@sap/cds 7.9.2 → 8.0.3

package/libx/rest/middleware/error.js

@@ -1,3 +1,5 @@
+/*
+
 const cds = require('../../_runtime/cds')
 
 // requesting logger without module on purpose!
@@ -36,23 +38,24 @@ const _log = err => {
   if (_details) err.details = _details
 }
 
-// eslint-disable-next-line no-unused-vars
-module.exports = srv => (err, req, res, next) => {
-  // REVISIT: invoking service.on('error') handlers needs a cleanup with new protocol adapters!!!
-  // invoke srv.on('error', function (err, req) { ... }) here in special situations
-  let ctx = cds.context
-  if (!ctx) {
-    // > error before req was dispatched
-    ctx = new cds.Request({ req, res: req.res, user: req.user || new cds.User.default })
-    for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
-  } else if (ctx._tx?._done !== 'rolled back') {
-    for (const each of srv._handlers._error) each.handler.call(srv, err, ctx)
-  }
+*/
+
+const _log = require('../../_runtime/common/error/log')
 
-  // log the error (4xx -> warn)
-  _log(err)
+const { normalizeError } = require('../../_runtime/common/error/frontend')
 
-  const { error, statusCode } = normalizeError(err, req)
+module.exports = () => {
+  return function rest_error(err, req, res, next) {
+    if (err == 401 || err.code == 401) return next(err) // speed up logins, at least temporary until we reviewed and eliminated overhead that may be involved below
+    // REVISIT: keep?
+    // log the error (4xx -> warn)
+    _log(err)
 
-  res.status(statusCode).send({ error })
+    const { error, statusCode } = normalizeError(err, req)
+
+    // NOTE: express also looks for numbers in err.status or err.statusCode
+    error.statusCode = statusCode
+
+    next(error)
+  }
 }

package/libx/rest/middleware/operation.js

@@ -1,11 +1,10 @@
 const cds = require('../../_runtime/cds')
 
-const RestRequest = require('../RestRequest')
-
 const { checkStatic } = require('../../_runtime/cds-services/util/assert')
 const getError = require('../../_runtime/common/error')
 
-const typeCheckers = require('../../common/assert/type')
+// REVISIT: strict or relaxed type checkers?
+const typeCheckers = require('../../common/assert/type-strict')
 
 // REVISIT: use i18n
 const _enrichErrorDetails = (isPrimitive, error) => {
@@ -38,7 +37,6 @@ const _validateReturnType = (operation, data) => {
 
   // .type of action/function behaves different to .type of other csn elements
   // Return type contains primitives
-  // eslint-disable-next-line no-proto
   const _type = typeof returnType._type === 'object' ? returnType.__proto__._type : returnType._type // REVISIT: super dirty hack for compiler's to.edmx polluting the csn definitions with ._type -> please use Symbols instead
   const typeChecker = typeCheckers[_type] // IMPORTANT: use ._type
   if (typeChecker) {
@@ -71,45 +69,54 @@ const _validateReturnType = (operation, data) => {
   return true
 }
 
-// TODO: add headers to return object to avoid passing _res
-module.exports = srv => async (_req, _res) => {
-  const { _query: query, _operation: operation, _data: data, _params } = _req
-
-  let result
-
-  const req = query
-    ? new RestRequest({ query, event: operation.name, data, params: _params })
-    : new RestRequest({ event: operation.name.replace(`${srv.namespace}.`, ''), data, params: _params })
-  result = await srv.dispatch(req)
-
-  if (!operation.returns) return { status: 204 }
-
-  // REVISIT: do not use from old rest adapter
-  // REVISIT: new impl should return instead of throwing to avoid try catch
-  _validateReturnType(operation, result)
-
-  // set content-type header to text/plain for returned primitive data types, except for boolean
-  const returnType = operation.returns._type
-  if (
-    !_res.get('content-type') &&
-    !operation.returns.items &&
-    returnType &&
-    cds.builtin.types[returnType] &&
-    returnType !== 'cds.Boolean'
-  ) {
-    _res.set('content-type', 'text/plain')
-  }
+module.exports = adapter => {
+  const { service } = adapter
 
