@sap/cds 8.1.0 → 8.2.0

package/libx/_runtime/messaging/event-broker.js

@@ -5,6 +5,8 @@ const express = require('express')
 const https = require('https')
 const crypto = require('crypto')
 
+const usedWebhookEndpoints = new Set()
+
 async function request(options, data) {
   return new Promise((resolve, reject) => {
     const req = https.request(options, res => {
@@ -53,29 +55,32 @@ function _validateCertificate(req, res, next) {
   )
   const clientCert = clientCertObj.toLegacyObject()
 
-  if (!this.isMultitenancy && !clientCertObj.checkPrivateKey(this.privateKey))
+  if (!this.isMultitenancy && !clientCertObj.checkPrivateKey(this.auth.privateKey))
     return res.status(401).josn({ message: 'Authentication Failed' })
 
   const cfSubject = Buffer.from(req.headers['x-ssl-client-subject-cn'], 'base64').toString()
-  if (this.validationCert.subject.CN !== clientCert.subject.CN || this.validationCert.subject.CN !== cfSubject) {
+  if (
+    this.auth.validationCert.subject.CN !== clientCert.subject.CN ||
+    this.auth.validationCert.subject.CN !== cfSubject
+  ) {
     this.LOG.info('certificate subject does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming Subject CN is valid.')
 
-  if (this.validationCert.issuer.CN !== clientCert.issuer.CN) {
+  if (this.auth.validationCert.issuer.CN !== clientCert.issuer.CN) {
     this.LOG.info('Certificate issuer subject does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming issuer subject CN is valid.')
 
-  if (this.validationCert.issuer.O !== clientCert.issuer.O) {
+  if (this.auth.validationCert.issuer.O !== clientCert.issuer.O) {
     this.LOG.info('Certificate issuer org does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
   this.LOG.debug('incoming Issuer Org is valid.')
 
-  if (this.validationCert.issuer.OU !== clientCert.issuer.OU) {
+  if (this.auth.validationCert.issuer.OU !== clientCert.issuer.OU) {
     this.LOG.info('certificate issuer OU does not match')
     return res.status(401).json({ message: 'Authentication Failed' })
   }
@@ -93,49 +98,79 @@ function _validateCertificate(req, res, next) {
   }
 }
 
