@sap/cds 7.9.4 → 8.0.4

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -1,9 +1,7 @@
 const cds = require('../../cds.js')
-// eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
 const express = require('express')
 const getTenantInfo = require('./getTenantInfo.js')
 const isSecured = () => cds.requires.auth && (cds.requires.auth.impl || cds.requires.auth.credentials)
-const _require = require('../../common/utils/require')
 const { ODATA_UNAUTHORIZED } = require('../../common/error/constants')
 
 const _isAll = a => a && a.includes('all')
@@ -15,60 +13,48 @@ class EndpointRegistry {
     this.deployCallbacks = new Map()
     if (isSecured()) {
       if (cds.requires.auth.impl) {
-        if (cds.env.requires.middlewares !== false) {
-          cds.app.use(basePath, cds.middlewares.before) // contains auth, trace, context
-        } else {
-          const impl = _require(cds.resolve(cds.requires.auth.impl))
-          cds.app.use(basePath, impl)
-        }
+        cds.app.use(basePath, cds.middlewares.before) // contains auth, trace, context
       } else {
-        if (cds.env.requires.middlewares !== false) {
-          const jwt_auth = require('../../../../lib/auth/jwt-auth.js')
-          cds.app.use(basePath, jwt_auth(cds.requires.auth))
-        } else {
-          const JWTStrategy = require('../../auth/strategies/JWT.js')
-          // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
-          const passport = _require('passport')
-          // REVISIT: It's unclear if the credentials from cds.requires.auth need to be used here.
-          //          In principle, user-facing endpoints might differ from messaging ones.
-          passport.use(new JWTStrategy(cds.requires.auth.credentials))
-          cds.app.use(basePath, passport.initialize())
-          cds.app.use(basePath, passport.authenticate('JWT', { session: false }))
-        }
+        const jwt_auth = require('../../../../lib/auth/jwt-auth.js')
+        cds.app.use(basePath, cds.middlewares.context())
+        cds.app.use(basePath, jwt_auth(cds.requires.auth))
       }
       // unsuccessful auth doesn't automatically reject!
       cds.app.use(basePath, (req, res, next) => {
         // REVISIT: we should probably pass an error into next so that a (custom) error middleware can handle it
-        if (!req.user) res.status(401).json({ error: ODATA_UNAUTHORIZED })
+        if (!cds.context.user._is_anonymous) res.status(401).json({ error: ODATA_UNAUTHORIZED })
         next()
       })
     } else if (process.env.NODE_ENV === 'production') {
       LOG.warn('Messaging endpoints not secured')
+    } else {
+      // auth middlewares set cds.context.user
+      cds.app.use(basePath, cds.middlewares.context())
     }
     cds.app.use(basePath, express.json({ type: 'application/*+json' }))
-    cds.app.use(basePath, express.json())
+    cds.app.use(basePath, express.json()) // REVISIT: Do we need both?
     cds.app.use(basePath, express.urlencoded({ extended: true }))
     LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'OPTIONS' })
 
     // Clear cds.context as it would interfere with subsequent transactions
-    cds.app.use(basePath, (_req, _res, next) => {
-      cds.context = undefined
-      next()
-    })
+    // cds.app.use(basePath, (_req, _res, next) => {
+    //   cds.context = undefined // REVISIT: Why is that necessary?
+    //   next()
+    // })
 
     cds.app.options(basePath, (req, res) => {
       try {
-        if (isSecured() && !req.user.is('emcallback')) return res.sendStatus(403)
+        if (isSecured() && !cds.context.user.is('emcallback')) return res.sendStatus(403)
         res.set('webhook-allowed-origin', req.headers['webhook-request-origin'])
         res.sendStatus(200)
-      } catch (error) {
+      } catch {
         res.sendStatus(500)
       }
     })
     LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'POST' })
     cds.app.post(basePath, (req, res) => {
       try {
-        if (isSecured() && !req.user.is('emcallback')) return res.sendStatus(403)
+        if (isSecured() && !cds.context.user.is('emcallback')) return res.sendStatus(403)
         const queueName = req.query.q
         if (!queueName) {
           LOG.error('Query parameter `q` not found.')
@@ -83,7 +69,7 @@ class EndpointRegistry {
         const payload = req.body
         const cb = this.webhookCallbacks.get(queueName)
         if (!cb) return res.sendStatus(200)
-        const tenant = req.tenant || req.user?.tenant
+        const { tenant } = cds.context
         const other = tenant
           ? {
               _: { req, res }, // For `cds.context.http`
@@ -106,7 +92,7 @@ class EndpointRegistry {
     })
     cds.app.post(deployPath, async (req, res) => {
       try {
-        if (isSecured() && !req.user.is('emmanagement')) return res.sendStatus(403)
+        if (isSecured() && !cds.context.user.is('emmanagement')) return res.sendStatus(403)
         const tenants = req.body && !_isAll(req.body.tenants) && req.body.tenants
         const queues = req.body && !_isAll(req.body.queues) && req.body.queues
         const options = { wipeData: req.body && req.body.wipeData }
@@ -123,7 +109,7 @@ class EndpointRegistry {
         const hasError = results.some(r => r.failed.length)
         if (hasError) return res.status(500).send(results)
         return res.status(201).send(results)
-      } catch (mtxError) {
+      } catch {
         // REVISIT: Still needed with cds-mtxs?
         // If an unknown tenant id is provided, cds-mtx will crash ("Cannot read property 'hanaClient' of undefined")
         return res.sendStatus(500)

