
+        ((!active['@Common.DraftRoot.ActivationAction'] || e._target === active) && _isCompositionBacklink(e) && _isDraft(e._target))
+      ) {
         if (e._target['@odata.draft.enabled'] === false) continue // happens for texts if @fiori.draft.enabled is not set
         _redirect(newEl, addDraftEntity(e._target, model))
       }

package/lib/compile/resolve.js

@@ -14,7 +14,6 @@ const suffixes = [ '.csn', '.cds', sep+'index.csn', sep+'index.cds', sep+'csn.js
 * @returns and array of absolute filenames
 */
 module.exports = exports = function cds_resolve (model, o={}) { // NOSONAR
-
   if (!model || model === '--') return
   if (model._resolved) return model
   if (model === '*') return _resolve_all(o,this)
@@ -25,7 +24,7 @@ module.exports = exports = function cds_resolve (model, o={}) { // NOSONAR
   if (model.endsWith('/*')) return _resolve_subdirs_in(model,o,this)
 
   const cwd = o.root || this.root, local = resolve (cwd,model)
-  const context = _paths(cwd,o), {cached} = context
+  const context = _paths(cwd,o,this), {cached} = context
   let id = model.startsWith('.') ? local : model
   if (id in cached)  return cached[id]
 
@@ -93,11 +92,14 @@ function _resolve_subdirs_in (pattern='fts/*',o,cds) {
   }
 }
 
-function _paths (dir,o) {
+function _paths (dir,o,cds) {
   const cache = o.cache || exports.cache
   const cached = cache[dir]; if (cached)  return cached
-  const a = dir.split(sep), n = a.length, nm = sep+'node_modules'
-  const paths = [ dir, ...a.map ((_,i,a)=> a.slice(0,n-i).join(sep)+nm) ]
+  const a = dir.split(sep), n = a.length, paths = [ dir ]
+  const { cdsc: { moduleLookupDirectories }} = o.env ?? cds.env
+  for (const mld of moduleLookupDirectories) { // node_modules/ usually, more for Java
+    paths.push(...a.map ((_,i,a)=> a.slice(0,n-i).join(sep)+sep+mld))
+  }
   return cache[dir] = { paths, cached:{} }
 }
 

package/lib/compile/to/json.js

@@ -4,6 +4,7 @@ const path = require('path')
 module.exports = (csn,o={}) => {
   const relative = filename => (o.src !== o.cwd) ? path.relative(o.src, path.join(o.cwd, filename)) : filename
   const relative_cds_home = RegExp ('^' + path.relative (o.src || o.cwd || cds.root, cds.home) + '/')
+  const { moduleLookupDirectories } = cds.env.cdsc
 
   const resolver = (_,v) => {
 
@@ -20,9 +21,12 @@ module.exports = (csn,o={}) => {
       // Preserve original sources for services so we can use them for finding
       // sibling implementation files when reloaded from csn.json.
       let file = relative(v.$location.file)
-        .replace(relative_cds_home,'@sap/cds/')
-        .replace('node_modules/','')
         .replace(/\\/g,'/')
+        .replace(relative_cds_home,'@sap/cds/')
+      for (const mld of moduleLookupDirectories) { // node_modules/ usually, more for Java
+        file = file.replace(mld, '')
+      }
+
       // If there is still a relative path pointing outside of cwd, convert it to a module path
       // e.g. ../bookshop/srv/cat-service.cds -> @capire/bookshop/srv/cat-service.cds
       if (file.startsWith('../')) {

