@sap/cds 8.5.0 → 8.6.0

package/libx/_runtime/common/utils/cqn2cqn4sql.js

@@ -1,6 +1,6 @@
 const cds = require('../../cds')
 const { SELECT, INSERT, DELETE, UPDATE } = cds.ql
-const Query = require('../../../../lib/ql/Query')
+const Query = require('../../../../lib/ql/cds.ql-Query')
 const { resolveView } = require('./resolveView')
 const { ensureNoDraftsSuffix, getDraftColumnsCQNForDraft, ensureDraftsSuffix } = require('./draft')
 const { flattenStructuredSelect, OPERATIONS_MAP } = require('./structured')

package/libx/_runtime/common/utils/generateOnCond.js

@@ -29,7 +29,7 @@ const _adaptRefs = (onCond, path, { select, join }) => {
   return onCond.map(_adaptEl)
 }
 
-const replace$selfAndAliasOnCOnd = (xpr, csnElement, aliases, path) => {
+const replace$selfAndAliasOnCond = (xpr, csnElement, aliases, path) => {
   const selfIndex = xpr.findIndex(({ ref }) => ref?.[0] === '$self')
   if (selfIndex != -1) {
     let backLinkIndex
@@ -50,7 +50,7 @@ const replace$selfAndAliasOnCOnd = (xpr, csnElement, aliases, path) => {
   for (let i = 0; i < xpr.length; i++) {
     const element = xpr[i]
     if (element.xpr) {
-      replace$selfAndAliasOnCOnd(element.xpr, csnElement, aliases, path)
+      replace$selfAndAliasOnCond(element.xpr, csnElement, aliases, path)
       continue
     }
 
@@ -65,6 +65,10 @@ const replace$selfAndAliasOnCOnd = (xpr, csnElement, aliases, path) => {
         element.ref = _toRef(undefined, element.ref.slice(0)).ref
         continue
       }
+      //no alias for special $now variable
+      if (element.ref[0] === '$now') {
+        continue
+      }
 
       if (element.ref[0] === aliases.join || element.ref[0] === aliases.select) {
         // nothing todo here, as already right alias
@@ -83,7 +87,7 @@ const _args = (csnElement, path, aliases) => {
   if (!csnElement._isSelfManaged) return _adaptRefs(onCond, path, aliases)
 
   const onCondCopy = JSON.parse(JSON.stringify(onCond))
-  replace$selfAndAliasOnCOnd(onCondCopy, csnElement, aliases, path)
+  replace$selfAndAliasOnCond(onCondCopy, csnElement, aliases, path)
 
   return onCondCopy
 }

package/libx/_runtime/common/utils/postProcess.js

@@ -73,7 +73,10 @@ const postProcess = (query, result, service, onlySelectAliases = false) => {
   if (query.DELETE) return result
 
   if (query.SELECT) {
-    if (query.SELECT.columns?.find(col => col.func === 'count' && col.as === '$count')) return [{ $count: result }]
+    if (query.SELECT.columns?.find(col => col.func === 'count' && col.as === '$count')) {
+      if (result[0] && '$count' in result[0]) return result
+      return [{ $count: result }]
+    }
 
     handleAliasInResult(query.SELECT.columns, result)
 

package/libx/_runtime/common/utils/restrictions.js

@@ -3,6 +3,7 @@ const cds = require('../../cds')
 
 const $cache = Symbol('service contains any restrictions cache')
 
+/** @param {import('../../../../lib/srv/cds.Service')} srv */
 const containsAnyRestrictions = srv => {
   let { model } = srv
   if (srv.isExtensible) model = cds.context?.model || srv.model // REVISIT: extensions are not allowed to add or change restrictions, are they?

package/libx/_runtime/fiori/lean-draft.js

@@ -197,13 +197,15 @@ const _lock = {
 
 const _redirectRefToDrafts = (ref, model) => {
   const [root, ...tail] = ref
-  const draft = model.definitions[root.id || root].drafts
+  const target = model.definitions[root.id || root]
+  const draft = target.drafts || target
   return [root.id ? { ...root, id: draft.name } : draft.name, ...tail]
 }
 
 const _redirectRefToActives = (ref, model) => {
   const [root, ...tail] = ref
-  const active = model.definitions[root.id || root].actives
+  const target = model.definitions[root.id || root]
+  const active = target.actives || target
   return [root.id ? { ...root, id: active.name } : active.name, ...tail]
 }
 
