@sap/cds 7.4.1 → 7.5.0

package/apis/services.d.ts

@@ -1,384 +1,22 @@
-import { SELECT, INSERT, UPDATE, DELETE, Query, ConstructedQuery, UPSERT } from './ql'
-import { Awaitable } from './ql'
-import { ArrayConstructable, Constructable } from './internal/inference'
-import { LinkedCSN, LinkedDefinition, Definitions, LinkedEntity } from './linked'
-import { CSN } from './csn'
-import { EventContext } from './events'
-import { Request } from './events'
-
-export class QueryAPI {
-
-  entities : LinkedCSN['entities']
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  read: {
-    <T extends ArrayConstructable<any>>(entity: T, key?: any): Awaitable<SELECT<T>, InstanceType<T>>
-    <T>(entity: LinkedDefinition | string, key?: any): SELECT<T>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  create: {
-    <T extends ArrayConstructable<any>>(entity: T, key?: any): INSERT<T>
-    <T>(entity: LinkedDefinition | string, key?: any): INSERT<T>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  insert: {
-    <T extends ArrayConstructable<any>>(data: T): INSERT<T>
-    <T>(data: object | object[]): INSERT<T>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  upsert: {
-    <T extends ArrayConstructable<any>>(data: T): UPSERT<T>
-    <T>(data: object | object[]): UPSERT<T>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  update: {
-    <T extends ArrayConstructable<any>>(entity: T, key?: any): UPDATE<T>
-    <T>(entity: LinkedDefinition | string, key?: any): UPDATE<T>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  run: {
-    (query: ConstructedQuery | ConstructedQuery[]): Promise<ResultSet | any>
-    (query: Query): Promise<ResultSet | any>
-    (query: string, args?: any[] | object): Promise<ResultSet | any>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#crud-style-api)
-   */
-  delete<T>(entity: LinkedDefinition | string, key?: any): DELETE<T>
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#srv-foreach-entity)
-   */
-  foreach(query: Query, callback: (row: object) => void): this
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/core-services#srv-stream-column)
-   */
-  stream: {
-    (column: string): {
-      from(entity: LinkedDefinition | string): {
-        where(filter: any): ReadableStream
-      }
-    }
-    (query: Query): Promise<ReadableStream>
-  }
-
-  /**
-   * Starts or joins a transaction
-   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-tx)
-   */
-
-  tx: {
-    (fn: (tx: Transaction) => {}): Promise<unknown>
-    (context?: object): Transaction
-    (context: object, fn: (tx: Transaction) => {}): Promise<unknown>
-  }
-
-  transaction: {
-    (fn: (tx: Transaction) => {}): Promise<unknown>
-    (context?: object): Transaction
-    (context: object, fn: (tx: Transaction) => {}): Promise<unknown>
-  }
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-tx#cds-spawn)
-   */
-  spawn(options: {
-    [key: string]: any
-    every?: number
-    after?: number
-  }, fn: (tx: Transaction) => {}): SpawnEventEmitter
-
-  /**
-   * @see [docs](https://cap.cloud.sap/docs/node.js/cds-tx#event-contexts
-   */
-  context?: EventContext
-}
-
-
 /**
- * Class cds.Service
- * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
+ * DO NO LONGER IMPORT THIS FILE
+ *
+ * Instead use:
+ *
+ * @example
+ * ```
+ *   import * as cds from '@sap/cds'
+ *   cds.Request
+ * or
+ *   import { Request } from '@sap/cds'
+ * or
+ *   @type { import('@sap/cds').Request }
+ * ```
+ *
+ * @deprecated
  */
-export class Service extends QueryAPI {
-  constructor(
-    name?: string,
-    model?: CSN,
-    options?: {
-      kind: string
-      impl: string | ServiceImpl
-    }
-  )
-
-  /**
-   * The name of the service
-   */
-  name: string
-
-  /**
-   * The model from which the service's definition was loaded
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
-   */
-  model: LinkedCSN
-
-  /**
-   * Provides access to the entities exposed by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
-   */
-  entities: Definitions & ((namespace: string) => Definitions)
-
-  /**
-   * Provides access to the events declared by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
-   */
-  events: Definitions & ((namespace: string) => Definitions)
-
-  /**