-  // REVISIT: Still needed with cds-mtxs?
-  // mtx compat, modeled as string but object returned
-  if (operation.returns._type === 'cds.String' && typeof result === 'object') {
-    _res.set('content-type', 'application/json')
-  }
+  return async function operation(req, res) {
+    const { _query: query, _operation: operation, _data: data, _params: params } = req
+
+    let result
+
+    result = await service.dispatch(
+      adapter.request4(
+        Object.assign(
+          query
+            ? { query, event: operation.name }
+            : { event: operation.name.replace(`${service.definition.name}.`, '') },
+          { data, params, req, res }
+        )
+      )
+    )
+
+    if (!operation.returns) return { status: 204 }
+
+    // REVISIT: do not use from old rest adapter
+    // REVISIT: new impl should return instead of throwing to avoid try catch
+    _validateReturnType(operation, result)
+
+    // set content-type header to text/plain for returned primitive data types, except for boolean
+    const returnType = operation.returns._type
+    if (
+      !res.get('content-type') &&
+      !operation.returns.items &&
+      returnType &&
+      cds.builtin.types[returnType] &&
+      returnType !== 'cds.Boolean'
+    ) {
+      res.set('Content-Type', 'text/plain')
+    }
 
-  // REVISIT: still needed?
-  if (!operation.returns.items && Array.isArray(result)) result = result[0]
+    // REVISIT: Still needed with cds-mtxs?
+    // mtx compat, modeled as string but object returned
+    if (operation.returns._type === 'cds.String' && typeof result === 'object') {
+      res.set('Content-Type', 'application/json')
+    }
 
-  if (result === undefined) return { status: 204 }
+    // REVISIT: still needed?
+    if (!operation.returns.items && Array.isArray(result)) result = result[0]
 
-  return { result }
+    if (result === undefined) return { status: 204 }
+
+    return { result }
+  }
 }

package/libx/rest/middleware/parse.js

@@ -1,13 +1,13 @@
 const cds = require('../../_runtime/cds')
 const { INSERT, SELECT, UPDATE, DELETE } = cds.ql
 
+const { getKeysAndParamsFromPath } = require('../../common/utils')
+
 const { base64ToBuffer } = require('../../_runtime/common/utils/binary')
-const { deepCopy } = require('../../_runtime/common/utils/copy')
-const { where2obj } = require('../../_runtime/common/utils/cqn')
 const { convertStructured } = require('../../_runtime/common/utils/ucsn')
-
 const getTemplate = require('../../_runtime/common/utils/template')
 const templateProcessor = require('../../_runtime/common/utils/templateProcessor')
+
 const { checkStaticElementByKey } = require('../../_runtime/cds-services/util/assert')
 
 const _processorFn = errors => {
@@ -30,140 +30,142 @@ const _picker = element => {
 
 const _cache = req => `rest-input;skip-key-validation:${req.method !== 'POST'}`
 
-module.exports = srv => (req, res, next) => {
-  // REVISIT: Once we don't display the error message location in terms of an offset, but instead a copy of the
-  // original request including a marker, we don't need to provide the baseUrl here.
-  let query = cds.odata.parse(req.url, { service: srv, baseUrl: req.baseUrl })
-
-  // parser always produces selects
-  const _target = (req._target = query.SELECT && query.SELECT.from)
-  if (!_target) return next()
-
-  // REVISIT: __target is the csn target definition
-  let {
-    __target: definition,
-    SELECT: { one }
-  } = query
-  if (typeof definition === 'string') {
-    definition =
-      srv.model.definitions[definition] ||
-      srv.model.definitions[definition.split(':$:')[0]].actions[definition.split(':$:')[1]]
-  }
-  delete query.__target
-
-  // REVISIT: hack for actions and functions
-  let operation, args
-  const last = _target.ref[_target.ref.length - 1]
-  if (last.operation) {
-    operation = last.operation
-    if (last.args) args = last.args
-    _target.ref.pop()
-  }
+module.exports = adapter => {
+  const { service } = adapter
 
