@sap/cds 7.4.2 → 7.5.1

package/lib/auth/index.js

@@ -1,38 +1,60 @@
-const cds = require ('../index'), { path, local } = cds.utils
-
-const _require = require; require = cds.lazified (module) // eslint-disable-line no-global-assign
-module.exports = Object.assign (auth_factory, {
-  mocked: require('./basic-auth'),
-  basic:  require('./basic-auth'),
-  dummy:  require('./dummy-auth'),
-  ias:    require('./ias-auth'),
-  jwt:    require('./jwt-auth'),
-  xsuaa:  require('./jwt-auth'),
-})
-require = _require // eslint-disable-line no-global-assign
+const cds = require ('../index')
+
+const _builtin = {
+  mocked: 'basic-auth',
+  basic:  'basic-auth',
+  ias:    'ias-auth',
+  jwt:    'jwt-auth',
+  xsuaa:  'jwt-auth',
+  dummy:  'dummy-auth',
+}
+for (let b in _builtin)  _builtin[b+'-auth'] = _builtin[b]
+
 
 /**
- * Constructs one of the above middlewares as configured
+ * Constructs auth middlewares as configured
  */
-function auth_factory (options) {
-  const o = { ...options, ...cds.requires.auth }
-  let kind = o.impl ? 'custom' : o.kind || o.strategy
-  let middleware = cds.auth[kind] || cds.auth[kind?.replace(/-auth$/, '')]
-  if (middleware) {
-    // REVISIT: here, kind may be misleading, e.g., "basic-auth" instead of "mocked" -> _kind workaround
-    const _kind = (o._kind || kind).replace(/-auth$/, '') //> official auth kinds are NOT postfixed with "-auth"
-    cds.log().info ('using authentication:', { kind: _kind }, '\n')
-  } else {
-    let impl = kind === 'custom' ? cds.resolve (o.impl)?.[0] : path.resolve (__dirname, kind)
-    try { impl = require.resolve (impl) }  catch {
-      const e = o.impl ? `Cannot find custom impl at: ${o.impl}` : `Cannot find unknown auth kind: ${o.kind}`
-      throw cds.error(e)
-    }
-    cds.log().info ('using authentication:', { kind, impl: local(impl) }, '\n')
-    middleware = require(impl)
-  }
-  if ((typeof middleware === 'function' && middleware.length === 3) || Array.isArray(middleware)) {
-    return middleware
+module.exports = function auth_factory (o) {
+
+  // prepare options
+  const options = { ...o, ...cds.requires.auth }
+  let { kind, impl } = options
+
+  // if no impl is given, it's a built-in strategy
+  if (!impl) impl = __dirname + '/' + _builtin[kind]
+  else if (kind in _builtin) kind = 'custom'
+  // NOTE:                   ^^^^^^^^^^^^^^^
+  // This is a workaround to avoid displaying kind:'mocked-auth'
+  // from [development] defaults with impl: './custom-auth'
+  // from cds.requires.auth in the log or error output below.
+
+  // try resolving the impl, throw if not found
+  const config = { kind, impl: cds.utils.local(impl) }
+  // use cds.resolve() to allow './srv/auth.js' and 'srv/auth.js'
+  try { impl = require.resolve (cds.resolve (impl)?.[0], {paths:[cds.root]}) } catch {
+    throw cds.error `Didn't find auth implementation for ${config}`
   }
-  return middleware(o)
+
+  // load the auth middleware from the resolved path
+  cds.log().info ('using auth strategy', config, '\n')
+  let auth = require (impl)
+
+  // if auth is a factory itself, call it to get the middleware
+  if (typeof auth === 'function' && auth.length < 3) auth = auth(options)
+
+  // return the auth middleware followed by a middleware to fill in cds.context
+  return [ auth, ctx_auth ]
 }
+
+/**
+ * Propagate user and tenant from req to cds.context
+ */
+function ctx_auth (req, res, next) {
+  const ctx = cds.context
+  ctx.user = req.user
+  ctx.tenant = req.tenant || ctx.user?.tenant
+  next()
+}
+
+// export ctx_auth for legacy protocol adapter -> remove with cds^8
+module.exports._ctx_auth = ctx_auth

package/lib/auth/jwt-auth.js

@@ -3,76 +3,79 @@ const LOG = cds.log('auth')
 
