@sap/cds 7.9.4 → 8.0.4

package/lib/linked/validate.js

@@ -0,0 +1,292 @@
+const cds = require('..')
+
+/** Validates given input data against a request target definition.
+ * @param {entity} target the linked definition to check against, usually an entity definition
+ * @returns {Error[]|undefined} an array of errors or undefined if no errors occurred
+ */
+const conf = module.exports = exports = function validate (data, target, options={}) {
+  const vc = new Validation (data, target, options)
+  target.validate (data, null, vc)
+  return vc.errors
+}
+
+
+/** Instances represent single validations and are mainly used to record errors during validation. */
+class Validation {
+
+  constructor (data, target, options={}) {
+    this.data = data
+    this.target = target
+    this.options = options
+    this.insert = options.insert ?? options.mandatories
+    this.cleanse = options.cleanse !== false
+  }
+
+  error (code, path, leaf, val, ...args) {
+    const err = (this.errors ??= new ValidationErrors).add (code)
+    if (this.options.path) path = [ this.options.path, ...path ] // e.g. used to prefic 'in/' for actions
+    if (path) err.target = (!leaf ? path : path.concat(leaf)).reduce?.((p,n)=> (
+      n?.row ? p + this.filter4(n) :     //> some/entity(ID=1)...
+      typeof n === 'number' ? p + `[${n}]` :  //> some/array[1]...
+      p && n ? p+'/'+n : n                    //> some/element/...
+    ),'')
+    if (val) err.args = [ val, ...args ]
+    return err
+  }
+
+  filter4 ({ def, row, index }) {
+    const entity = def._target || def, filter=[]
+    for (let k in entity.keys) {
+      let v = row[k]
+      if (v === undefined) if (k === 'IsActiveEntity') v = false; else continue
+      else if (typeof v === 'string' && !entity.elements[k].isUUID || entity.elements[k]['@odata.Type'] === 'Edm.String') v = `'${v}'`
+      filter.push (`${k}=${v}`)
+    }
+    return filter.length ? `(${filter})` : `[${index}]`
+  }
+
+  unknown(e,d) {
+    d['@open'] || cds.error (`Property "${e}" does not exist in ${d.name}`, {status:400})
+  }
+}
+
+
+/** ValidationErrors avoid expensive creation of stack traces */
+class ValidationErrors extends Array {
+  add (error) {
+    const err = Object.create (ValidationErrors.proto)
+    err.message = err.stack = error
+    this.push (err)
+    return err
+  }
+  static proto = Object.create (Error.prototype, {
+    message: { writable:true, configurable:true },
+    stack: { writable:true, configurable:true, value: '<none>' },
+    code: { value: '400', writable:true }, // REVISIT: should be 'ASSERT_'... (i.e. msg) but we need to adjust all tests, and have a code catalogue
+    statusCode: { value: 400 }, // REVISIT: should go into mappings in adapter's error handlers -> requires a code catalogue // REVISIT: .statusCode vs .status?
+    numericSeverity: { value: 4, enumerable: true }, // REVISIT: that is OData-specific
+  })
+}
+exports.ValidationErrors = ValidationErrors
+
+
+/** Adding basic validation capabilities to linked definitions. */
+const $any = class any {
+
+  /**
+   * Central method for validating input data against CSN definitions.
+   * @param {any} value the input value to validate
+   * @param {Array} path the path prefix to use for error messages
+   * @param {Validation} ctx the request object used to record errors
+   */
+  validate (value, path, ctx) {
