@sap/cds 7.7.3 → 7.8.1

package/libx/odata/middleware/batch.js

@@ -0,0 +1,340 @@
+const cds = require('../../../')
+const { AsyncResource } = require('async_hooks')
+
+// eslint-disable-next-line cds/no-missing-dependencies
+const express = require('express')
+const { STATUS_CODES } = require('http')
+
+const multipartToJson = require('../parse/multipartToJson')
+
+const HTTP_METHODS = { GET: 1, POST: 1, PUT: 1, PATCH: 1, DELETE: 1 }
+const CT = { JSON: 'application/json', MULTIPART: 'multipart/mixed' }
+const CRLF = '\r\n'
+
+/*
+ * common
+ */
+
+const _deserializationError = message => cds.error(`Deserialization Error: ${message}`, { code: 400 })
+
+// Function must be called with an object containing exactly one key-value pair representing the property name and its value
+const _validateProperty = (name, value, type) => {
+  if (value === undefined) throw _deserializationError(`Parameter '${name}' must not be undefined.`)
+
+  switch (type) {
+    case 'Array':
+      if (!Array.isArray(value)) throw _deserializationError(`Parameter '${name}' must be type of '${type}'.`)
+      break
+    default:
+      if (typeof value !== type) throw _deserializationError(`Parameter '${name}' must be type of '${type}'.`)
+  }
+}
+
+const _validateBatch = body => {
+  const { requests } = body
+
+  _validateProperty('requests', requests, 'Array')
+
+  const ids = {}
+
+  let previousAtomicityGroup
+  requests.forEach((request, i) => {
+    if (typeof request !== 'object')
+      throw _deserializationError(`Element of 'requests' array at index ${i} must be type of 'object'.`)
+
+    const { id, method, url, body, atomicityGroup, dependsOn } = request
+
+    _validateProperty('id', id, 'string')
+
+    if (ids[id]) throw _deserializationError(`Request ID '${id}' is not unique.`)
+    else ids[id] = request
+
+    // TODO: validate allowed methods or let express throw the error?
+    _validateProperty('method', method, 'string')
+    if (!(method.toUpperCase() in HTTP_METHODS))
+      throw _deserializationError(`Method '${method}' is not allowed. Only DELETE, GET, PATCH, POST or PUT are.`)
+
+    _validateProperty('url', url, 'string')
+    // TODO: need similar validation in multipart/mixed batch
+    if (url.startsWith('/$batch')) throw _deserializationError('Nested batch requests are not allowed.')
+
+    // TODO: support for non JSON bodies?
+    if (body !== undefined && typeof body !== 'object')
+      throw _deserializationError('A Content-Type header has to be specified for a non JSON body.')
+
+    // TODO
+    // if (!(method.toUpperCase() in { GET: 1, DELETE: 1 }) && !body)
+    //   throw _deserializationError(`Body is required for ${method} requests.`)
+
+    if (atomicityGroup) {
+      _validateProperty('atomicityGroup', atomicityGroup, 'string')
+
+      // All request objects with the same value for atomicityGroup MUST be adjacent in the requests array
+      if (atomicityGroup !== previousAtomicityGroup) {
+        if (ids[atomicityGroup]) throw _deserializationError(`Atomicity group ID '${atomicityGroup}' is not unique.`)
+        else ids[atomicityGroup] = [request]
+      } else {
+        ids[atomicityGroup].push(request)
+      }
+    }
+
+    if (dependsOn) {
+      _validateProperty('dependsOn', dependsOn, 'Array')
+      dependsOn.forEach(dependsOnId => {
+        _validateProperty('dependent request ID', dependsOnId, 'string')
+
+        const dependency = ids[dependsOnId]
+        if (!dependency)
+          throw _deserializationError(`Request ID '${dependsOnId}' used in dependsOn has not been defined before.`)
+
+        const dependencyAtomicityGroup = dependency.atomicityGroup
+        if (dependencyAtomicityGroup && !dependsOn.includes(dependencyAtomicityGroup))
