@sap/cds 7.6.3 → 7.7.0

package/libx/common/assert/type.js

@@ -0,0 +1,109 @@
+const { cds } = global
+
+const { Readable } = require('stream')
+
+const { getNormalizedDecimal, getTarget, isBase64String } = require('./utils')
+
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i //> "i" is acutally not OK, but we'll leave as is for now to avoid breaking changes
+const RELAXED_UUID_REGEX = /^[0-9a-z]{8}-?[0-9a-z]{4}-?[0-9a-z]{4}-?[0-9a-z]{4}-?[0-9a-z]{12}$/i
+
+const ISO_DATE_PART1 =
+  '[1-9]\\d{3}-(?:(?:0[1-9]|1[0-2])-(?:0[1-9]|1\\d|2[0-8])|(?:0[13-9]|1[0-2])-(?:29|30)|(?:0[13578]|1[02])-31)'
+const ISO_DATE_PART2 = '(?:[1-9]\\d(?:0[48]|[2468][048]|[13579][26])|(?:[2468][048]|[13579][26])00)-02-29'
+const ISO_DATE = `(?:${ISO_DATE_PART1}|${ISO_DATE_PART2})`
+const ISO_TIME_NO_MILLIS = '(?:[01]\\d|2[0-3]):[0-5]\\d:[0-5]\\d'
+const ISO_TIME = `${ISO_TIME_NO_MILLIS}(?:\\.\\d{1,9})?`
+const ISO_DATE_TIME = `${ISO_DATE}T${ISO_TIME_NO_MILLIS}(?:Z|[+-][01]\\d:?[0-5]\\d)`
+const ISO_TIMESTAMP = `${ISO_DATE}T${ISO_TIME}(?:Z|[+-][01]\\d:?[0-5]\\d)`
+const ISO_DATE_REGEX = new RegExp(`^${ISO_DATE}$`, 'i')
+const ISO_TIME_NO_MILLIS_REGEX = new RegExp(`^${ISO_TIME_NO_MILLIS}$`, 'i')
+const ISO_DATE_TIME_REGEX = new RegExp(`^${ISO_DATE_TIME}$`, 'i')
+const ISO_TIMESTAMP_REGEX = new RegExp(`^${ISO_TIMESTAMP}$`, 'i')
+
+const _checkString = value => typeof value === 'string'
+
+const _checkNumber = value => typeof value === 'number' && !Number.isNaN(value)
+
+const _oldCheckDecimal = (value, element) => {
+  const [left, right] = String(value).split('.')
+  return (
+    _checkNumber(value) &&
+    (!element.precision || left.length <= element.precision - (element.scale || 0)) &&
+    (!element.scale || ((right || '').length <= element.scale && parseFloat(right) !== 0))
+  )
+}
+
+// REVISIT: only use a cheaper check if not in strictDecimal mode?
+const _checkDecimal = (v, ele, errs, path, k) => {
+  if (!errs) return _oldCheckDecimal(v, ele)
+
+  const { precision, scale } = ele
+  let val = getNormalizedDecimal(v)
+  if (precision != null && scale != null) {
+    let isValid = true
+    if (!val.match(/\./)) val += '.0'
+    if (precision === scale) {
+      if (!val.match(new RegExp(`^-?0\\.\\d{0,${scale}}$`, 'g'))) isValid = false
+    } else if (scale === 0) {
+      if (!val.match(new RegExp(`^-?\\d{1,${precision - scale}}\\.0{0,1}$`, 'g'))) isValid = false