-let instantiated = false
-
 class EventBroker extends cds.MessagingService {
   async init() {
-    // TODO: Only needed if there are subscriptions
-    if (instantiated)
-      throw new Error('Event Broker service must be a singleton service, you cannot have more than one instance.')
-    instantiated = true
     await super.init()
     cds.once('listening', () => {
       this.startListening()
     })
-    this.agent = this.getAgent()
-    this.isMultitenancy = cds.requires.multitenancy || cds.env.profiles.includes('mtx-sidecar')
-    this.validationCert = new crypto.X509Certificate(
-      this.isMultitenancy ? this.options.credentials.certificate : this.agent.options.cert
-    ).toLegacyObject()
-    this.privateKey = !this.isMultitenancy && crypto.createPrivateKey(this.agent.options.key)
-  }
-
-  getAgent() {
-    try {
-      if (this.options.x509.certPath && this.options.x509.pkeyPath) {
-        return new https.Agent({
-          cert: cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
-          key: cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
-        })
+    this.isMultitenancy = cds.env.requires.multitenancy || cds.env.profiles.includes('mtx-sidecar')
+
+    this.auth = {} // { kind: 'cert', validationCert?, privateKey? } or { kind: 'ias', ias }
+
+    // determine auth.kind
+    if (this.options.x509) {
+      if (!this.options.x509.cert && !this.options.x509.certPath)
+        throw new Error(`${this.name}: Event Broker with x509 option requires \`x509.cert\` or \`x509.certPath\`.`)
+      if (!this.options.x509.pkey && !this.options.x509.pkeyPath)
+        throw new Error(`${this.name}: Event Broker with x509 option requires \`x509.pkey\` or \`x509.pkeyPath\`.`)
+      this.auth.kind = 'cert' // byo cert, unofficial
+    } else {
+      let ias
+      for (const k in cds.env.requires) {
+        const r = cds.env.requires[k]
+        if (r.vcap?.label === 'identity' || r.kind === 'ias') ias = r
       }
-    } catch (error) {
-      if (this.LOG) this.LOG.error('GetCredentials', { error: error.message })
-      throw error
+      // multitenant receiver-only services don't need x509, check for ias existence
+      if (!this.isMultitenancy || ias) {
+        this.auth.kind = 'ias'
+        this.auth.ias = ias
+      } else this.auth.kind = 'cert'
+    }
+
+    if (!this.auth.kind || (this.auth.kind === 'ias' && !this.auth.ias))
+      throw new Error(`${this.name}: Event Broker requires your app to be bound to an IAS instance.`) // do not mention byo cert
+
+    if (this.auth.kind === 'cert') {
+      if (this.isMultitenancy && !this.options.credentials?.certificate)
+        throw new Error(
+          `${this.name}: \`certificate\` not found in Event Broker binding information. You need to bind your app to an Event Broker instance.`
+        )
+      this.auth.validationCert = new crypto.X509Certificate(
+        this.isMultitenancy ? this.options.credentials.certificate : this.agent.options.cert
+      ).toLegacyObject()
+      this.auth.privateKey = !this.isMultitenancy && crypto.createPrivateKey(this.agent.options.key)
     }
+
+    this.LOG._debug && this.LOG.debug('using auth: ' + this.auth.kind)
+  }
+
+  get agent() {
+    return (this.__agentCache ??=
+      this.auth.kind === 'ias'
+        ? new https.Agent({ cert: this.auth.ias.credentials.certificate, key: this.auth.ias.credentials.key })
+        : new https.Agent({
+            cert:
+              this.options.x509.cert ??
+              cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
+            key:
+              this.options.x509.pkey ??
+              cds.utils.fs.readFileSync(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
+          }))
   }
 
   async handle(msg) {
     if (msg.inbound) return super.handle(msg)
+    if (!this.options.credentials) throw new Error(`${this.name}: No credentials found for Event Broker service.`)
+    if (!this.options.credentials.ceSource)
+      throw new Error(`${this.name}: Emitting events is not supported by Event Broker plan \`event-connectivity\`.`)
     const _msg = this.message4(msg)
     await this.emitToEventBroker(_msg)
   }
 
-  async startListening() {
+  startListening() {
     if (!this._listenToAll.value && !this.subscribedTopics.size) return
-    await this.registerWebhookEndpoints()
+    this.registerWebhookEndpoints()
   }
 
   async emitToEventBroker(msg) {
@@ -148,7 +183,6 @@ class EventBroker extends cds.MessagingService {
     //     if (definition['@topic'] === topicOrEvent) return definition
     //   }
 
-    // TODO: What if we're in single tenant variant?
     try {
       const hostname = this.options.credentials.eventing.http.x509.url.replace(/^https?:\/\//, '')
 
@@ -185,31 +219,63 @@ class EventBroker extends cds.MessagingService {
         },
         agent: this.agent
       }
-      this.LOG.debug('HTTP headers:', JSON.stringify(options.headers))
-      this.LOG.debug('HTTP body:', JSON.stringify(msg.data))
+      if (this.LOG._debug) {
+        this.LOG.debug('HTTP headers:', JSON.stringify(options.headers))
+        this.LOG.debug('HTTP body:', JSON.stringify(msg.data))
+      }
       // what about headers?
       // TODO: Clarify if we should send `{ data, ...headers }` vs.  `data` + HTTP headers (`ce-*`)
+      //       Disadvantage with `data` + HTTP headers is that they're case insensitive -> information loss, but they're 'closer' to the cloudevents standard
       await request(options, { data: msg.data, ...headers }) // TODO: fetch does not work with mTLS as of today, requires another module. see https://github.com/nodejs/node/issues/48977
       if (this.LOG._info) this.LOG.info('Emit', { topic: msg.event })
     } catch (e) {
       this.LOG.error('Emit failed:', e.message)
+      throw e
     }
   }
 
   prepareHeaders(headers, event) {
     if (!('source' in headers)) {
       if (!this.options.credentials.ceSource)
-        throw new Error(
-          'Cannot publish event because of missing source information, currently not part of binding information.'
-        )
+        throw new Error(`${this.name}: Cannot emit event: Parameter \`ceSource\` not found in Event Broker binding.`)
       headers.source = `${this.options.credentials.ceSource[0]}/${cds.context.tenant}`
     }
     super.prepareHeaders(headers, event)
   }
 