+          throw _deserializationError(
+            `The group '${dependencyAtomicityGroup}' of the referenced request '${dependsOnId}' must be listed in dependsOn of request '${id}'.`
+          )
+      })
+    }
+
+    // TODO: validate if, and headers
+
+    previousAtomicityGroup = atomicityGroup
+  })
+
+  return ids
+}
+
+const _createExpressReqResLookalike = (request, _req, _res) => {
+  const { id, method, url } = request
+  const ret = { id }
+
+  const req = (ret.req = new express.request.constructor())
+  req.__proto__ = express.request
+
+  // express internals
+  req.app = _req.app
+
+  req.method = method.toUpperCase()
+  req.url = url
+  req.query = {}
+  req.headers = request.headers || {}
+  req.body = request.body
+
+  // propagate user, tenant and locale
+  req.user = _req.user
+  req.tenant = _req.tenant
+  req.locale = _req.locale
+
+  const res = (ret.res = new express.response.constructor(req))
+  res.__proto__ = express.response
+
+  // express internals
+  res.app = _res.app
+
+  // back link
+  req.res = res
+
+  // resolve promise for subrequest via res.end()
+  ret.promise = new Promise((resolve, _reject) => {
+    res.end = (chunk, encoding) => {
+      res._chunk = chunk
+      res._encoding = encoding
+      resolve(ret)
+    }
+  })
+
+  return ret
+}
+
+const _transaction = async (srv, router) => {
+  return new Promise(res => {
+    const ret = {}
+    srv.tx(
+      async () =>
+        (ret.promise = new Promise((resolve, reject) => {
+          const proms = []
+          ret.add = AsyncResource.bind(function (request, req, res) {
+            const lookalike = _createExpressReqResLookalike(request, req, res)
+            router.handle(lookalike.req, lookalike.res)
+            request.promise = lookalike.promise
+            proms.push(request.promise)
+            return request.promise
+          })
+          ret.done = function () {
+            return Promise.allSettled(proms).then(resolve, reject)
+          }
+          res(ret)
+        }))
+    )
+  })
+}
+
+const _processBatch = async (srv, router, req, res, next, body, ct, boundary) => {
+  body ??= req.body
+  ct ??= 'JSON'
+  const isJson = ct === 'JSON'
+  const _formatResponse = isJson ? _formatResponseJson : _formatResponseMultipart
+
+  try {
+    const ids = _validateBatch(body) // REVISIT: we will not be able to validate the whole once we stream
+
+    // TODO: if (!requests || !requests.length) throw new Error('At least one request, buddy!')
+
+    let previousAtomicityGroup
+    let separator
+    let tx
+
+    res.setHeader('content-type', CT[ct] + (!isJson ? ';boundary=' + boundary : ''))
+    res.setHeader('OData-Version', '4.0') //> REVISIT: Fiori/ UI5 wants this
+    res.status(200)
+    res.write(isJson ? '{"responses":[' : '')
+
+    const { requests } = body
+    for await (const request of requests) {
+      const { atomicityGroup } = request
+
+      if (!atomicityGroup || atomicityGroup !== previousAtomicityGroup) {
+        if (tx) await tx.done()
+        tx = await _transaction(srv, router)
+        if (atomicityGroup) ids[atomicityGroup].promise = tx.promise
+      }
+
+      const dependencies = request.dependsOn?.map(id => ids[id].promise)
+      if (dependencies) {
+        // TODO: fail the dependent request if dependency fails
+        await Promise.allSettled(dependencies)
+      }
+
+      tx.add(request, req, res).then(request => {
+        if (separator) res.write(separator)
+        else separator = isJson ? Buffer.from(',') : Buffer.from(CRLF)
+        _formatResponse(request, res, boundary)
+      })
+
+      if (!atomicityGroup) tx.done()
+
+      previousAtomicityGroup = atomicityGroup
