@sap/cds 7.6.4 → 7.7.1

package/libx/common/assert/index.js

@@ -0,0 +1,232 @@
+const { cds } = global
+
+const typeCheckers = require('./type')
+const { checkMandatory, checkEnum, checkRange, checkFormat } = require('./validation')
+const { getNested, getTarget, resolveCDSType, resolveSegment } = require('./utils')
+
+const NUMBER_TYPES = new Set(['cds.UInt8', 'cds.Int16', 'cds.Int32', 'cds.Integer', 'cds.Double'])
+
+const _no_op = () => {}
+
+const _reject_unknown = (_, k, def, errs) =>
+  errs.push(new cds.error(`Property ${k} does not exist in ${def.name}`, { statusCode: 400, code: '400' }))
+
+const _filter_unknown = (obj, k) => delete obj[k]
+
+const _handle_mandatories = (obj, def, errs, path) => {
+  for (const [k, ele] of def._mandatories) {
+    const v = obj[k] === undefined ? getNested(k, obj) : obj[k]
+    checkMandatory(v, ele, errs, path, k)
+  }
+}
+
+const _handle_mandatories_if_insert = (obj, def, errs, path) => {
+  if (!def.keys) return _handle_mandatories(obj, def, errs, path)
+  const allKeysProvided = Object.keys(def.keys).every(k => k in obj)
+  for (const [k, ele] of def._mandatories) {
+    const v = obj[k] === undefined ? getNested(k, obj) : obj[k]
+    if (!allKeysProvided || v !== undefined) checkMandatory(v, ele, errs, path, k)
+  }
+}
+
+function _recurse(obj, prefix, def, errs, opts) {
+  for (const [k, v] of Object.entries(obj)) {
+    if (v != null && typeof v === 'object' && !Array.isArray(v)) {
+      _recurse(v, prefix + k + '_', def, errs, opts)
+      continue
+    }
+    const flat = { [prefix + k]: v }
+    _process(flat, def, errs, opts)
+    if (!Object.keys(flat).length) delete obj[k] //> filtered out inside _process -> propagate to original object
+  }
+}
+
+function _process(obj, def, errs, opts) {
+  if (obj == null) return
+
+  if (Array.isArray(obj)) {
+    for (const row of obj) _process(row, def, errs, opts)
+    return
+  }
+
+  // TODO: path should be cqn
+  const prev = opts.path.length && opts.path[opts.path.length - 1]
+  if (prev?.keys || prev?.index) opts.path[opts.path.length - 1] = resolveSegment(prev, obj, def)
+
+  if (def._mandatories?.length) opts._handle_mandatories(obj, def, errs, opts.path)
+
+  for (let [k, v] of Object.entries(obj)) {
+    let ele = def.elements?.[k] || def.params?.[k] || def.items
+
+    /*
+     * TODO: should we support this? with or without transformation?
+     * structured vs flat
+     *   the combination of the two cases below SHOULD cover mixed cases like
+     *   foo: { bar: { baz: { ... } } } and foo_bar: { baz: { ... } }
+     *   TODO: add tests!!!
+     */
+    // case 1: structured data but flat model
+    if (
+      !ele &&
+      typeof obj[k] === 'object' &&
+      !Array.isArray(obj[k]) &&
+      (def.elements || def.params) &&
+      Object.keys(def.elements || def.params).find(key => key.startsWith(`${k}_`))
+    ) {
+      _recurse(obj[k], k + '_', def, errs, opts)
+      continue
+    }
+    // case 2: flat data but structured model
+    if (!ele && k.split('_').length > 1) {
+      // TODO: handle stuff like foo__bar, i.e., foo_: { bar: ... }
+      const parts = k.split('_')
+      let cur = def.elements || def.params
+      while (cur && parts.length) cur = (cur.elements || cur.params)?.[parts.shift()]
+      if (cur) ele = cur
+    }
+
+    if (!ele) {
+      if (!def['@open']) opts._handle_unknown(obj, k, def, errs)
+      continue
+    }
+
+    if (ele.isAssociation) {
+      const keys = ele.keys?.map(k => k.ref[0]) || Object.keys(ele._target.keys)
+      opts.path.push(ele.is2many || Object.keys(keys).length ? { assoc: k, keys } : k)
+      // NOTE: the assumption is that children with all keys provided are not inserted, but updated
+      // -> incomplete but best we can do without roundtrip
+      _process(v, ele._target, errs, {
+        ...opts,
+        _handle_mandatories:
+          opts.mandatories === false || ele._isAssociationStrict
+            ? _no_op
+            : opts.mandatories === true
+              ? _handle_mandatories
+              : _handle_mandatories_if_insert
+      })
+      opts.path.pop()
+      continue
+    }
+    if (ele._isStructured) {
+      opts.path.push(k)
+      _process(v, ele, errs, opts)
+      opts.path.pop()
+      continue
+    }
+    if (ele instanceof cds.builtin.classes.array) {
+      for (let i = 0; i < v.length; i++) {
+        opts.path.push({ prop: k, index: i })
+        const _def = ele.items?.__proto__.elements ? ele.items.__proto__ : ele.__proto__
+        const _obj = _def.elements ? v[i] : { [k]: v[i] }
+        _process(_obj, _def, errs, opts)
+        opts.path.pop()
+      }
+      continue
+    }
+
+    if (ele.notNull && v === null) {
+      const target = getTarget(opts.path, k)