+    this.check_asserts (value, path, ctx)
+  }
+
+  /**
+   * Checks the type of provided input values as well as @asserts specified.
+   * On first call, it constructs an optimized instance-specific override of
+   * this method for subsequent usages, with statically determined checks.
+   */
+  check_asserts (val, path, /** @type {Validation} */ ctx) {
+    // if (this['@cds.validate'] === false) return this.set ('check_asserts', ()=>{})
+    const asserts = []
+    const type_check = conf.strict && this.strict_check || this.type_check
+    if (type_check) {
+      asserts.push ((v,p,ctx) => v == null || type_check(v) || ctx.error ('ASSERT_DATA_TYPE', p, this.name, v, this ))
+    }
+    if (this._is_mandatory()) {
+      asserts.push ((v,p,ctx) => v != null && v.trim?.() !== '' || ctx.error ('ASSERT_NOT_NULL', p, this.name, v)) // ASSERT_NOT_NULL is misleading -> should be ASSERT_REQUIRED
+    }
+    if (this['@assert.format']) {
+      const format = new RegExp(this['@assert.format'],'u')
+      asserts.push ((v,p,ctx) => v == null || format.test(v) || ctx.error ('ASSERT_FORMAT', p, this.name, v, format))
+    }
+    if (this['@assert.range'] && !this.enum) {
+      const [ min, max ] = this['@assert.range']
+      asserts.push ((v,p,ctx) => v == null || min <= v && v <= max || ctx.error ('ASSERT_RANGE', p, this.name, v, min, max))
+    }
+    if (this['@assert.enum'] || this['@assert.range'] && this.enum) {
+      const vals = Object.entries(this.enum).map(([k,v]) => 'val' in v ? v.val : k)
+      const enums = vals.reduce((a,v) => (a[v]=true, a),{})
+      asserts.push ((v,p,ctx) => v == null || v in enums || vals.some(x => x == v) || ctx.error ('ASSERT_ENUM', p, this.name, typeof v === 'string' ? `"${v}"` : v, vals.join(', ')))
+    }
+    if (!asserts.length) return this.check_asserts = ()=>{} // nothing to do
+    this.set ('check_asserts', (v,p,ctx) => asserts.forEach (a => a(v,p,ctx)))
+    this.check_asserts (val, path, ctx) // call first time
+  }
+
+  _is_mandatory (d=this) {
+    return d.own('_mandatory', ()=> {
+      if (d['@readonly'])                                   return false // readonly -> not mandatory
+      if (d['@mandatory'])                                  return true
+      if (d['@Common.FieldControl']?.['#'] === 'Mandatory') return true
+      else return false
+    })
+  }
+
+  _is_readonly (d=this) {
+    return d.own('_readonly', ()=> {
+      if (d['@readonly'])                                   return true
+      if (d['@cds.on.insert'])                              return true
+      if (d['@cds.on.update'])                              return true
+      if (d['@Core.Computed'])                              return true
+      if (d['@Common.FieldControl']?.['#'] === 'ReadOnly')  return true
+      if (d['@cds.api.ignore'])                             return true
+      else return false
+    })
+  }
+
+  /**
+   * Checks if a nested row of a deep update is in turn to be inserted or updated.
+   * This is the case if the row date does not contain all primary key elements of the target entity.
+   */
+  _is_insert (row) {
+    const entity = this._target || this
+    const keys = Object.keys (entity.keys||{})
+    if (!keys.length) return this.set('_is_insert', ()=> true), true
+    else this.set('_is_insert', data => typeof data === 'object' && !keys.every(k => k in data))