+    } else if (!val.match(new RegExp(`^-?\\d{1,${precision - scale}}\\.\\d{0,${scale}}$`, 'g'))) {
+      isValid = false
+    }
+    if (!isValid) {
+      const args = [v, `Decimal(${precision},${scale})`]
+      const target = getTarget(path, k)
+      errs.push(new cds.error('ASSERT_DATA_TYPE', { args, target, statusCode: 400, code: '400' }))
+    }
+  } else if (precision != null) {
+    if (!val.match(new RegExp(`^-?\\d{1,${precision}}$`, 'g'))) {
+      const args = [v, `Decimal(${precision})`]
+      const target = getTarget(path, k)
+      errs.push(new cds.error('ASSERT_DATA_TYPE', { args, target, statusCode: 400, code: '400' }))
+    }
+  }
+}
+
+const _checkInt = value => _checkNumber(value) && parseInt(value, 10) === value
+
+const _checkInt64 = value => typeof value === 'string' ? value.match(/^\d+$/) : _checkInt(value)
+
+const _checkBoolean = value => typeof value === 'boolean'
+
+const _checkBuffer = value => Buffer.isBuffer(value) || value.type === 'Buffer' || isBase64String(value)
+
+const _checkStreamOrBuffer = value => value instanceof Readable || _checkBuffer(value)
+
+const _checkUUID = value => _checkString(value) && UUID_REGEX.test(value)
+
+const _checkRelaxedUUID = value => _checkString(value) && RELAXED_UUID_REGEX.test(value)
+
+const _checkISODate = value => (_checkString(value) && ISO_DATE_REGEX.test(value)) || value instanceof Date
+
+const _checkISOTime = value => _checkString(value) && ISO_TIME_NO_MILLIS_REGEX.test(value)
+
+const _checkISODateTime = value => (_checkString(value) && ISO_DATE_TIME_REGEX.test(value)) || value instanceof Date
+
+const _checkISOTimestamp = value => (_checkString(value) && ISO_TIMESTAMP_REGEX.test(value)) || value instanceof Date
+
+module.exports = {
+  'cds.UUID': _checkUUID,
+  'relaxed.UUID': _checkRelaxedUUID,
+  'cds.Boolean': _checkBoolean,
+  'cds.Integer': _checkInt,
+  'cds.UInt8': _checkInt,
+  'cds.Int16': _checkInt,
+  'cds.Int32': _checkInt,
+  'cds.Integer64': _checkInt64,
+  'cds.Int64': _checkInt64,
+  'cds.Decimal': _checkDecimal,
+  'cds.DecimalFloat': _checkNumber,
+  'cds.Double': _checkNumber,
+  'cds.Date': _checkISODate,
+  'cds.Time': _checkISOTime,
+  'cds.DateTime': _checkISODateTime,
+  'cds.Timestamp': _checkISOTimestamp,
+  'cds.String': _checkString,
+  'cds.Binary': _checkBuffer,
+  'cds.LargeString': _checkString,
+  'cds.LargeBinary': _checkStreamOrBuffer
+}

