@sap/cds 7.9.1 → 7.9.3

package/CHANGELOG.md

@@ -4,12 +4,34 @@
 - The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](http://semver.org/).
 
+
+## Version 7.9.3 - 2024-06-27
+
+### Fixed
+
+- `cds compile --to serviceinfo` returns the correct URL path for Java applications.
+- Prevent HANA deadlocks when processing outbox table
+- Invalid cache for `SiblingEntity` requests
+- `cds.test` recommends version 7 of `chai-as-promised`.  Version 8 is ESM-only and does not work with `cds.test` at the moment.
+- Loading of `cds.plugins` now respects the (internal!) property `cds.env.plugins` again.
+- `req.data` and `req.INSERT.entries` were not pointing to same object if it contains more than one entry.
+
+## Version 7.9.2 - 2024-05-22
+
+### Fixed
+
+- Server crash in case of certain errors in Cloud SDK
+- Bug in restriction of entities modeled as composition of aspects
+- `$search`: resolve an exception accessing `req.query.elements`
+- Ignore flattened associations in projection on remote entities
+- Falsy keys in `cds.ql` were ignored in usage like `SELECT.from(Books, 0)`
+
 ## Version 7.9.1 - 2024-05-13
 
 ### Fixed
 
 - `cds.compile.to.sql` doesn't fail for older compiler versions if `postgres` keywords aren't defined
-- `cds compile --to serviceinfo` no longer detects a Java project if there is a poml.xml file in a subfolder of `app/`
+- `cds compile --to serviceinfo` no longer detects a Java project if there is a pom.xml file in a subfolder of `app/`
 - `acquireTimeoutMillis` is ensured if custom pool config is provided
 
 ## Version 7.9.0 - 2024-04-30

package/lib/auth/ias-auth.js

@@ -3,7 +3,14 @@ const LOG = cds.log('auth')
 
 // _require for better error message
 const _require = require('../../libx/_runtime/common/utils/require')
-const xssec = _require('@sap/xssec')
+
+let xssec = _require('@sap/xssec')
+let xssec4 = false
+// use v3 compat api
+if (xssec.v3) {
+  xssec = xssec.v3
+  xssec4 = true
+}
 
 // getter function extracted to show deprecation warning only once
 const _getTokenInfo = tokenInfo => tokenInfo
@@ -46,6 +53,13 @@ module.exports = function ias_auth(config) {
 
   return (req, _, next) => {
     const token = req.headers.authorization?.split(/^bearer /i)[1]
+
+    if (!token && xssec4) {
+      LOG._debug && LOG.debug('No authorization header provided, continuing with default user.')
+      req.user = new cds.User.default()
+      return next()
+    }
+
     xssec.createSecurityContext(token, credentials, 'IAS', function (err, securityContext, tokenInfo) {
       // REVISIT: ias impl not as sophisticated as xsuaa impl, so we need to be more tolerant here -> xssec issue 221
       // if (err && !tokenInfo) {

package/lib/auth/jwt-auth.js

@@ -3,7 +3,14 @@ const LOG = cds.log('auth')
 
 // _require for better error message
 const _require = require('../../libx/_runtime/common/utils/require')
-const xssec = _require('@sap/xssec')
+
+let xssec = _require('@sap/xssec')
+let xssec4 = false
+// use v3 compat api
+if (xssec.v3) {
+  xssec = xssec.v3
+  xssec4 = true
+}
 
 // getter function extracted to show deprecation warning only once
 const _getTokenInfo = tokenInfo => tokenInfo
@@ -13,7 +20,7 @@ module.exports = function jwt_auth(config) {
 
   if (!credentials) {
     let msg = `Authentication kind "${kind}" configured, but no XSUAA instance bound to application.`
-    msg += ' Either bind an IAS instance, or switch to an authentication kind that does not require a binding.'
+    msg += ' Either bind an XSUAA instance, or switch to an authentication kind that does not require a binding.'
     throw new Error(msg)
   }
 