+    return this._is_insert (row)
+  }
+
+  _required (elements) {
+    const _required = Object.values(elements).filter(this._is_mandatory)
+    this.set('_required', ()=> _required)
+    return _required
+  }
+
+  /** Forward declaration for universal CSN */
+  get $struct() { return this['@odata.foreignKey4'] }
+}
+
+/** Structs iterate over their elements to validate them. */
+class struct extends $any {
+  validate (data, path, /** @type {Validation} */ ctx, elements = this.elements, skip={}) {
+    const path_ = !path ? [] : [...path, this.name]; if (path?.row) path_.push({...path})
+    // check for required elements in case of inserts -- note: null values are handled in the payload loop below
+    if (ctx.insert || data && path_.length && this._is_insert(data)) for (let each of this._required (elements)) {
+      if (each.name in data) continue // got value for required element
+      if (each.name in skip) continue // skip uplinks in deep inserts -> see Composition.validate()
+      if (each.$struct in data) continue // got struct for flattened element/fk, e.g. {author:{ID:1}}
+      if (each.elements || each.foreignKeys) continue // skip struct-likes as we check flat payloads above, and deep payloads via struct.validate()
+      else ctx.error ('ASSERT_NOT_NULL', path_, each.name) // ASSERT_NOT_NULL should be ASSERT_REQUIRED
+    }
+    // check values of given data
+    for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
+      let /** @type {$any} */ d = elements[each]
+      if (!d || typeof d === 'function') ctx.unknown (each, this, data) // `each` might be a method of LinkedDefinitions, like filter, map, some, every, ...
+      else if (ctx.cleanse && d._is_readonly()) delete data[each]
+      else if (d['@cds.validate'] !== false) d.validate (data[each], path_, ctx)
+    }
+  }
+}
+
+/** Array definitions validate the entries of an array against their items definition. */
+class array extends $any {
+  validate (data, path, /** @type {Validation} */ ctx) {
+    if (data == null) return super.validate (data, path, ctx)
+    if (!Array.isArray(data)) return ctx.error ('ASSERT_ARRAY', path, this.name)
+    const path_ = path?.concat(this.name)
+    const /** @type {$any} */ items = { __proto__:this.items, name: undefined }
+    data.forEach ((entry,i) => items.validate (entry, path_.concat(i), ctx))
+  }
+}
+
+/** Entities support both as input: single records as well as arrays of which. */
+class entity extends struct {
+  validate (data, path, ctx, ...more) {
+    const _path4 = !path ? ()=>path : (row,i) => ({__proto__:path, index:i, row, def:this})
+    if (!Array.isArray(data)) return super.validate (data, _path4(data), ctx, ...more)
+    return data.forEach ((row,i) => super.validate (row, _path4(row,i), ctx, ...more))
+  }
+}
+
+/** Actions are struct-like, with their parameters as elements to validate. */
+class action extends struct {
+  validate (data, path, ctx) {
+    if (this.params) super.validate (data, path, ctx, this.params)
+  }
+}
+
+/** Managed associations are struct-like, with foreign keys as elements to validate. */
+class Association extends struct {
+  validate (data, path, ctx) {
+    if (this.foreignKeys) super.validate (data, path, ctx, this.foreignKeys)
+  }
+}
+
+/** Compositions are like nested entities, validating deep input against their target entity definitions. */