-   * Provides access to the types exposed by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
-   */
-  types: Definitions & ((namespace: string) => Definitions)
-
-  /**
-   * Provides access to the operations, i.e. actions and functions, exposed by a service
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
-   */
-  operations: Definitions & ((namespace: string) => Definitions)
-
-  /**
-   * Acts like a parameter-less constructor. Ensure to call `await super.init()` to have the base class’s handlers added.
-   * You may register own handlers before the base class’s ones, to intercept requests before the default handlers snap in.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#srv-init)
-   */
-  init(): Promise<void>
-
-  /**
-   * Constructs and emits an asynchronous event.
-   * @see [capire docs](https://cap.cloud.sap/docs/core-services#srv-emit-event)
-   */
-  emit: {
-    <T = any>(details: { event: types.event; data?: object; headers?: object }): Promise<T>
-    <T = any>(event: types.event, data?: object, headers?: object): Promise<T>
-  }
-
-  /**
-   * Constructs and sends a synchronous request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#srv-send-request)
-   */
-  send: {
-    <T = any>(event: types.event, path: string, data?: object, headers?: object): Promise<T>
-    <T = any>(event: types.event, data?: object, headers?: object): Promise<T>
-    <T = any>(details: { event: types.event; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { query: ConstructedQuery; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { method: types.eventName; path: string; data?: object; headers?: object }): Promise<T>
-    <T = any>(details: { event: types.eventName; entity: LinkedDefinition | string; data?: object; params?: object }): Promise<T>
-  }
-
-  /**
-   * Constructs and sends a GET request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
-   */
-  get<T = any>(entityOrPath: types.target, data?: object): Promise<T>
-  /**
-   * Constructs and sends a POST request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
-   */
-  post<T = any>(entityOrPath: types.target, data?: object): Promise<T>
-  /**
-   * Constructs and sends a PUT request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
-   */
-  put<T = any>(entityOrPath: types.target, data?: object): Promise<T>
-  /**
-   * Constructs and sends a PATCH request.
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services#rest-style-api)
-   */
-  patch<T = any>(entityOrPath: types.target, data?: object): Promise<T>
-  /**
-   * Constructs and sends a DELETE request.
-   */
-  delete: {
-    <T = any>(entityOrPath: types.target, data?: object): DELETE<T>
-    <T extends ArrayConstructable<any>>(entity: T, key?: any): DELETE<T>
-    <T>(entity: LinkedDefinition | string, key?: any): DELETE<T>
-  }
-
-  // The central method to dispatch events
-  dispatch(msg: types.event): Promise<any>
-
-  // Provider API
-  prepend(fn: ServiceImpl): Promise<this>
-  on<T extends Constructable>(eve: types.event, entity: T, handler: CRUDEventHandler.On<InstanceType<T>, InstanceType<T> | void | Error>): this
-  on<F extends CdsFunction>(boundAction: F, service: string, handler: ActionEventHandler<F['__parameters'], void | Error | F['__returns']>): this
-  on<F extends CdsFunction>(unboundAction: F, handler: ActionEventHandler<F['__parameters'], void | Error | F['__returns']>): this
-  on(eve: types.event, entity: types.target, handler: OnEventHandler): this
-  on(eve: types.event, handler: OnEventHandler): this
-
-
-  // onSucceeded (eve: types.Events, entity: types.Target, handler: types.EventHandler): this
-  // onSucceeded (eve: types.Events, handler: types.EventHandler): this
-  // onFailed (eve: types.Events, entity: types.Target, handler: types.EventHandler): this
-  // onFailed (eve: types.Events, handler: types.EventHandler): this
-  before<T extends Constructable>(eve: types.event, entity: T, handler: CRUDEventHandler.Before<InstanceType<T>, InstanceType<T> | void | Error>): this
-  before(eve: types.event, entity: types.target, handler: EventHandler): this
-  before(eve: types.event, handler: EventHandler): this
-  after<T extends Constructable>(eve: types.event, entity: T, handler: CRUDEventHandler.After<InstanceType<T>, InstanceType<T> | void | Error>): this
