@sap/cds 7.4.2 → 7.5.0

package/libx/odata/read.js

@@ -0,0 +1,94 @@
+const metaInfo = require('../_runtime/cds-services/adapter/odata-v4/utils/metaInfo')
+const cds = require('../../')
+const { toODataResult } = require('./result')
+const querystring = require('node:querystring')
+const { getPageSize } = require('../_runtime/common/generic/paging')
+
+const _getCount = result =>
+  Array.isArray(result)
+    ? result.reduce((acc, val) => {
+        return acc + ((val && (val.$count || val._counted_)) || (val[0] && (val[0].$count || val[0]._counted_))) || 0
+      }, 0)
+    : result.$count || result._counted_ || 0
+
+const _calculateNextLink = (req, result) => {
+  const $skiptoken = _calculateSkiptoken(req, result)
+  if ($skiptoken) {
+    const queryParamsWithSkipToken = { ...req.http.req.query, $skiptoken }
+    // REVISIT: slice replaces leading '/'. Always starts with '/'?
+    result.$nextLink = (
+      req.http.req.path.slice(1) + '?' + querystring.stringify(queryParamsWithSkipToken, '&', '=', { encodeURIComponent: e => e })
+    )
+  }
+
+}
+
+const _calculateSkiptoken = (req, result) => {
+  const limit = Array.isArray(req.query)
+    ? getPageSize(req.query[0]._target).max
+    : req.query.SELECT.limit?.rows?.val
+  const top = parseInt(req.http.req.query['$top'])
+  if (limit === result.length && limit !== top) {
+    const token = req.http.req.query['$skiptoken']
+    if (cds.env.query.limit.reliablePaging && _reliablePagingPossible(req)) {
+      const decoded = token && JSON.parse(Buffer.from(token, 'base64').toString())
+      const skipToken = {
+        r: (decoded?.r || 0) + limit,
+        c: req.query.SELECT.orderBy.map(o => ({
+          a: o.sort ? o.sort === 'asc' : true,
+          k: o.ref[0],
+          v: result[result.length - 1][o.ref[0]]
+        }))
+      }
+
+      if (limit + (decoded?.r || 0) !== top) {
+        return Buffer.from(JSON.stringify(skipToken)).toString('base64')
+      }
+    } else {
+      return (token ? parseInt(token) : 0) + limit
+    }
+  }
+}
+
+const _reliablePagingPossible = req => {
+  if (req.target._isDraftEnabled) return false
+  if (cds.context?.http.req.query.$apply) return false
+  if (req.query.SELECT.limit.offset?.val ?? req.query.SELECT.limit.offset > 0) return false
+  if (req.query.SELECT.orderBy?.some(o => !o.ref)) return false
+  return (
+    !req.query.SELECT.columns ||
+    req.query.SELECT.columns.some(c => c === '*' || c.ref?.[0] === '*') ||
+    req.query.SELECT.orderBy?.every(o => req.query.SELECT.columns?.some(c => o.ref[0] === c.ref?.[0]))
+  )
+}
+
+module.exports = srv =>
+  function read(req, res, next) {
+    const query = cds.odata.parse(req.url, { service: srv, baseUrl: req.baseUrl })
+
+    // we need the cds request, so we can access the modified query, which is cloned due to lean-draft, so we need to use dispatch here and pass a cds req
+    const cdsReq = new cds.Request({query})
+    return srv
+      .dispatch(cdsReq)
+      .then(result => {
+        if (!result.$nextLink) {
+          _calculateNextLink(cdsReq, result)
+        }
+
+        const lastPathElement = req.path.split('/').slice(-1)[0]
+        if (lastPathElement === '$count') {
+          result = _getCount(result)
+          return res.send(result.toString())
+        } else if (lastPathElement === '$value' && query._propertyAccess) {
+          return res.send(result[query._propertyAccess].toString())
+        }
+
+        // mainly for @odata.context
+        const info = metaInfo(query, 'READ', srv, {}, req, false)
+        result = toODataResult(result, info)
+
+        // Express interprets numbers as HTTP status codes
+        return res.send(typeof result === 'number' ? result.toString() : result)
+      })
+      .catch(next)
+  }