-  async registerWebhookEndpoints() {
+  registerWebhookEndpoints() {
     const webhookBasePath = this.options.webhookPath || '/-/cds/event-broker/webhook'
-    cds.app.post(webhookBasePath, _validateCertificate.bind(this))
+    if (usedWebhookEndpoints.has(webhookBasePath))
+      throw new Error(
+        `${this.name}: Event Broker: Webhook endpoint already registered. Use a different one with \`options.webhookPath\`.`
+      )
+    usedWebhookEndpoints.add(webhookBasePath)
+    // auth
+    if (this.auth.kind === 'ias') {
+      const ias_auth = require('../../../lib/auth/ias-auth')
+      cds.app.use(webhookBasePath, cds.middlewares.context())
+      cds.app.use(webhookBasePath, ias_auth(this.auth.ias))
+      cds.app.use(webhookBasePath, (err, _req, res, next) => {
+        if (err.code === 401) return res.status(401).json({ message: 'Unauthorized' })
+        return next(err)
+      })
+      cds.app.use(webhookBasePath, (_req, res, next) => {
+        if (
+          cds.context.user.is('system-user') &&
+          cds.context.user.tokenInfo.azp === this.options.credentials.ias.clientId
+        ) {
+          // the token was fetched by event broker -> OK
+          return next()
+        }
+        if (cds.context.user.is('internal-user')) {
+          // the token was fetched by own credentials -> OK (for testing)
+          return next()
+        }
+        res.status(401).json({ message: 'Unauthorized' })
+      })
+    } else {
+      cds.app.post(webhookBasePath, _validateCertificate.bind(this))
+    }
     cds.app.post(webhookBasePath, express.json())
     cds.app.post(webhookBasePath, this.onEventReceived.bind(this))
   }
@@ -244,7 +310,6 @@ class EventBroker extends cds.MessagingService {
     } catch (e) {
       this.LOG.error('ERROR during inbound event processing:', e) // TODO: How does Event Broker do error handling?
       res.status(500).json({ message: 'Internal Server Error!' })
-      throw e
     }
   }
 }

package/libx/_runtime/remote/Service.js

@@ -261,7 +261,9 @@ class RemoteService extends cds.Service {
       const returnType = req._returnType
       const additionalOptions = { destination, kind, resolvedTarget, returnType, destinationOptions }
 
-      const jwt = req?.context?.headers?.authorization?.split(/^bearer /i)[1]
+      // REVISIT: i don't believe req.context.headers is an official API
+      let jwt = req?.context?.headers?.authorization?.split(/^bearer /i)[1]
+      if (!jwt) jwt = req?.context?.http?.req?.headers?.authorization?.split(/^bearer /i)[1]
       if (jwt) additionalOptions.jwt = jwt
 
       // hidden compat flag in order to suppress logging response body of failed request

package/libx/_runtime/remote/utils/client.js

@@ -39,7 +39,11 @@ const _executeHttpRequest = async ({ requestConfig, destination, destinationOpti
   if (LOG._debug) {
     const req2log = { headers: _sanitizeHeaders({ ...requestConfig.headers }) }
     if (requestConfig.method !== 'GET' && requestConfig.method !== 'DELETE')
-      req2log.data = requestConfig.data && SANITIZE_VALUES ? deepSanitize(requestConfig.data) : requestConfig.data
+      // In case of auto batch (only done for `GET` requests) no data is part of batch and for debugging URL is crucial
+      req2log.data =
+        requestConfig.data && SANITIZE_VALUES && !requestConfig._autoBatchedGet
+          ? deepSanitize(requestConfig.data)
+          : requestConfig.data
     LOG.debug(
       `${requestConfig.method} ${destination.url || `<${destination.destinationName}>`}${requestConfig.url}`,
       req2log
@@ -256,7 +260,7 @@ const run = async (requestConfig, options) => {
 
