@sap/cds 7.9.3 → 8.0.3

package/lib/req/user.js

@@ -1,12 +1,23 @@
+/**
+ * Users factory function which can be used as follows:
+ * - `User(<string>)` - returns a new user instance with the given string as id
+ * - `User(<object>)` - returns a new user instance with the given properties
+ * - `User(<none>)`   - returns the default user if the argument is undefined
+ * - `User(<user>)`   - returns the given user if it's an instance of `User`
+ * - `new User(...)`  - always constructs a new instance of User
+ */
+module.exports = exports = function (u) {
+  return new.target ? new User(u) :
+    u === undefined ? exports.default :
+    u instanceof User ? u :
+    new User(u)
+}
+
+/** Class representing users */
 class User {
 
   constructor (_) {
-    if (_ === undefined) {
-      if (new.target === Privileged) return
-      if (new.target === Anonymous) return
-      else return new User.default
-    }
-    else if (typeof _ === 'string') this.id = _
+    if (typeof _ === 'string') this.id = _
     else Object.assign(this,_)
   }
 
@@ -15,50 +26,51 @@ class User {
 
   get roles() { return super.roles = {} }
   set roles(r) {
-    super.roles = Array.isArray(r) ? r.reduce((p, n) => { p[n]=1; return p }, {}) : r
+    super.roles = Array.isArray(r) ? r.reduce((p,n) => (p[n]=1, p), {}) : r
   }
 
+  has (role) { return this.is(role) }
   is (role) {
     return (
       role === 'authenticated-user' ||
       role === 'identified-user' ||
       role === 'any' ||
-      !!this.roles[role]
+      role in this.roles // REVISIT: This may break something, did in the past, but we don't know anymore. we should know.
     )
   }
   valueOf() { return this.id }
-
-  // compatibility
-  get _roles(){ return this.roles }
-  set _roles(r){ this.roles = r }
 }
 
-/**
- * Subclass representing non-identified unauthenticated users.
- */
-class Anonymous extends User { is(role) { return role === 'any' }}
-Object.defineProperties (Anonymous.prototype, {
-  id: {value:'anonymous',writable:true},
-  roles: {value:{}},
-  attr: {value:{}},
-  _is_anonymous: {value:true},
+
+/** Subclass representing unauthenticated users. */
+class Anonymous extends User {}
+Object.assign (Anonymous.prototype, {
+  is: role => role === 'any',
+  _is_anonymous: true,
+  id: 'anonymous',
+  roles: {},
+  attr: {},
 })
+exports.anonymous = exports.default = Object.seal (new Anonymous)
+exports.Anonymous = Anonymous
 
-/**
- * Subclass for executing code with superuser privileges.
- */
-class Privileged extends User { is(){ return true }}
-Object.defineProperties (Privileged.prototype, {
-  id: {value:'privileged',writable:true},
-  roles: {value:{},writable:true},
-  attr: {value:{},writable:true},
-  _is_privileged: {value:true},
+
+/** Subclass for executing code with superuser privileges. */
+class Privileged extends User {}
+Object.assign (Privileged.prototype, {
+  is: () => true,
+  _is_privileged: true,
+  id: 'privileged',
+  roles: {},
+  attr: {},
 })
+exports.privileged = Object.seal (new Privileged)
+exports.Privileged = Privileged
 
 
-// exports -----------------
-module.exports = exports = Object.assign (User, {
-  Anonymous,  anonymous  : Object.seal (new Anonymous),
-  Privileged, privileged : Object.seal (new Privileged),
-  default: Anonymous,
+// Allow setting default user by class for compatibility, e.g.: User.default = User.Privileged
+Object.defineProperty (exports, 'default', {
+  set(v) { this._default = typeof v === 'function' ? new v : v },
+  get() { return this._default },
 })
+exports._default = exports.anonymous