+    }
+
+    if (tx) await tx.done()
+
+    res.write(isJson ? ']}' : `${CRLF}--${boundary}--${CRLF}`)
+    res.end()
+
+    return
+  } catch (e) {
+    next(e)
+  }
+}
+
+/*
+ * multipart/mixed
+ */
+
+const _multipartBatch = (srv, router) => async (req, res, next) => {
+  const boundary = req.headers['content-type']?.match(/boundary=([\w_-]+)/i)?.[1]
+  if (!boundary) return next(cds.error('No boundary found in Content-Type header', { code: 400 }))
+
+  try {
+    const { requests } = await multipartToJson(req.body, boundary)
+    _processBatch(srv, router, req, res, next, { requests }, 'MULTIPART', boundary)
+  } catch (e) {
+    next(e)
+  }
+}
+
+const _formatResponseMultipart = (request, res, boundary) => {
+  const { /* id, */ res: response } = request
+
+  let txt = `--${boundary}${CRLF}content-type: application/http${CRLF}content-transfer-encoding: binary${CRLF}${CRLF}`
+  txt += `HTTP/1.1 ${response.statusCode} ${STATUS_CODES[response.statusCode]}${CRLF}`
+
+  // REVISIT: tests require specific sequence
+  const headers = {
+    'odata-version': '4.0',
+    'content-type': 'DUMMY',
+    ...response.getHeaders()
+  }
+  headers['content-type'] = 'application/json;odata.metadata=minimal' //> REVISIT: expected by tests
+  delete headers['content-length'] //> REVISIT: expected by tests
+  for (const key in headers) {
+    txt += key + ': ' + headers[key] + CRLF
+  }
+  txt += CRLF
+
+  if (response._chunk) {
+    let _json
+    try {
+      // REVISIT: tests require specific sequence -> fix and simply use res._chunk
+      _json = JSON.parse(response._chunk)
+      if (typeof _json !== 'object') throw new Error('not an object')
+      let meta = [],
+        data = []
+      for (const [k, v] of Object.entries(_json)) {
+        if (k.startsWith('@')) meta.push(`"${k}":"${v}"`)
+        else data.push(JSON.stringify({ [k]: v }).slice(1, -1))
+      }
+      const _json_as_txt = '{' + meta.join(',') + (meta.length && data.length ? ',' : '') + data.join(',') + '}'
+      txt += _json_as_txt
+    } catch {
+      // ignore error and take chunk as is (a text)
+      txt += response._chunk
+      txt = txt.replace('content-type: application/json;odata.metadata=minimal', 'content-type: text/plain')
+    }
+  }
+
+  res.write(txt)
+}
+
+/*
+ * application/json
+ */
+
+const _formatStatics = {
+  comma: ','.charCodeAt(0),
+  body: Buffer.from('"body":'),
+  close: Buffer.from('}')
+}
+
+const _formatResponseJson = (request, res) => {
+  const { id, res: response } = request
+  const raw = Buffer.from(
+    JSON.stringify({
+      id,
+      status: response.statusCode,
+      headers: {
+        'odata-version': '4.0',
+        'content-type': 'application/json',
+        ...response.getHeaders()
+      }
+    })
+  )
+  // change last "}" into ","
+  raw[raw.byteLength - 1] = _formatStatics.comma
+  res.write(raw)
+  res.write(_formatStatics.body)
+  res.write(response._chunk)
+  res.write(_formatStatics.close)
+}
+
+const _jsonBatch = (srv, router) => (req, res, next) => {
+  _processBatch(srv, router, req, res, next)
+}
+
+module.exports = (srv, router) => {
+  const handleJsonBatch = _jsonBatch(srv, router)
+  const handleMultipartBatch = _multipartBatch(srv, router)
+
+  return function batch(req, res, next) {
+    if (req.headers['content-type'].includes('application/json')) {
+      return handleJsonBatch(req, res, next)
+    }
+
+    if (req.headers['content-type'].includes('multipart/mixed')) {
+      return express.text({ type: '*/*' })(req, res, () => {
+        handleMultipartBatch(req, res, next)
+      })
+    }
+
+    throw cds.error('Batch requests must have content type multipart/mixed or application/json', { code: 400 })
+  }
+}