package/libx/odata/result.js

@@ -0,0 +1,91 @@
+const METADATA = {
+  $context: '@odata.context',
+  $count: '@odata.count',
+  $etag: '@odata.etag',
+  $metadataEtag: '@odata.metadataEtag',
+  $bind: '@odata.bind',
+  $id: '@odata.id',
+  $delta: '@odata.delta',
+  $removed: '@odata.removed',
+  $type: '@odata.type',
+  $nextLink: '@odata.nextLink',
+  $deltaLink: '@odata.deltaLink',
+  $editLink: '@odata.editLink',
+  $readLink: '@odata.readLink',
+  $navigationLink: '@odata.navigationLink',
+  $associationLink: '@odata.associationLink',
+  $mediaEditLink: '@odata.mediaEditLink',
+  $mediaReadLink: '@odata.mediaReadLink',
+  $mediaContentType: '@odata.mediaContentType',
+  $mediaContentDispositionFilename: '@odata.mediaContentDispositionFilename', // > not supported by okra
+  $mediaContentDispositionType: '@odata.mediaContentDispositionType', // > not supported by okra
+  $mediaEtag: '@odata.mediaEtag'
+}
+
+const _cleanupMetadata = (odataResult, result) => {
+  if (typeof result !== 'object') return odataResult
+
+  const keysToCleanup = {
+    // do not set "@odata.context" as it may be inherited of remote service
+    $context: true,
+    // REVISIT: okra doesn't support content disposition
+    $mediaContentDispositionFilename: true,
+    $mediaContentDispositionType: true
+  }
+
+  for (const key in METADATA) {
+    if (!(key in result)) continue
+    if (!keysToCleanup[key]) {
+      odataResult[METADATA[key]] = result[key]
+    }
+    delete result[key]
+  }
+
+  return odataResult
+}
+
+const _setContext = (odataResult, info, isCollection) => {
+  if (info && info.metadata) {
+    const result = isCollection || info.metadata.propertyName ? odataResult : odataResult.value
+
+    if (result != null) Object.assign(result, { [METADATA.$context]: info.metadata.contextUrl })
+  }
+  return odataResult
+}
+
+/**
+ * Convert any result to the result object structure, which is expected of odata-v4.
+ *
+ * @param {*} result
+ * @param {*} [info]
+ * @returns {string | object}
+ */
+const toODataResult = (result, info) => {
+  if (result == null) return ''
+
+  let propertyName, isCollection
+  if (info) {
+    propertyName = info.metadata.propertyName
+    isCollection = info.metadata.isCollection
+  }
+
+  if (isCollection && !Array.isArray(result)) result = [result]
+  else if (!isCollection && Array.isArray(result)) result = result[0]
+
+  let value = result
+  if (typeof result === 'object') {
+    if (propertyName) value = result[propertyName]
+  }
+
+  const odataResult = _cleanupMetadata({ value }, result)
+
+  // REVISIT: Support exponential decimals header
+  // REVISIT: we always assume minimal metadata right now
+  _setContext(odataResult, info, isCollection)
+
+  if (!isCollection && !propertyName) return odataResult.value
+
+  return odataResult
+}
+
+module.exports = { toODataResult }

package/libx/odata/service-document.js

@@ -16,45 +16,39 @@ const generateEtag = s => {
 
 module.exports = srv =>
   function service_document(req, res, next) {
-    if (req.path === '/') {
-      if (req.method === 'HEAD') return res.end()
-      if (req.method !== 'GET')
-        return res
-          .status(405)
-          .json({
-            error: { code: 'METHOD_NOT_ALLOWED', message: `Method ${req.method} not allowed for service document.` }
-          })
-
-      const m = cds.context.model || cds.model
-      const csnService = (cds.context.model || cds.model).definitions[srv.name]
-
-      if (req.headers['if-none-match']) {
-        if (csnService.srvDocEtag) {
-          const unchanged = validate_etag(req.headers['if-none-match'], csnService.srvDocEtag)
-          if (unchanged) {
-            res.set('Etag', csnService.srvDocEtag)
-            return res.status(304).end()
-          }
+    if (req.method === 'HEAD') return res.end()
+    if (req.method !== 'GET')
+      return res.status(405).json({
+        error: { code: 'METHOD_NOT_ALLOWED', message: `Method ${req.method} not allowed for service document.` }
+      })
+
+    const m = cds.context.model || cds.model
+    const csnService = (cds.context.model || cds.model).definitions[srv.name]
+
+    if (req.headers['if-none-match']) {
+      if (csnService.srvDocEtag) {
+        const unchanged = validate_etag(req.headers['if-none-match'], csnService.srvDocEtag)
+        if (unchanged) {
+          res.set('Etag', csnService.srvDocEtag)
+          return res.status(304).end()
         }
       }
-
-      const srvEntities = m.childrenOf(srv.name)
-      // REVISIT: How to identify the exposed entities? api.ignore, autoexposed, ...
-      const exposedEntities = Object.keys(srvEntities).filter(
-        e => !srvEntities[e]['@cds.api.ignore'] && e !== 'DraftAdministrativeData'
-      )
-
-      csnService.srvDocEtag = generateEtag(JSON.stringify(exposedEntities))
-      res.set('Etag', csnService.srvDocEtag)
-      return res.json({
-        '@odata.context': `$metadata`,
-        '@odata.metadataEtag': csnService.srvDocEtag,
-        value: exposedEntities.map(e => {
-          const e_ = e.replace(/\./g, '_')
-          return { name: e_, url: e_ }
-        })
-      })
     }
 