package/lib/srv/bindings.js

@@ -26,7 +26,7 @@ module.exports = class Bindings {
   async load (sync) {
     DEBUG?.('reading bindings from:', this._source)
     try { Object.assign (this, JSON.parse (sync ? readFileSync (this._source) : await read (this._source))) }
-    catch (e) { /* ignored */ }
+    catch { /* ignored */ }
     return this
   }
   async store (sync) {

package/lib/srv/cds-connect.js

@@ -1,4 +1,4 @@
-const cds = require('..'), {one_model} = cds.env.features, LOG = cds.log('cds.connect')
+const cds = require('..'), LOG = cds.log('cds.connect')
 const _pending = cds.services._pending || {} // used below to chain parallel connect.to(<same>)
 const TRACE = cds.debug('trace')
 
@@ -72,7 +72,7 @@ function options4 (name, _o) {
 }
 
 function model4 (o) {
-  if (o.model && o.model.definitions) return o.model
-  if (one_model && cds.model) return cds.model
-  else return o.model && cds.load(o.model)
+  if (o.model?.definitions) return o.model // got a CSN already? -> use it
+  if (cds.model) return cds.model         // use global model if available
+  if (o.model) return cds.load (o.model) // load specified model from file
 }

package/lib/srv/cds-serve.js

@@ -3,7 +3,7 @@ const { Service } = cds.service.factory
 const { serve } = cds.service.protocols
 const _ready = Symbol(), _pending = cds.services._pending || {}
 const TRACE = cds.debug('trace')
-if (TRACE && !cds.env.features.odata_new_adapter) require('./../../libx/_runtime').to.odata_v4
+if (TRACE && !cds.env.features.odata_new_adapter) require('./../../libx/_runtime/cds-services/adapter/odata-v4/to')
 
 
 /** @param som - a service name or a model (name or csn) */
@@ -36,7 +36,7 @@ module.exports = function cds_serve (som, _options) { // NOSONAR
   const loaded = options.then (async ({from}=o) => {
     if (!from || from === 'all' || from === '*') from = cds.model || '*'
     if (from.definitions) return from
-    if (from === '?') try { return await cds.load('*',o) } catch(e){ return }
+    if (from === '?') try { return await cds.load('*',o) } catch { return }
     return cds.load(from, {...o, silent:true })
   })
 

package/lib/srv/factory.js

@@ -41,7 +41,7 @@ const _require = (it,d) => {
   DEBUG && d && DEBUG ('requires',{ service: d.name, source:_source(d), impl:it })
   if (it.startsWith('@sap/cds/')) it = cds.home + it.slice(8)  //> for local tests in @sap/cds dev
   if (it.startsWith('./')) it = _relative (d,it.slice(2))     //> relative to <service>.cds
-  try { var resolved = require.resolve(it,{paths}) } catch(e) {
+  try { var resolved = require.resolve(it,{paths}) } catch {
     try { resolved = require.resolve(path.join(cds.root,it)) } catch(e) { // compatibility
       throw cds.error `Failed loading service implementation from '${it}' ${{ Reason:e, paths, 'cds.root':cds.root }}`
     }

package/lib/srv/middlewares/cds-context.js

@@ -1,27 +1,16 @@
-module.exports = ()=> {
-
-  const cds = require ('../../index')
+const cds = require ('../../index')
+const corr_id = 'x-correlation-id'
+const req_id = 'x-request-id'
+const vr_id = 'x-vcap-request-id'
+const { uuid } = cds.utils
+const { EventContext } = cds
 