package/libx/odata/middleware/create.js

@@ -1,8 +1,8 @@
 const cds = require('../../../')
 const { INSERT } = cds.ql
 
-const { toODataResult } = require('../utils/result')
-const { odataError, getKeysFromPath } = require('../utils')
+const { toODataResult, postProcess } = require('../utils/result')
+const { calculateLocationHeader, getKeysAndParamsFromPath, handleSapMessages } = require('../utils')
 
 const { deepCopy } = require('../../_runtime/common/utils/copy')
 
@@ -10,74 +10,71 @@ const { deepCopy } = require('../../_runtime/common/utils/copy')
 const { readAfterWrite } = require('../../_runtime/cds-services/adapter/odata-v4/utils/readAfterWrite')
 const metaInfo = require('../../_runtime/cds-services/adapter/odata-v4/utils/metaInfo')
 
-const _calculateLocationHeader = (target, srv, result) => {
-  const targetName = target.name.replace(`${srv.name}.`, '')
-
-  const keyValuePairs = Object.keys(target.keys).reduce((acc, key) => {
-    acc[key] = result[key]
-    return acc
-  }, {})
-
-  let keys
-  const entries = Object.entries(keyValuePairs)
-  if (entries.length === 1) {
-    keys = entries[0][1]
-  } else {
-    keys = entries.map(([key, value]) => `${key}=${value}`).join(',')
-  }
-
-  return `${targetName}(${keys})`
-}
-
 module.exports = srv =>
   function create(req, res, next) {
-    const { _query: query } = req
-
     const {
-      SELECT: { one, from }
-    } = query
+      SELECT: { one, from },
+      target
+    } = req._query
 
     if (one) {
-      const singleton = query.target._isSingleton
-      const error = odataError('405', `Method ${req.method} not allowed for ${singleton ? 'SINGLETON' : 'ENTITY'}`)
-      return res.status(405).json(error)
+      // REVISIT: don't use "SINGLETON" or "ENTITY" as that are okra terms
+      throw Object.assign(
+        new Error(`Method ${req.method} not allowed for ${target._isSingleton ? 'SINGLETON' : 'ENTITY'}`),
+        { statusCode: 405 }
+      )
     }
 
+    // payload & params
     const data = deepCopy(req.body)
-
+    const { keys, params } = getKeysAndParamsFromPath(from, srv)
     // add keys from url into payload (overwriting if already present)
-    Object.assign(data, getKeysFromPath(from, srv))
+    Object.assign(data, keys)
 
     // assert payload
     const assertOptions = { filter: true, http: { req }, mandatories: true }
-    const errs = cds.assert(data, query.target, assertOptions)
+    const errs = cds.assert(data, target, assertOptions)
     if (errs) {
       if (errs.length === 1) throw errs[0]
       throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
     }
 
-    const insertQuery = INSERT.into(from).entries(data)
+    // query
+    const query = INSERT.into(from).entries(data)
 
-    // we need the cds request, so we can access req._.readAfterWrite
-    const cdsReq = new cds.Request({ query: insertQuery })
+    // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
+    const cdsReq = new cds.Request({ query, params, req, res })
+    Object.defineProperty(cdsReq, 'protocol', { value: 'odata-v4' })
 
     // rewrite event for draft-enabled entities
-    if (query.target._isDraftEnabled) cdsReq.event = 'NEW'
+    if (target._isDraftEnabled) cdsReq.event = 'NEW'
 
+    // REVISIT: only via srv.run in combination with srv.dispatch inside
+    //          we automatically either use a single auto-managed tx for the req (i.e., insert and read after write in same tx)
+    //          or the auto-managed tx opened for the respective atomicity group, if exists
     return srv
-      .dispatch(cdsReq)
-      .then(async result => {
-        if (cdsReq._.readAfterWrite) {
-          // TODO see if in old odata impl for other checks that should happen
-          result = await readAfterWrite(cdsReq, srv, { operation: { result } })
-        }
+      .run(() => {
+        return srv.dispatch(cdsReq).then(result => {
+          handleSapMessages(cdsReq, req, res)
 