 // _require for better error message
 const _require = require('../../libx/_runtime/common/utils/require')
-const express = _require('express')
-const passport = _require('passport')
-const { JWTStrategy } = _require('@sap/xssec')
+const xssec = _require('@sap/xssec')
 
 module.exports = function jwt_auth(config) {
-  if (!config.credentials) {
-    let msg = `Authentication kind "${config.kind}" configured, but no XSUAA instance bound to application.`
+  const { kind, credentials } = config
+
+  if (!credentials) {
+    let msg = `Authentication kind "${kind}" configured, but no XSUAA instance bound to application.`
     msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
     throw new Error(msg)
   }
 
-  passport.use('JWT', new JWTStrategy(config.credentials))
-
-  return express
-    .Router()
-    .use((req, res, next) => {
-      // callback needed in order to suppress 401 and continue with anonymous to allow @requires: 'any'/ restrict_all_services=false
-      const callback = (err, user, info, _status) => {
-        if (err) return next(err)
-
-        if (user) {
-          req.user = user
-          req.authInfo = info
-        } else {
-          req.user = new cds.User.default
-          if (LOG._debug && req.tokenInfo)
-            LOG.debug('Error during token validation:', req.tokenInfo.getErrorObject().message)
-        }
+  function getUser(tokenInfo) {
+    const payload = tokenInfo.getPayload()
 
-        next()
-      }
-      passport.authenticate('JWT', { session: false }, callback)(req, res, next)
-    })
-    .use((req, res, next) => {
-      if (!('authInfo' in req)) return next()
+    let id = payload.user_name
 
-      const payload = req.tokenInfo.getPayload()
+    // Roles = scope names w/o xsappname
+    const xsappname = new RegExp(`^${credentials.xsappname}\\.`)
+    let roles = payload.scope.map(s => s.replace(xsappname, ''))
 
-      let id = req.user.id
+    // Disallow setting system roles from external
+    roles = roles.filter(r => !(r in { 'internal-user': 1, 'system-user': 1 }))
 
-      // Roles = scope names w/o xsappname
-      let xsappname = new RegExp(`^${config.credentials.xsappname}\\.`)
-      let roles = payload.scope.map(s => s.replace(xsappname, ''))
+    if (payload.grant_type in { client_credentials: 1, client_x509: 1 }) {
+      id = 'system'
+      roles.push('system-user')
+      if (tokenInfo.getClientId() === credentials.clientid) roles.push('internal-user')
+    }
 
-      // Disallow setting system roles from external
-      roles = roles.filter(r => !(r in { 'internal-user': 1, 'system-user': 1 }))
+    const attr = Object.assign({}, payload['xs.user.attributes'])
+    if (kind === 'xsuaa') {
+      attr.logonName = payload.user_name
+      attr.givenName = payload.given_name
+      attr.familyName = payload.family_name
+      attr.email = payload.email
+    }
 
-      roles.push('identified-user')
-      if (payload.grant_type) {
-        // > not "weak"
-        roles.push('authenticated-user')
+    return new cds.User({ id, roles, attr })
+  }
 
-        if (payload.grant_type in { client_credentials: 1, client_x509: 1 }) {
-          id = 'system'
-          roles.push('system-user')
-          if (req.tokenInfo.getClientId() === config.credentials.clientid) roles.push('internal-user')
-        }
+  return (req, _, next) => {
+    const token = req.headers.authorization?.split(/^bearer /i)[1]
+    xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
+      if (err && !tokenInfo) {
+        // here, there is a general problem, .e.g., bad credentials -> throw the error
+        return next(err)
       }
 
-      let attr = req.authInfo.getAttributes() || {}
-      if (config.kind === 'xsuaa') {
-        attr.logonName = req.authInfo.getLogonName()
-        attr.givenName = req.authInfo.getGivenName()
-        attr.familyName = req.authInfo.getFamilyName()
-        attr.email = req.authInfo.getEmail()
+      if (err && LOG._debug) LOG.debug('User could not be authenticated due to error:', err)
+
+      // if no general problem, tokenInfo object is always available -> add to req via getter for compat reasons
+      Object.defineProperty(req, 'tokenInfo', {
+        get() {
+          cds._logDeprecation('req.tokenInfo was added for compatibility purposes but will be removed in the next major version.')
+          return tokenInfo
+        }
+      })
+
+      if (!securityContext) {
+        if (!req.headers.authorization) {
+          LOG._debug && LOG.debug('No authorization header provided, continuing with default user.')
+          req.user = new cds.User.default()
+          return next()
+        }
+        return next(new cds.error('Unauthorized', { statusCode: 401 }))
       }
 