-  const unbound = _target.ref.length === 0
-
-  // query based on method
-  switch (req.method) {
-    case 'HEAD':
-    case 'GET':
-      if (operation) {
-        req._operation = operation = definition
-        if (operation.kind === 'action') cds.error('Action must be called by POST', { code: 400 })
-        if (!unbound) query = one ? SELECT.one(_target) : SELECT.from(_target)
-        else query = undefined
-      } else {
-        // read (nothing to do)
-      }
-      break
-    case 'POST':
-      if (operation) {
-        req._operation = operation = definition
-        if (operation.kind === 'function') cds.error('Function must be called by GET', { code: 400 })
-        if (!unbound) query = one ? SELECT.one(_target) : SELECT.from(_target)
-        else query = undefined
-      } else {
-        // create
-        if (one) cds.error('POST not allowed on entity', { code: 400 })
-        query = INSERT.into(_target)
-      }
-      break
-    case 'PUT':
-    case 'PATCH':
-      if (operation) {
-        let errorMsg
-        if (definition) {
-          errorMsg = `${definition.kind.charAt(0).toUpperCase() + definition.kind.slice(1)} must be called by ${
-            definition.kind === 'action' ? 'POST' : 'GET'
-          }`
+  return function parse(req, res, next) {
+    // REVISIT: Once we don't display the error message location in terms of an offset, but instead a copy of the
+    // original request including a marker, we don't need to provide the baseUrl here.
+    let query = cds.odata.parse(req.url, { service, baseUrl: req.baseUrl, protocol: 'rest' })
+
+    // parser always produces selects
+    const _target = (req._target = query.SELECT && query.SELECT.from)
+    if (!_target) return next()
+
+    // REVISIT: __target is the csn target definition
+    let {
+      __target: definition,
+      SELECT: { from, one }
+    } = query
+    if (typeof definition === 'string') {
+      definition =
+        service.model.definitions[definition] ||
+        service.model.definitions[definition.split(':$:')[0]].actions[definition.split(':$:')[1]]
+    }
+    delete query.__target
+
+    // req.__proto__.method is set in case of upsert
+    const isUpsert = req.__proto__.method in { PUT: 1, PATCH: 1 }
+
+    // REVISIT: hack for actions and functions
+    let operation, args
+    const last = _target.ref[_target.ref.length - 1]
+    if (last.operation) {
+      operation = last.operation
+      if (last.args) args = last.args
+      _target.ref.pop()
+    }
+
+    const unbound = _target.ref.length === 0
+
+    // query based on method
+    switch (req.method) {
+      case 'HEAD':
+      case 'GET':
+        if (operation) {
+          req._operation = operation = definition
+          if (operation.kind === 'action') cds.error('Action must be called by POST', { code: 400 })
+          if (!unbound) query = one ? SELECT.one(_target) : SELECT.from(_target)
+          else query = undefined
         } else {
-          errorMsg = `That action/function must be called by POST/GET`
+          // read (nothing to do)
         }
-        cds.error(errorMsg, { code: 400 })
-      }
-      if (!one) throw { statusCode: 400, code: '400', message: `INVALID_${req.method}` }
-      query = UPDATE(_target)
-      break
-    case 'DELETE':
-      if (operation) {
-        let errorMsg
-        if (definition) {
-          errorMsg = `${definition.kind.charAt(0).toUpperCase() + definition.kind.slice(1)} must be called by ${
-            definition.kind === 'action' ? 'POST' : 'GET'
-          }`
+        break
+      case 'POST':
+        if (operation) {
+          req._operation = operation = definition
+          if (operation.kind === 'function') cds.error('Function must be called by GET', { code: 400 })
+          if (!unbound) query = one ? SELECT.one(_target) : SELECT.from(_target)
+          else query = undefined
         } else {
-          errorMsg = `That action/function must be called by POST/GET`
+          // create
+          if (one && !isUpsert) cds.error('POST not allowed on entity', { code: 400 })
+          query = INSERT.into(_target)
         }
-        cds.error(errorMsg, { code: 400 })
-      }
-      if (!one) cds.error('DELETE not allowed on collection', { code: 400 })
-      query = DELETE.from(_target)
-      break
-    default:
-    // anything to do?
-  }