@@ -325,6 +327,11 @@ const h = cds.ApplicationService.prototype.handle
 cds.ApplicationService.prototype.handle = async function (req) {
   const handle = h.bind(this)
 
+  if (req.event === 'DISCARD') req.event = 'CANCEL'
+  if (req.event === 'SAVE') {
+    req.event = 'draftActivate'
+    req.query ??= SELECT.from(req.target, req.data) //> support simple srv.send('SAVE',entity,...)
+  }
   if (
     !req.query ||
     // REVISIT: Currently all requests in an Object Page to nested composition targets, e.g. Incidents(ID)/conversation are also Draft Requests which seems wrong overkill -> is that required?
@@ -492,14 +499,14 @@ cds.ApplicationService.prototype.handle = async function (req) {
 
   // It needs to be redirected to drafts
   if (req.event === 'NEW' || req.event === 'CANCEL' || req.event === 'draftPrepare') {
-    req.target = req.target.drafts
+    if (!req.target.isDraft) req.target = req.target.drafts // COMPAT: also support these events for actives
 
-    if (query.INSERT?.into) {
+    if (query.INSERT) {
       if (typeof query.INSERT.into === 'string') query.INSERT.into = req.target.name
       else if (query.INSERT.into.ref) query.INSERT.into.ref = _redirectRefToDrafts(query.INSERT.into.ref, this.model)
-    } else if (query.DELETE?.from?.ref) {
+    } else if (query.DELETE) {
       query.DELETE.from.ref = _redirectRefToDrafts(query.DELETE.from.ref, this.model)
-    } else if (query.SELECT?.from?.ref) {
+    } else if (query.SELECT) {
       query.SELECT.from.ref = _redirectRefToDrafts(query.SELECT.from.ref, this.model)
     }
 
@@ -564,8 +571,7 @@ cds.ApplicationService.prototype.handle = async function (req) {
       req.reject({ code: 428, statusCode: 428 })
     }
 
-    const targetDraft = req.target.drafts
-    const cols = expandStarStar(targetDraft, true)
+    const cols = expandStarStar(req.target.drafts, true)
 
     // Use `run` (since also etags might need to be checked)
     // REVISIT: Find a better approach (`etag` as part of CQN?)
@@ -1470,7 +1476,7 @@ function expandStarStar(target, draftActivate, recursion = new Map()) {
             'NULL',
             'then',
             { val: null },
-            'else',            
+            'else',
             { val: '' },
             'end'
           ],
@@ -1511,6 +1517,7 @@ async function onNew(req) {
 
   if (req.target.actives['@Capabilities.InsertRestrictions.Insertable'] === false || req.target.actives['@readonly'])
     req.reject({ code: 405, statusCode: 405 })
+  req.query ??= INSERT.into(req.subject).entries(req.data || {}) //> support simple srv.send('NEW',entity,...)
   const isDirectAccess = typeof req.query.INSERT.into === 'string' || req.query.INSERT.into.ref?.length === 1
   // Only allowed for pseudo draft roots (entities with this action)
   if (isDirectAccess && !req.target.actives['@Common.DraftRoot.ActivationAction'])
@@ -1592,8 +1599,10 @@ async function onNew(req) {
 async function onEdit(req) {
   LOG.debug('edit active')
 