-      req.user = new cds.User({ id, roles, attr })
-      req.tenant = req.tokenInfo.getZoneId?.()
+      req.user = getUser(tokenInfo)
+      req.tenant = tokenInfo.getZoneId()
+
+      req.authInfo = securityContext //> compat req.authInfo
 
       next()
     })
+  }
 }

package/lib/compile/cdsc.js

@@ -63,8 +63,8 @@ const _options = {for: Object.assign (_options4, {
 
   sql(o,_env) {
     // REVISIT: compiler requires to only provide assertIntegrityType if defined
-    let assertIntegrity = cds.env.features.assert_integrity
-    let constraints = assertIntegrity && { assertIntegrityType: cds.env.features.assert_integrity_type }
+    let { assert_integrity } = cds.env.features
+    let constraints = assert_integrity && { assertIntegrityType: assert_integrity.toUpperCase() }
     return _options4 ({ ...constraints, ..._env||cds.env.sql, ...o }, {
       sql_mapping  : 'names', //> legacy
       sqlDialect   : 'dialect', //> legacy

package/lib/compile/to/edm.js

@@ -3,12 +3,12 @@ const cds = require ('../../index')
 
 if (cds.env.features.precompile_edms !== false) {
   const _precompiled = new WeakMap
+  const to_edm = cdsc.to.edm
   cdsc.to.edm = Object.assign((csn, o) => {
-    if (o.to === 'openapi') return cdsc.to.edm.all(csn, o)[o.service]
+    if (o.to === 'openapi') return to_edm(csn, o)
     if (!_precompiled.has(csn)) {
-      // only for services that are served via odata
-      const serviceNames = o.serviceNames || Object.values(csn.definitions).filter(d => d.kind === 'service' && d.endpoints?.some(e => e.kind.match(/odata/i))).map(d => d.name)
-      _precompiled.set(csn, cdsc.to.edm.all(csn, Object.assign({ serviceNames }, o)))
+      if (!o.serviceNames) o = { ...o, serviceNames: cds.linked(csn).services.filter(srv => srv._serves_odata).map(d => d.name) }
+      _precompiled.set(csn, cdsc.to.edm.all(csn, o))
     }
     return _precompiled.get(csn)[o.service]
   }, { all: cdsc.to.edm.all })

package/lib/compile/to/hdbtabledata.js

@@ -2,13 +2,9 @@ const cds = require('../../../lib')
 const { getElementCdsPersistenceName, getArtifactCdsPersistenceName } = require('@sap/cds-compiler')
 const { fs, path, isdir, csv } = cds.utils
 const { readdir } = fs.promises
-let logger = cds.log('cds')
+let LOG = cds.log('hdbtabledata|build|all')
 
 module.exports = async (model, options = {}) => {
-  if (options.logger) {
-    logger = options.logger
-  }
-
   model = cds.minify(model)
   const baseDir = options.baseDir  // where the hdbtabledata will be located, for usage in the file_name path
   const dirs = Array.isArray(options.dirs) ? options.dirs : _csvDirs(model.$sources.map(path.dirname))
@@ -36,7 +32,7 @@ async function _tabledata4(dir, csvFile, model, baseDir, naming) {
       .filter(name => !name.startsWith('localized.'))
       .find(name => name.toLowerCase().includes(entityName.toLowerCase()))
     if (candidate) message += `. Did you mean '${candidate}'?`
-    return logger.warn(`[hdbtabledata] ${message}`)
+    return LOG.warn(`[hdbtabledata] ${message}`)
   }
 
   const tableName = getArtifactCdsPersistenceName(entity.name, naming, model, 'hana')
@@ -95,7 +91,7 @@ function _entity4(name, csn) {
     }
     return
   }
-  if (entity['@cds.persistence.skip'] === true) return logger.warn(`[hdbtabledata] exclude skipped entity '${name}'`)
+  if (entity['@cds.persistence.skip'] === true) return LOG.warn(`[hdbtabledata] exclude skipped entity '${name}'`)
   const p = entity.query && entity.query.SELECT || entity.projection
   if (p) {
     let from = p.from
@@ -120,6 +116,7 @@ function _csvDirs(sources) {
   return folders
 }
 