package/libx/_runtime/messaging/event-broker.js

@@ -1,6 +1,6 @@
 const cds = require('../cds')
 
-// eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
+const normalizeIncomingMessage = require('./common-utils/normalizeIncomingMessage')
 const express = require('express')
 const https = require('https')
 const crypto = require('crypto')
@@ -90,17 +90,6 @@ function _validateCertificate(req, res, next) {
   }
 }
 
-// TODO: seems unused
-function _checkAppDomains() {
-  const pattern = /.*\.cert\.cfapps\..*\.hana\.ondemand\.com/
-  const uris = JSON.parse(process.env.VCAP_APPLICATION).application_uris
-  const matchFound = uris.some(uri => pattern.test(uri))
-  if (matchFound)
-    this.LOG.warn(
-      `*.cert.cfapps.*.hana.ondemand.com domain is in use, this is not recommended in production! Please use 'mesh.cf.<region>.hana.ondemand.com' instead!`
-    )
-}
-
 let instantiated = false
 
 class EventBroker extends cds.MessagingService {
@@ -153,30 +142,57 @@ class EventBroker extends cds.MessagingService {
 
     // TODO: What if we're in single tenant variant?
     try {
-      const ceSource = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
       const hostname = this.options.credentials.eventing.http.x509.url.replace(/^https?:\/\//, '')
-      // TODO Cloud Events Handler CAP
+
+      // take over and cleanse cloudevents headers
+      const headers = { ...(msg.headers ?? {}) }
+
+      const ceId = headers.id
+      delete headers.id
+
+      const ceSource = headers.source
+      delete headers.source
+
+      const ceType = headers.type
+      delete headers.type
+
+      const ceSpecversion = headers.specversion
+      delete headers.specversion
+
+      // const ceDatacontenttype = headers.datacontenttype // not part of the HTTP API
+      delete headers.datacontenttype
+
+      // const ceTime  = headers.time // not part of the HTTP API
+      delete headers.time
+
       const options = {
         hostname: hostname,
         method: 'POST',
         headers: {
-          'ce-id': cds.utils.uuid(),
+          'ce-id': ceId,
           'ce-source': ceSource,
-          'ce-type': msg.event,
-          'ce-specversion': '1.0',
-          'Content-Type': 'application/json'
+          'ce-type': ceType,
+          'ce-specversion': ceSpecversion,
+          'Content-Type': 'application/json' // because of { data, ...headers } format
         },
         agent: this.agent
       }
       this.LOG.debug('HTTP headers:', JSON.stringify(options.headers))
       this.LOG.debug('HTTP body:', JSON.stringify(msg.data))
-      await request(options, msg.data) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
+      // what about headers?
+      // TODO: Clarify if we should send `{ data, ...headers }` vs.  `data` + HTTP headers (`ce-*`)
+      await request(options, { data: msg.data, ...headers }) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
       if (this.LOG._info) this.LOG.info('Emit', { topic: msg.event })
     } catch (e) {
       this.LOG.error('Emit failed:', e.message)
     }
   }
 