-  after(eve: types.event, entity: types.target, handler: ResultsHandler): this
-  after(eve: types.event, handler: ResultsHandler): this
-  reject(eves: types.event, ...entity: types.target[]): this
-}
-
-export class ApplicationService extends Service {}
-export class MessagingService extends Service {}
-export class RemoteService extends Service {}
-export class DatabaseService extends Service {
-  deploy(model?: CSN | string): Promise<CSN>
-  begin(): Promise<void>
-  commit(): Promise<void>
-  rollback(): Promise<void>
-}
-
-
-export default class cds {
-  /**
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/core-services)
-   */
-  Service: typeof Service
-
-  /**
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/app-services)
-   */
-  ApplicationService: typeof ApplicationService
-
-  /**
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/remote-services)
-   */
-  RemoteService: typeof RemoteService
-
-  /**
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/messaging)
-   */
-  MessagingService: typeof MessagingService
-
-  /**
-   * @see [capire docs](https://cap.cloud.sap/docs/node.js/databases)
-   */
-  DatabaseService: typeof DatabaseService
-}
-
-
-interface Transaction extends Service {
-  commit(): Promise<void>
-  rollback(): Promise<void>
-}
-
-interface ResultSet extends Array<{}> {}
-
-interface ServiceImpl {
-  (this: Service, srv: Service): any
-}
-
-interface EventHandler {
-  // (msg : types.EventMessage) : Promise<any> | any | void
-  (req: Request): Promise<any> | any | void
-}
-
-interface OnEventHandler {
-  (req: Request, next: Function): Promise<any> | any | void
-}
-
-// `Partial` wraps any type and allows all properties to be undefined
-// in addition to their actual type.
-// This is important in the context of CRUD events, where
-// entities could be lacking any properties, like a non-existing ID
-// or when DB fields are corrupted, etc.
-type Partial<T> = { [Key in keyof T]: undefined | T[Key] }
-
-// Naming the first parameter in a handler `each` has special voodoo
-// semantic which makes it impossible for us to infer the exact behaviour on a type level.
-// So we always have to expect scalars as well as arrays in some callbacks.
-type OneOrMany<T> = T | T[];
-
-// functions generated by cds-typer explicitly carry types for
-// parameters and return type, as their names are not accessible from
-// function signatures to the type system.
-// This meta information is required in .on action handlers.
-type CdsFunction = {
-  (...args: any[]): any,
-  __parameters: object,
-  __returns: unknown
-}
-
-type TypedRequest<T> = Omit<Request, 'data'> & { data: T }
-
-// https://cap.cloud.sap/docs/node.js/core-services#srv-on-before-after
-declare namespace CRUDEventHandler {
-  type Before<P,R> = (req: TypedRequest<P>) => Promise<R> | R
-  type On<P,R> = (req: TypedRequest<P>, next: (...args: any) => Promise<R> | R) => Promise<R> | R
-  type After<P,R> = (data: undefined | P, req: TypedRequest<P>) => Promise<R> | R
-}
-
-// Handlers for actions try to infer the passed .data property
-// as strictly as possible and therefore have to remove
-// { data: any } (inherited EventMessage} with a more restricted
-// type, based on the parameters of the action.
-interface ActionEventHandler<P,R> {
-  (req: Omit<Request, 'data'> & { data: P }, next: Function): Promise<R> | R
-}
-
-// Note: the behaviour of ResultsHandler changes based on the name of the parameter.
-// If the parameter in the hook is called "each", it is called once for each row in the result,
-// otherwise it gets called exactly one time with the entire result.
-// This runtime behaviour can not be described on type level
-// (in a way that would benefit the user).
-// The user will therefore receive "any" as their result/ each. If we could some day differentiate,
-// we may want to add a generic to ResultsHandler which is passed from the EventHandlers down below.
-interface ResultsHandler {
-  (results: any[], req: Request): void
-  (each: any, req: Request): void
-}
-
-interface SpawnEvents {
-  'succeeded': (res: any) => void
-  'failed': (error: any) => void
-  'done': () => void
-}
-
-declare class SpawnEventEmitter {
-  on<U extends keyof SpawnEvents>(
-    event: U, listener: SpawnEvents[U]
-  ): this;
+export * from '@cap-js/cds-types/apis/services'
 