+class Composition extends entity {
+  validate (data, path, ctx) { if (!data) return
+    const elements = this._target.elements
+    const uplinks = {} // statically determine the uplinks for this composition
+    if (this.on) for (let {ref} of this.on) if (ref?.[0] === this.name) {
+      const fk = ref[1], fk_ = fk+'_'; uplinks[fk] = true
+      for (let e in elements) if (e.startsWith(fk_)) uplinks[e] = true
+    }
+    this.validate = (data, path, ctx) => super.validate (data, path, ctx, elements, uplinks)
+    this.validate (data, path, ctx) // call first time
+  }
+}
+
+
+// Type checks ---------------------------------------------------------------
+
+$any.prototype.type_check = undefined
+
+/**
+ * This getter constructs and returns a type check function for the declared precision and scale.
+ * Precision is the total number of digits, scale the number of digits after the decimal point.
+ */
+class Decimal extends $any { get type_check() {
+  const { precision:p, scale:s } = this, rx = RegExp (
+    !p ? `^[+-]?\\d+(?:\\.\\d+)?$` :
+    !s ? `^[+-]?\\d{1,${p}}$` :
+    p === s ? `^[+-]?0(?:\\.\\d{1,${s}})?$` :
+    /* p,s */ `^[+-]?\\d{1,${p-s}}(?:\\.\\d{1,${s}})?$`
+  )
+  return v => rx.test(v)
+}}
+
+class string extends $any { get type_check() {
+  const { length:l } = this; return l
+    ? v => typeof v === 'string' && v.length <= l
+    : v => typeof v === 'string'
+}}
+
+const {Readable} = require('stream')
+const _range_check = (range, min=-range) => v => min <= v && v < range
+const _regex_check = (rx) => v => rx.test(v)
+const _date_check  = (...parts) => {
+  const rx = RegExp('^'+parts.map(p => p.source||p).join('')+'$')
+  return v => v instanceof Date || rx.test(v)
+}
+const YYYY = /\d{4}/
+const MM = /-(0[1-9]|1[0-2])/
+const DD = /-(0[1-9]|[12]\d|3[01])/
+const hh = /[0-2]\d/
+const mm = /:[0-5]\d/
+const ss = /(?::[0-5]\d)?/
+const ms = /(?::[0-5]\d(?:\.\d+)?)?/
+const tz = /(?:Z|[+-][0-2]\d:?[0-5]\d)?/
+
+const $ = cds.linked.classes
+$.UUID.prototype        .strict_check = _regex_check (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i)
+$.boolean.prototype     .strict_check = v => typeof v === 'boolean'
+$.boolean.prototype     .type_check = v => typeof v === 'boolean' || v === 0 || v === 1
+$.number.prototype      .type_check = v => !isNaN(v)
+$.Integer.prototype     .type_check = _range_check (2**53)
+$.Int16.prototype       .type_check = _range_check (2**15)
+$.Int32.prototype       .type_check = _range_check (2**31)
+$.Int64.prototype       .type_check = _range_check (2n**63n)
+$.UInt8.prototype       .type_check = _range_check (256+1,0)
+$.Time.prototype        .type_check = _date_check (hh,mm,ss)
+$.Date.prototype        .type_check = _date_check (YYYY,MM,DD)
+$.DateTime.prototype    .type_check = _date_check (YYYY,MM,DD,'(?:T',hh,mm,ss,tz,')?')
+$.Timestamp.prototype   .type_check = _date_check (YYYY,MM,DD,'(?:T',hh,mm,ms,tz,')?')
+$.Binary.prototype      .type_check = v => Buffer.isBuffer(v) || typeof v === 'string'
+$.LargeBinary.prototype .type_check = v => Buffer.isBuffer(v) || typeof v === 'string' || v instanceof Readable
+$.LargeString.prototype .type_check = v => Buffer.isBuffer(v) || typeof v === 'string' || v instanceof Readable
+
+// Mixin above class extensions to cds.linked.classes
+$.mixin ( Decimal, string, $any, action, array, struct, entity, Association, Composition )