+module.exports = () => {
   /** @type { import('express').Handler } */
-  async function cds_context_provider (req, res, next) {
-    const ctx = {}
-    ctx.http = { req, res }
-    ctx.id = _id4(req)
+  return function cds_context (req, res, next) {
+    const id = req.headers[corr_id] ??= req.headers[req_id] || req.headers[vr_id] || uuid()
+    const ctx = EventContext.for ({ id, http: { req, res } })
+    res.set ('X-Correlation-ID', id) // Note: we use capitalized style here as that's common standard in HTTP world
     cds._context.run (ctx, next)
   }
-
-  const { uuid } = cds.utils
-  const _id4 = (req) => {
-    let id = req.headers['x-correlation-id'] = (
-      req.headers['x-correlation-id'] ||
-      req.headers['x-correlationid'] ||
-      req.headers['x-request-id'] ||
-      req.headers['x-vcap-request-id'] ||
-      uuid()
-    )
-    req.res.set('x-correlation-id', id)
-    return id
-  }
-
-  return cds_context_provider
 }

package/lib/srv/middlewares/ctx-model.js

@@ -1,6 +1,6 @@
 module.exports = ()=> {
 
-  const cds = require ('../../index')
+  const cds = require ('../../index'), LOG = cds.log()
   const context_model_required = cds.requires.extensibility || cds.requires.toggles
   if (!context_model_required) return []
 
@@ -9,10 +9,9 @@ module.exports = ()=> {
     if (req.baseUrl.startsWith('/-/')) return next() //> our own tech services cannot be extended
     const ctx = cds.context
     if (ctx.tenant || ctx.features?.given) try {
-      // if (req.headers.features) ctx.user.features = req.headers.features //> currently done in basic-auth only
       ctx.model = req.__model = await model4 (ctx.tenant, ctx.features) // REVISIT: req.__model is because of Okra
     } catch (e) {
-      console.error(e)
+      LOG.error(e)
       return res.status(503) .json ({ // REVISIT: we should throw a simple error, nothing else! -> this is overly OData-specific!
         error: { code: '503', message:
           process.env.NODE_ENV === 'production' ? 'Service Unavailable' :

package/lib/srv/middlewares/errors.js

@@ -1,9 +1,42 @@
-module.exports = ()=> function cds_error_handler (err, req, res, next) {
-  // console.error (err)
-  // const n = Number(err.status || err.statusCode)
-  // res.status (n >= 400 && n < 600 ? n : 500)
-  // err.status = 400
-  // res.json ({ ...err, message: err.message, stack: err.stack })
-  // if (err.status === 401 && req._login) return req._login()
-  next (err)
+const production = process.env.NODE_ENV === 'production'
+const cds = require ('../..'), LOG = cds.log('error')
+
+module.exports = () => {
+  return function http_error (error, req, res, _next) { // eslint-disable-line no-unused-vars
+
+    // In case of 401 require login if available by auth strategy
+    if (typeof error === 'number') error = { code: error }
+    if (error.code == 401 && req._login) return req._login()
+
+    // Prepare and log the error object
+    const status = error.statusCode || error.status || Number(error.code) || 500
+    delete error.statusCode
+    delete error.status
+    if (!production && error.stack) error.stack = error.stack.replace(/\n {4}at .*(?:node_modules\/express|node:internal).*/g,'')
+
+    if (400 <= status && status < 500) {
+      LOG.warn (status, '>', error)
+    } else {
+      LOG.error (status, '>', error)
+    }
+
+    // Expose as little information as possible in production, and as much as possible in development
+    if (production) {
+      Object.defineProperties (error, {
+        message: { enumerable: true },
+        user: { enumerable: false },
+      })
+    } else {
+      Object.defineProperties (error, {
+        message: { enumerable: true },
+        stack: { enumerable: true },
+      })
+    }
+
+    // Send the error response
+    return res.status(status).json({error})
+
+    // Note: express returns errors as XML, we prefer JSON
+    // _next (error)
+  }
 }

package/lib/srv/middlewares/index.js

@@ -8,14 +8,14 @@ const trace     = exports.trace     = require('./trace')
 exports.before = [
   context,    // provides cds.context
   trace,      // provides detailed trace logs when DEBUG=trace
-  auth,       // provides req.user & tenant
+  auth,       // provides cds.context.user & .tenant
   ctx_model,  // fills in cds.context.model, in case of extensibility
 ].map(mw => _instantiate(mw))
 