-    return next()
+    const srvEntities = m.childrenOf(srv.name)
+    // REVISIT: How to identify the exposed entities? api.ignore, autoexposed, ...
+    const exposedEntities = Object.keys(srvEntities).filter(
+      e => !srvEntities[e]['@cds.api.ignore'] && e !== 'DraftAdministrativeData'
+    )
+
+    csnService.srvDocEtag = generateEtag(JSON.stringify(exposedEntities))
+    res.set('Etag', csnService.srvDocEtag)
+    return res.json({
+      '@odata.context': `$metadata`,
+      '@odata.metadataEtag': csnService.srvDocEtag,
+      value: exposedEntities.map(e => {
+        const e_ = e.replace(/\./g, '_')
+        return { name: e_, url: e_ }
+      })
+    })
   }

package/libx/odata/utils.js

@@ -153,9 +153,10 @@ const _v4 = (val, element) => {
   }
 }
 
-const formatVal = (val, elementName, csnTarget, kind, func) => {
+const formatVal = (val, elementName, csnTarget, kind, func, literal) => {
   if (val === null || val === 'null') return 'null'
   if (typeof val === 'boolean') return val
+  if (typeof val === 'string' && literal === 'number' ) return `${val}`
   if (typeof val === 'string') {
     if (!csnTarget && UUID.test(val)) return kind === 'odata-v2' ? `guid'${val}'` : val
     if (func in MATH_FUNC) return val

package/libx/outbox/index.js

@@ -12,6 +12,7 @@ const { isStandardError } = require('../_runtime/common/error/standardError')
 const cdsUser = 'cds.internal.user'
 const $messageProcessorRegistered = Symbol('message processor registered')
 const $outboxed = Symbol('outboxed')
+const $unboxed = Symbol('unboxed')
 
 const _get100NanosecondTimestampISOString = () => {
   const [now, nanoseconds] = [new Date(), process.hrtime()[1]]
@@ -159,7 +160,7 @@ const processMessages = async (service, tenant, _opts = {}) => {
         }
       }
 
-      const process = service.outbox?.process || this.process || processDefault
+      const process = service.options.outbox?.process || this.process || processDefault
       const toBeDeleted = []
       const toBeUpdated = []
       try {
@@ -256,6 +257,10 @@ const writeInOutbox = async (name, msg, context) => {
 //   onProcess(msgs){ ... }
 // })
 
+function unboxed(srv) {
+  return srv[$unboxed] || srv
+}
+
 function outboxed(srv, customOpts) {
   // outbox max. once
   if (!new.target) {
@@ -263,9 +268,9 @@ function outboxed(srv, customOpts) {
     if (former) return former
   }
 
-  const originalSrv = srv.immediate || srv
+  const originalSrv = srv[$unboxed] || srv
   const outboxedSrv = Object.create(originalSrv)
-  outboxedSrv.immediate = originalSrv
+  outboxedSrv[$unboxed] = originalSrv
 
   if (!new.target) Object.defineProperty(srv, $outboxed, { value: outboxedSrv })
 
@@ -307,4 +312,4 @@ function outboxed(srv, customOpts) {
   return outboxedSrv
 }
 
-module.exports = outboxed
+module.exports = { outboxed, unboxed }

package/libx/rest/RestAdapter.js

@@ -3,67 +3,35 @@ const cds = require('../_runtime/cds')
 // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
 const express = require('express')
 
-const parse = require('./middleware/parse')
-const input = require('./middleware/input')
+const parse_factory = require('./middleware/parse')
+const input_factory = require('./middleware/input')
 