   // get result of $batch
   // does only support read requests as of now
-  if (requestConfig._autoBatch) {
+  if (requestConfig._autoBatchedGet) {
     // response data splitted by empty lines
     // 1. entry contains batch id and batch headers
     // 2. entry contains request status code and request headers
@@ -409,7 +413,11 @@ const getReqOptions = (req, query, service) => {
   // batch envelope if needed
   const maxGetUrlLength = service.options.max_get_url_length ?? cds.env.remote?.max_get_url_length ?? 1028
   if (KINDS_SUPPORTING_BATCH[service.kind] && reqOptions.method === 'GET' && reqOptions.url.length > maxGetUrlLength) {
-    reqOptions._autoBatch = true
+    LOG._debug &&
+      LOG.debug(
+        `URL of remote request exceeds the configured max length of ${maxGetUrlLength}. Converting it to a $batch request.`
+      )
+    reqOptions._autoBatchedGet = true
     reqOptions.data = [
       '--batch1',
       'Content-Type: application/http',
@@ -430,7 +438,7 @@ const getReqOptions = (req, query, service) => {
 
   // mount resilience and csrf middlewares for SAP Cloud SDK
   reqOptions.middleware = [service.middlewares.timeout]
-  const fetchCsrfToken = !!(reqOptions._autoBatch ? service.csrfInBatch : service.csrf)
+  const fetchCsrfToken = !!(reqOptions._autoBatchedGet ? service.csrfInBatch : service.csrf)
   if (fetchCsrfToken) reqOptions.middleware.push(service.middlewares.csrf)
 
   if (service.path) reqOptions.url = `${encodeURI(service.path)}${reqOptions.url}`

package/libx/_runtime/ucl/Service.js

@@ -22,17 +22,22 @@ class UCLService extends cds.Service {
     if (!this.options.credentials)
       throw new Error('No credentials found for the UCL service, please bind the service to your app.')
 
-    if (!this.options.x509.certPath || !this.options.x509.pkeyPath)
-      throw new Error('The UCL service requires the options `x509.certPath` and `x509.pkeyPath`.')
+    if (!this.options.x509.cert && !this.options.x509.certPath)
+      throw new Error('UCL requires `x509.cert` or `x509.certPath`.')
+    if (!this.options.x509.pkey && !this.options.x509.pkeyPath)
+      throw new Error('UCL requires `x509.pkey` or `x509.pkeyPath`.')
+
     const [cert, key] = await Promise.all([
-      fs.readFile(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
-      fs.readFile(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
+      this.options.x509.cert ?? fs.readFile(cds.utils.path.resolve(cds.root, this.options.x509.certPath)),
+      this.options.x509.pkey ?? fs.readFile(cds.utils.path.resolve(cds.root, this.options.x509.pkeyPath))
     ])
     this.agent = new https.Agent({ cert, key })
 
     const existingTemplate = await this.readTemplate()
     const template = existingTemplate ? await this.updateTemplate(existingTemplate) : await this.createTemplate() // TODO: Make sure return value is correct
 
+    if (!template) throw new Error('The UCL service could not create an application template.')
+
     cds.once('listening', async () => {
       const provisioning = await cds.connect.to('cds.xt.SaasProvisioningService')
       provisioning.prepend(() => {
@@ -68,7 +73,8 @@ class UCLService extends cds.Service {
       }
     `
     const variables = { key: 'xsappname', value: `"${xsappname}"` }
-    return (await this._request(query, variables)).applicationTemplates.data[0]
+    const res = await this._request(query, variables)
+    if (res) return res.applicationTemplates.data[0]
   }
 
   async createTemplate() {
@@ -162,7 +168,10 @@ class UCLService extends cds.Service {
             headers: res.headers,
             body: Buffer.concat(chunks).toString()
           }
-          resolve(JSON.parse(response.body).data)
+          const body = JSON.parse(response.body)
+          if (body.errors)
+            throw new Error('Request to UCL service failed with:\n' + JSON.stringify(body.errors, null, 2))
+          resolve(body.data)
         })
       })
 