 // middlewares running after protocol adapters -> usually error middlewares
 exports.after = [
-  errors(),
-]
+  errors,    // provides final error handling
+].map(mw => _instantiate(mw))
 
 /**
  * Convenience method to add custom middlewares like so:

package/lib/srv/middlewares/trace.js

@@ -65,7 +65,6 @@ let sqlite
 function _instrument_sqlite (_get_perf) {
   const me = _instrument_sqlite; if (me.done) return; else me.done = true
   try { require.resolve('sqlite3') } catch { return }
-  // eslint-disable-next-line cds/no-missing-dependencies
   sqlite = require('sqlite3').Database.prototype
   for (let each of ['all', 'get', 'run', 'prepare']) _wrap(each,sqlite)
   function _wrap (op,sqlite) {
@@ -93,7 +92,6 @@ function _instrument_sqlite (_get_perf) {
 function _instrument_better_sqlite (_get_perf) {
   const me = _instrument_better_sqlite; if (me.done) return; else me.done = true
   try { require.resolve('better-sqlite3') } catch { return }
-  // eslint-disable-next-line cds/no-missing-dependencies
   const sqlite = require('better-sqlite3').prototype
   for (let each of ['exec', 'prepare']) _wrap(each,sqlite)
   function _wrap (op,sqlite) {

package/lib/srv/protocols/hcql.js

@@ -1,17 +1,18 @@
-const express = require('express') // eslint-disable-line cds/no-missing-dependencies
+const express = require('express')
 const cds = require('../../index')
+const LOG = cds.log('hcql')
 const { inspect } = require('util')
 
 class HCQLAdapter extends require('./http') {
 
-  schema4 (srv) {
-    return cds.minify (cds.model, { service: srv.name })
-  }
-
-  router4 (srv) { return super.router4 (srv)
+  get router() {
+    const srv = this.service
+    return super.router
 
-    /** Return CSN schema in response to /<srv>/$csn requests */
-    .get('/\\$csn', (_, res) => res.json (this.schema4(srv)))
+    /**
+     * Return CSN schema in response to /<srv>/$csn requests
+     */
+    .get('/\\$csn', (_, res) => res.json(this.schema))
 
     .use(express.json()) //> for application/json -> cqn
     .use(express.text()) //> for text/plain -> cql -> cqn
@@ -35,13 +36,17 @@ class HCQLAdapter extends require('./http') {
      */
     .use((req, res, next) => {
       let q = this.query4(req)
-      this.logger.info (req.method, decodeURIComponent(req.originalUrl), inspect(q,{colors:true,depth:11}))
+      LOG._info && LOG.info(req.method, decodeURIComponent(req.originalUrl), inspect(q, { colors: true, depth: 11 }))
       return srv.run(q).then(r => res.json(r)).catch(next)
     })
   }
 
+  get schema() {
+    return cds.minify (cds.model, { service: this.service.name })
+  }
+
   query4 (req) {
-    if (typeof req.body === 'string') return cds.parse.cql (req.body)
+    if (typeof req.body === 'string') return cds.parse.cql(req.body)
     return req.body //> a plain CQN object
   }
 }

package/lib/srv/protocols/http.js

@@ -1,60 +1,55 @@
-const express = require('express') // eslint-disable-line cds/no-missing-dependencies
-const cds = require('../../index')
+const cds = require('../../index'), { decodeURI } = cds.utils
+const express = require('express')
+const production = process.env.NODE_ENV === 'production'
+const restrict_all = cds.env.requires.auth?.restrict_all_services !== false
+const restricted_by_default = production && restrict_all ? ['authenticated-user'] : false
 