+      errs.push(new cds.error('ASSERT_NOT_NULL', { target, statusCode: 400, code: '400' }))
+      continue
+    }
+
+    const type = resolveCDSType(ele)
+    if (type?.match(/^cds\.hana\./)) continue
+
+    let typeChecker = typeCheckers[type]
+    if (typeChecker) {
+      if (v == null) continue
+
+      // if used in protocol adapter, adjust val/ checker if necessary
+      if (opts.http) {
+        if (typeof v !== 'boolean') {
+          if (NUMBER_TYPES.has(type)) v = Number(v)
+          else if (type === 'cds.Double') v = parseFloat(v)
+
+          // REVISIT: consider ieee754 and exp dec headers?
+          // const ieee = opts.http.req?.headers['content-type'].match(/IEEE754Compatible=(\w+)/i)
+          // const exp = opts.http.req?.headers['content-type'].match(/ExponentialDecimals=(\w+)/i)
+          // if (type === 'cds.Decimal') {
+          //   TODO
+          // }
+        }
+      }
+
+      // use relaxed uuid check if not in strict mode
+      if (type === 'cds.UUID' && !opts.strict) typeChecker = typeCheckers['relaxed.UUID']
+
+      // type check
+      // REVISIT: all checkers should add errors themselves!
+      if (type === 'cds.Decimal')
+        typeChecker(v, ele, errs, opts.path, k) //> _checkDecimal adds error itself
+      else if (!typeChecker(v, ele) || (opts.strict && typeChecker.name === '_checkBuffer' && typeof v === 'string')) {
+        errs.push(
+          new cds.error('ASSERT_DATA_TYPE', {
+            args: [typeof obj[k] === 'string' ? `"${obj[k]}"` : obj[k], ele._type],
+            target: getTarget(opts.path, k),
+            statusCode: 400,
+            code: '400'
+          })
+        )
+      }
+
+      // propagate correction if necessary
+      if (obj[k] !== v) obj[k] = v
+
+      // @assert
+      if (ele['@assert.enum'] || (ele['@assert.range'] && ele.enum)) checkEnum(v, ele, errs, opts.path, k)
+      if (ele['@assert.range']) checkRange(v, ele, errs, opts.path, k)
+      if (ele['@assert.format']) checkFormat(v, ele, errs, opts.path, k)
+      // REVISIT: @assert.target? -> no because async, but maybe return the necessary query to execute?
+
+      continue
+    }
+
+    throw new Error(`Missing type check for "${ele.type}" (property "${k}" of "${def.name}")`)
+  }
+}
+
+/**
+ * Asserts the given data against the given CSN definition and returns an array of errors or undefined.
+ *
+ * @param {object} data - the data to be checked
+ * @param {LinkedCSN} definition - the CSN definition to which the data should be checked against
+ * @param {object} [options] - options
+ * @param {boolean} [options.strict] - if true, an error is thrown if a property is not defined in the CSN
+ * @param {boolean} [options.filter] - if true, properties not defined in the CSN are filtered out
+ * @param {boolean} [options.mandatories] - if false, mandatory properties are never checked.
+ *   if true, mandatory properties are always checked.
+ *   if undefined, mandatory properties are checked for presumed insert rows only (determined by a heuristic to avoid roundtrip).
+ * @param {object} [options.http] - the HTTP request object providing access to headers, etc.
+ * @param {*[]} [options.path] - collector for the current path, should not be set manually
+ * @return {Array} - an array of errors or undefined if no errors
+ */
+module.exports = (data, definition, options = {}) => {
+  if (!data) throw new Error('Argument "data" was not provided')
+  if (typeof data !== 'object') throw new Error('Argument "data" must be an object (or an array)')
+
+  if (!definition) throw new Error('Argument "entity" was not provided')
+  // FIXME: definition instanceof cds.builtin.classes.any doesn't always work for some reason
+  if (!(definition instanceof cds.builtin.classes.any) && !(definition.kind in { entity: 1, action: 1, function: 1 })) {
+    throw new Error('Argument "definition" is not a valid CSN element')
+  }
+
+  // TODO: feature flags instead of process env vars
+  options.strict ??= process.env.CDS_ASSERT_STRICT === 'true'
+  options.filter ??= process.env.CDS_ASSERT_FILTER === 'true'
+  options.path ??= []
+
+  // materialize what is done ...
+  // ... in case of unknown elements
+  if (options.strict) options._handle_unknown = _reject_unknown
+  else if (options.filter) options._handle_unknown = _filter_unknown
+  else options._handle_unknown = _no_op
+  // ... regarding mandatory elements
+  if (options.mandatories === false) options._handle_mandatories = _no_op
+  else if (options.mandatories === true) options._handle_mandatories = _handle_mandatories
+  else options._handle_mandatories = _handle_mandatories_if_insert
+
+  const errs = []
+  _process(data, definition, errs, options)
+  return errs.length ? errs : undefined
+}