+  req.query ??= SELECT.from(req.target, req.data).where({ IsActiveEntity: true }) //> support simple srv.send('EDIT',entity,...)
+
   // use symbol for _draftParams
-  const draftParams = req.query[DRAFT_PARAMS]
+  const draftParams = req.query[DRAFT_PARAMS] || { IsActiveEntity: true } // REVISIT: can draftParams in the edit caser ever be undefined or other than IsActiveEntity=true ?
   if (req.query.SELECT.from.ref.length > 1 || draftParams.IsActiveEntity !== true) {
     req.reject({
       code: 400,
@@ -1692,7 +1701,7 @@ async function onEdit(req) {
     }
 
     const cqns = [
-      cds.env.fiori.read_actives_from_db ? this._datasource.run(selectActiveCQN) : this.run(selectActiveCQN),
+      cds.env.fiori.read_actives_from_db ? cds.db.run(selectActiveCQN) : this.run(selectActiveCQN),
       existingDraft
     ]
 
@@ -1713,7 +1722,7 @@ async function onEdit(req) {
 
     ;[res, draft] = await _promiseAll([
       // REVISIT: inofficial compat flag just in case it breaks something -> do not document
-      cds.env.fiori.read_actives_from_db ? this._datasource.run(selectActiveCQN) : this.run(selectActiveCQN),
+      cds.env.fiori.read_actives_from_db ? cds.db.run(selectActiveCQN) : this.run(selectActiveCQN),
       // no user check must be done here...
       existingDraft
     ])
@@ -1747,13 +1756,12 @@ async function onEdit(req) {
     InProcessByUser: req.user.id
   })
 
-  const targetDraft = req.target.drafts
   // is set to `null` on srv layer
   res.DraftAdministrativeData_DraftUUID = DraftUUID
   res.HasActiveEntity = true
   delete res.DraftAdministrativeData
   // change to db run
-  await INSERT.into(targetDraft).entries(res)
+  await INSERT.into(req.target.drafts).entries(res)
 
   // REVISIT: we need to use okra API here because it must be set in the batched request
   //          status code must be set in handler to allow overriding for FE V2
@@ -1783,8 +1791,9 @@ async function onEdit(req) {
 async function onCancel(req) {
   LOG.debug('delete draft')
 
+  req.query ??= DELETE(req.target, req.data) //> support simple srv.send('CANCEL',entity,...)
   const activeRef = _redirectRefToActives(req.query.DELETE.from.ref, this.model)
-  const draftParams = req.query[DRAFT_PARAMS]
+  const draftParams = req.query[DRAFT_PARAMS] || { IsActiveEntity: false } // REVISIT: can draftParams in the cancel case ever be undefined or other than IsActiveEntity=false ?
 
   const draftQuery = SELECT.one
     .from({ ref: req.query.DELETE.from.ref })
@@ -1801,7 +1810,7 @@ async function onCancel(req) {
     if (!cds.context.user._is_privileged && processByUser && processByUser !== cds.context.user.id)
       req.reject({ code: 403, statusCode: 403, message: 'DRAFT_LOCKED_BY_ANOTHER_USER', args: [processByUser] })
   }
-  const draftDeleteQuery = DELETE.from({ ref: req.query.DELETE.from.ref })
+  const draftDeleteQuery = DELETE.from({ ref: req.query.DELETE.from.ref }) // REVISIT: Isn't that == req.query ?
   const queries = !draft
     ? []
     : [draftParams.IsActiveEntity === false ? this.run(draftDeleteQuery, req.data) : draftDeleteQuery]
@@ -1900,38 +1909,40 @@ const _readAfterDraftAction = async function ({ req, payload, action }) {
   }
 }
 