+  prepareHeaders(headers, event) {
+    if (!('source' in headers)) headers.source = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
+    super.prepareHeaders(headers, event)
+  }
+
   async registerWebhookEndpoints() {
     const webhookBasePath = this.options.webhookPath || '/-/cds/event-broker/webhook'
     cds.app.post(webhookBasePath, _validateCertificate.bind(this))
@@ -188,15 +204,26 @@ class EventBroker extends cds.MessagingService {
     try {
       const event = req.headers['ce-type'] // TG27: type contains namespace, so there's no collision
       const tenant = req.headers['ce-sapconsumertenant']
-      const msg = {
-        inbound: true,
-        event,
-        tenant,
-        data: req.body ? req.body : undefined,
-        headers: req.headers
+
+      // take over cloudevents headers (`ce-*`) without the prefix
+      const headers = {}
+      for (const header in req.headers) {
+        if (header.startsWith('ce-')) headers[header.slice(3)] = req.headers[header]
       }
-      const context = { user: cds.User.privileged }
-      if (tenant) context.tenant = tenant // TODO: In single tenant case, we don't need a tenant
+
+      const msg = normalizeIncomingMessage(req.body)
+      msg.event = event
+      Object.assign(msg.headers, headers)
+      if (tenant) msg.tenant = tenant
+
+      // for cds.context.http
+      msg._ = {}
+      msg._.req = req
+      msg._.res = res
+
+      const context = { user: cds.User.privileged, _: msg._ }
+      if (msg.tenant) context.tenant = msg.tenant
+
       await this.tx(context, tx => tx.emit(msg))
       this.LOG.debug('Event processed successfully.')
       return res.status(200).json({ message: 'OK' })

package/libx/_runtime/messaging/file-based.js

@@ -10,7 +10,7 @@ class FileBasedMessaging extends MessagingService {
     this.file = resolve(this.options.file || (this.options.credentials && this.options.credentials.file))
     try {
       await fs.lstat(this.file)
-    } catch (e) {
+    } catch {
       await fs.writeFile(this.file, '\n')
     }
     cds.once('listening', () => {
@@ -62,7 +62,7 @@ class FileBasedMessaging extends MessagingService {
                 )
               } else other.push(each + '\n')
             }
-          } catch (e) {
+          } catch {
             // ignore invalid messages
           }
         }
@@ -89,7 +89,7 @@ const lock = async (file, n = 11) => {
   try {
     while (n--) await fs.lstat(lock).then(() => n && sleep(150))
     return false
-  } catch (_) {
+  } catch {
     // lock file does not exist -> create it
     await fs.writeFile(lock, 'locked')
     return true

package/libx/_runtime/messaging/http-utils/token.js

@@ -47,7 +47,7 @@ const requestToken = ({ client, secret, endpoint, mTLS }, tenant, tokenStore) =>
           // store token on tokenStore
           tokenStore.token = json.access_token
           resolve(json.access_token)
-        } catch (e) {
+        } catch {
           reject(_errorObj(result))
         }
       })

package/libx/_runtime/messaging/kafka.js

@@ -151,7 +151,7 @@ const appId = require('./common-utils/appId')
 function _JSONorString(string) {
   try {
     return JSON.parse(string)
-  } catch (e) {
+  } catch {
     return string
   }
 }
@@ -260,7 +260,7 @@ async function _getCaCerts(srv) {
   try {
     const certNext = await fetch(srv.options.credentials.urls.cert_next).then(r => r.text())
     return [certCurrent, certNext]
-  } catch (_e) {
+  } catch {
     return [certCurrent]
   }
 }

package/libx/_runtime/messaging/redis-messaging.js

@@ -1,4 +1,3 @@
-// eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
 const redis = require('redis')
 const cds = require('../../../lib')
 const waitingTime = require('../common/utils/waitingTime')

package/libx/_runtime/remote/Service.js

@@ -7,8 +7,6 @@ const { resolveView, getTransition, findQueryTarget } = require('../common/utils
 const postProcess = require('../common/utils/postProcess')
 const { formatVal } = require('../../odata/utils')
 
-const _isSimpleCqnQuery = q => typeof q === 'object' && q !== null && !Array.isArray(q) && Object.keys(q).length > 0
-
 const _setHeaders = (defaultHeaders, req) => {
   return Object.assign(
     defaultHeaders,
@@ -34,6 +32,8 @@ const _buildPartialUrlFunctions = (url, data, params, kind = 'odata-v4') => {
 