package/libx/common/assert/utils.js

@@ -0,0 +1,125 @@
+function getNested(k, obj) {
+  let cur = obj
+  let p = ''
+  const parts = k.split('_')
+  while (parts.length) {
+    const q = parts.shift()
+    if (q in cur) {
+      cur = cur[q]
+      p = ''
+    } else {
+      p = p ? p + '_' + q : q
+      if (p in cur) {
+        cur = cur[p]
+        p = ''
+      } else {
+        if (Object.keys(cur).some(k => k.startsWith(p + '_'))) {
+          // continue for now as there's still a chance
+        } else {
+          // abort
+          return undefined
+        }
+      }
+    }
+  }
+  return cur[p] || cur !== obj ? cur : undefined
+}
+
+const getNormalizedDecimal = val => {
+  let v = `${val}`
+  const cgs = v.match(/^(\d*\.*\d*)e([+|-]*)(\d*)$/)
+  if (cgs) {
+    let [l, r = ''] = cgs[1].split('.')
+    const dir = cgs[2] || '+'
+    const exp = Number(cgs[3])
+    if (dir === '+') {
+      // move decimal point to the right
+      r = r.padEnd(exp, '0')
+      l += r.substring(0, exp)
+      r = r.slice(exp)
+      v = `${l}${r ? '.' + r : ''}`
+    } else {
+      // move decimal point to the left
+      l = l.padStart(exp, '0')
+      r = l.substring(0, exp) + r
+      l = l.slice(exp)
+      v = `${l ? l : '0'}.${r}`
+    }
+  }
+  return v
+}
+
+function getTarget(path, k) {
+  return path.length && path[path.length - 1].match(/\[\d+\]$/) ? path.join('/') : path.concat(k).join('/')
+}
+
+// non-strict mode also allows url-safe base64 strings
+function isBase64String(string, strict = false) {
+  if (typeof string !== 'string') return false
+
+  if (strict && string.length % 4 !== 0) return false
+
+  let length = string.length
+  if (string.endsWith('==')) length -= 2
+  else if (string.endsWith('=')) length -= 1
+
+  let char
+  for (let i = 0; i < length; i++) {
+    char = string[i]
+    if (char >= 'A' && char <= 'Z') continue
+    else if (char >= 'a' && char <= 'z') continue
+    else if (char >= '0' && char <= '9') continue
+    else if (char === '+' || char === '/') continue
+    else if (!strict && (char === '-' || char === '_')) continue
+    return false
+  }
+
+  return true
+}
+
+const resolveCDSType = ele => {
+  // REVISIT: when is ele._type not set and sufficient?
+  if (ele._type?.match(/^cds\./)) return ele._type
+  if (ele.type) {
+    if (ele.type.match(/^cds\./)) return ele.type
+    return resolveCDSType(ele.__proto__)
+  }
+  if (ele.items) return resolveCDSType(ele.items)
+  return ele
+}
+
+function resolveSegment(prev, obj, def) {
+  if (prev.keys) {
+    let keys = []
+    for (const k of prev.keys) {
+      let val
+      if (k in obj) val = obj[k]
+      else val = getNested(k, obj)
+      if (val == null) {
+        // in some cases, k is not given, e.g., POST into collection via navigation
+        // TODO: what to put in target? "null", "transient", ...?
+        if (k === 'IsActiveEntity')
+          keys.push(`${k}=false`) //> always false if not in obj as it must be a draft activate
+        else keys.push(`${k}=null`)
+      } else {
+        const type = resolveCDSType(def.elements[k])
+        if (type === 'cds.String') val = `'${val}'`
+        // TODO: more proper val encoding based on type
+        keys.push(`${k}=${val}`)
+      }
+    }
+    return `${prev.assoc}(${keys.join(',')})`
+  }
+  if (prev.index) {
+    return `${prev.prop}[${prev.index}]`
+  }
+}
+
+module.exports = {
+  getNested,
+  getNormalizedDecimal,
+  getTarget,
+  isBase64String,
+  resolveCDSType,
+  resolveSegment
+}