-  req._query = query // REVISIT: req._query should not be a standard API
-  if (query && definition) req._query.__target = definition.name
-
-  // REVISIT: query._data hack
-  if ((query && (query.INSERT || query.UPDATE || query.DELETE)) || (operation && operation.kind === 'action') || args) {
-    if (operation && (operation.kind === 'action' || operation.kind === 'function') && !operation.params) {
-      req._data = {}
-    } else {
-      // TODO: add keys from url into payload (overwriting if already present) -> document this behavior, also for OData
-      const payload = deepCopy(args || req.body)
-      let errs
-      if (cds.env.features.cds_assert) {
-        const assertOptions = {
-          filter: true,
-          http: { req },
-          mandatories: req.method === 'POST' || req.method === 'PUT' || undefined
+        break
+      case 'PUT':
+      case 'PATCH':
+        if (operation) {
+          let errorMsg
+          if (definition) {
+            errorMsg = `${definition.kind.charAt(0).toUpperCase() + definition.kind.slice(1)} must be called by ${
+              definition.kind === 'action' ? 'POST' : 'GET'
+            }`
+          } else {
+            errorMsg = `That action/function must be called by POST/GET`
+          }
+          cds.error(errorMsg, { code: 400 })
+        }
+        if (!one) throw { statusCode: 400, code: '400', message: `INVALID_${req.method}` }
+        query = UPDATE(_target)
+        break
+      case 'DELETE':
+        if (operation) {
+          let errorMsg
+          if (definition) {
+            errorMsg = `${definition.kind.charAt(0).toUpperCase() + definition.kind.slice(1)} must be called by ${
+              definition.kind === 'action' ? 'POST' : 'GET'
+            }`
+          } else {
+            errorMsg = `That action/function must be called by POST/GET`
+          }
+          cds.error(errorMsg, { code: 400 })
         }
-        errs = cds.assert(payload, definition, assertOptions)
+        if (!one) cds.error('DELETE not allowed on collection', { code: 400 })
+        query = DELETE.from(_target)
+        break
+      default:
+      // anything to do?
+    }
+    req._query = query // REVISIT: req._query should not be a standard API
+    if (query && definition) req._query.__target = definition.name
+
+    const { keys, params } = getKeysAndParamsFromPath(from, service)
+    req._data = keys
+    if (params) req._params = params
+
+    // REVISIT: query._data hack
+    if (
+      (query && (query.INSERT || query.UPDATE || query.DELETE)) ||
+      (operation && operation.kind === 'action') ||
+      args
+    ) {
+      if (operation && (operation.kind === 'action' || operation.kind === 'function') && !operation.params) {
+        req._data = {}
       } else {
-        convertStructured(srv, operation || definition, payload, { cleanupStruct: cds.env.features.rest_struct_data })
-        const template = getTemplate(_cache(req), srv, definition, { pick: _picker })
-        if (template && template.elements.size) {
-          errs = []
-          for (const row of Array.isArray(payload) ? payload : [payload]) {
-            templateProcessor({ processFn: _processorFn(errs), row, template })
+        const payload = args || req.body
+        if (!operation) Object.assign(payload, keys)
+        if (!cds.env.features.cds_validate) {
+          const errs = []
+          convertStructured(service, operation || definition, payload, {
+            cleanupStruct: cds.env.features.rest_struct_data
+          })
+          const template = getTemplate(_cache(req), service, definition, { pick: _picker })
+          if (template && template.elements.size) {
+            for (const row of Array.isArray(payload) ? payload : [payload]) {
+              templateProcessor({ processFn: _processorFn(errs), row, template })
+            }
+          }
+          if (errs.length) {
+            if (errs.length === 1) throw errs[0]
+            throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
           }
         }
+        base64ToBuffer(payload, service, definition)
+        req._data = payload
       }
-      if (errs?.length) {
-        if (errs.length === 1) throw errs[0]
-        throw Object.assign(new Error('MULTIPLE_ERRORS'), { statusCode: 400, details: errs })
-      }
-      base64ToBuffer(payload, srv, definition)
-      req._data = payload
     }
-  }
 