@@ -48,6 +55,13 @@ module.exports = function jwt_auth(config) {
 
   return (req, _, next) => {
     const token = req.headers.authorization?.split(/^bearer /i)[1]
+
+    if (!token && xssec4) {
+      LOG._debug && LOG.debug('No authorization header provided, continuing with default user.')
+      req.user = new cds.User.default()
+      return next()
+    }
+
     xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
       if (err && !tokenInfo) {
         // here, there is a general problem, .e.g., bad credentials -> throw the error

package/lib/compile/to/srvinfo.js

@@ -90,7 +90,7 @@ module.exports = (model, options={}) => {
     const javaPrefixDefault = 'odata/v4/'
     const roots = [ cds.env.folders.db, cds.env.folders.srv ].map(d => join(root, d))
     for (let r of roots) {
-      const file = isfile (join (r,'../src/main/resources/application.yaml'))
+      const file = isfile (join (r,'./src/main/resources/application.yaml'))
       if (file) {
         const yaml = cds.load.yaml(file)
         for (let yamlDoc of Array.isArray(yaml) ? yaml : [yaml]) {

package/lib/env/cds-requires.js

@@ -142,6 +142,7 @@ const _databases = {
   },
 
   "hana": {
+    '[legacy-hana]': { impl: `${_runtime}/hana/Service.js` },
     '[better-hana]': { impl: '@cap-js/hana' },
     impl: `${_runtime}/hana/Service.js`,
   },

package/lib/plugins.js

@@ -30,7 +30,7 @@ exports.fetch = function (DEV = process.env.NODE_ENV !== 'production') {
 exports.activate = async function () {
   const DEBUG = cds.debug ('plugins', {label:'cds'})
   DEBUG && console.time ('[cds] - loaded plugins in')
-  const plugins = exports.fetch(), { local } = cds.utils
+  const { plugins } = cds.env, { local } = cds.utils
   await Promise.all (Object.entries(plugins) .map (async ([ plugin, conf ]) => {
     DEBUG?.(`loading plugin ${plugin}:`, { impl: local(conf.impl) })
     // TODO: support ESM plugins. But see cap/cds/pull/1838#issuecomment-1177200 !

package/lib/ql/DELETE.js

@@ -10,7 +10,7 @@ module.exports = class Query extends Whereable {
 
   from(entity, key) {
     this.DELETE.from = this._target4 (...arguments) // supporting tts
-    if (key) this.byKey(key)
+    if (key !== undefined) this.byKey(key)
     return this
   }
 

package/lib/ql/SELECT.js

@@ -76,7 +76,7 @@ module.exports = class Query extends Whereable {
 
   from (target, second, third) {
     this.SELECT.from = target === '*' || this._target_ref4 (...arguments)
-    if (!target.raw && second) {
+    if (!target.raw && second !== undefined) {
       if (third) {
         this.byKey(second)
         this.columns(third)

package/lib/ql/UPDATE.js

@@ -11,7 +11,7 @@ module.exports = class Query extends Whereable {
 
   entity (e, key) {
     this.UPDATE.entity = this._target4 (...arguments) // supporting tts
-    if (key) this.byKey(key)
+    if (key !== undefined) this.byKey(key)
     return this
   }
 

package/lib/ql/Whereable.js

@@ -41,7 +41,7 @@ class Query extends require('./Query') {
   }
 
   byKey(key) {
-    if (typeof key !== 'object') key = { [Object.keys(this._target.keys||{ID:1})[0]]: key }
+    if (typeof key !== 'object' || key === null) key = { [Object.keys(this._target.keys||{ID:1})[0]]: key }
     if (this.SELECT) this.SELECT.one = true
     if (cds.env.features.keys_into_where) return this.where(key)
     if (this.UPDATE) { this.UPDATE.entity = { ref: [{ id: cds.env.ql.quirks_mode ? this.UPDATE.entity : this.UPDATE.entity.ref.at(-1), where: predicate4([key]) }] }; return this }

package/lib/utils/cds-test.js

@@ -170,7 +170,7 @@ class Test extends require('./axios') {
     function require (mod) { try { return module.require(mod) } catch(e) {
       if (e.code === 'MODULE_NOT_FOUND') throw new Error (`
       Failed to load required package '${mod}'. Please add it thru:
-      npm add -D chai@4 chai-as-promised chai-subset
+      npm add -D chai@4 chai-as-promised@7 chai-subset
     `)}}
   }
   get assert() { return this.chai.assert }

package/libx/_runtime/cds-services/adapter/odata-v4/okra/odata-commons/edm/AbstractEdmStructuredType.js