+
 function _csvs(filename, _, allFiles) {
   if (filename[0] === '-' || !filename.endsWith('.csv')) return false
   // ignores 'Books_texts.csv' if there is any 'Books_texts_LANG.csv'
@@ -127,7 +124,7 @@ function _csvs(filename, _, allFiles) {
     const basename = RegExp.$1
     const monoLangFiles = allFiles.filter(file => new RegExp(basename + '_texts_').test(file))
     if (monoLangFiles.length > 0) {
-      logger._debug && logger.debug(`[hdbtabledata] ignoring '${filename}' in favor of [${monoLangFiles}]`)
+      LOG.debug(`[hdbtabledata] ignoring '${filename}' in favor of [${monoLangFiles}]`)
       return false
     }
   }

package/lib/compile/to/srvinfo.js

@@ -1,6 +1,6 @@
 
 const cds = require('../..')
-const { isfile, path: { join, posix: { normalize } } } = cds.utils
+const { isfile, path: { join } } = cds.utils
 
 // Produces information on provided services in the model:
 //   name, expected URL path at runtime,...
@@ -37,7 +37,7 @@ module.exports = (model, options={}) => {
   function _makeNode(service) {
     return {
       name: service.name,
-      urlPath: _url4 (cds.service.path4(service)),
+      urlPath: _url4 (cds.service.protocols.path4(service)),
       destination: 'srv-api', // the name to register in xs-app.json
       runtime: 'Node.js',
       location: service.$location

package/lib/env/cds-env.js

@@ -1,7 +1,6 @@
 const { isdir, isfile, fs, path } = require('../utils/cds-utils')
 const DEFAULTS = require('./defaults'), defaults = require.resolve ('./defaults')
 const compat = require('./compat')
-const presets = require('./presets')
 const serviceBindings = require('./serviceBindings');
 
 
@@ -88,10 +87,6 @@ class Config {
     // Complete service configurations from cloud service bindings
     this._add_cloud_service_bindings(process.env)
 
-    // Apply presets
-    presets (this)
-
-
     // Only if feature is enabled
     if (this.features && this.features.emulate_vcap_services) {
       this._emulate_vcap_services()
@@ -127,8 +122,7 @@ class Config {
 
 
   get plugins() {
-    let DEV = this._profiles.has('development')
-    return super.plugins = require('../plugins').fetch(DEV)
+    return super.plugins = require('../plugins').fetch()
   }
 
 
@@ -390,7 +384,7 @@ class Config {
       _fetch ({ type: conf.dialect || conf.kind })
 
     function _fetch (predicate) {
-      for (let k of Object.keys(predicate).reverse()) {
+      for (let k in predicate) {
         const v = predicate[k]; if (!v) continue
         const filter = k === 'tag' ? e => _array(e,'tags').includes(v) : e => e[k] === v
         for (let stype in vcaps) {
@@ -472,7 +466,7 @@ function _merge (dst, src, _profiles) {
     }
 
     const v = pd.value
-    if (typeof v === 'object' && !Array.isArray(v)) {
+    if (typeof v === 'object' && !Array.isArray(v) && v != null) {
       if (!dst[p]) dst[p] = {}
       if (typeof dst[p] !== 'object') dst[p] = v
       else _merge (dst[p], v, _profiles)

package/lib/env/cds-requires.js

@@ -14,7 +14,6 @@ exports = module.exports = {
     '[production]': { kind: 'jwt-auth' }
   },
 
-
   /**
    * This is the implementation for `cds.requires` which is `cds.env.requires`
    * plus additional entries for all cds.required.<name>.service
@@ -36,18 +35,16 @@ exports = module.exports = {
 
 const admin = [ 'cds.Subscriber', 'admin' ]
 const builder = [ 'cds.ExtensionDeveloper', 'cds.UIFlexDeveloper' ]
-
 const _authentication_strategies = {
 