-  // REVISIT: req.params as documented
-  for (let i = 0; i < _target.ref.length; i++) {
-    req._params = req._params || []
-    if (_target.ref[i].where) req._params.push(where2obj(_target.ref[i].where))
-    else if (_target.ref.length !== 1) req._params.push({})
+    next()
   }
-
-  next()
 }

package/libx/rest/middleware/read.js

@@ -1,35 +1,28 @@
-const RestRequest = require('../RestRequest')
+module.exports = adapter => {
+  const { service } = adapter
 
-module.exports = srv => async _req => {
-  const { _query: query, _target, _params } = _req
+  return async function read(req, res) {
+    const { _query: query, _target: target, _data: data, _params: params } = req
 
-  let result,
-    status = 200
+    let result,
+      status = 200
 
-  const req = new RestRequest({ query, _target, params: _params, _req })
+    result = await service.dispatch(adapter.request4({ query, data, params, req, res }))
 
-  // req.data is filled with keys during read and delete
-  if (_params) req.data = _params[_params.length - 1]
-
-  result = await srv.dispatch(req)
-
-  // 204 or 404?
-  if (result == null && query.SELECT.one) {
-    if (_target.ref.length > 1) status = 204
-    else throw { code: 404 }
-  }
+    // 204 or 404?
+    if (result == null && query.SELECT.one) {
+      if (target.ref.length > 1) status = 204
+      else throw { code: 404 }
+    }
 
-  // REVISIT: Still needed with cds-mtxs?
-  // compat for mtx returning strings instead of objects
-  if (typeof result === 'object' && result !== null && '$count' in result) {
-    result = {
-      count: result.$count,
-      value: result
+    // REVISIT: Still needed with cds-mtxs?
+    // compat for mtx returning strings instead of objects
+    if (typeof result === 'object' && result !== null && '$count' in result) {
+      result = { count: result.$count, value: result }
+    } else if (typeof result === 'number') {
+      result = result.toString()
     }
-  } else if (typeof result === 'number') {
-    // TODO check if this is needed
-    result = result.toString()
-  }
 
-  return { result, status }
+    return { result, status }
+  }
 }

package/libx/rest/middleware/update.js

@@ -1,40 +1,35 @@
 const cds = require('../../_runtime/cds')
-const { INSERT } = cds.ql
-
-const RestRequest = require('../RestRequest')
 
 const UPSERT_ALLOWED = !(cds.env.runtime && cds.env.runtime.allow_upsert === false)
 
-const { deepCopyObject } = require('../../_runtime/common/utils/copy')
-
-module.exports = srv => async _req => {
-  let { _query: query, _target, _data, _params } = _req
-
-  let result,
-    status = 200
+module.exports = adapter => {
+  const { router, service } = adapter
+
+  return async function update(req, res, next) {
+    let { _query: query, _data: data, _params: params } = req
+
+    let result,
+      status = 200
+
+    // if upsert it allowed, we need to catch 404 and retry with create
+    try {
+      query.data(data)
+      // REVISIT: if PUT, req.method should be PUT -> Crud2Http maps UPSERT to PUT
+      result = await service.dispatch(adapter.request4({ query, method: req.method, params, req, res }))
+    } catch (e) {
+      const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
+      const isForcedInsert =
+        (e.code === 412 || e.status === 412 || e.statusCode === 412) && req.headers['if-none-match'] === '*'
+      if ((is404 || isForcedInsert) && UPSERT_ALLOWED) {
+        // -> redirect to POST
+        const _body = JSON.parse(req._raw)
+        const _req = Object.assign(Object.create(req), { method: 'POST', body: _body })
+        return router.handle(_req, res, next)
+      }
 