@@ -201,6 +210,7 @@ class UCLService extends cds.Service {
     ) {
       id
       name
+      labels
       description
       applicationInput
     }

package/libx/odata/middleware/batch.js

@@ -397,7 +397,7 @@ const _processBatch = async (srv, router, req, res, next, body, ct, boundary) =>
               const { target } = cqn
               const keyString =
                 '(' +
-                target.keys
+                [...target.keys]
                   .filter(k => !k.isAssociation)
                   .map(k => {
                     let v = dependentOnResult[k.name]
@@ -483,7 +483,7 @@ const _formatResponseMultipart = request => {
   // REVISIT: tests require specific sequence
   const headers = {
     ...response.getHeaders(),
-    'content-type': 'application/json;odata.metadata=minimal' //> REVISIT: expected by tests
+    ...(response.statusCode !== 204 && { 'content-type': 'application/json;odata.metadata=minimal' })
   }
   delete headers['content-length'] //> REVISIT: expected by tests
 

package/libx/odata/middleware/create.js

@@ -85,6 +85,11 @@ module.exports = (adapter, isUpsert) => {
       .catch(err => {
         handleSapMessages(cdsReq, req, res)
 
+        // REVISIT: invoke service.on('error') for failed batch subrequests
+        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
+          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        }
+
         next(err)
       })
   }

package/libx/odata/middleware/delete.js

@@ -62,6 +62,11 @@ module.exports = adapter => {
       .catch(err => {
         handleSapMessages(cdsReq, req, res)
 
+        // REVISIT: invoke service.on('error') for failed batch subrequests
+        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
+          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        }
+
         next(err)
       })
   }

package/libx/odata/middleware/error.js

@@ -7,6 +7,7 @@ const { normalizeError, unwrapMultipleErrors } = require('../../_runtime/common/
 module.exports = () => {
   return function odata_error(err, req, res, next) {
     if (err == 401 || err.code == 401) return next(err) // speed up logins, at least temporary until we reviewed and eliminated overhead that may be involved below
+
     // REVISIT: keep?
     // log the error (4xx -> warn)
     _log(err)

package/libx/odata/middleware/operation.js

@@ -134,6 +134,12 @@ module.exports = adapter => {
       })
       .catch(err => {
         handleSapMessages(cdsReq, req, res)
+
+        // REVISIT: invoke service.on('error') for failed batch subrequests
+        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
+          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        }
+
         next(err)
       })
   }

package/libx/odata/middleware/read.js

@@ -19,16 +19,12 @@ const _getCount = result =>
       }, 0)
     : result.$count || result._counted_ || 0
 
-const _calculateNextLink = (req, result) => {
+const _setNextLink = (req, result) => {
   const $skiptoken = result.$nextLink ?? _calculateSkiptoken(req, result)
-  if ($skiptoken) {
-    const queryParamsWithSkipToken = { ...req.req.query, $skiptoken }
-    // REVISIT: slice replaces leading '/'. Always starts with '/'?
-    result.$nextLink =
-      req.req.path.slice(1) +
-      '?' +
-      querystring.stringify(queryParamsWithSkipToken, '&', '=', { encodeURIComponent: e => e })
-  }
+  if (!$skiptoken) return
+
+  const queryParamsWithSkipToken = { ...req.req.query, $skiptoken }
+  result.$nextLink = req.req.path.slice(1) + '?' + querystring.stringify(queryParamsWithSkipToken)
 }
 
 const _calculateSkiptoken = (req, result) => {
@@ -164,6 +160,11 @@ const _handleArrayOfQueriesFactory = adapter => {
       .catch(err => {
         handleSapMessages(cdsReq, req, res)
 
+        // REVISIT: invoke service.on('error') for failed batch subrequests
+        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
+          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        }
+
         next(err)
       })
   }
@@ -247,7 +248,7 @@ module.exports = adapter => {
           if (req.query.$count) result.$count = 0
         }
 