package/lib/dbs/cds-deploy.js

@@ -80,7 +80,7 @@ exports.create = async function cds_deploy_create (db, csn=db.model, o) {
   let schevo = o.schema_evolution === 'auto' || o['with-auto-schema-evolution'] || o['model-only'] || o['delta-from'] || (o.kind === 'postgres' && o.schema_evolution !== false);
   if (schevo) {
     const { prior, table_exists } = await get_prior_model()
-    const { afterImage, drops: d, createsAndAlters } = cds.compile.to.sql.delta(csn, o, prior && JSON.parse(prior))
+    const { afterImage, drops: d, createsAndAlters } = cds.compile.to.sql.delta(csn, o, prior);
     const after = JSON.stringify(afterImage)
     if (!o.dry && after != prior) {
       if (!table_exists) {
@@ -135,7 +135,7 @@ exports.create = async function cds_deploy_create (db, csn=db.model, o) {
     let file = o['delta-from']
     if (file) {
       let prior = await cds.utils.read(file)
-      return { prior }
+      return { prior: typeof prior === 'string' ? JSON.parse(prior) : prior }
     }
     if (o.dry) return {}
 
@@ -153,7 +153,7 @@ exports.create = async function cds_deploy_create (db, csn=db.model, o) {
 
     if (table_exists) {
       let [{ csn }] = await db.run('SELECT csn from cds_model')
-      return { prior: csn, table_exists }
+      return { prior: csn && JSON.parse(csn), table_exists }
     }
     return { table_exists } // no prior csn
   }

package/lib/env/cds-env.js

@@ -33,6 +33,7 @@ class Config {
     if (NODE_ENV) profiles.push (NODE_ENV)
     if (CDS_ENV) profiles.push (...CDS_ENV.split(/\s*,\s*/))
     if (_home) _add_static_profiles (_home, profiles);
+    if (_home && this['project-nature'] === 'java') profiles.push('java')
     if (!profiles.includes('production')) profiles.push('development')
     this._profiles = new Set (profiles)
     this._profiles._defined = new Set
@@ -173,8 +174,8 @@ class Config {
    * For BAS only: to find out whether this is a Java or Node.js project
    */
   get "project-nature" () {
-    const has_pom_xml = [this.folders.srv,'.'] .some (
-      f => isfile (path.join (this._home, f, 'pom.xml'))
+    const has_pom_xml = [this.folders?.srv,'.'] .some (
+      f => f && isfile (path.join (this._home, f, 'pom.xml'))
     )
     return has_pom_xml ? 'java' : 'nodejs'
   }
@@ -193,7 +194,6 @@ class Config {
   //    The following are internal APIs which can always change!
   //
 
-
   _add_to_process_env (cwd, filename) {
     const file = path.resolve (cwd,filename)
     try {

package/lib/env/cds-requires.js

@@ -46,6 +46,7 @@ const _authentication_strategies = {
     tenants: {}
   },
   "mocked-auth": {
+    _kind: 'mocked', // REVISIT: workaround to distinguish from 'basic-auth' (cf. restrict_all_services)
     kind: 'basic-auth',
     users: {
       alice: { tenant: 't1', roles: [ ...admin ] },

package/lib/env/defaults.js

@@ -149,7 +149,10 @@ const defaults = module.exports = {
   },
 
   build: {
-    target: 'gen'
+    target: 'gen',
+    '[java]': {
+      target: '.'
+    }
   },
 
   mtx: {
@@ -163,6 +166,10 @@ const defaults = module.exports = {
   },
 
   cdsc: {
+    moduleLookupDirectories: ['node_modules/'],
+    '[java]': {
+      moduleLookupDirectories: ['node_modules/', 'target/cds/'],
+    }
     // cv2: {
     //   _localized_entries: true,
     //   _texts_entries: true,