-  // if upsert it allowed, we need to catch 404 and retry with create
-  try {
-    // add the data (as copy, if upsert allowed)
-    query.data(UPSERT_ALLOWED ? deepCopyObject(_data) : _data)
-
-    // REVISIT: if PUT, req.method should be PUT -> Crud2Http maps UPSERT to PUT
-    result = await srv.dispatch(new RestRequest({ query, _target, method: _req.method, params: _params }))
-    if (_params && result) Object.assign(result, _params[_params.length - 1])
-  } catch (e) {
-    const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
-    const isForcedInsert =
-      (e.code === 412 || e.status === 412 || e.statusCode === 412) && _req.headers['if-none-match'] === '*'
-    if ((is404 || isForcedInsert) && UPSERT_ALLOWED) {
-      query = INSERT.into(query.UPDATE.entity).entries(
-        _params ? Object.assign(_data, _params[_params.length - 1]) : _data
-      )
-      result = await srv.dispatch(new RestRequest({ query, _target, params: _params }))
-      status = 201
-    } else {
       throw e
     }
-  }
 
-  return { result, status }
+    return { result, status }
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "7.9.2",
+  "version": "8.0.3",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [
@@ -9,38 +9,42 @@
   ],
   "author": "SAP SE (https://www.sap.com)",
   "license": "SEE LICENSE IN LICENSE",
-  "typings": "apis/cds.d.ts",
   "main": "lib/index.js",
   "bin": {
     "cds-deploy": "lib/dbs/cds-deploy.js",
-    "cds-serve": "bin/cds-serve.js"
+    "cds-serve": "bin/serve.js",
+    "cds-test": "bin/test.js",
+    "chest": "bin/test.js"
   },
   "files": [
+    "_i18n/",
     "apis/",
     "app/",
     "bin/",
     "lib/",
     "libx/",
-    "tasks/",
     "srv/",
-    "_i18n/",
+    "tasks/",
     "server.js",
     "common.cds",
+    "eslint.config.mjs",
     "CHANGELOG.md",
     "LICENSE"
   ],
   "engines": {
-    "node": ">=16"
+    "node": ">=18"
   },
   "dependencies": {
-    "@cap-js/cds-types": "<1",
-    "@sap/cds-compiler": "^4",
+    "@sap/cds-compiler": ">=5",
     "@sap/cds-fiori": "^1",
     "@sap/cds-foss": "^5.0.0"
   },
-  "cds": {
-    "plugins": [
-      "@sap/cds-fiori"
-    ]
+  "peerDependencies": {
+    "express": ">=4"
+  },
+  "peerDependenciesMeta": {
+    "express": {
+      "optional": true
+    }
   }
 }

package/server.js

@@ -1,4 +1,4 @@
-const express = require('express')// eslint-disable-line cds/no-missing-dependencies
+const express = require('express')
 const cds = require('./lib')
 
 /**
@@ -62,6 +62,7 @@ const defaults = {
     return cds.utils.isdir (cds.env.folders.app)
   },
   get index() {
+    if (!cds.env.server.index)  return undefined
     const index = require ('./app/index.js')
     return (_,res) => res.send (index.html)
   },
@@ -70,7 +71,8 @@ const defaults = {
     return express.static (favicon, {maxAge:'14d'})
   },
   get cors() {
-    return process.env.NODE_ENV === 'production' ? null : (req, res, next) => {
+    if (!cds.env.server.cors)  return undefined
+    return function cds_cors (req, res, next) {
       const { origin } = req.headers
       if (origin) {
         res.set('access-control-allow-origin', origin)