package/lib/log/cds-error.js

@@ -85,9 +85,3 @@ exports._no_primary_db = new Proxy ({},{ get: function fn(_,p) { error (`Not con
   cds ${process.argv[2]} --in-memory` : ''}`
 
 ,{},fn) }})
-
-
-exports._outdated_dk = () => error `
-  This application uses @sap/cds version >= 7, which is not compatible with the installed @sap/cds-dk version 6.
-  Either update @sap/cds-dk to version 7 or downgrade @sap/cds to version 6 instead.
-`

package/lib/log/cds-log.js

@@ -1,6 +1,7 @@
 const cds = require('../index'), conf = cds.env.log
 const log = module.exports = exports = cds_log
 const path = require('path')
+/* eslint-disable no-console */
 
 
 /**
@@ -88,7 +89,6 @@ exports.debug = function cds_debug (id, options) {
  * @param {string} [label] the module for which a logger is requested
  * @param {number} [level]  the log level to enable -> 0=off, 1=error, 2=warn, 3=info, 4=debug, 5=trace
  */
-/* eslint-disable no-console */
 exports.Logger = (label, level) => {
   const fmt = (level,args) => logger.format (label,level,...args)
   const logger = {
@@ -112,7 +112,7 @@ function Logger (label, level) { return exports.Logger (label, level) }
  * .debug(), .info(), .warn(), .error(), etc.
  */
 exports.winstonLogger = (options) => (label, level) => {
-  const winston = require("winston") // eslint-disable-line cds/no-missing-dependencies
+  const winston = require("winston")
   const logger = winston.createLogger({
     levels: log.levels, level: Object.keys(log.levels)[level],
     transports: [new winston.transports.Console()],
@@ -175,7 +175,7 @@ const { ERROR, WARN, INFO, DEBUG, TRACE } = exports.levels = {
   const conf = cds.env.log
   if (conf.Logger) {
     let resolvedPath
-    try { resolvedPath = require.resolve(conf.Logger) } catch { 
+    try { resolvedPath = require.resolve(conf.Logger) } catch {
       try { resolvedPath = require.resolve(path.join(cds.root, conf.Logger)) } catch {
         throw new Error(`Cannot find logger at "${conf.Logger}"`)
       }

package/lib/log/format/json.js

@@ -100,7 +100,7 @@ module.exports = function format(module, level, ...args) {
   // return array with the stringified toLog (to avoid multiple log lines) as the sole element
   try {
     return [JSON.stringify(toLog)]
-  } catch (e) {
+  } catch {
     // try again with removed circular references
     return [JSON.stringify(toLog, _getCircularReplacer())]
   }

package/lib/log/service/index.js

@@ -23,7 +23,6 @@ module.exports = class LogService extends cds.Service {
     }
 
     // serve embedded UI
-    // eslint-disable-next-line cds/no-missing-dependencies
     const express = require('express')
     app.use (path+'/ui', express.static(__dirname+'/vue.html'))
 

package/lib/plugins.js

@@ -29,7 +29,7 @@ exports.fetch = function (DEV = process.env.NODE_ENV !== 'production') {
  */
 exports.activate = async function () {
   const DEBUG = cds.debug ('plugins', {label:'cds'})
-  DEBUG && console.time ('[cds] - loaded plugins in')
+  DEBUG?.time ('[cds] - loaded plugins in')
   const { plugins } = cds.env, { local } = cds.utils
   await Promise.all (Object.entries(plugins) .map (async ([ plugin, conf ]) => {
     DEBUG?.(`loading plugin ${plugin}:`, { impl: local(conf.impl) })
@@ -44,6 +44,6 @@ exports.activate = async function () {
     }
     return p
   }))
-  DEBUG && console.timeEnd ('[cds] - loaded plugins in')
+  DEBUG?.timeEnd ('[cds] - loaded plugins in')
   return plugins
 }

package/lib/ql/Query.js

@@ -36,9 +36,8 @@ class Query {
   /** Turns all queries into Thenables which execute with primary db by default */
   get then() {
     const srv = this._srv || cds.db || cds.error `Can't execute query as no primary database is connected.`
-    const q = new AsyncResource('await cds.query')
-    // Temporary solution for cds.stream in .then. Remove with the next major release.
-    return (r,e) => q.runInAsyncScope (srv.run, srv, this) .then(rt => { rt = this._stream && rt ? Object.values(rt)[0] : rt; return r(rt) }, e)
+    const q = new AsyncResource('await cds.query')    
+    return (r,e) => q.runInAsyncScope (srv.run, srv, this).then (r,e)
   }
 
   _target4 (...args) {
@@ -120,11 +119,4 @@ class Query {
 
 const _name = cds.env.sql.names === 'quoted' ? n =>`"${n}"` : n => n.replace(/[.:]/g,'_')
 