 
-module.exports = class HttpAdapter {
+class HttpAdapter {
 
-  constructor (srv) {
-    this.kind = this.constructor.name.replace(/Adapter$/,'').toLowerCase()
-    this.logger = cds.log (this.kind)
-    return this.router4 (srv)
+  /** Constructs and returns a new express.Router */
+  constructor (srv,o={}) {
+    this.kind = o.kind || this.constructor.name.replace(/Adapter$/,'').toLowerCase()
+    this.service = srv
+    this.options = o
+    return this.router //> constructed by getter
   }
 
-  router4 (srv) {
-    return express.Router()
-    .use(function req_logger(req,res,next) {
-      // this.log expected to be implemented by subclass
-      this?.log?.(req)
-      next()
-    }.bind(this))
-    .use(this.early_access_check4(srv))
+  /** The actual Router factory. Subclasses override this to add specific handlers. */
+  get router() {
+    let router = super.router = (new express.Router) .use (this.http_log.bind(this))
+    let assert_roles = this.requires_check()
+    if (assert_roles) router.use (assert_roles)
+    return router
   }
 
-  /** Does early checks on required roles to reject early */
-  early_access_check4 (srv) {
-
-    // Resolve required roles statically once....
-    const d = srv.definition
-    const roles = d['@requires'] || d['@restrict']?.map(r => r.to).flat()
-    || cds.env.requires.auth?.restrict_all_services !== false && process.env.NODE_ENV === 'production' && ['authenticated-user']
-
-    // ... and return a handler function accordingly -> PROBLEM: Extensibility
-    if (!roles) return (req, res, next) => next() //> no handlers required
-
-    const required_roles = Array.isArray(roles) ? roles : [roles]
-    return function early_access_check (req, res, next) {
-      let u = req.user; if (!u?.is) u = new cds.User(u) // revisit
-      if (required_roles.some(r => u.is(r))) return next()
-      // Following demonstrates how to directly send responses from here...
-      // However, in order to allow others to plug in error handlers throwing errors is better.
-      // For example, also for ourselves to obfucscate error details in production mode.
-      // throw cds.error ({ status: 403, code: 'REQUIRES_AUTH_USER', details: `Requires any of [ ${roles} ]` })
-      if (!u._is_anonymous) return res.status(403).send(`User '${u.id}' is lacking required roles: [ ${roles} ]`)
-      else if (!req._login) return res.status(401).send('Requires authenticated user')
-      else return req._login()
-    }
+  /** Handler to log all incoming requests */
+  http_log (r,_,next) {
+    this.logger = cds.log(this.kind)
+    this.log(r)
+    next()
   }
-}
 
-/*
-function MTXRouter (srv) {
-  this.routers = {
-    t1_fta: 'new HCQLAdapter(srv.for(t1))',
-    t1_fta_ftb: 'new HCQLAdapter(srv.for(t1))',
-    t2: 'new HCQLAdapter(srv.for(t2))',
+  /** Subclasses may override this method to log incoming requests. */
+  log (req, LOG = this.logger) { LOG._info && LOG.info (
+    req.method,
+    decodeURI (req.baseUrl + req.path),
+    Object.keys (req.query).length ? { ...req.query } : ''
+  )}
+
+  /** Returns a handler to check required roles, or null if no check required. */
+  requires_check() {
+    const d = this.service.definition
+    const roles = d['@requires'] || d['@restrict']?.map(r => r.to).flat().filter(r => r)
+    const required = !roles?.length ? restricted_by_default : Array.isArray(roles) ? roles : [roles]
+    if (required) return function requires_check (req, res, next) {
+      const user = cds.context.user
+      if (required.some(role => user.has(role))) return next()
+      else if (user._is_anonymous) return next(401) // request login
+      else throw Object.assign(new Error, { code: 403, reason: `User '${user.id}' is lacking required roles: [${required}]`, user, required })
+    }
   }
-  return express.Router().use((req,res,next) => {
-    return this.routers[req.tenant].handle(req,res,next)
-  })
 }
-*/
+
+
+module.exports = HttpAdapter