-const create = require('./middleware/create')
-const read = require('./middleware/read')
-const update = require('./middleware/update')
-const deleet = require('./middleware/delete')
-const operation = require('./middleware/operation')
-const payload = require('./middleware/payload')
+const create_factory = require('./middleware/create')
+const read_factory = require('./middleware/read')
+const update_factory = require('./middleware/update')
+const delete_factory = require('./middleware/delete')
+const operation_factory = require('./middleware/operation')
+const payload_factory = require('./middleware/payload')
 
-const error = require('./middleware/error')
-const { alias2ref } = require('../_runtime/common/utils/csn')
-const { bufferToBase64 } = require('../_runtime/common/utils/binary')
+const error_factory = require('./middleware/error')
 
+const { bufferToBase64 } = require('../_runtime/common/utils/binary')
+const { alias2ref } = require('../_runtime/common/utils/csn')
 const { getAccessRestrictions } = require('../_runtime/common/utils/restrictions')
 
 const RestAdapter = function (srv) {
-  alias2ref(srv) // REVISIT: that's an anti pattern in new prototocol adapter setups
+  const parse = parse_factory(srv)
+  const input = input_factory(srv)
+  const payload = payload_factory(srv)
 
-  const accessRestrictions = getAccessRestrictions(srv)
+  alias2ref(srv)
 
   const router = express.Router()
 
-  // pass srv-related stuff to middlewares via req
-  router.use((req, res, next) => {
-    req._srv = srv // FIXME: That's only because of how we organized our rest adapater code into fragmented files -> don't do that
-
-    // cds/libx/rest/middleware/create.js:
-    //   12:   const { _srv: srv, _query: query, _target, _data } = _req
-
-    // cds/libx/rest/middleware/delete.js:
-    //   4:   const { _srv: srv, _query: query, _target, _params } = _req
-
-    // cds/libx/rest/middleware/error.js:
-    //   40:   const { _srv: srv } = req
-
-    // cds/libx/rest/middleware/input.js:
-    //   40:   const { _srv, _query, _data, _operation } = req
-    //   43:   if (!(_data && _srv && definition)) return next()
-    //   47:   const template = getTemplate(_cache(req), _srv, definition, { pick: _picker(req) })
-
-    // cds/libx/rest/middleware/operation.js:
-    //   7:   const { _srv: srv, _query: query, _operation: operation, _data: data } = _req
-
-    // cds/libx/rest/middleware/parse.js:
-    //   10:   const { _srv: service } = req
-
-    // cds/libx/rest/middleware/read.js:
-    //   4:   const { _srv: srv, _query: query, _target, _params } = _req
-
-    // cds/libx/rest/middleware/update.js:
-    //   11:   let { _srv: srv, _query: query, _target, _data, _params } = _req
-
-    next()
-  })
-
-  // req.user + req.tenant -> cds.context = { user, tenant }
-  // NOT ALLOWED: cds.context.user = 'me'
-  // req.requiresLogin() -> login -> redirect to referrer
-
+  // -----------------------------------------------------------------------------------------
   // check @requires as soon as possible (DoS)
+  //
+  const accessRestrictions = getAccessRestrictions(srv)
   router.use((req, res, next) => {
     // ensure there always is a user going forward (not always the case with old or custom auth)
     if (!req.user) req.user = new cds.User.default()
@@ -85,6 +53,7 @@ const RestAdapter = function (srv) {
 
   // -----------------------------------------------------------------------------------------
   // service root
+  //
   router.head('/', (_, res) => res.json({}))
   router.get('/', (_, res) =>
     res.json({
@@ -94,7 +63,7 @@ const RestAdapter = function (srv) {
 
   // -----------------------------------------------------------------------------------------
   // parse / validate
-
+  //
   // content-type check
   router.use((req, res, next) => {
     // REVISIT: move that into parse function
@@ -112,6 +81,8 @@ const RestAdapter = function (srv) {
           throw cds.error(`INVALID_${req.method}`, { statusCode: 400, code: '400' }) // FIXME: better i18n + use res.status
         }
 
+        // REVISIT: empty object length is not 0
+        // REVISIT: also check for POST?
         // check for empty payload body
         if (req.headers['content-length'] === '0') {
           res.status(400).json({ error: { message: 'Malformed patch document', statusCode: 400, code: '400' } })
@@ -129,6 +100,7 @@ const RestAdapter = function (srv) {
 