package/libx/common/assert/type.js

@@ -0,0 +1,109 @@
+const { cds } = global
+
+const { Readable } = require('stream')
+
+const { getNormalizedDecimal, getTarget, isBase64String } = require('./utils')
+
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i //> "i" is acutally not OK, but we'll leave as is for now to avoid breaking changes
+const RELAXED_UUID_REGEX = /^[0-9a-z]{8}-?[0-9a-z]{4}-?[0-9a-z]{4}-?[0-9a-z]{4}-?[0-9a-z]{12}$/i
+
+const ISO_DATE_PART1 =
+  '[1-9]\\d{3}-(?:(?:0[1-9]|1[0-2])-(?:0[1-9]|1\\d|2[0-8])|(?:0[13-9]|1[0-2])-(?:29|30)|(?:0[13578]|1[02])-31)'
+const ISO_DATE_PART2 = '(?:[1-9]\\d(?:0[48]|[2468][048]|[13579][26])|(?:[2468][048]|[13579][26])00)-02-29'
+const ISO_DATE = `(?:${ISO_DATE_PART1}|${ISO_DATE_PART2})`
+const ISO_TIME_NO_MILLIS = '(?:[01]\\d|2[0-3]):[0-5]\\d:[0-5]\\d'
+const ISO_TIME = `${ISO_TIME_NO_MILLIS}(?:\\.\\d{1,9})?`
+const ISO_DATE_TIME = `${ISO_DATE}T${ISO_TIME_NO_MILLIS}(?:Z|[+-][01]\\d:?[0-5]\\d)`
+const ISO_TIMESTAMP = `${ISO_DATE}T${ISO_TIME}(?:Z|[+-][01]\\d:?[0-5]\\d)`
+const ISO_DATE_REGEX = new RegExp(`^${ISO_DATE}$`, 'i')
+const ISO_TIME_NO_MILLIS_REGEX = new RegExp(`^${ISO_TIME_NO_MILLIS}$`, 'i')
+const ISO_DATE_TIME_REGEX = new RegExp(`^${ISO_DATE_TIME}$`, 'i')
+const ISO_TIMESTAMP_REGEX = new RegExp(`^${ISO_TIMESTAMP}$`, 'i')
+
+const _checkString = value => typeof value === 'string'
+
+const _checkNumber = value => typeof value === 'number' && !Number.isNaN(value)
+
+const _oldCheckDecimal = (value, element) => {
+  const [left, right] = String(value).split('.')
+  return (
+    _checkNumber(value) &&
+    (!element.precision || left.length <= element.precision - (element.scale || 0)) &&
+    (!element.scale || ((right || '').length <= element.scale && parseFloat(right) !== 0))
+  )
+}
+
+// REVISIT: only use a cheaper check if not in strictDecimal mode?
+const _checkDecimal = (v, ele, errs, path, k) => {
+  if (!errs) return _oldCheckDecimal(v, ele)
+
+  const { precision, scale } = ele
+  let val = getNormalizedDecimal(v)
+  if (precision != null && scale != null) {
+    let isValid = true
+    if (!val.match(/\./)) val += '.0'
+    if (precision === scale) {
+      if (!val.match(new RegExp(`^-?0\\.\\d{0,${scale}}$`, 'g'))) isValid = false
+    } else if (scale === 0) {
+      if (!val.match(new RegExp(`^-?\\d{1,${precision - scale}}\\.0{0,1}$`, 'g'))) isValid = false