-  emit<U extends keyof SpawnEvents>(
-    event: U, ...args: Parameters<SpawnEvents[U]>
-  ): boolean;
-  timer: any
-}
+// this got moved to 'events' in 7.4
+export  { Request } from '@cap-js/cds-types/apis/events'
 
-declare namespace types {
-  type event = eventName | eventName[]
-  type eventName = (string & {})
-    | 'CREATE' | 'READ' | 'UPDATE' | 'DELETE'
-    | 'NEW' | 'EDIT' | 'PATCH' | 'SAVE'
-    | 'GET' | 'PUT' | 'POST' | 'PATCH' | 'DELETE'
-    | 'COMMIT' | 'ROLLBACK'
-  type target = string | LinkedDefinition | LinkedEntity | (string | LinkedDefinition | LinkedEntity)[] | ArrayConstructable<any>
-}

package/bin/cds-serve.js

@@ -31,11 +31,14 @@ const cli = {
       else if (_global.test(a)) add_global(a, _flags[a] || argv[++i])
       else throw 'Invalid option: '+ a
     }
+    // consistent production setting for NODE_ENV and CDS_ENV
+    if (process.env.NODE_ENV !== 'production') process.env.NODE_ENV = process.env.CDS_ENV?.split(',').find(p => p === 'production') || process.env.NODE_ENV
+    else process.env.CDS_ENV = Array.from(new Set([...process.env.CDS_ENV?.split(',') ?? [], 'production']))
 
     function add (k,v) { options[k.slice(2)] = v || true }
     function add_global (k,v='') {
-      if (k === '--production') return process.env.NODE_ENV = 'production'
-      if (k === '--profile') return process.env.CDS_ENV = v.split(',')
+      if (k === '--production') return process.env.CDS_ENV = Array.from(new Set([...process.env.CDS_ENV?.split(',') ?? [], 'production']))
+      if (k === '--profile')    return process.env.CDS_ENV = Array.from(new Set([...process.env.CDS_ENV?.split(',') ?? [], ...v.split(',')]))
       if (k === '--odata') v = { flavor:v }
       let e=env || (env={}), path = k.slice(2).split('-')
       while (path.length > 1) { let p = path.shift(); e = e[p]||(e[p]={}) }

package/bin/serve.js

@@ -127,7 +127,7 @@ module.exports = Object.assign ( serve, {
 `})
 
 
-const cds = require('../lib'), { exists, isfile, local, path } = cds.utils
+const cds = require('../lib'), { exists, isfile, local, path, _redacted } = cds.utils
 const COLORS = !!process.stdout.isTTY && !!process.stderr.isTTY && !process.env.NO_COLOR
 
 // provisional loggers, see _prepare_logging
@@ -261,7 +261,12 @@ function _prepare_logging () { // NOSONAR
   // print information when model is loaded
   cds.on ('loaded', (model)=>{
     LOG.info (`loaded model from ${model.$sources.length} file(s):\n${COLORS ? '\x1b[2m' : ''}`)
-    for (let each of model.$sources)  console.log (' ', local(each))
+    const limit = 30, shown = model.$sources.length === limit + 1 ? limit + 1 : limit // REVISIT: configurable limit?
+    for (let each of model.$sources.slice(0, shown))  console.log (' ', local(each))
+    if (model.$sources.length > shown) {
+      if (LOG._debug) for (let each of model.$sources.slice(shown))  console.log (' ', local(each))
+      else console.log (`  ...${model.$sources.length-shown} more. Run with DEBUG=serve to show all files.`)
+    }
     COLORS && console.log ('\x1b[0m')
   })
 
@@ -337,20 +342,6 @@ function _with_mocks (o) {
   }
 }
 
-const SECRETS = /(password)|(certificate)|(ca)|(secret)|(key)/i // 'certificate' and 'ca' on HANA
-/** mascades password-like strings, also reducing clutter in output */
-function _redacted(cred) {
-  if (!cred) return cred
-  if (Array.isArray(cred)) return cred.map(_redacted)
-  if (typeof cred === 'object') {
-    const newCred = Object.assign({}, cred)
-    Object.keys(newCred).forEach(k => (typeof newCred[k] === 'string' && SECRETS.test(k)) ? (newCred[k] = '...') : (newCred[k] = _redacted(newCred[k])))
-    return newCred
-  }
-  return cred
-}
-
-
 const _warn_if_cds_was_loaded_from_different_locations = ()=> global.__cds_loaded_from?.size > 1 && console.warn(`
 -----------------------------------------------------------------------
 WARNING: Package '@sap/cds' was loaded from different installations:`,