   // -----------------------------------------------------------------------------------------
   // begin tx
+  //
   router.use((req, res, next) => {
     // REVISIT: -> move to actual handler(s)
     const tenant = req.tenant || req.user?.tenant
@@ -140,23 +112,49 @@ const RestAdapter = function (srv) {
   // -----------------------------------------------------------------------------------------
   // Actual handlers for HEAD, GET, PUT, POST, PATCH, DELETE
   //
-  router.head('/*', (req, res, next) => {
-    read(req, res, next) // REVISIT: HEAD is doing a full read ?
-  })
-  router.post('/*', (req, res, next) => {
-    if (req._operation) operation(req, res, next)
-    else create(req, res, next)
-  })
-  router.get('/*', (req, res, next) => {
-    if (req._operation) operation(req, res, next)
-    else read(req, res, next)
+  const operation = operation_factory(srv)
+  const create = create_factory(srv)
+  const read = read_factory(srv)
+  const update = update_factory(srv)
+  const deleet = delete_factory(srv)
+  router.use(async (req, res, next) => {
+    try {
+      let result, status, location
+
+      if (req._operation) {
+        // actions and functions
+        ;({ result, status } = await operation(req, res))
+      } else {
+        // CRUD
+        switch (req.method) {
+          case 'POST':
+            ;({ result, status, location } = await create(req))
+            break
+          case 'HEAD':
+          case 'GET':
+            ;({ result, status } = await read(req))
+            break
+          case 'PUT':
+          case 'PATCH':
+            ;({ result, status } = await update(req))
+            break
+
+          case 'DELETE':
+            ;({ result, status } = await deleet(req))
+            break
+        }
+      }
+
+      req._result = { result, status, location }
+      return next()
+    } catch (e) {
+      next(e)
+    }
   })
-  router.put('/*', update)
-  router.patch('/*', update)
-  router.delete('/*', (req, res, next) => deleet(req, res).then(next).catch(next))
 
   // -----------------------------------------------------------------------------------------
   // end tx (i.e., commit or rollback)
+  //
   router.use(async (req, res, next) => {
     const { result, status, location } = req._result // REVISIT: Ugly voodoo _req._result channel -> eliminate
 
@@ -170,10 +168,12 @@ const RestAdapter = function (srv) {
     // if authentication or something else within the processing of a cds.Request terminates the request, no need to continue
     if (res.headersSent) return
 
-
     // convert binaries
     let definition = req._operation || req._query.__target
-    if (typeof definition === 'string') definition = srv.model.definitions[definition] || srv.model.definitions[definition.split(':$:')[0]].actions[definition.split(':$:')[1]]
+    if (typeof definition === 'string')
+      definition =
+        srv.model.definitions[definition] ||
+        srv.model.definitions[definition.split(':$:')[0]].actions[definition.split(':$:')[1]]
     if (result && srv && definition) bufferToBase64(result, srv, definition)
 
     // only set status if not yet modified
@@ -193,6 +193,7 @@ const RestAdapter = function (srv) {
 
   // -----------------------------------------------------------------------------------------
   // error handling
+  //
   router.use(async (err, req, res, next) => {
     // REVISIT: should not be neccessary!
     // request may fail during processing or during commit -> both caught here
@@ -204,7 +205,7 @@ const RestAdapter = function (srv) {
   })
 
   if (!cds.env.features.rest_error_handler) {
-    router.use(error) // FIXME: nope -> call next()
+    router.use(error_factory(srv)) // FIXME: nope -> call next()
   }
 
   return router

package/libx/rest/middleware/create.js

@@ -8,35 +8,29 @@ const _error4 = rejected =>
     ? Object.assign(new Error('MULTIPLE_ERRORS'), { details: rejected.map(r => r.reason) })
     : rejected[0].reason
 
-module.exports = async (_req, _res, next) => {
-  const { _srv: srv, _query: query, _target, _data, _params } = _req
+module.exports = srv => async _req => {
+  const { _query: query, _target, _data, _params } = _req
 