+    } else if (!val.match(new RegExp(`^-?\\d{1,${precision - scale}}\\.\\d{0,${scale}}$`, 'g'))) {
+      isValid = false
+    }
+    if (!isValid) {
+      const args = [v, `Decimal(${precision},${scale})`]
+      const target = getTarget(path, k)
+      errs.push(new cds.error('ASSERT_DATA_TYPE', { args, target, statusCode: 400, code: '400' }))
+    }
+  } else if (precision != null) {
+    if (!val.match(new RegExp(`^-?\\d{1,${precision}}$`, 'g'))) {
+      const args = [v, `Decimal(${precision})`]
+      const target = getTarget(path, k)
+      errs.push(new cds.error('ASSERT_DATA_TYPE', { args, target, statusCode: 400, code: '400' }))
+    }
+  }
+}
+
+const _checkInt = value => _checkNumber(value) && parseInt(value, 10) === value
+
+const _checkInt64 = value => typeof value === 'string' ? value.match(/^\d+$/) : _checkInt(value)
+
+const _checkBoolean = value => typeof value === 'boolean'
+
+const _checkBuffer = value => Buffer.isBuffer(value) || value.type === 'Buffer' || isBase64String(value)
+
+const _checkStreamOrBuffer = value => value instanceof Readable || _checkBuffer(value)
+
+const _checkUUID = value => _checkString(value) && UUID_REGEX.test(value)
+
+const _checkRelaxedUUID = value => _checkString(value) && RELAXED_UUID_REGEX.test(value)
+
+const _checkISODate = value => (_checkString(value) && ISO_DATE_REGEX.test(value)) || value instanceof Date
+
+const _checkISOTime = value => _checkString(value) && ISO_TIME_NO_MILLIS_REGEX.test(value)
+
+const _checkISODateTime = value => (_checkString(value) && ISO_DATE_TIME_REGEX.test(value)) || value instanceof Date
+
+const _checkISOTimestamp = value => (_checkString(value) && ISO_TIMESTAMP_REGEX.test(value)) || value instanceof Date
+
+module.exports = {
+  'cds.UUID': _checkUUID,
+  'relaxed.UUID': _checkRelaxedUUID,
+  'cds.Boolean': _checkBoolean,
+  'cds.Integer': _checkInt,
+  'cds.UInt8': _checkInt,
+  'cds.Int16': _checkInt,
+  'cds.Int32': _checkInt,
+  'cds.Integer64': _checkInt64,
+  'cds.Int64': _checkInt64,
+  'cds.Decimal': _checkDecimal,
+  'cds.DecimalFloat': _checkNumber,
+  'cds.Double': _checkNumber,
+  'cds.Date': _checkISODate,
+  'cds.Time': _checkISOTime,
+  'cds.DateTime': _checkISODateTime,
+  'cds.Timestamp': _checkISOTimestamp,
+  'cds.String': _checkString,
+  'cds.Binary': _checkBuffer,
+  'cds.LargeString': _checkString,
+  'cds.LargeBinary': _checkStreamOrBuffer
+}