@@ -194,7 +194,7 @@ class AbstractEdmStructuredType extends EdmType {
     if (!this._navigationProperties) {
       this._navigationProperties = new Map(this.getBaseType() ? this.getBaseType().getNavigationProperties() : [])
       for (const [name, property] of this.getOwnNavigationProperties()) {
-        if (ignoreSibling && name === 'SiblingEntity') continue;
+        if (!cds.env.fiori.lean_draft && ignoreSibling && name === 'SiblingEntity') continue; // This will cause subtle caching bugs but will enable expand=* in old draft
         this._navigationProperties.set(name, property)
       }
     }

package/libx/_runtime/common/generic/auth/index.js

@@ -9,6 +9,54 @@ const restrictHandler = require('./restrict')
 const restrictExpandHandler = require('./expand')
 
 module.exports = cds.service.impl(function authorization() {
+  // REVISIT: general approach to dependent auth:
+  //          add restrictions to auth-dependent entities as if modeled to allow static access during request processing
+  // // TODO: where to do?
+  // // add restrictions to auth-dependent entities
+  // const defs = this.model.definitions
+  // const deps = []
+  // for (const each of this.entities) {
+  //   for (const k in each.compositions) {
+  //     const c = each.compositions[k]
+  //     const ct = defs[c.target]
+  //     if (defs[ct?.elements.up_?.target] === each && !ct['@requires'] && !ct['@restrict']) {
+  //       deps.push(c.target)
+  //     }
+  //   }
+  // }
+  // for (const each of deps) {
+  //   const e = defs[each]
+  //   let rstr
+  //   let cur = defs[e.elements.up_.target]
+  //   while (cur && !rstr) {
+  //     rstr = cur['@requires'] || cur['@restrict']
+  //     cur = defs[cur.elements.up_?.target]
+  //   }
+  //   if (rstr) {
+  //     // TODO: normalize restriction to @restrict syntax
+  //     // TODO: add rewrite paths in instance-based auth
+  //     e['@restrict'] = rstr
+  //   }
+  // }
+
+  // mark entities that depend on ancestor for auth with that ancestor
+  const defs = this.model.definitions
+  for (const each of this.entities) {
+    for (const k in each.compositions) {
+      const c = each.compositions[k]
+      const ct = defs[c.target]
+      if (defs[ct?.elements.up_?.target] === each && !ct['@requires'] && !ct['@restrict']) {
+        let rstr
+        let cur = defs[ct.elements.up_.target]
+        while (!rstr && cur) {
+          if (cur['@requires'] || cur['@restrict']) rstr = cur
+          cur = defs[cur.elements.up_?.target]
+        }
+        if (rstr) Object.defineProperty(ct, '_auth_depends_on', { value: rstr })
+      }
+    }
+  }
+
   /*
    * @requires
    */

package/libx/_runtime/common/generic/auth/utils.js

@@ -140,9 +140,10 @@ const resolveUserAttrs = (restrict, req) => {
   return restrict
 }
 
-const _authDependsOnParent = (entity, annotations) => {
+const _authDependsOnAncestor = (entity, annotations) => {
   // @cds.autoexposed and not @cds.autoexpose -> not explicitly exposed by modeling
   return (
+    entity._auth_depends_on ||
     entity.name.match(/\.DraftAdministrativeData$/) ||
     (entity['@cds.autoexposed'] && !entity['@cds.autoexpose'] && !annotations.some(a => a in entity))
   )
@@ -159,7 +160,10 @@ const cqnFrom = req => {
 
 const getAuthRelevantEntity = (req, model, annotations) => {
   if (!req.target || !(req.event in CRUD_EVENTS)) return
-  if (!_authDependsOnParent(req.target, annotations)) return req.target
+
+  const it = _authDependsOnAncestor(req.target, annotations)
+  if (!it) return req.target
+  if (it?.kind === 'entity' && req.subject.ref?.length === 1) return it
 
   let cqn = cqnFrom(req)
 
@@ -188,7 +192,7 @@ const getAuthRelevantEntity = (req, model, annotations) => {
   let authRelevantEntity
   for (let i = segments.length - 1; i >= 0; i--) {
     const segment = segments[i]
-    if (segment.kind === 'entity' && !_authDependsOnParent(segment, annotations)) {
+    if (segment.kind === 'entity' && !_authDependsOnAncestor(segment, annotations)) {
       authRelevantEntity = segment
       break
     }

package/libx/_runtime/common/utils/resolveView.js

@@ -33,6 +33,9 @@ const _inverseTransition = transition => {
 
       const ref0 = value.ref[0]
       if (value.ref.length > 1) {
+        // ignore flattened columns like author.name
+        if (transition.target.elements[ref0].isAssociation) continue
+
         const nested = inverseTransition.mapping.get(ref0) || {}
         if (!nested.transition) nested.transition = { mapping: new Map() }
         let current = nested.transition.mapping

package/libx/_runtime/db/generic/rewrite.js

@@ -2,20 +2,44 @@ const cds = require('../../cds')
 const { cqn2cqn4sql } = require('../../common/utils/cqn2cqn4sql')
 const { generateAliases } = require('../utils/generateAliases')
 