-        if (!one) _calculateNextLink(cdsReq, result)
+        if (!one) _setNextLink(cdsReq, result)
         postProcess(cdsReq.target, service, result)
         if (result?.$etag) res.set('ETag', result.$etag) //> must be done after post processing
 
@@ -264,9 +265,13 @@ module.exports = adapter => {
         res.send(result)
       })
       .catch(err => {
-        // REVISIT: move error middleware -> applies to all these anti patterns
         handleSapMessages(cdsReq, req, res)
 
+        // REVISIT: invoke service.on('error') for failed batch subrequests
+        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
+          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        }
+
         next(err)
       })
   }

package/libx/odata/middleware/stream.js

@@ -199,13 +199,12 @@ module.exports = adapter => {
       _addStreamMetadata(query)
     }
 
-    // we need the cds request, so we can access the modified query, which is cloned due to lean-draft, so we need to use dispatch here and pass a cds req
-    const cdsReq = adapter.request4({ query, req, res })
-
     // for read and delete, we provide keys in req.data
     // payload & params
-    const { keys } = getKeysAndParamsFromPath(query.SELECT.from, service)
-    cdsReq.data = keys
+    const { keys, params } = getKeysAndParamsFromPath(query.SELECT.from, service)
+
+    // we need the cds request, so we can access the modified query, which is cloned due to lean-draft, so we need to use dispatch here and pass a cds req
+    const cdsReq = adapter.request4({ query, data: keys, params, req, res })
 
     // REVISIT: what is this for? some tests fail without it... we should find a better solution!
     Object.defineProperty(query.SELECT, '_4odata', { value: true })

package/libx/odata/middleware/update.js

@@ -127,13 +127,13 @@ module.exports = adapter => {
         result = getODataResult(result, metadata, { property: _propertyAccess })
         res.send(result)
       })
-      .catch(e => {
+      .catch(err => {
         handleSapMessages(cdsReq, req, res)
 
         // if UPSERT is allowed, redirect to POST
-        const is404 = e.code === 404 || e.status === 404 || e.statusCode === 404
+        const is404 = err.code === 404 || err.status === 404 || err.statusCode === 404
         const isForcedInsert =
-          (e.code === 412 || e.status === 412 || e.statusCode === 412) &&
+          (err.code === 412 || err.status === 412 || err.statusCode === 412) &&
           extractIfNoneMatch(req.headers?.['if-none-match']) === '*'
         if (!_propertyAccess && (is404 || isForcedInsert) && _isUpsertAllowed({ target, data, event: req.method })) {
           // PUT / PATCH with if-match header means "only if already exists" -> no insert if it does not
@@ -147,8 +147,13 @@ module.exports = adapter => {
           return next()
         }
 
+        // REVISIT: invoke service.on('error') for failed batch subrequests
+        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
+          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        }
+
         // continue with caught error
-        next(e)
+        next(err)
       })
   }
 }

package/libx/odata/parse/afterburner.js

@@ -245,7 +245,8 @@ function _handleCollectionBoundActions(current, ref, i, namespace, one) {
   if (!action) return incompleteKeys
 
   const onCollection = !!(
-    action['@cds.odata.bindingparameter.collection'] || action?.params?.some(p => p?.items?.type === '$self')
+    action['@cds.odata.bindingparameter.collection'] ||
+    (action?.params && [...action.params].some(p => p?.items?.type === '$self'))
   )
 
   if (onCollection && one) {
@@ -399,7 +400,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
         incompleteKeys = _handleCollectionBoundActions(current, ref, i, namespace, one)
 
         if (ref[i].where) {
-          keyCount += addRefToWhereIfNecessary(ref[i].where, current)
+          keyCount += addRefToWhereIfNecessary(ref[i].where, current, true)
           _resolveAliasesInXpr(ref[i].where, current)
           _processWhere(ref[i].where, current)
         }