package/lib/env/schemas/cds-rc.json

@@ -11,7 +11,7 @@
     "profile": {
       "description": "A single static profile",
       "anyOf": [
-        { "enum": [ "mtx-sidecar", "with-mtx-sidecar" ] },
+        { "enum": [ "mtx-sidecar", "with-mtx-sidecar", "java" ] },
         { "type": "string" }
       ]
     },
@@ -257,8 +257,32 @@
           "description": "Enables new middlewares support (experimental)."
         },
         "multitenancy": {
-          "type": "boolean",
-          "description": "Shortcut to enable multitenancy."
+          "oneOf": [
+            {
+              "type": "boolean",
+              "description": "Shortcut to enable multitenancy."
+            },
+            {
+              "type": "object",
+              "description": "Multitenancy configuration options.",
+              "properties": {
+                "jobs": {
+                  "type": "object",
+                  "description": "Configuration options for the built-in async job executor.",
+                  "properties": {
+                    "workerSize": {
+                      "type": "number",
+                      "description": "Number of workers running in parallel per database."
+                    },
+                    "clusterSize": {
+                      "type": "number",
+                      "description": "Number of databases executing parallel tasks."
+                    }
+                  }
+                }
+              }
+            }
+          ]
         },
         "extensibility": {
           "oneOf": [

package/lib/i18n/localize.js

@@ -3,7 +3,7 @@ const {existsSync, readdirSync} = require ('fs')
 const {join,dirname,resolve,parse,sep} = require ('path')
 
 const DEBUG = cds.debug('i18n')
-const _node_modules = sep + 'node_modules'
+const _node_modules = cds.env.cdsc.moduleLookupDirectories.map(d => sep+d.slice(0, -1))
 
 module.exports = Object.assign (localize, {
   bundles4, folders4, folder4, bundle4
@@ -182,8 +182,8 @@ function folder4 (loc) {
   }
   //> no --> search up the folder hierarchy up to cds.root, cds.home, or some .../node_modules/<package>
   let next = dirname(loc)
-  if (next.includes(_node_modules)) {
-    if (next.endsWith(_node_modules)) return folder4[loc] = null
+  if (_node_modules.some(m => next.includes(m))) {
+    if (_node_modules.some(m => next.endsWith(m))) return folder4[loc] = null
   } else {
     if (!(
       next.startsWith(cds.root) ||

package/lib/index.js

@@ -139,3 +139,7 @@ global.cds = cds // REVISIT: using global.cds seems wrong
 
 // install jest util if jest is defined
 if (process.env.CDS_JEST_MEM_FIX && typeof jest !== 'undefined') require('./utils/jest.js')
+
+// Allow for import cds from '@sap/cds' without esModuleInterop
+Object.defineProperty(module.exports, "__esModule", { value: true });
+module.exports.default = module.exports

package/lib/log/cds-log.js

@@ -1,5 +1,6 @@
 const cds = require ('../index'), conf = cds.env.log
 const log = module.exports = exports = cds_log
+const path = require('path')
 
 /**
  * Cache used for all constructed loggers.
@@ -167,7 +168,15 @@ const { ERROR, WARN, INFO, DEBUG, TRACE } = exports.levels = {
 
 ;(function _init() {
   const conf = cds.env.log
-  if (conf.Logger) exports.Logger = require (conf.Logger) // Use configured logger in case of cds serve
+  if (conf.Logger) {
+    let resolvedPath
+    try { resolvedPath = require.resolve(conf.Logger) } catch { 
+      try { resolvedPath = require.resolve(path.join(cds.root, conf.Logger)) } catch {
+        throw new Error(`Cannot find logger at "${conf.Logger}"`)
+      }
+    }
+    exports.Logger = require (resolvedPath) // Use configured logger in case of cds serve
+  }
   if (conf.service) {
     const {app} = cds, serveIn = app => require('./service').serveIn(app)
     app ? setImmediate(() => serveIn(app)) : cds.on('bootstrap', app => serveIn(app))