package/libx/common/assert/utils.js

@@ -0,0 +1,125 @@
+function getNested(k, obj) {
+  let cur = obj
+  let p = ''
+  const parts = k.split('_')
+  while (parts.length) {
+    const q = parts.shift()
+    if (q in cur) {
+      cur = cur[q]
+      p = ''
+    } else {
+      p = p ? p + '_' + q : q
+      if (p in cur) {
+        cur = cur[p]
+        p = ''
+      } else {
+        if (Object.keys(cur).some(k => k.startsWith(p + '_'))) {
+          // continue for now as there's still a chance
+        } else {
+          // abort
+          return undefined
+        }
+      }
+    }
+  }
+  return cur[p] || cur !== obj ? cur : undefined
+}
+
+const getNormalizedDecimal = val => {
+  let v = `${val}`
+  const cgs = v.match(/^(\d*\.*\d*)e([+|-]*)(\d*)$/)
+  if (cgs) {
+    let [l, r = ''] = cgs[1].split('.')
+    const dir = cgs[2] || '+'
+    const exp = Number(cgs[3])
+    if (dir === '+') {
+      // move decimal point to the right
+      r = r.padEnd(exp, '0')
+      l += r.substring(0, exp)
+      r = r.slice(exp)
+      v = `${l}${r ? '.' + r : ''}`
+    } else {
+      // move decimal point to the left
+      l = l.padStart(exp, '0')
+      r = l.substring(0, exp) + r
+      l = l.slice(exp)
+      v = `${l ? l : '0'}.${r}`
+    }
+  }
+  return v
+}
+
+function getTarget(path, k) {
+  return path.length && path[path.length - 1].match(/\[\d+\]$/) ? path.join('/') : path.concat(k).join('/')
+}
+
+// non-strict mode also allows url-safe base64 strings
+function isBase64String(string, strict = false) {
+  if (typeof string !== 'string') return false
+
+  if (strict && string.length % 4 !== 0) return false
+
+  let length = string.length
+  if (string.endsWith('==')) length -= 2
+  else if (string.endsWith('=')) length -= 1
+
+  let char
+  for (let i = 0; i < length; i++) {
+    char = string[i]
+    if (char >= 'A' && char <= 'Z') continue
+    else if (char >= 'a' && char <= 'z') continue
+    else if (char >= '0' && char <= '9') continue
+    else if (char === '+' || char === '/') continue
+    else if (!strict && (char === '-' || char === '_')) continue
+    return false
+  }
+
+  return true
+}
+
+const resolveCDSType = ele => {
+  // REVISIT: when is ele._type not set and sufficient?
+  if (ele._type?.match(/^cds\./)) return ele._type
+  if (ele.type) {
+    if (ele.type.match(/^cds\./)) return ele.type
+    return resolveCDSType(ele.__proto__)
+  }
+  if (ele.items) return resolveCDSType(ele.items)
+  return ele
+}
+
+function resolveSegment(prev, obj, def) {
+  if (prev.keys) {
+    let keys = []
+    for (const k of prev.keys) {
+      let val
+      if (k in obj) val = obj[k]
+      else val = getNested(k, obj)
+      if (val == null) {
+        // in some cases, k is not given, e.g., POST into collection via navigation
+        // TODO: what to put in target? "null", "transient", ...?
+        if (k === 'IsActiveEntity')
+          keys.push(`${k}=false`) //> always false if not in obj as it must be a draft activate
+        else keys.push(`${k}=null`)
+      } else {
+        const type = resolveCDSType(def.elements[k])
+        if (type === 'cds.String') val = `'${val}'`
+        // TODO: more proper val encoding based on type
+        keys.push(`${k}=${val}`)
+      }
+    }
+    return `${prev.assoc}(${keys.join(',')})`
+  }
+  if (prev.index) {
+    return `${prev.prop}[${prev.index}]`
+  }
+}
+
+module.exports = {
+  getNested,
+  getNormalizedDecimal,
+  getTarget,
+  isBase64String,
+  resolveCDSType,
+  resolveSegment
+}