-if (cds.env.ql.quirks_mode) Object.defineProperty (Query.prototype, '_target4', {
-  value: function (...args) {
-    const { ref, as } = this._target_ref4 (...args)
-    return ref.length === 1 && typeof ref[0] === 'string' && !as ? ref[0] : as ? {ref, as} : {ref}
-  }
-})
-
 module.exports = Query

package/lib/ql/SELECT.js

@@ -48,7 +48,7 @@ module.exports = class Query extends Whereable {
       if (c) return this._add('columns',c)
       if (typeof cols === 'string') {
         try { parse.path(cols) }
-        catch(e) { //> it can't be a from
+        catch { //> it can't be a from
           try { return this.columns(...arguments) }
           catch(e) {
             if (!e.message.startsWith('CDS compilation failed')) throw e

package/lib/ql/Whereable.js

@@ -44,9 +44,9 @@ class Query extends require('./Query') {
     if (typeof key !== 'object' || key === null) key = { [Object.keys(this._target.keys||{ID:1})[0]]: key }
     if (this.SELECT) this.SELECT.one = true
     if (cds.env.features.keys_into_where) return this.where(key)
-    if (this.UPDATE) { this.UPDATE.entity = { ref: [{ id: cds.env.ql.quirks_mode ? this.UPDATE.entity : this.UPDATE.entity.ref.at(-1), where: predicate4([key]) }] }; return this }
+    if (this.UPDATE) { this.UPDATE.entity = { ref: [{ id: this.UPDATE.entity.ref.at(-1), where: predicate4([key]) }] }; return this }
     if (this.SELECT) { this.SELECT.from.ref[this.SELECT.from.ref.length-1] = { id: this.SELECT.from.ref.at(-1), where: predicate4([key]) }; return this }
-    if (this.DELETE) { this.DELETE.from = { ref: [{ id: cds.env.ql.quirks_mode ? this.DELETE.from : this.DELETE.from.ref.at(-1), where: predicate4([key]) }] }; return this }
+    if (this.DELETE) { this.DELETE.from = { ref: [{ id: this.DELETE.from.ref.at(-1), where: predicate4([key]) }] }; return this }
     return this.where(key)
   }
 }
@@ -97,6 +97,7 @@ const _object_predicate = ([arg], _clause) => { // e.g. .where ({ID:4711, stock:
     else if (is_cqn(x)) pred.push('=', x)
     else if (x instanceof Buffer) pred.push('=', {val:x})
     else if (x instanceof RegExp) pred.push('like', {val:x})
+    else if (x instanceof Date) pred.push('=', {val:x})
     else if (typeof x === 'object') for (let op in x) pred.push(op, val(x[op]))
     else if (_clause === 'on' && typeof x === 'string') pred.push('=', { ref: x.split('.') })
     else pred.push('=', {val:x})

package/lib/req/cds-context.js

@@ -1,26 +1,15 @@
 const { AsyncLocalStorage } = require ('async_hooks')
 const { EventEmitter } = require('events')
-const EventContext = require('./context')
+const EventContext = require('./context'), ec4 = v => {
+  if (v instanceof EventContext || typeof v !== 'object') return v
+  if (v.context) return v.context
+  else return EventContext.for(v)
+}
 
 module.exports = new class extends AsyncLocalStorage {
 
-  run(v,fn,...args) { return super.run (this._context4(v),fn,...args) }
-  enterWith(v) { return super.enterWith (this._context4(v)) }
-
-  _context4(v) {
-    if (v instanceof EventContext || typeof v !== 'object') return v
-    if (v.context) return v.context
-    return EventContext.for(v)
-  }
-
-  /** @returns {EventContext} */
-  _for (cds,v) {
-    Reflect.defineProperty (cds,'context', { enumerable:1, ... {
-      set:(v) => this.enterWith(v),
-      get:()=> this.getStore(),
-    }})
-    return cds.context = v // IMPORTANT: we need to set it initially, to get it all wired up correctly
-  }
+  run(v,fn,...args) { return super.run (ec4(v),fn,...args) }
+  enterWith(v) { return super.enterWith (ec4(v)) }
 