package/lib/auth/basic-auth.js

@@ -12,13 +12,15 @@ module.exports = function basic_auth (options) {
     // get basic authorization header
     let auth = req.headers.authorization
     // enforce login if requested
-    if (!auth || !auth.match(/^basic/i)) return login_required ? req._login('Logged in user required!') : req.user = new cds.User.default, next()
+    if (!auth?.match(/^basic/i)) return login_required ? req._login('Logged-in user required!') : next()
     // decode user credentials from autorization header
     let [id,pwd] = Buffer.from(auth.slice(6),'base64').toString().split(':')
     // verify user credentials and set req.user
     let u = req.user = await users.verify (id, pwd)
     // re-request login in case of wrong credentials
     if (u.failed) return req._login (u)
+    // set req.tenant
+    if (u.tenant) req.tenant = u.tenant
     // support for feature toggles via req.headers.features
     if (req.headers.features) u = req.user = { ...u, features: req.headers.features } // NOTE: need to clone u
     // done...

package/lib/auth/ias-auth.js

@@ -3,65 +3,79 @@ const LOG = cds.log('auth')
 
 // _require for better error message
 const _require = require('../../libx/_runtime/common/utils/require')
-const express = _require('express')
-const passport = _require('passport')
-const { JWTStrategy } = _require('@sap/xssec')
-
-const RESERVED_ATTRIBUTES = new Set(['aud', 'azp', 'exp', 'ext_attr', 'iat', 'ias_iss', 'iss', 'jti', 'sub', 'user_uuid', 'zone_uuid', 'zid'])
+const xssec = _require('@sap/xssec')
 
 module.exports = function ias_auth(config) {
-  if (!config.credentials) {
-    let msg = `Authentication kind "${config.kind}" configured, but no IAS instance bound to application.`
+  const { kind, credentials, known_claims } = config
+
+  if (!credentials) {
+    let msg = `Authentication kind "${kind}" configured, but no IAS instance bound to application.`
     msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
     throw new Error(msg)
   }
 
-  passport.use('IAS', new JWTStrategy(config.credentials))
-
-  return express
-    .Router()
-    .use((req, res, next) => {
-      // callback needed in order to suppress 401 and continue with anonymous to allow @requires: 'any'/ restrict_all_services=false
-      const callback = (err, user, info, _status) => {
-        if (err) return next(err)
-
-        if (user) {
-          req.user = user
-          req.authInfo = info
-        } else {
-          req.user = new cds.User.default
-          if (LOG._debug && req.tokenInfo)
-            LOG.debug('Error during token validation:', req.tokenInfo.getErrorObject().message)
+  // cds.env.requires.auth.known_claims is not an official config!
+  const KNOWN_CLAIMS = new Set(known_claims || require('./ias-claims'))
+
+  function getUser(tokenInfo) {
+    const payload = tokenInfo.getPayload()
+
+    const clientid = tokenInfo.getClientId()
+    if (clientid === payload.sub) {
+      //> grant_type === client_credentials or x509
+      const roles = ['system-user']
+      if (clientid === credentials.clientid) roles.push('internal-user')
+      return new cds.User({ id: 'system', roles })
+    }
+
+    // add all unknown attributes to req.user.attr in order to keep public API small
+    const attr = Object.keys(payload)
+      .filter(k => !KNOWN_CLAIMS.has(k))
+      .reduce((attr, k) => { attr[k] = payload[k]; return attr }, {})
+
+    // same api as xsuaa-auth for easier migration
+    if (attr.user_name) attr.logonName = attr.user_name
+    if (attr.given_name) attr.givenName = attr.given_name
+    if (attr.family_name) attr.familyName = attr.family_name
+
+    return new cds.User({ id: payload.sub, attr })
+  }
+
+  return (req, _, next) => {
+    const token = req.headers.authorization?.split(/^bearer /i)[1]
+    xssec.createSecurityContext(token, credentials, 'IAS', function (err, securityContext, tokenInfo) {
+      // REVISIT: ias impl not as sophisticated as xsuaa impl, so we need to be more tolerant here -> xssec issue 221
+      // if (err && !tokenInfo) {
+      //   // here, there is a general problem, .e.g., bad credentials -> throw the error
+      //   return next(err)
+      // }
+
+      if (err && LOG._debug) LOG.debug('User could not be authenticated due to error:', err)
+
+      // if no general problem, tokenInfo object is always available -> add to req via getter for compat reasons
+      // -> the "always available" part is not true for ias (see REVISIT above)
+      tokenInfo && Object.defineProperty(req, 'tokenInfo', {
+        get() {
+          cds._logDeprecation('req.tokenInfo was added for compatibility purposes but will be removed in the next major version.')
+          return tokenInfo
         }
+      })
 