package/lib/srv/protocols/index.js

@@ -80,20 +80,6 @@ class Protocols {
         // to lots of "UriSemanticError: 'webapp' is not an entity set, ..." errors, if the
         // service path and static app root path are the same, e.g. /browse in bookshop.
         if (!path.match(/^\/.+\/.+/)) app.use (`${path}/webapp/`, (_,res) => res.sendStatus(404))
-
-        // Add a reject-all handler for access to /old/$metadata if new scheme is used
-        if (!cds.env.features.serve_on_root && path.startsWith(this[kind].path)) {
-          let LOG = cds.log(kind), msg = `PLEASE NOTE:\n
-            With @sap/cds version 7, default service paths have changed to '${this[kind].path}/<srv>'.
-            If you use SAP Fiori Elements, make sure to adapt the 'dataSources.uri' paths
-            in 'manifest.json' files accordingly. For more information see release notes at
-            https://cap.cloud.sap/docs/releases/jun23#changed-default-service-path.
-          `.replace(/ {9}/g,'')
-          app.use(`${path.slice(this[kind].path.length)}/\\$metadata`, (_,res) => {
-            res.status(404).send(`<pre>${msg}</pre>`)
-            LOG?.warn(msg); LOG = undefined
-          })
-        }
       }
 
       // mount adapter to express app
@@ -129,21 +115,14 @@ class Protocols {
     if (!annos.length) annos.push ({ kind: this.default })
 
     // canonicalize to { kind, path } objects
-    const no_mws = cds.requires.middlewares === false
     const endpoints = annos.map (each => {
       let { kind = each['='] || each, path } = each
       let { path: prefix } = this[kind] || cds.error `Unknown protocol: ${kind}`
       if (typeof path !== 'string') path = o?.at || o?.path || def['@path'] || _slugified(srv.name)
-      if (path[0] !== '/') path = no_mws ? '/'+path : prefix+'/'+path
+      if (path[0] !== '/') path = prefix+'/'+path
       return { kind, path }
     })
 
-    // add serve-on-root endpoint if enabled
-    if (!no_mws && endpoints.length === 1 && cds.env.features.serve_on_root) {
-      let [{ kind, path }] = endpoints, prefix = this[kind].path
-      if (prefix && path.startsWith(prefix)) endpoints.unshift ({ kind, path: path.slice(prefix.length) })
-    }
-
     return endpoints.length && endpoints
   }
 
@@ -204,4 +183,3 @@ const _slugified = name => (
 
 
 module.exports = new Protocols
-if (!cds.requires.middlewares) require('./_legacy')

package/lib/srv/protocols/odata-v4.js

@@ -1,93 +1,31 @@
-const cds = require('../../index'),
-  { User } = cds,
-  { decodeURI } = cds.utils
-const express = require('express') // eslint-disable-line cds/no-missing-dependencies
+const cds = require('../../index'), { decodeURI } = cds.utils
 
 if (cds.env.features.odata_new_adapter) {
   cds.log().info('using new OData adapter')
 