package/libx/common/assert/validation.js

@@ -0,0 +1,109 @@
+const { cds } = global
+
+const {
+  'cds.Date': checkISODate,
+  'cds.Time': checkISOTime,
+  'cds.DateTime': checkISODateTime,
+  'cds.Timestamp': checkISOTimestamp,
+  'cds.String': checkString
+} = require('./type')
+const { getTarget, resolveCDSType } = require('./utils')
+
+const _isNavigationColumn = (col, as) => col.ref?.length > 1 && (col.as === as || col.ref[col.ref.length - 1] === as)
+
+// REVISIT: mandatory is actually not the same as not null or empty string
+const _isNotFilled = val => val === null || val === undefined || (typeof val === 'string' && val.trim() === '')
+
+const _getEnumElement = ele => ((ele['@assert.range'] && ele.enum) || ele['@assert.enum'] ? ele.enum : undefined)
+
+const _enumValues = ele => {
+  return Object.keys(ele).map(enumKey => {
+    const enum_ = ele[enumKey]
+    const enumValue = enum_ && enum_.val
+    if (enumValue !== undefined) {
+      if (enumValue['=']) return enumValue['=']
+      if (enum_ && enum_.literal && enum_.literal === 'number') return Number(enumValue)
+      return enumValue
+    }
+    return enumKey
+  })
+}
+
+const _checkDateValue = (val, r1, r2) => {
+  const dateVal = new Date(val)
+  return (dateVal - new Date(r1)) * (dateVal - new Date(r2)) <= 0
+}
+
+const _toDate = val => `2000-01-01T${val}Z`
+
+const _checkInRange = (val, range, type) => {
+  switch (type) {
+    case 'cds.Date':
+      return checkISODate(val) && _checkDateValue(val, range[0], range[1])
+    case 'cds.DateTime':
+      return checkISODateTime(val) && _checkDateValue(val, range[0], range[1])
+    case 'cds.Timestamp':
+      return checkISOTimestamp(val) && _checkDateValue(val, range[0], range[1])
+    case 'cds.Time':
+      return checkISOTime(val) && _checkDateValue(_toDate(val), _toDate(range[0]), _toDate(range[1]))
+    default:
+      return (val - range[0]) * (val - range[1]) <= 0
+  }
+}
+
+// process.env.CDS_ASSERT_FORMAT_FLAGS is not official!
+const _checkRegExpFormat = (val, format) =>
+  checkString(val) && val.match(new RegExp(format, process.env.CDS_ASSERT_FORMAT_FLAGS || 'u'))
+
+const checkMandatory = (v, ele, errs, path, k) => {
+  // REVISIT: correct to not complain?
+  // do not complain about missing foreign keys in children
+  if (path.length && ele['@odata.foreignKey4']) return
+
+  // TODO: which case is this?
+  // do not complain about ???
+  if (ele.parent?.query?.SELECT?.columns?.find(col => _isNavigationColumn(col, ele.name))) return
+
+  if (!ele.default && _isNotFilled(v)) {
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_NOT_NULL', { target, statusCode: 400, code: '400' }))
+  }
+}
+
+const checkEnum = (v, ele, errs, path, k) => {
+  const enumElements = _getEnumElement(ele)
+  const enumValues = enumElements && _enumValues(enumElements)
+  if (enumElements && !enumValues.includes(v)) {
+    const args =
+      typeof v === 'string'
+        ? ['"' + v + '"', enumValues.map(ele => '"' + ele + '"').join(', ')]
+        : [v, enumValues.join(', ')]
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_ENUM', { args, target, statusCode: 400, code: '400' }))
+  }
+}
+
+const checkRange = (v, ele, errs, path, k) => {
+  const rangeElements = ele['@assert.range'] && !_getEnumElement(ele) ? ele['@assert.range'] : undefined
+  if (rangeElements && !_checkInRange(v, rangeElements, resolveCDSType(ele))) {
+    const args = [v, ...ele['@assert.range']]
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_RANGE', { args, target, statusCode: 400, code: '400' }))
+  }
+}
+
+const checkFormat = (v, ele, errs, path, k) => {
+  const formatElements = ele['@assert.format']
+  if (formatElements && !_checkRegExpFormat(v, formatElements)) {
+    const args = [v, formatElements]
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_FORMAT', { args, target, statusCode: 400, code: '400' }))
+  }
+}
+
+module.exports = {
+  checkMandatory,
+  checkEnum,
+  checkRange,
+  checkFormat
+}

package/libx/odata/index.js

@@ -1,11 +1,11 @@
-const cds = require('../_runtime/cds'),
-  { decodeURIComponent } = cds.utils
+const cds = require('../../')
 const { SELECT } = cds.ql
+const { decodeURIComponent } = cds.utils
 
-const odata2cqn = require('./parser').parse
-const cqn2odata = require('./cqn2odata')
+const odata2cqn = require('./parse/parser').parse
+const cqn2odata = require('./parse/cqn2odata')
 
-const afterburner = require('./afterburner')
+const afterburner = require('./parse/afterburner')
 const { getSafeNumber: safeNumber } = require('./utils')
 const getError = require('../_runtime/common/error')
 