   "basic-auth": {
-    kind: 'basic-auth', // this is to override kind from cds.requires.auth
-    strategy: 'mock', // REVISIT: Can be removed when we switch to new auth middlewars
+    kind: 'basic',
     users: {},
     tenants: {}
   },
   "mocked-auth": {
-    _kind: 'mocked', // REVISIT: workaround to distinguish from 'basic-auth' (cf. restrict_all_services)
-    kind: 'basic-auth',
+    restrict_all_services: false,
+    kind: 'mocked',
     users: {
       alice: { tenant: 't1', roles: [ ...admin ] },
       bob:   { tenant: 't1', roles: [ ...builder ] },
@@ -65,25 +62,30 @@ const _authentication_strategies = {
     }
   },
   "jwt-auth": {
-    strategy: 'JWT', // REVISIT: Can be removed when we switch to new auth middlewars
-    kind: 'jwt-auth',
+    kind: 'jwt',
     vcap: { label: 'xsuaa' }
   },
   "ias-auth": {
-    kind: 'ias-auth',
+    kind: 'ias',
     vcap: { label: 'identity' }
   },
-  "xsuaa": { // CLARIFY why is this not -auth postfixed?
-    strategy: 'xsuaa', // REVISIT: Can be removed when we switch to new auth middlewars
+  "xsuaa-auth": {
     kind: 'xsuaa',
     vcap: { label: 'xsuaa' }
   },
   "dummy-auth": {
-    strategy: 'dummy', // REVISIT: Can be removed when we switch to new auth middlewars
+    kind: 'dummy',
   },
 
 }
 
+for (let each of Object.values(_authentication_strategies)) {
+  Object.defineProperty (each, 'strategy', {get() {
+    if (process.env.NODE_ENV !== 'production') console.trace('WARNING: auth.strategy is deprecated, use auth.kind instead')
+    return { jwt: 'JWT', mocked: 'mock' }[this.kind] || this.kind
+  }})
+}
+
 
 const _services = {
 
@@ -127,7 +129,6 @@ const _databases = {
     impl: `${_runtime}/sqlite/Service.js`,
     credentials: { url: 'db.sqlite' },
   },
-
   "better-sqlite": {
     credentials: { url: ":memory:" },
     impl: "@cap-js/sqlite",
@@ -162,16 +163,14 @@ const _databases = {
 
 const _outbox = {
 
-  outbox: {
-    kind: "persistent-outbox",
-    parallel: true
-  },
+  outbox: "persistent-outbox",
 
   "in-memory-outbox": {},
   "persistent-outbox": {
     model: "@sap/cds/srv/outbox",
     maxAttempts: 20,
     chunkSize: 100,
+    parallel: true,
     storeLastError: true
   }
 

package/lib/env/compat.js

@@ -7,15 +7,6 @@ module.exports = function (conf) {
       set(x) { _.log.levels.cli = x },
     },
 
-    auth: {value:{
-      get passport() {
-        return _.requires.auth
-      },
-      set passport(v) {
-        _.requires.auth = v
-      }
-    }},
-
     data: {value:{
       get model(){
         const db = _.requires.db;  if (!db)  return undefined

package/lib/env/defaults.js

@@ -5,8 +5,6 @@ const defaults = module.exports = {
 
   production,
 
-  cov2ap: false, // REVISIT: workaround for bug in @cap-js-community/odata-v2-adapter/cds-plugin -> cds/tests/_runtime/remote/__tests__/integration/mocked-v2-consumption/v2.test.js
-
   requires: require('./cds-requires'),
 
   server: {
@@ -14,6 +12,13 @@ const defaults = module.exports = {
     port: 4004,
   },
 
+  protocols: {
+    'odata-v4' : { path: '/odata/v4' },
+    'odata-v2' : { path: '/odata/v2' },
+    'rest' : { path: '/rest' },
+    'hcql' : { path: '/hcql' },
+  },
+
   // kept for backwards compatibility
   schemas: {
     'cds-rc.json': join(__dirname, 'schemas/cds-rc.json'),
@@ -56,21 +61,27 @@ const defaults = module.exports = {
 
   log: {
     Logger: undefined, //> use default
+    '[development]': { format: 'plain' },
+    '[production]': { format: 'json' },
     levels: {
       compile: 'warn',
       cli: 'warn',
       deploy: 'info',
       serve:  'info',
-      server: 'info',
+      server: 'info'
     },
     service: false,
+    // the rest is only applicable for the json formatter
+    user: false,
+    mask_headers: ['/authorization/i', '/cookie/i'],
+    aspects: ['./aspects/cf', './aspects/als'], //> EXPERIMENTAL!!!
     // adds custom fields in kibana's error rendering (unknown fields are ignored); key: index
-    kibana_custom_fields: {
+    // note: custom fields are a feature of Application Logging Service (ALS) and not Kibana per se
+    als_custom_fields: {
       // sql
       query: 0,
       // generic validations
-      target: 1,
-      details: 2
+      target: 1, details: 2
     }
   },