-  const { isStream, stream } = require('../../../libx/odata/middleware/stream')
-  const BaseProtocolAdapter = require('./http')
-
-  module.exports = class ODataAdapter extends BaseProtocolAdapter {
-    log(req) {
-      let u = req.user
-      req.user = u instanceof User ? u : new User(u)
-
-      // REVISIT: how to handle logging of batch subrequests? (note: service is missing from path)
-      let url = decodeURI(req.originalUrl)
-      this.logger.info(req.method, url, req.body || '')
-      if (/\$batch/.test(req.url))
-        req.on('dispatch', req => {
-          let path = decodeURI(req._path)
-          this.logger.info('>', req.event, path, req._query || '')
-          if (this.logger._debug && req.query) this.logger.debug(req.query)
-        })
-    }
-
-    router4(srv) {
-      const router = super.router4(srv)
-      const jsonBodyParser = express.json()
-
-      return (
-        router
-          // REVISIT: add middleware for negative cases?
-          // service root
-          .use(/^\/$/, require('../../../libx/odata/middleware/service-document')(srv))
-          .use('/\\$metadata', require('../../../libx/odata/middleware/metadata')(srv))
-          // parse
-          .use(require('../../../libx/odata/middleware/parse')(srv))
-          // REVISIT do we want to build our own body parser logic?
-          .use((req, res, next) => {
-            // REVISIT: body of batch subrequests are already deserialized
-            if (typeof req.body === 'object') return next()
-            if (req.method === 'PUT' && isStream(req._query)) {
-              req.body = { value: req }
-              return next()
-            }
-            // TODO: check if the raw body still exists, then we can remove deepCopy() in the handlers
-            return jsonBodyParser(req, res, next)
-          })
-          // batch
-          .post('/\\$batch', require('../../../libx/odata/middleware/batch')(srv, router))
-          // handle
-          // REVISIT: with old adapter, we return 405 for HEAD requests -> check OData spec
-          .head('*', (_, res) => res.sendStatus(405))
-          .post('*', require('../../../libx/odata/middleware/operation')(srv)) //> action
-          .get('*', require('../../../libx/odata/middleware/operation')(srv)) //> function
-          .post('*', require('../../../libx/odata/middleware/create')(srv))
-          .get('*', stream(srv))
-          .get('*', require('../../../libx/odata/middleware/read')(srv))
-          .put('*', require('../../../libx/odata/middleware/update')(srv, router))
-          .patch('*', require('../../../libx/odata/middleware/update')(srv, router))
-          .delete('*', require('../../../libx/odata/middleware/delete')(srv))
-          // error
-          .use(require('../../../libx/odata/middleware/error')(srv))
-      )
-    }
-  }
+  module.exports = require('../../../libx/odata/ODataAdapter')
 } else {
-  const libx = require('../../../libx/_runtime')
+  cds.log().info('using legacy OData adapter')
+
+  const legacy_adapter_factory = require('../../../libx/_runtime/cds-services/adapter/odata-v4/to')
   const LOG = cds.log('odata')
-  module.exports = function ODataAdapter(srv) {
-    const router = express.Router()
 
-    router.use((req, _, next) => {
-      let u = req.user
-      req.user = u instanceof User ? u : new User(u)
+  module.exports = function ODataAdapter(srv) {
+    const router = require('express').Router()
 
+    router.use(function odata_log(req, _, next) {
       let url = decodeURI(req.originalUrl)
       LOG && LOG(req.method, url, req.body || '')
       if (/\$batch/.test(req.url))
         req.on('dispatch', req => {
-          let path = decodeURI(req._path)
-          LOG && LOG('>', req.event, path, req._query || '')
-          if (LOG._debug && req.query) LOG.debug(req.query)
+          let path = decodeURI(req._.odataReq?._rawODataPath || '')
+          LOG && LOG('>', req.event, path, req._queryOptions || '')
+          if (LOG._debug && req.query) LOG.debug(req.query) //> why only for batch subrequests?
         })
 
       next()
     })
-    router.use(libx.to.odata_v4(srv))
+    router.use(legacy_adapter_factory(srv))
     return router
   }
 }

package/lib/srv/protocols/rest.js

@@ -1,13 +1 @@
-const cds = require('../../index'), { User } = cds, { decodeURIComponent } = cds.utils
-const libx = require('../../../libx/_runtime')
-const LOG = cds.log('rest')
-
-module.exports = function RestAdapter (srv) { return [
-  (req, _, next) => {
-    let u = req.user
-    req.user = u instanceof User ? u : new User(u)
-    LOG (req.method, decodeURIComponent(req.originalUrl), req.body||'')
-    next()
-  },
-  libx.to.rest (srv)
-]}
+module.exports = require('../../../libx/rest/RestAdapter')