   let result, location
 
-  // unfortunately, express doesn't catch async errors -> try catch needed
-  try {
-    // add the data
-    query.entries(_data)
-    if (query.INSERT.entries.length > 1) {
-      // > batch insert
-      const reqs = query.INSERT.entries.map(
-        entry => new RestRequest({ query: INSERT.into(query.INSERT.into).entries(entry), _target, params: _params })
-      )
-      const ress = await Promise.allSettled(reqs.map(req => srv.dispatch(req)))
-      const rejected = ress.filter(r => r.status === 'rejected')
-      if (rejected.length) throw _error4(rejected)
-      result = ress.map(r => r.value)
-    } else {
-      // > single insert
-      const req = new RestRequest({ query, _target, params: _params })
-      result = await srv.dispatch(req)
-      location = `../${req.entity.replace(srv.name + '.', '')}` // REVISIT: Is it guaranteed that the GET works? Why do we need relative urls?
-      for (const k in req.target.keys) location += `/${result[k]}`
-    }
-  } catch (e) {
-    return next(e)
+  // add the data
+  query.entries(_data)
+  if (query.INSERT.entries.length > 1) {
+    // > batch insert
+    const reqs = query.INSERT.entries.map(
+      entry => new RestRequest({ query: INSERT.into(query.INSERT.into).entries(entry), _target, params: _params })
+    )
+    const ress = await Promise.allSettled(reqs.map(req => srv.dispatch(req)))
+    const rejected = ress.filter(r => r.status === 'rejected')
+    if (rejected.length) throw _error4(rejected)
+    result = ress.map(r => r.value)
+  } else {
+    // > single insert
+    const req = new RestRequest({ query, _target, params: _params })
+    result = await srv.dispatch(req)
+    location = `../${req.entity.replace(srv.name + '.', '')}` // REVISIT: Is it guaranteed that the GET works? Why do we need relative urls?
+    for (const k in req.target.keys) location += `/${result[k]}`
   }
 
-  _req._result = { result, status: 201, location } // REVISIT: Do a res.status(201).send(...) instead
-  next()
+  return { result, status: 201, location }
 }

package/libx/rest/middleware/delete.js

@@ -1,12 +1,14 @@
 const RestRequest = require('../RestRequest')
 
-module.exports = async _req => {
-  const { _srv: srv, _query: query, _target, _data, _params } = _req
+module.exports = srv => async _req => {
+  const { _query: query, _target, _data, _params } = _req
 
   const req = new RestRequest({ query, _target, params: _params, data: _data })
+
   // req.data is filled with keys during read and delete
   if (_params) req.data = Object.assign(_data, _params[_params.length - 1]) // REVISIT: We should avoid that!
 
   await srv.dispatch(req)
-  _req._result = { result: null, status: 204 } // REVISIT: Ugly voodoo _re._result channel -> eliminate
+
+  return { result: null, status: 204 }
 }

package/libx/rest/middleware/error.js

@@ -12,6 +12,7 @@ const i18n = (...args) => {
 const { normalizeError, isClientError } = require('../../_runtime/common/error/frontend')
 
 const _log = err => {
+  // REVISIT: how does level behave compared to _log in (legacy) odata adapter?
   const level = isClientError(err) ? 'warn' : 'error'
   if ((level === 'warn' && !LOG._warn) || (level === 'error' && !LOG._error)) return
 
@@ -36,9 +37,7 @@ const _log = err => {
 }
 
 // eslint-disable-next-line no-unused-vars
-module.exports = (err, req, res, next) => {
-  const { _srv: srv } = req
-
+module.exports = srv => (err, req, res, next) => {
   // REVISIT: invoking service.on('error') handlers needs a cleanup with new protocol adapters!!!
   // invoke srv.on('error', function (err, req) { ... }) here in special situations
   let ctx = cds.context

package/libx/rest/middleware/input.js

@@ -30,16 +30,16 @@ const _processorFn = errors => {
 
 const _cache = req => `rest-input;skip-key-validation:${req.method !== 'POST'}`
 
-module.exports = (req, res, next) => {
-  const { _srv, _query, _data, _operation } = req
+module.exports = srv => (req, res, next) => {
+  const { _query, _data, _operation } = req
   let definition = _operation || _query.__target
-  if (typeof definition === 'string') definition = _srv.model.definitions[definition] || _srv.model.definitions[definition.split(':$:')[0]].actions[definition.split(':$:')[1]]
+  if (typeof definition === 'string') definition = srv.model.definitions[definition] || srv.model.definitions[definition.split(':$:')[0]].actions[definition.split(':$:')[1]]
 
-  if (!(_data && _srv && definition)) return next()
+  if (!(_data && srv && definition)) return next()
 
   const errors = []
 
-  const template = getTemplate(_cache(req), _srv, definition, { pick: _picker(req) })
+  const template = getTemplate(_cache(req), srv, definition, { pick: _picker(req) })
   if (template && template.elements.size) {
     const rows = Array.isArray(_data) ? _data : [_data]
     for (const row of rows) {