package/libx/odata/parse/multipartToJson.js

@@ -105,7 +105,7 @@ const parseStream = async function* (body, boundary) {
       chunk = `${leftover}${chunk}`
       const lastBoundary = chunk.lastIndexOf('--')
       const lastCRLF = chunk.lastIndexOf(CRLF)
-      if (lastBoundary > lastCRLF) {
+      if (lastBoundary > lastCRLF && lastBoundary + 2 < chunk.length) {
         leftover = chunk.slice(lastBoundary)
         chunk = chunk.slice(0, lastBoundary)
       } else {

package/libx/odata/utils/index.js

@@ -277,7 +277,7 @@ const skipToken = (token, cqn) => {
 
 const calculateLocationHeader = (target, srv, result) => {
   const targetName = target.name.replace(`${srv.definition.name}.`, '')
-  const filteredKeys = target.keys.filter(k => !k.isAssociation).map(k => k.name)
+  const filteredKeys = [...target.keys].filter(k => !k.isAssociation).map(k => k.name)
   const keyValuePairs = filteredKeys.reduce((acc, key) => {
     const value = result[key]
     if (value === undefined) return
@@ -358,11 +358,11 @@ function keysOf(entity, ignoreManagedBackLinks) {
 }
 
 // case: single key without name, e.g., Foo(1)
-function addRefToWhereIfNecessary(where, entity) {
+function addRefToWhereIfNecessary(where, entity, ignoreManagedBackLinks = false) {
   if (!where || where.length !== 1) return 0
 
   const isView = !!entity.params
-  const keys = isView ? Object.keys(entity.params) : keysOf(entity)
+  const keys = isView ? Object.keys(entity.params) : keysOf(entity, ignoreManagedBackLinks)
 
   if (keys.length !== 1) return 0
   where.unshift(...[{ ref: [keys[0]] }, '='])

package/libx/odata/utils/postProcess.js

@@ -1,27 +1,13 @@
 const cds = require('../../_runtime/cds')
 
 const getTemplate = require('../../_runtime/common/utils/template')
-const templateProcessor = require('../../_runtime/common/utils/templateProcessor')
-
-const _getParent = (model, name) => {
-  const target = model.definitions[name]
-
-  if (target && target.elements) {
-    for (const elementName in target.elements) {
-      const element = target.elements[elementName]
-      if (element._anchor && element._anchor._isContained) return element._anchor
-    }
-  }
-
-  return null
-}
 
 const _addEtags = (row, key) => {
   if (!row[key]) return
   row.$etag = row[key].startsWith('W/') ? row[key] : `W/"${row[key]}"`
 }
 
-const _processorFn = () => elementInfo => {
+const _processorFn = elementInfo => {
   const { row, plain } = elementInfo
   if (typeof row !== 'object') return
   for (const category of plain.categories) {
@@ -70,20 +56,12 @@ module.exports = function postProcess(target, service, result, isMinimal) {
   }
 
   const cacheKey = isMinimal ? 'postProcessMinimal' : 'postProcess'
-  const parent = _getParent(model, target.name)
   const options = { pick: _pick, ignore: isMinimal ? el => el.isAssociation : undefined }
-  const template = getTemplate(cacheKey, service, target, options, parent)
+  const template = getTemplate(cacheKey, service, target, options)
 
   if (template.elements.size === 0) return
 
   // normalize result to rows
   result = result.value != null && Object.keys(result).filter(k => !k.match(/^\W/)).length === 1 ? result.value : result
-
-  if (typeof result === 'object' && result != null) {
-    const rows = Array.isArray(result) ? result : [result]
-
-    // process each row
-    const processFn = _processorFn()
-    for (const row of rows) templateProcessor({ processFn, row, template })
-  }
+  template.process(result, _processorFn)
 }

package/libx/rest/middleware/error.js

@@ -54,6 +54,7 @@ module.exports = () => {
 
   return function rest_error(err, req, res, next) {
     if (err == 401 || err.code == 401) return next(err) // speed up logins, at least temporary until we reviewed and eliminated overhead that may be involved below
+
     // REVISIT: keep?
     // log the error (4xx -> warn)
     _log(err)