+/**
+ * Restores the link of `req.data` and `req.query` in case `req.query` was overwritten.
+ * Only applicable for `UPDATE`s and `INSERT`s.
+ *
+ * @param { import('@sap/cds').Request } req
+ */
 const _restoreLink = req => {
   if (req.query.INSERT?.entries) {
-    return (req.data = Array.isArray(req.query.INSERT.entries) ? req.query.INSERT.entries[0] : req.query.INSERT.entries)
+    if (Array.isArray(req.query.INSERT.entries)) req.data = req.query.INSERT.entries[0]
+    else req.data = req.query.INSERT.entries
+  } else if (req.query.UPDATE?.data) {
+    req.data = req.query.UPDATE.data
   }
+}
+
+const _isLinked = req => {
+  if (req.query.INSERT?.entries) {
+    if (Array.isArray(req.query.INSERT.entries)) return req.data === req.query.INSERT.entries[0]
+    return req.data === req.query.INSERT.entries
+  }
+
   if (req.query.UPDATE?.data) {
-    return (req.data = req.query.UPDATE.data)
+    return req.data === req.query.UPDATE.data
   }
+
+  return false
 }
 
 function handler(req) {
   if (typeof req.query === 'string') return
 
-  // invoke req.subject before it gets modified
+  // invoke req.subject and req.query.elements before it gets modified
   req.subject
+  try {
+    req.query.elements
+  } catch {
+    // ignore potential errors (no x4 support in req.query.elements)
+  }
 
   if (!this.model) {
     // best-effort rewrite of path in from
@@ -25,14 +49,17 @@ function handler(req) {
 
   const _streaming = cds.env.features.stream_compat && req.query._streaming
 
+  // for restore link to req.data
+  const linked = _isLinked(req)
+
   // convert to sql cqn
   req.query = cqn2cqn4sql(req.query, this.model, { service: this })
 
+  // REVISIT: should not be necessary
   // restore link to req.data
-  _restoreLink(req)
+  if (linked) _restoreLink(req)
 
   if (_streaming) req.query._streaming = _streaming
-
   generateAliases(req.query)
 }
 

package/libx/_runtime/db/utils/generateAliases.js

@@ -132,7 +132,7 @@ const _addAliasToElement = (expr, alias) => {
     return { ...expr, args }
   }
 
-  if (expr.SELECT && expr.SELECT.where) {
+  if (expr?.SELECT?.where) {
     // special case in lambda functions
     _addParentAlias(expr.SELECT.where, alias)
   }

package/libx/_runtime/remote/utils/client.js

@@ -205,8 +205,10 @@ const _getSanitizedError = (e, reqOptions, options = { suppressRemoteResponseBod
   }
 
   // AxiosError's toJSON() method doesn't include the request and response objects
-  e.toJSON = function () {
-    return { ...this.__proto__.toJSON(), request: this.request, response: this.response }
+  if (e.__proto__.toJSON) {
+    e.toJSON = function () {
+      return { ...this.__proto__.toJSON(), request: this.request, response: this.response }
+    }
   }
 
   return e

package/libx/outbox/index.js

@@ -61,7 +61,7 @@ const processMessages = async (service, tenant, _opts = {}) => {
       try {
         const messagesQuery = SELECT.from(messagesEntity)
           .where({ target: name })
-          .orderBy('timestamp')
+          .orderBy(['timestamp', 'ID'])
           .limit(opts.chunkSize)
           .forUpdate()
         if (opts.maxAttempts) messagesQuery.where({ attempts: { '<': opts.maxAttempts } })

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "7.9.1",
+  "version": "7.9.3",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [
@@ -37,10 +37,5 @@
     "@sap/cds-compiler": "^4",
     "@sap/cds-fiori": "^1",
     "@sap/cds-foss": "^5.0.0"
-  },
-  "cds": {
-    "plugins": [
-      "@sap/cds-fiori"
-    ]
   }
 }