-        next()
-      }
-      passport.authenticate('IAS', { session: false }, callback)(req, res, next)
-    })
-    .use((req, res, next) => {
-      if (!('authInfo' in req)) return next()
-
-      const payload = req.tokenInfo.getPayload()
-      if (req.tokenInfo.getClientId() === req.tokenInfo.getSubject()) {
-        //> grant_type === client_credentials or x509
-        const roles = ['authenticated-user', 'system-user']
-        if (payload.azp === config.credentials.clientid) roles.push('internal-user')
-        req.user = new cds.User({ id: 'system', roles, attr: {} })
-      } else {
-        // add all unknown attributes to req.user.attr in order to keep public API small
-        const attributes = Object.keys(payload)
-          .filter(k => !RESERVED_ATTRIBUTES.has(k))
-          .reduce((attrs, k) => { attrs[k] = payload[k]; return attrs }, {})
-
-        req.user = new cds.User({
-          id: req.user.id,
-          roles: ['authenticated-user'],
-          attr: attributes
-        })
+      if (!securityContext) {
+        if (!req.headers.authorization) {
+          LOG._debug && LOG.debug('No authorization header provided, continuing with default user.')
+          req.user = new cds.User.default()
+          return next()
+        }
+        return next(new cds.error('Unauthorized', { statusCode: 401 }))
       }
 
-      req.tenant = req.tokenInfo.getZoneId()
+      req.user = getUser(tokenInfo)
+      req.tenant = tokenInfo.getZoneId()
+
+      req.authInfo = securityContext //> compat req.authInfo
 
       next()
     })
+  }
 }

package/lib/auth/ias-claims.js

@@ -0,0 +1,34 @@
+module.exports = Object.values({
+  /*
+   * JWT claims (https://datatracker.ietf.org/doc/html/rfc7519#section-4)
+   */
+  ISSUER: 'iss',
+  SUBJECT: 'sub',
+  AUDIENCE: 'aud',
+  EXPIRATION_TIME: 'exp',
+  NOT_BEFORE: 'nbf',
+  ISSUED_AT: 'iat',
+  JWT_ID: 'jti',
+  /*
+   * TokenClaims (com.sap.cloud.security.token.TokenClaims)
+   */
+  // ISSUER: "iss", //> already in JWT claims
+  IAS_ISSUER: 'ias_iss',
+  // EXPIRATION: "exp", //> already in JWT claims
+  // AUDIENCE: "aud", //> already in JWT claims
+  // NOT_BEFORE: "nbf", //> already in JWT claims
+  // SUBJECT: "sub", //> already in JWT claims
+  // USER_NAME: 'user_name', //> do not exclude
+  // GIVEN_NAME: 'given_name', //> do not exclude
+  // FAMILY_NAME: 'family_name', //> do not exclude
+  // EMAIL: 'email', //> do not exclude
+  SAP_GLOBAL_SCIM_ID: 'scim_id',
+  SAP_GLOBAL_USER_ID: 'user_uuid', //> exclude for now
+  SAP_GLOBAL_ZONE_ID: 'zone_uuid',
+  // GROUPS: 'groups', //> do not exclude
+  AUTHORIZATION_PARTY: 'azp',
+  CNF: 'cnf',
+  CNF_X5T: 'x5t#S256',
+  // own
+  APP_TENANT_ID: 'app_tid'
+})