-module.exports = {
-  impl() {
-    if (!this.new)
-      this.new = function (entity, data) {
-        return this.send({ event: 'NEW', query: INSERT.into(entity).entries(data ?? {}) })
-      }
-    if (!this.cancel)
-      this.cancel = function (entity, data) {
-        return this.send({ event: 'CANCEL', query: DELETE(entity, data) })
-      }
-    if (!this.edit)
-      this.edit = function (entity, data) {
-        if ((typeof entity === 'string' && entity.endsWith('.drafts')) || entity.isDraft)
-          throw new Error('Action `edit` must be called on the active entity')
-        return this.send({ event: 'EDIT', query: SELECT.from(entity, data).where({ IsActiveEntity: true }) })
-        //                                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ makes sure draftParams are set
-      }
-    if (!this.save)
-      this.save = function (entity, data) {
-        // a bit fishy to demand registering it on drafts since `SAVE` is usually just a shortcut for `['CREATE', 'UPDATE']`
-        // and is typically registered for active entities. Hence, we allow to register it on both and redirect to drafts
-        const _entity =
-          typeof entity === 'string' ? (entity.endsWith('.drafts') ? entity : entity + '.drafts') : entity?.drafts
-        return this.send({ event: 'draftActivate', query: SELECT.from(_entity, data) })
+// REVISIT: Looking at the simplified impls, I wonder if there's really much added convenience.
+// Even more as these events are very rarely sent from programmatic clients, if at all, but rather from Fiori clients only.
+cds.extend(cds.ApplicationService).with(
+  class {
+    new(draft, key) {
+      return {
+        then: (r, e) => this.send('NEW', draft, key).then(r, e),
+        for: key => this.send('EDIT', typeof draft === 'string' ? draft.replace(/\.drafts$/, '') : draft.actives, key)
       }
+    }
+    edit(active, key) {
+      return this.send('EDIT', active, key)
+    }
+    save(draft, key) {
+      return this.send('SAVE', draft, key)
+    }
+    cancel(draft, key) {
+      return this.send('CANCEL', draft, key)
+    }
+    discard(draft, key) {
+      return this.send('DISCARD', draft, key)
+    }
+  }
+)
 
-    if (!this._datasource) this._datasource = cds.db
+module.exports = {
+  impl() {
+    // REVISIT: don't pollute services... -> do we really need this?
+    Object.defineProperty(this, '_datasource', { value: cds.db })
 
     function _wrapped(handler, isActiveEntity) {
       const fn = function (req, next) {
         if (!req.target?.drafts || (isActiveEntity && req.target.isDraft) || (!isActiveEntity && !req.target.isDraft))
-          return next.call(this)
+          return next?.()
         return handler.call(this, req, next)
       }
       if (handler._initial) fn._initial = true

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -19,7 +19,7 @@ class EndpointRegistry {
         cds.app.use(basePath, cds.middlewares.context())
         cds.app.use(basePath, jwt_auth(cds.requires.auth))
         cds.app.use(basePath, (err, req, res, next) => {
-          if (err === 401) res.send(401)
+          if (err === 401) res.sendStatus(401)
           else next(err)
         })
       }

package/libx/_runtime/remote/Service.js

@@ -275,6 +275,8 @@ class RemoteService extends cds.Service {
       result = typeof query === 'object' && query.SELECT?.one && Array.isArray(result) ? result[0] : result
       return result
     })
+
+    return super.init()
   }
 
   // Overload .handle in order to resolve projections up to a definition that is known by the remote service instance.

package/libx/_runtime/remote/utils/client.js

@@ -33,9 +33,21 @@ const _executeHttpRequest = async ({ requestConfig, destination, destinationOpti
     if (jwt) destination.headers.authorization = `Bearer ${jwt}`
     else LOG._warn && LOG.warn('Missing JWT token for forwardAuthToken')
   }
+
   // Cloud SDK throws error if useCache is activated and jwt is undefined
   if (destination.jwt === undefined) delete destination.useCache
 
+  // prevent token exchange if ias token for technical user (unofficial!!!)
+  if (cds.env.features.remote_prevent_token_exchange) {
+    try {
+      const jsonwebtoken = require('jsonwebtoken')
+      const decoded = jsonwebtoken.decode(jwt)
+      if (decoded.app_tid && decoded.azp && decoded.azp === decoded.sub) destination.iasToXsuaaTokenExchange = false
+    } catch (error) {
+      LOG._debug && LOG.debug('Preventing token exchange failed:', error)
+    }
+  }
+
   if (LOG._debug) {
     const req2log = { headers: _sanitizeHeaders({ ...requestConfig.headers }) }
     if (requestConfig.method !== 'GET' && requestConfig.method !== 'DELETE')