   spawn (o,fn, /** @type {import('../index')} cds */ cds=this) {
     if (typeof o === 'function') [fn,o] = [o,fn] //> for compatibility
@@ -37,22 +26,22 @@ module.exports = new class extends AsyncLocalStorage {
           tx.model = cds.context.model
         }
         return Promise.resolve(fn(tx))
-        .then (tx.commit, e => tx.rollback(_error(e, cds)))
+        .then (tx.commit, e => {
+          cds.log().error(`ERROR occurred in background job:`, e)
+          return tx.rollback(e)
+        })
         .then (res => Promise.all(em.listeners('succeeded').map(each => each(res))))
         .catch (err => Promise.all(em.listeners('failed').map(each => each(err))))
         .finally (() => Promise.all(em.listeners('done').map(each => each())))
       })
     }
     const em = new EventEmitter
-    const { every, after } = o || {}
-    if (every) {
-      em.timer = setInterval(fx, every)
+    if (o?.every) {
+      em.timer = setInterval(fx, o.every)
       cds.on('shutdown', () => clearInterval(em.timer))
     } else {
-      em.timer = (after ? setTimeout(fx, after) : setImmediate(fx)).unref()
+      em.timer = (o?.after ? setTimeout(fx, o.after) : setImmediate(fx)).unref()
     }
     return em
   }
 }
-
-const _error = (err, cds) => { cds.log().error(`ERROR occurred in background job:`, err); return err }

package/lib/req/context.js

@@ -3,10 +3,6 @@ const async_events = { succeeded:1, failed:1, done:1, commit:1 }
 const req_locale = require('./locale')
 const { EventEmitter } = require('events')
 
-// getter functions extracted to show deprecation warning only once
-const _getTenant = req => req.tenant
-const _getLocale = req => req.locale
-
 /**
  * This is the base class for `cds.Events` and `cds.Requests`,
  * providing the transaction context nature to all instances.
@@ -20,7 +16,6 @@ class EventContext {
     const ctx = new this (_)
     const base = cds.context
     if (base) {
-      // we inherit from former cds.currents (except for the timestamp if new root ctx)
       if (_as_root) ctx._set('_propagated', Object.create(base, { timestamp: { value: undefined } }))
       else {
         ctx._set('_propagated', base)
@@ -90,26 +85,14 @@ class EventContext {
     if (t) super.tenant = t
   }
   get tenant() {
-    return super.tenant = this._propagated.tenant
+    return super.tenant = this._propagated.tenant || this._.req?.tenant
   }
 
   set user(u) {
-    if (u && typeof u === 'object') for (let p of ['tenant','locale']) {
-      let pd = Reflect.getOwnPropertyDescriptor(u,p)
-      if (pd?.value) this[p] = pd.value
-    }
-    let user = u instanceof cds.User ? Object.create(u,{
-      tenant: {get:()=> cds.utils.deprecated (_getTenant, {kind: 'Property', old: 'req.user.tenant', use: 'req.tenant'})(this)},
-      locale: {get:()=> cds.utils.deprecated (_getLocale, {kind: 'Property', old: 'req.user.locale', use: 'req.locale'})(this)},
-    }) : Object.defineProperties (new cds.User(u), {
-      tenant: {get:()=> cds.utils.deprecated (_getTenant, {kind: 'Property', old: 'req.user.tenant', use: 'req.tenant'})(this)},
-      locale: {get:()=> cds.utils.deprecated (_getLocale, {kind: 'Property', old: 'req.user.locale', use: 'req.locale'})(this)},
-    })
-    super.user = user
+    super.user = cds.User(u)
   }
   get user() {
-    this.user = this._propagated.user || _anonymous
-    return this.user // IMPORTANT: first set this.user then return it separately to ensure we return the compat-wrapped objects
+    return super.user = this._propagated.user || cds.User (this._.req?.user)
   }
 
   set locale(l) {
@@ -124,13 +107,13 @@ class EventContext {
   }
 
   get _features() {
-    return super._features = this._propagated._features || Features.for (this.http?.req?.features || this.user?.features || this.http?.req?.user?.features)
+    return super._features = this._propagated._features || Features.for (this._.req?.features || this.user.features)
   }
   get features() {
     return super.features = this._features || Features.none
   }
   set features(v) {
-    super.features = Features.for(v)
+    super.features = Features.for(v) || Features.none
   }
 
   get model() {
@@ -184,11 +167,26 @@ class EventContext {
   get _tx() { return this.tx } // REVISIT: for compatibility to bade usages of req._tx
 }
 