   // REVISIT: take params from params after importer fix (the keys should not be part of params)
   for (const param in _extractParamsFromData(data, params)) {
+    if (data[param] === undefined) continue
+
     if (kind === 'odata-v2') {
       funcParams.push(`${param}=${_setCorrectValue(param, data, params, kind)}`)
     } else {
@@ -142,9 +142,9 @@ const _addHandlerActionFunction = (srv, def, target) => {
 
   if (target) {
     srv.on(event, target, async function (req) {
-      const shortEntityName = req.target.name.replace(`${this.namespace}.`, '')
+      const shortEntityName = req.target.name.replace(`${this.definition.name}.`, '')
       if (this.kind === 'odata-v2') return _handleV2BoundActionFunction(srv, def, req, event, this.kind)
-      const url = `/${shortEntityName}(${_buildKeys(req, this.kind).join(',')})/${this.namespace}.${event}`
+      const url = `/${shortEntityName}(${_buildKeys(req, this.kind).join(',')})/${this.definition.name}.${event}`
       return _handleBoundActionFunction(srv, def, req, url)
     })
   } else {
@@ -155,7 +155,8 @@ const _addHandlerActionFunction = (srv, def, target) => {
   }
 }
 
-const _selectOnlyWithAlias = q => q?.SELECT && !q.SELECT._transitions && q.SELECT?.columns?.some(hasAliasedColumns)
+const _isSelectWithAliasedColumns = q =>
+  q?.SELECT && !q.SELECT._transitions && q.SELECT.columns?.some(hasAliasedColumns)
 
 const resolvedTargetOfQuery = q => {
   const transitions = (typeof q === 'object' && (q.SELECT || q.INSERT || q.UPDATE || q.DELETE)._transitions) || []
@@ -200,6 +201,12 @@ class RemoteService extends cds.Service {
     if (this.options.credentials) {
       this.datasource = this.options.datasource
       this.destinationOptions = this.options.destinationOptions
+      // set useCache by default
+      if (!this.destinationOptions) {
+        this.destinationOptions = { useCache: true }
+      } else if (typeof this.destinationOptions.useCache === 'undefined') {
+        this.destinationOptions.useCache = true
+      }
       _resolveSelectionStrategy(this.destinationOptions)
       this.destination =
         this.options.credentials.destination ??
@@ -271,29 +278,22 @@ class RemoteService extends cds.Service {
   // Overload .handle in order to resolve projections up to a definition that is known by the remote service instance.
   // Result is post processed according to the inverse projection in order to reflect the correct result of the original query.
   async handle(req) {
-    if (req._resolved) return super.handle(req)
+    let result
 
-    if (req.target?.name?.startsWith(this.definition?.name + '.')) {
-      let result = await super.handle(req)
-      // only post process if alias was explicitly set in query
-      if (_selectOnlyWithAlias(req.query)) result = postProcess(req.query, result, this, true)
-      return result
-    }
-
-    // req.query can be:
-    // - empty object in case of unbound action/function
-    // - undefined/null in case of plain string queries
-    if (this.model && _isSimpleCqnQuery(req.query)) {
-      const q = resolveView(req.query, this.model, this)
-      const t = findQueryTarget(q) || req.target
-
-      // REVISIT: We need to provide target explicitly because it's cached already within ensure_target
-      const _req = new cds.Request({ query: q, target: t, _resolved: true, headers: req.headers, method: req.method })
-      const result = await super.dispatch(_req)
-      return postProcess(q, result, this, true)
+    if (!this._requires_resolving(req)) {
+      result = await super.handle(req)
+      // we need to post process if alias was explicitly set in query
+      if (_isSelectWithAliasedColumns(req.query)) result = postProcess(req.query, result, this, true)
+    } else {
+      const query = resolveView(req.query, this.model, this)
+      const target = findQueryTarget(query) || req.target
+      // we need to provide target explicitly because it's cached within ensure_target
+      const _req = new cds.Request({ query, target, _resolved: true, headers: req.headers, method: req.method })
+      result = await super.dispatch(_req)
+      result = postProcess(query, result, this, true)
     }
 