package/lib/ql/Whereable.js

@@ -78,12 +78,16 @@ const _object_predicate = ([arg], _clause) => { // e.g. .where ({ID:4711, stock:
       pred.push('or', ...predicate4([x],_clause))
       continue
     }
+    if (k === 'not') {
+      pred.push('not', {xpr:predicate4([x],_clause)})
+      continue
+    }
     if (k === 'exists') {
-      pred.push(pred.length && 'and', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
+      pred.push('and', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
       continue
     }
     if (k === 'not exists') {
-      pred.push(pred.length && 'and', 'not', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
+      pred.push('and', 'not', 'exists', typeof x === 'object' ? x : { ref: x.split('.') })
       continue
     }
     else pred.push('and', parse.expr(k))
@@ -97,7 +101,7 @@ const _object_predicate = ([arg], _clause) => { // e.g. .where ({ID:4711, stock:
     else if (_clause === 'on' && typeof x === 'string') pred.push('=', { ref: x.split('.') })
     else pred.push('=', {val:x})
   }
-  return pred.slice(1)
+  return pred[0] === 'and' ? pred.slice(1) : pred
 }
 
 const _fluid_predicate = (args) => { // e.g. .where ('ID=',4711, 'and stock >=',1)

package/lib/req/user.js

@@ -1,5 +1,3 @@
-const PSEUDO_ROLES = ['system-user', 'internal-user']
-
 class User {
 
   constructor (_) {
@@ -8,27 +6,31 @@ class User {
       if (new.target === Anonymous) return
       else return new User.default
     }
-    if (typeof _ === 'string') { this.id = _; return }
-    for (let each in _) super[each === '_roles' ? 'roles' : each] = _[each] // overrides getters
-    const roles = this.hasOwnProperty('roles') && this.roles // eslint-disable-line no-prototype-builtins
-    if (Array.isArray(roles)) this.roles = roles.filter(r => !PSEUDO_ROLES.includes(r)).reduce ((p,n)=>{p[n]=1; return p},{})
-    else PSEUDO_ROLES.forEach(r => delete this.roles[r])
+    else if (typeof _ === 'string') this.id = _
+    else Object.assign(this,_)
   }
 
   get attr() { return super.attr = {} }
+  set attr(a) { super.attr = a }
+
   get roles(){ return super.roles = {} }
-  get _roles(){ return this.roles } // compatibility
-
-  is (role) { 
-    return role === 'any' || 
-      role === 'identified-user' || 
-      role === 'system-user' && this._is_system || 
-      role === 'internal-user' && this._is_internal || 
-      role === 'authenticated-user' || 
-      !!this.roles[role] 
+  set roles(r) {
+    super.roles = !Array.isArray(r) ? r : r.reduce((p,n)=>{ p[n]=1; return p },{})
+  }
+
+  is (role) {
+    return (
+      role === 'authenticated-user' ||
+      role === 'identified-user' ||
+      role === 'any' ||
+      !!this.roles[role]
+    )
   }
   valueOf() { return this.id }
 
+  // compatibility
+  get _roles(){ return this.roles }
+  set _roles(r){ this.roles = r }
 }
 
 /**

package/lib/srv/middlewares/sap-statistics.js

@@ -1,10 +1,10 @@
-const { performance:{now} } = require ('perf_hooks')
+const { performance } = require ('perf_hooks')
 
 module.exports = (prec = 1000) => function sap_statistics (req, res, next) {
   if (req.query['sap-statistics'] || req.headers['sap-statistics']) {
-    const { writeHead } = res, t0 = now()
+    const { writeHead } = res, t0 = performance.now()
     res.writeHead = function (...args) {
-      const total = ((now() - t0) / prec).toFixed(2)
+      const total = ((performance.now() - t0) / prec).toFixed(2)
       if (res.statusCode < 400) res.setHeader('sap-statistics', `total=${total}`)
       writeHead.call(this, ...args)
     }

package/lib/srv/middlewares/trace.js

@@ -24,19 +24,20 @@ if (!LOG._debug) module.exports = ()=>[]; else {
     }
   }
 
-  const { performance:{now} } = require ('perf_hooks')
+  const { performance } = require ('perf_hooks')
   const { format } = require ('util')
 