package/libx/common/assert/validation.js

@@ -0,0 +1,109 @@
+const { cds } = global
+
+const {
+  'cds.Date': checkISODate,
+  'cds.Time': checkISOTime,
+  'cds.DateTime': checkISODateTime,
+  'cds.Timestamp': checkISOTimestamp,
+  'cds.String': checkString
+} = require('./type')
+const { getTarget, resolveCDSType } = require('./utils')
+
+const _isNavigationColumn = (col, as) => col.ref?.length > 1 && (col.as === as || col.ref[col.ref.length - 1] === as)
+
+// REVISIT: mandatory is actually not the same as not null or empty string
+const _isNotFilled = val => val === null || val === undefined || (typeof val === 'string' && val.trim() === '')
+
+const _getEnumElement = ele => ((ele['@assert.range'] && ele.enum) || ele['@assert.enum'] ? ele.enum : undefined)
+
+const _enumValues = ele => {
+  return Object.keys(ele).map(enumKey => {
+    const enum_ = ele[enumKey]
+    const enumValue = enum_ && enum_.val
+    if (enumValue !== undefined) {
+      if (enumValue['=']) return enumValue['=']
+      if (enum_ && enum_.literal && enum_.literal === 'number') return Number(enumValue)
+      return enumValue
+    }
+    return enumKey
+  })
+}
+
+const _checkDateValue = (val, r1, r2) => {
+  const dateVal = new Date(val)
+  return (dateVal - new Date(r1)) * (dateVal - new Date(r2)) <= 0
+}
+
+const _toDate = val => `2000-01-01T${val}Z`
+
+const _checkInRange = (val, range, type) => {
+  switch (type) {
+    case 'cds.Date':
+      return checkISODate(val) && _checkDateValue(val, range[0], range[1])
+    case 'cds.DateTime':
+      return checkISODateTime(val) && _checkDateValue(val, range[0], range[1])
+    case 'cds.Timestamp':
+      return checkISOTimestamp(val) && _checkDateValue(val, range[0], range[1])
+    case 'cds.Time':
+      return checkISOTime(val) && _checkDateValue(_toDate(val), _toDate(range[0]), _toDate(range[1]))
+    default:
+      return (val - range[0]) * (val - range[1]) <= 0
+  }
+}
+
+// process.env.CDS_ASSERT_FORMAT_FLAGS is not official!
+const _checkRegExpFormat = (val, format) =>
+  checkString(val) && val.match(new RegExp(format, process.env.CDS_ASSERT_FORMAT_FLAGS || 'u'))
+
+const checkMandatory = (v, ele, errs, path, k) => {
+  // REVISIT: correct to not complain?
+  // do not complain about missing foreign keys in children
+  if (path.length && ele['@odata.foreignKey4']) return
+
+  // TODO: which case is this?
+  // do not complain about ???
+  if (ele.parent?.query?.SELECT?.columns?.find(col => _isNavigationColumn(col, ele.name))) return
+
+  if (!ele.default && _isNotFilled(v)) {
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_NOT_NULL', { target, statusCode: 400, code: '400' }))
+  }
+}
+
+const checkEnum = (v, ele, errs, path, k) => {
+  const enumElements = _getEnumElement(ele)
+  const enumValues = enumElements && _enumValues(enumElements)
+  if (enumElements && !enumValues.includes(v)) {
+    const args =
+      typeof v === 'string'
+        ? ['"' + v + '"', enumValues.map(ele => '"' + ele + '"').join(', ')]
+        : [v, enumValues.join(', ')]
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_ENUM', { args, target, statusCode: 400, code: '400' }))
+  }
+}
+
+const checkRange = (v, ele, errs, path, k) => {
+  const rangeElements = ele['@assert.range'] && !_getEnumElement(ele) ? ele['@assert.range'] : undefined
+  if (rangeElements && !_checkInRange(v, rangeElements, resolveCDSType(ele))) {
+    const args = [v, ...ele['@assert.range']]
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_RANGE', { args, target, statusCode: 400, code: '400' }))
+  }
+}
+
+const checkFormat = (v, ele, errs, path, k) => {
+  const formatElements = ele['@assert.format']
+  if (formatElements && !_checkRegExpFormat(v, formatElements)) {
+    const args = [v, formatElements]
+    const target = getTarget(path, k)
+    errs.push(new cds.error('ASSERT_FORMAT', { args, target, statusCode: 400, code: '400' }))
+  }
+}
+
+module.exports = {
+  checkMandatory,
+  checkEnum,
+  checkRange,
+  checkFormat
+}