-const _anonymous = new cds.User.default
-
 
 class Features {
-  static for (x) { // normalizes features to an object
+  /**
+   * Returns an instance of this class for different supported input variants to specify features:
+   *
+   * - an `array` of feature names of features to be enabled
+   * - a `string` with a comma-separated list of feature names
+   * - the string `'*'` to generically enable _all_ features
+   * - an `object` with feature names as keys and boolean values true/false
+   * - `null` or `undefined` or an _empty_ `string` or `array` or `object` to indicate no features
+   *
+   * Note that the returned instance is effectively an object that has all enabled feature
+   * names as keys with the value true. In particualar, that means if the input is an object,
+   * with some flags set to false, the returned instance will not have these keys at all.
+   *
+   * Hence, users of cds.context.features can simply check for the presence of a feature
+   * with the like of `if ('foo' in cds.context.features)`...
+   * @returns {Features}
+   */
+  static for (x) {
     if (x == null) return
     if (x === '*') return this.all
     if (Array.isArray(x)) ; //> go on below

package/lib/req/request.js

@@ -90,33 +90,7 @@ class Request extends require('./event') {
 
     const ref = subject.ref || [ subject ]
 
-    if(!target.drafts || cds.env.fiori.lean_draft) return super.subject = { ref }
-
-    // special handling for old draft logic
-    let subjectRef = []
-    ref.forEach ((item, i) => {
-      // to one assoc & comp
-      if (typeof item === 'string') {
-        subjectRef.push(item)
-        return
-      }
-
-      // create key value pair without IsActiveEntity & adjust root target
-      const keys = {}
-      let id = item.id
-      if (!id) return
-      for (let j = 0; j < item?.where?.length; j = j + 4) {
-        const key = item.where[j].ref[0]
-        const value = item.where[j + 2].val
-        if (key !== 'IsActiveEntity') keys[key] = value
-        else if (i === 0 && key === 'IsActiveEntity' && value === false) id = item.id + '_drafts'
-      }
-
-      // create copy
-      const {SELECT:{from:{ref}}} = SELECT.from(id,keys)
-      subjectRef.push(...ref)
-    })
-    return super.subject = {ref: subjectRef}
+    return super.subject = { ref }
   }
 
   reply  (results) { return this.results = results }
@@ -135,7 +109,6 @@ class Request extends require('./event') {
       ).join('')
       throw me
     }
-    if (args[0] === 401 && this._.req?._login) this._.req._login()
     let e = this.error(...args)
     if (!e.stack) Error.captureStackTrace (e = Object.assign(new Error,e), this.reject)
     throw e
@@ -144,12 +117,6 @@ class Request extends require('./event') {
   // Lazily create message collectors for .errors and .messages
   /** @private */ get _messages() { return this.messages = this._set ('_messages', new Responses) }
   /** @private */ get _errors() { return this.errors = this._set ('_errors', new Errors) }
-
-  // REVISIT: Used for request logging in cds.server
-  // REVISIT: _.odataReq stuff should go into subclass ODataRequest
-  get _path() { return this._set ('_path', this._.odataReq ? this._.odataReq._url.pathname : this._.req && this._.req.path) }
-  get _query() { return this._set ('_query', this._.odataReq ? this._.odataReq._queryOptions : this._.req && this._.req.query) }
-
 }
 
 module.exports = Request