   class PerfTrace extends Array {
     log (...details) {
-      const e = { details, start:now() }
+      const e = { details, start:performance.now() }
+      console.log(e)
       return this.push(e), e
     }
     done (e) {
-      return e.stop = now()
+      return e.stop = performance.now()
     }
     toString ({truncate}) {
-      const t0 = this[0].start; if (!this[0].stop) this[0].stop = now()
+      const t0 = this[0].start; if (!this[0].stop) this[0].stop = performance.now()
       return '\n'+ this.map (e => truncate (format (
         (e.start - t0).toFixed(2).padStart(6), '→',
         (e.stop  - t0).toFixed(2).padEnd(6), '= ',

package/lib/srv/srv-dispatch.js

@@ -114,16 +114,17 @@ const _ensure_target = (srv,req) => {
   req.target = typeof q === 'object' ? cds.infer(q,defs) : defs[req.path]
 }
 
-const _ensure_fqn = (x,p,srv, name = x[p]) => {
-  if (typeof name === 'string') {
+const _ensure_fqn = (x,p,srv, from = x[p]) => {
+  if (!from) return
+  if (typeof from === 'string') {
     if (srv.isDatabaseService) return
-    if (srv.model && name in srv.model.definitions) return
-    if (name.startsWith(srv.namespace)) return
-    if (name.endsWith('_drafts')) return // REVISIT: rather fix test/fiori/localized-draft.test.js ?
-    else x[p] = `${srv.namespace}.${name}`
-  } else if (name.ref) {
-    const [head] = name.ref
-    head.id ? _ensure_fqn(head,'id',srv) : _ensure_fqn(name.ref,0,srv)
+    if (srv.model && from in srv.model.definitions) return
+    if (from.startsWith(srv.namespace)) return
+    if (from.endsWith('_drafts')) return // REVISIT: rather fix test/fiori/localized-draft.test.js ?
+    else x[p] = `${srv.namespace}.${from}`
+  } else if (from.ref) {
+    const [head] = from.ref
+    head.id ? _ensure_fqn(head,'id',srv) : _ensure_fqn(from.ref,0,srv)
     if (x.where) for (let y of x.where) if (y.SELECT) _ensure_fqn(y.SELECT,'from',srv)
   }
 }

package/lib/utils/axios.js

@@ -44,6 +44,9 @@ const _error = (e) => {
   })
   const { code, message } = e.response && e.response.data && e.response.data.error || {}
   if (message) e.message = code && code !== 'null' ? `${code} - ${message}` : message
+  // Promote toJSON from prototype to own property to make it iterable
+  // eslint-disable-next-line no-self-assign
+  if (typeof jest !== 'undefined') e.toJSON = e.toJSON
   throw e
 }
 

package/lib/utils/cds-test.js

@@ -23,6 +23,9 @@ class Test extends require('./axios') {
 
     // launch cds server...
     before (`launching ${cmd} ${args.join(' ')}...`, async () => {
+      // cds.plugins is filling cds.env before cds serve -> profile must be parsed here
+      const profile = args.indexOf('--profile')
+      if (profile !== -1) process.env.CDS_ENV = [...process.env.CDS_ENV?.split(',') ?? [], ...args[profile+1].split(',')]
       await cds.plugins
       cds.once ('listening', ({server,url}) => {
         const axp = Reflect.getOwnPropertyDescriptor(this,'axios')

package/lib/utils/cds-utils.js

@@ -5,6 +5,8 @@ const ux = module.exports = exports = new class {
   get inflect() { return super.inflect = require('./inflect') }
   get inspect() { return super.inspect = require('util').inspect }
   get uuid() { return super.uuid = require('@sap/cds-foss').uuid }
+  get yaml() { return super.yaml = require('@sap/cds-foss').yaml }
+  get pool() { return super.pool = require('@sap/cds-foss').pool }
   get tar() { return super.tar = require('./tar') }
 }
 

package/libx/_runtime/auth/index.js

@@ -2,7 +2,8 @@ const cds = require('../cds')
 const LOG = cds.log()
 