-    return super.handle(req)
+    return result
   }
 }
 

package/libx/_runtime/remote/utils/client.js

@@ -33,6 +33,8 @@ const _executeHttpRequest = async ({ requestConfig, destination, destinationOpti
     if (jwt) destination.headers.authorization = `Bearer ${jwt}`
     else LOG._warn && LOG.warn('Missing JWT token for forwardAuthToken')
   }
+  // Cloud SDK throws error if useCache is activated and jwt is undefined
+  if (destination.jwt === undefined) delete destination.useCache
 
   if (LOG._debug) {
     const req2log = { headers: _sanitizeHeaders({ ...requestConfig.headers }) }
@@ -128,7 +130,6 @@ function _normalizeMetadata(prefix, data, results) {
 const _getPurgedRespActionFunc = (data, returnType) => {
   // return type is primitive value or inline/complex type
   if (returnType.kind === 'type' && !returnType.items && Object.values(data).length === 1) {
-    // eslint-disable-next-line no-unreachable-loop
     for (const key in data) {
       return data[key]
     }
@@ -207,14 +208,13 @@ const _getSanitizedError = (e, reqOptions, options = { suppressRemoteResponseBod
   // AxiosError's toJSON() method doesn't include the request and response objects
   if (e.__proto__.toJSON) {
     e.toJSON = function () {
-      return { ...this.__proto__.toJSON(), request: this.request, response: this.response }
+      return { ...e.__proto__.toJSON(), request: this.request, response: this.response }
     }
   }
 
   return e
 }
 
-// eslint-disable-next-line complexity
 const run = async (requestConfig, options) => {
   let response
 
@@ -360,14 +360,13 @@ const _hasHeader = (headers, header) =>
     .map(k => k.toLowerCase())
     .includes(header)
 
-// eslint-disable-next-line complexity
 const getReqOptions = (req, query, service) => {
   const reqOptions =
     typeof query === 'object'
       ? _cqnToReqOptions(query, service, req)
       : typeof query === 'string'
         ? _stringToReqOptions(query, req.data, req.target)
-        : _pathToReqOptions(req.method, req.path, req.data, req.target, service.name)
+        : _pathToReqOptions(req.method, req.path, req.data, req.target, service.definition?.name || service.namespace) //> no model, no service.definition
 
   if (service.kind === 'odata-v2' && req.event === 'READ' && reqOptions.url?.match(/(\/any\()|(\/all\()/)) {
     req.reject(501, 'Lambda expressions are not supported in OData v2')

package/libx/_runtime/remote/utils/cloudSdkProvider.js

@@ -1,7 +1,6 @@
 let _cloudSdkConnectivity
 const getCloudSdkConnectivity = () => {
   if (_cloudSdkConnectivity) return _cloudSdkConnectivity
-  // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
   _cloudSdkConnectivity = require('@sap-cloud-sdk/connectivity')
   return _cloudSdkConnectivity
 }
@@ -9,7 +8,6 @@ const getCloudSdkConnectivity = () => {
 let _cloudSdkResilience
 const getCloudSdkResilience = () => {
   if (_cloudSdkResilience) return _cloudSdkResilience
-  // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
   _cloudSdkResilience = require('@sap-cloud-sdk/resilience')
   return _cloudSdkResilience
 }
@@ -18,7 +16,6 @@ let _cloudSdk
 const getCloudSdk = () => {
   if (_cloudSdk) return _cloudSdk
 
-  // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
   _cloudSdk = require('@sap-cloud-sdk/http-client')
   return _cloudSdk
 }

package/libx/_runtime/remote/utils/data.js

@@ -64,7 +64,6 @@ const _convertActionFuncResponse = (returnType, convertValueFn) => data => {
   return convertValueFn(data, returnType.items || returnType)
 }
 
-// eslint-disable-next-line complexity
 const _convertValue = (ieee754Compatible, exponentialDecimals) => (value, element) => {
   if (value == null) return value
 

package/libx/_runtime/sqlite/Service.js

@@ -18,7 +18,6 @@ const execute = require('./execute')
 
 const _new = url => {
   if (url && url !== ':memory:') url = cds.utils.path.resolve(cds.root, url)
-  // eslint-disable-next-line cds/no-missing-dependencies -- needs to be added by app dev
   if (!_sqlite) _sqlite = require('sqlite3')
   return new Promise((resolve, reject) => {
     const dbc = new _sqlite.Database(url, err => {
@@ -75,7 +74,7 @@ module.exports = class SQLiteDatabase extends DatabaseService {
     this.before(['CREATE', 'UPDATE', 'UPSERT'], '*', this._input) // > has to run before rewrite
     this.before(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', this._rewrite)
 
-    if (cds.env.fiori.lean_draft && !cds.db?.cqn2sql) this.before('READ', '*', convertDraftAdminPathExpression)
+    if (!cds.db?.cqn2sql) this.before('READ', '*', convertDraftAdminPathExpression)
     this.before('READ', '*', convertAssocToOneManaged)
     this.before('READ', '*', localized) // > has to run after rewrite
     this.before('READ', '*', this._virtual)