-        if (result == null || req._preferReturn === 'minimal') return res.sendStatus(204)
+          if (cdsReq._.readAfterWrite) {
+            return readAfterWrite(cdsReq, srv, { operation: { result } })
+          }
 
-        const location = _calculateLocationHeader(cdsReq.target, srv, result)
-        const info = metaInfo(insertQuery, 'CREATE', srv, result, req)
+          return result
+        })
+      })
+      .then(result => {
+        // we use an extra then block, after getting the result, so the transaction is commited, before sending the response
+        if (result == null) return res.sendStatus(204)
+        const isMinimal = req._preferReturn === 'minimal'
+        postProcess(cdsReq.target, srv, result, isMinimal)
+        if (result['$etag']) res.set('etag', result['$etag'])
+        res.set('location', calculateLocationHeader(cdsReq.target, srv, result))
+        if (isMinimal) return res.sendStatus(204)
+        const info = metaInfo(query, 'CREATE', srv, result, req)
         result = toODataResult(result, info)
-        res.set('location', location).status(201).send(result)
+        res.status(201).set('Content-Type', 'application/json;IEEE754Compatible=true').send(result)
       })
-      .catch(next)
+      .catch(next) // should be outside, so tx can be rolled back in case of errors
   }

package/libx/odata/middleware/delete.js

@@ -1,37 +1,49 @@
 const cds = require('../../../')
 const { UPDATE, DELETE } = cds.ql
 
-const { odataError, getKeysFromPath } = require('../utils')
+const { getKeysAndParamsFromPath, handleSapMessages } = require('../utils')
 
 module.exports = srv =>
   function deleete(req, res, next) {
     if (req._preferReturn) {
-      const message = `The 'return' preference is not allowed in ${req.method} requests`
-      return res.status(400).json({ error: { code: '400', message } })
+      throw Object.assign(new Error(`The 'return' preference is not allowed in ${req.method} requests`), {
+        statusCode: 400
+      })
     }
 
-    const { _query: query } = req
-
+    // REVISIT: better solution for query._propertyAccess
     const {
-      SELECT: { one, from }
-    } = query
+      SELECT: { one, from },
+      target,
+      _propertyAccess
+    } = req._query
 
     if (!one) {
       // REVISIT: don't use "ENTITY.COLLECTION" as that's an okra term
-      return res.status(405).json(odataError('405', `Method DELETE not allowed for ENTITY.COLLECTION`))
+      throw Object.assign(new Error('Method DELETE not allowed for ENTITY.COLLECTION'), { statusCode: 405 })
     }
 
-    // for read and delete, we provide keys in req.data
-    const data = getKeysFromPath(query.SELECT.from, srv)
+    // payload & params
+    const { keys, params } = getKeysAndParamsFromPath(from, srv)
+    const data = keys //> for read and delete, we provide keys in req.data
+    if (_propertyAccess) data[_propertyAccess] = null //> delete of property -> set to null
+
+    // query
+    const query = _propertyAccess ? UPDATE(from).set({ [_propertyAccess]: null }) : DELETE.from(from)
 
-    // REVISIT: better
-    if (query._propertyAccess) data[query._propertyAccess] = null
+    // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
+    const cdsReq = new cds.Request({ query, data, params, req, res })
+    Object.defineProperty(cdsReq, 'protocol', { value: 'odata-v4' })
+
+    // rewrite event for draft-enabled entities
+    if (target._isDraftEnabled && cdsReq.data.IsActiveEntity === false) cdsReq.event = 'CANCEL'
 