package/libx/odata/index.js

@@ -1,11 +1,11 @@
-const cds = require('../_runtime/cds'),
-  { decodeURIComponent } = cds.utils
+const cds = require('../../')
 const { SELECT } = cds.ql
+const { decodeURIComponent } = cds.utils
 
-const odata2cqn = require('./parser').parse
-const cqn2odata = require('./cqn2odata')
+const odata2cqn = require('./parse/parser').parse
+const cqn2odata = require('./parse/cqn2odata')
 
-const afterburner = require('./afterburner')
+const afterburner = require('./parse/afterburner')
 const { getSafeNumber: safeNumber } = require('./utils')
 const getError = require('../_runtime/common/error')
 

package/libx/odata/middleware/create.js

@@ -0,0 +1,83 @@
+const cds = require('../../../')
+const { INSERT } = cds.ql
+
+const { toODataResult } = require('../utils/result')
+const { odataError, getKeysFromPath } = require('../utils')
+
+const { deepCopy } = require('../../_runtime/common/utils/copy')
+
+// REVISIT: move to or rewrite in libx/odata
+const { readAfterWrite } = require('../../_runtime/cds-services/adapter/odata-v4/utils/readAfterWrite')
+const metaInfo = require('../../_runtime/cds-services/adapter/odata-v4/utils/metaInfo')
+
+const _calculateLocationHeader = (target, srv, result) => {
+  const targetName = target.name.replace(`${srv.name}.`, '')
+
+  const keyValuePairs = Object.keys(target.keys).reduce((acc, key) => {
+    acc[key] = result[key]
+    return acc
+  }, {})
+
+  let keys
+  const entries = Object.entries(keyValuePairs)
+  if (entries.length === 1) {
+    keys = entries[0][1]
+  } else {
+    keys = entries.map(([key, value]) => `${key}=${value}`).join(',')
+  }
+
+  return `${targetName}(${keys})`
+}
+
+module.exports = srv =>
+  function create(req, res, next) {
+    const { _query: query } = req
+
+    const {
+      SELECT: { one, from }
+    } = query
+
+    if (one) {
+      const singleton = query.target._isSingleton
+      const error = odataError('405', `Method ${req.method} not allowed for ${singleton ? 'SINGLETON' : 'ENTITY'}`)
+      return res.status(405).json(error)
+    }
+
+    const data = deepCopy(req.body)
+
+    // add keys from url into payload (overwriting if already present)
+    Object.assign(data, getKeysFromPath(from, srv))
+
+    // assert payload
+    const assertOptions = { filter: true, http: { req }, mandatories: true }
+    const errs = cds.assert(data, query.target, assertOptions)
+    if (errs) {
+      if (errs.length === 1) throw errs[0]
+      throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
+    }
+
+    const insertQuery = INSERT.into(from).entries(data)
+
+    // we need the cds request, so we can access req._.readAfterWrite
+    const cdsReq = new cds.Request({ query: insertQuery })
+
+    // rewrite event for draft-enabled entities
+    if (query.target._isDraftEnabled) cdsReq.event = 'NEW'
+
+    return srv
+      .dispatch(cdsReq)
+      .then(async result => {
+        if (cdsReq._.readAfterWrite) {
+          // TODO see if in old odata impl for other checks that should happen
+          result = await readAfterWrite(cdsReq, srv, { operation: { result } })
+        }
+
+        if (result == null || req._preferReturn === 'minimal') return res.sendStatus(204)
+
+        const location = _calculateLocationHeader(cdsReq.target, srv, result)
+        const info = metaInfo(insertQuery, 'CREATE', srv, result, req)
+        result = toODataResult(result, info)
+        res.set('location', location).status(201).send(result)
+      })
+      .catch(next)
+  }