package/libx/odata/middleware/create.js

@@ -0,0 +1,83 @@
+const cds = require('../../../')
+const { INSERT } = cds.ql
+
+const { toODataResult } = require('../utils/result')
+const { odataError, getKeysFromPath } = require('../utils')
+
+const { deepCopy } = require('../../_runtime/common/utils/copy')
+
+// REVISIT: move to or rewrite in libx/odata
+const { readAfterWrite } = require('../../_runtime/cds-services/adapter/odata-v4/utils/readAfterWrite')
+const metaInfo = require('../../_runtime/cds-services/adapter/odata-v4/utils/metaInfo')
+
+const _calculateLocationHeader = (target, srv, result) => {
+  const targetName = target.name.replace(`${srv.name}.`, '')
+
+  const keyValuePairs = Object.keys(target.keys).reduce((acc, key) => {
+    acc[key] = result[key]
+    return acc
+  }, {})
+
+  let keys
+  const entries = Object.entries(keyValuePairs)
+  if (entries.length === 1) {
+    keys = entries[0][1]
+  } else {
+    keys = entries.map(([key, value]) => `${key}=${value}`).join(',')
+  }
+
+  return `${targetName}(${keys})`
+}
+
+module.exports = srv =>
+  function create(req, res, next) {
+    const { _query: query } = req
+
+    const {
+      SELECT: { one, from }
+    } = query
+
+    if (one) {
+      const singleton = query.target._isSingleton
+      const error = odataError('405', `Method ${req.method} not allowed for ${singleton ? 'SINGLETON' : 'ENTITY'}`)
+      return res.status(405).json(error)
+    }
+
+    const data = deepCopy(req.body)
+
+    // add keys from url into payload (overwriting if already present)
+    Object.assign(data, getKeysFromPath(from, srv))
+
+    // assert payload
+    const assertOptions = { filter: true, http: { req }, mandatories: true }
+    const errs = cds.assert(data, query.target, assertOptions)
+    if (errs) {
+      if (errs.length === 1) throw errs[0]
+      throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
+    }
+
+    const insertQuery = INSERT.into(from).entries(data)
+
+    // we need the cds request, so we can access req._.readAfterWrite
+    const cdsReq = new cds.Request({ query: insertQuery })
+
+    // rewrite event for draft-enabled entities
+    if (query.target._isDraftEnabled) cdsReq.event = 'NEW'
+
+    return srv
+      .dispatch(cdsReq)
+      .then(async result => {
+        if (cdsReq._.readAfterWrite) {
+          // TODO see if in old odata impl for other checks that should happen
+          result = await readAfterWrite(cdsReq, srv, { operation: { result } })
+        }
+
+        if (result == null || req._preferReturn === 'minimal') return res.sendStatus(204)
+
+        const location = _calculateLocationHeader(cdsReq.target, srv, result)
+        const info = metaInfo(insertQuery, 'CREATE', srv, result, req)
+        result = toODataResult(result, info)
+        res.set('location', location).status(201).send(result)
+      })
+      .catch(next)
+  }

package/libx/odata/middleware/delete.js

@@ -0,0 +1,38 @@
+const cds = require('../../../')
+const { UPDATE, DELETE } = cds.ql
+
+const { odataError, getKeysFromPath } = require('../utils')
+
+module.exports = srv =>
+  function deleete(req, res, next) {
+    if (req._preferReturn) {
+      const message = `The 'return' preference is not allowed in ${req.method} requests`
+      return res.status(400).json({ error: { code: '400', message } })
+    }
+
+    const { _query: query } = req
+
+    const {
+      SELECT: { one, from }
+    } = query
+
+    if (!one) {
+      // REVISIT: don't use "ENTITY.COLLECTION" as that's an okra term
+      return res.status(405).json(odataError('405', `Method DELETE not allowed for ENTITY.COLLECTION`))
+    }
+
+    // for read and delete, we provide keys in req.data
+    const data = getKeysFromPath(query.SELECT.from, srv)
+
+    // REVISIT: better
+    if (query._propertyAccess) data[query._propertyAccess] = null
+
+    // REVISIT: maybe also just dispatch a cds request here?
+    return srv
+      .run(query._propertyAccess ? UPDATE(from).set({ [query._propertyAccess]: null }) : DELETE.from(from), data)
+      .then(result => {
+        if (result === 0) return res.status(404).json({ error: { code: '404', message: 'Not Found' } })
+        res.sendStatus(204)
+      })
+      .catch(next)
+  }

package/libx/odata/middleware/error.js

@@ -0,0 +1,8 @@
+const { normalizeError } = require('../../_runtime/common/error/frontend')
+
+module.exports = _srv => (err, req, res, _next) => {
+  const { error, statusCode } = normalizeError(err, req)
+
+  // NOTE: normalizeError already does sanatization -> we can use as is
+  res.status(statusCode).json({ error })
+}

package/libx/odata/{metadata.js → middleware/metadata.js}

@@ -1,7 +1,9 @@
-const cds = require('../../lib')
+const cds = require('../../../')
 const LOG = cds.log('odata')
+
 const crypto = require('crypto')
-const { odataError } = require('./utils')
+
+const { odataError } = require('../utils')
 