-    // REVISIT: maybe also just dispatch a cds request here?
     return srv
-      .run(query._propertyAccess ? UPDATE(from).set({ [query._propertyAccess]: null }) : DELETE.from(from), data)
+      .dispatch(cdsReq)
       .then(result => {
-        if (result === 0) return res.status(404).json({ error: { code: '404', message: 'Not Found' } })
+        handleSapMessages(cdsReq, req, res)
+
+        if (result === 0) throw Object.assign(new Error('Not found'), { statusCode: 404 })
         res.sendStatus(204)
       })
       .catch(next)

package/libx/odata/middleware/error.js

@@ -1,8 +1,9 @@
 const { normalizeError } = require('../../_runtime/common/error/frontend')
 
-module.exports = _srv => (err, req, res, _next) => {
-  const { error, statusCode } = normalizeError(err, req)
+module.exports = _srv =>
+  function error(err, req, res, _next) {
+    const { error, statusCode } = normalizeError(err, req)
 
-  // NOTE: normalizeError already does sanatization -> we can use as is
-  res.status(statusCode).json({ error })
-}
+    // NOTE: normalizeError already does sanatization -> we can use as is
+    res.status(statusCode).json({ error })
+  }

package/libx/odata/middleware/metadata.js

@@ -3,8 +3,6 @@ const LOG = cds.log('odata')
 
 const crypto = require('crypto')
 
-const { odataError } = require('../utils')
-
 const _requestedFormat = (queryOption, header) => {
   if (queryOption) return queryOption.match(/json/i) ? 'json' : 'xml'
   if (header) {
@@ -36,9 +34,9 @@ const normalize_header = value => {
   return value.split(',').map(str => str.trim())
 }
 
-const validate_etag = (ifNoneMatch, etag) => {
-  const ifNoneMatchEtags = normalize_header(ifNoneMatch)
-  return ifNoneMatchEtags.includes(etag) || ifNoneMatchEtags.includes('*')
+const validate_etag = (header, etag) => {
+  const normalized = normalize_header(header)
+  return normalized.includes(etag) || normalized.includes('*') || normalized.includes('"*"')
 }
 
 const generateEtag = s => {
@@ -54,7 +52,7 @@ const mpSupportsEmptyLocale = () => {
 module.exports = srv =>
   async function metadata(req, res, _next) {
     if (req.method !== 'GET')
-      return res.status(405).json(odataError('METHOD_NOT_ALLOWED', `Method ${req.method} not allowed for $metadata.`))
+      throw Object.assign(new Error(`Method ${req.method} not allowed for $metadata.`), { statusCode: 405 })
 
     const tenant = cds.context.tenant
     const locale = cds.context.locale
@@ -66,6 +64,13 @@ module.exports = srv =>
 
     const etag = format === 'json' ? metadataCache.jsonEtag?.[locale] : metadataCache.xmlEtag?.[locale]
 
+    if (req.headers['if-match']) {
+      if (etag) {
+        const valid = validate_etag(req.headers['if-match'], etag)
+        if (!valid) return res.status(412).end()
+      }
+    }
+
     if (req.headers['if-none-match']) {
       if (etag) {
         const unchanged = validate_etag(req.headers['if-none-match'], etag)
@@ -79,14 +84,10 @@ module.exports = srv =>
     const { 'cds.xt.ModelProviderService': mps } = cds.services
     if (mps) {
       if (format === 'json')
-        res
-          .status(400)
-          .json(
-            odataError(
-              'UNSUPPORTED_METADATA_TYPE',
-              'JSON metadata is not supported if cds.requires.extensibilty: true.'
-            )
-          )
+        throw Object.assign(new Error('JSON metadata is not supported if cds.requires.extensibilty: true.'), {
+          statusCode: 400,
+          code: 'UNSUPPORTED_METADATA_TYPE'
+        })
 
       try {
         let edmx
@@ -113,7 +114,7 @@ module.exports = srv =>
           LOG.error(e)
         }
 
-        return res.status(503).json(odataError('SERVICE_UNAVAILABLE', 'Service unavailable'))
+        throw Object.assign(new Error('Service Unavailable'), { statusCode: 503 })
       }
     }