 const _require = require('../common/utils/require')
-const { UNAUTHORIZED, FORBIDDEN, isRestricted } = require('./utils')
+const { containsAnyRestrictions } = require('../common/utils/restrictions')
+const { ODATA_UNAUTHORIZED } = require('../common/error/constants')
 
 let passport, logged
 
@@ -60,7 +61,7 @@ const _log = (req, challenges) => {
 const cap_auth_callback = (req, res, next, internalError, user, arg) => {
   // An internal error occurs during the authentication process
   if (internalError) {
-    return res.status(401).json({ error: UNAUTHORIZED }) // no details to client
+    return res.status(401).json({ error: ODATA_UNAUTHORIZED }) // no details to client
   }
 
   let challenges
@@ -106,10 +107,9 @@ const _mountMockAuth = (srv, app, strategy, config) => {
 
 const _mountPassportAuth = (srv, app, strategy, config) => {
   if (strategy in { jwt: 1, xsuaa: 1 } && !config.credentials) {
-    LOG._warn &&
-      LOG.warn(`Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.
-        This is NOT recommended in production!`)
-    return
+    let msg = `Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.`
+    msg += ' Either bind an XSUAA instance, or switch to an authentication kind that does not require a binding.'
+    throw new Error(msg)
   }
 
   if (!passport) passport = _require('passport')
@@ -140,11 +140,12 @@ module.exports = (srv, options = srv.options) => {
   // NOTE: options.auth is not an official API
   let config = 'auth' in options ? options.auth : cds.env.requires.auth
   if (!config) {
+    // REVISIT: can config be falsy? req.user would be undefined!
     if (cds.requires.db && cds.requires.multitenancy) {
       process.exitCode = 1 // REVISIT: why exitCode needed?
       throw new Error('Authentication required for multitenancy')
     }
-    if (isRestricted(srv)) {
+    if (containsAnyRestrictions(srv)) {
       process.exitCode = 1 // REVISIT: why exitCode needed?
       throw new Error('Authentication required for authorization checks')
     }
@@ -161,12 +162,6 @@ module.exports = (srv, options = srv.options) => {
   // mount authentication middleware or strategy
   if (!logged) LOG._debug && LOG.debug(`Using authentication`, { kind: config.kind })
 
-  // Security by default: set restrict_all_services if not disabled
-  // this is done dynamically to also cover custom auth impl
-  if (process.env.NODE_ENV === 'production' && config.restrict_all_services !== false) {
-    config.restrict_all_services = true
-  }
-
   if (config.impl) {
     // mount custom authentication middleware
     _mountCustomAuth(srv, app, config)
@@ -184,15 +179,6 @@ module.exports = (srv, options = srv.options) => {
     }
   }
 
-  // Security by default: enforce authenticated users in production if auth service bound
-  if (
-    cds.requires.multitenancy ||
-    (process.env.NODE_ENV === 'production' && config.credentials && config.restrict_all_services)
-  ) {
-    if (!logged) LOG._debug && LOG.debug(`Enforcing authenticated users for all services`)
-    app.use(cap_enforce_login)
-  }
-
   // so we don't log the same stuff multiple times
   logged = true
 
@@ -206,13 +192,3 @@ const _strategy4 = config => {
   process.exitCode = 1 // REVISIT: why exitCode needed?
   throw new Error(`Authentication kind "${config.kind}" is not supported`)
 }
-
-const cap_enforce_login = (req, res, next) => {
-  if (req.user && req.user.is('authenticated-user')) return next() // pass if user is authenticated
-  if (!req.user || req.user._is_anonymous) {
-    if (req.user && req.user._challenges) res.set('WWW-Authenticate', req.user._challenges.join(';'))
-    return res.status(401).json({ error: UNAUTHORIZED }) // no details to client
-  } else {
-    return res.status(403).json({ error: FORBIDDEN }) // no details to client
-  }
-}