 const _requestedFormat = (queryOption, header) => {
   if (queryOption) return queryOption.match(/json/i) ? 'json' : 'xml'
@@ -91,10 +93,10 @@ module.exports = srv =>
         // REVISIT: remove check later
         if (mpSupportsEmptyLocale()) {
           // If no extensibility nor fts, do not provide model to mtxs
-          const modelNeeded =
-            cds.env.requires.extensibility ||
-            (cds.env.requires.toggles && Object.keys(cds.context.features || {}).length)
-          edmx = metadataCache.edm || (await mps.getEdmx({ tenant, model: modelNeeded && srv.model, service: srv.definition.name }))
+          const modelNeeded = cds.env.requires.extensibility || cds.context.features?.given
+          edmx =
+            metadataCache.edm ||
+            (await mps.getEdmx({ tenant, model: modelNeeded && srv.model, service: srv.definition.name }))
           metadataCache.edm = edmx
           const extBundle = cds.env.requires.extensibility && (await mps.getI18n({ tenant, locale }))
           edmx = cds.localize(srv.model, locale, edmx, extBundle)

package/libx/odata/middleware/operation.js

@@ -0,0 +1,78 @@
+const cds = require('../../../')
+
+const { toODataResult } = require('../utils/result')
+const { cds2edm } = require('../utils')
+
+const { deepCopy } = require('../../_runtime/common/utils/copy')
+
+// REVISIT: move to or rewrite in libx/odata
+const metaInfo = require('../../_runtime/cds-services/adapter/odata-v4/utils/metaInfo')
+
+module.exports = srv => (req, res, next) => {
+  let { operation, args } = req._query.SELECT.from.ref.slice(-1)[0]
+  if (!operation) return next() //> create or read
+
+  // unbound vs. bound
+  let entity
+  if (srv.model.definitions[operation]) {
+    operation = srv.model.definitions[operation]
+  } else {
+    req._query.SELECT.from.ref.pop()
+    // TODO: this does not work when navigating to the entity
+    const lastRef = req._query.SELECT.from.ref.slice(-1)[0]
+    entity = lastRef.id || lastRef
+    entity = srv.model.definitions[entity]
+    operation = entity.actions[operation]
+  }
+
+  const data = args || deepCopy(req.body)
+
+  // assert payload
+  const assertOptions = { filter: true, http: { req }, mandatories: true }
+  const errs = cds.assert(data, operation, assertOptions)
+  if (errs) {
+    if (errs.length === 1) throw errs[0]
+    throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
+  }
+
+  // REVISIT: when is operation.name actually prefixed with the service name?
+  const event = operation.name.replace(`${srv.name}.`, '')
+
+  // TODO: params
+  const cdsReq = new cds.Request({ query: entity ? req._query : undefined, event, data, params: [] })
+
+  srv
+    .dispatch(cdsReq)
+    .then(result => {
+      // REVISIT:  result === undefined valid for modelled return type?
+      if (!operation.returns || result === undefined) return res.sendStatus(204)
+
+      if (operation.returns._type?.match?.(/^cds\./)) {
+        // TODO: check result type
+        return res.json({
+          '@odata.context': `${entity ? '../' : ''}$metadata#${cds2edm[operation.returns._type]}`,
+          value: result
+        })
+      }
+
+      const assertOptions = { mandatories: true } //> TODO: more needed?
+      // TODO: error targets are not correct if return type is "many X"
+      const assertDefinition = operation.returns.items || operation.returns
+      const errs = cds.assert(result, assertDefinition, assertOptions)
+      if (errs) {
+        // TODO: proper error handling
+      }
+
+      const info = metaInfo(req._query, event, srv, result, req)
+      // FIXME: info.metadata.isCollection is incorrect for draftActivate
+      if (event === 'draftActivate') info.metadata.isCollection = false
+      result = toODataResult(result, info)
+
+      // TODO: toODataResult() doesn't seem to handle this case
+      if (entity && !result['@odata.context'].match(/^\.\.\//))
+        result['@odata.context'] = '../' + result['@odata.context']
+
+      res.json(result)
+    })
+    .catch(next)
+}

package/libx/odata/middleware/parse.js

@@ -0,0 +1,11 @@
+const cds = require('../../../')
+
+module.exports = srv => (req, _, next) => {
+  // if not a GET, use req.path instead of req.url to ignore query parameters
+  req._query = cds.odata.parse(req.method === 'GET' ? req.url : req.path, { service: srv, baseUrl: req.baseUrl })
+
+  const preferReturn = req.headers.prefer?.match(/\W?return=(\w+)/i)
+  if (preferReturn) req._preferReturn = preferReturn[1]
+
+  next()
+}