package/libx/odata/ODataAdapter.js

@@ -96,7 +96,8 @@ class ODataAdapter extends HttpAdapter {
           return jsonBodyParser(req, res, next)
         })
         // batch
-        .post('/\\$batch', require('./middleware/batch')(this))
+        // .all is used deliberately instead of .use so that the matched path is not stripped from req properties
+        .all('/\\$batch', require('./middleware/batch')(this))
         // handle
         // REVISIT: with old adapter, we return 405 for HEAD requests -> check OData spec
         .head('*', (_, res) => res.sendStatus(405))

package/libx/odata/index.js

@@ -1,3 +1,5 @@
+/** @typedef {import('../../lib/srv/cds.Service')} Service */
+
 const cds = require('../../')
 const { SELECT } = cds.ql
 const { decodeURIComponent } = cds.utils
@@ -79,10 +81,10 @@ const _2query = cqn => {
 
 const enhanceCqn = (cqn, options) => {
   if (options.afterburner) {
-    const { service, protocol } = options
-    let { model, definition: { name: namespace } } = service // prettier-ignore
+    /** @type Service */ const service = options.service
+    let { model, namespace } = service // prettier-ignore
     if (service.isExtensible) model = cds.context?.model || model
-    cqn = options.afterburner(cqn, model, namespace, protocol)
+    cqn = options.afterburner(cqn, model, namespace, options.protocol)
   }
 
   const query = _2query(cqn)

package/libx/odata/middleware/batch.js

@@ -561,6 +561,10 @@ module.exports = adapter => {
   })
 
   return function odata_batch(req, res, next) {
+    if (req.method !== 'POST') {
+      throw cds.error(`Method ${req.method} is not allowed for calls to $batch endpoint`, { code: 405 })
+    }
+
     if (req.headers['content-type'].includes('application/json')) {
       return _processBatch(service, router, req, res, next)
     }

package/libx/odata/middleware/create.js

@@ -90,8 +90,8 @@ module.exports = (adapter, isUpsert) => {
         handleSapMessages(cdsReq, req, res)
 
         // REVISIT: invoke service.on('error') for failed batch subrequests
-        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
-          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        if (cdsReq.http.req.path.startsWith('/$batch') && service.handlers._error.length) {
+          for (const each of service.handlers._error) each.handler.call(service, err, cdsReq)
         }
 
         next(err)

package/libx/odata/middleware/delete.js

@@ -65,8 +65,8 @@ module.exports = adapter => {
         handleSapMessages(cdsReq, req, res)
 
         // REVISIT: invoke service.on('error') for failed batch subrequests
-        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
-          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        if (cdsReq.http.req.path.startsWith('/$batch') && service.handlers._error.length) {
+          for (const each of service.handlers._error) each.handler.call(service, err, cdsReq)
         }
 
         next(err)

package/libx/odata/middleware/operation.js

@@ -146,8 +146,8 @@ module.exports = adapter => {
         handleSapMessages(cdsReq, req, res)
 
         // REVISIT: invoke service.on('error') for failed batch subrequests
-        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
-          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        if (cdsReq.http.req.path.startsWith('/$batch') && service.handlers._error.length) {
+          for (const each of service.handlers._error) each.handler.call(service, err, cdsReq)
         }
 
         next(err)

package/libx/odata/middleware/read.js

@@ -101,11 +101,11 @@ const _isToOneAssoc = query =>
   query.SELECT.from.ref.length > 1 && typeof query.SELECT.from.ref.slice(-1)[0] === 'string'
 
 const _count = result => {
-  return Array.isArray(result)
-    ? result.reduce((acc, val) => {
-        return acc + (val?.$count ?? val?._counted_ ?? (Array.isArray(val) && _count(val))) || 0
-      }, 0)
-    : (result.$count ?? result._counted_ ?? 0)
+  if (Array.isArray(result))
+    return result.reduce((acc, val) => {
+      return acc + (val?.$count ?? val?._counted_ ?? (Array.isArray(val) && _count(val))) || 0
+    }, 0)
+  else return result.$count ?? result._counted_ ?? 0
 }
 
 // REVISIT: integrate with default handler
@@ -136,14 +136,16 @@ const _handleArrayOfQueriesFactory = adapter => {
           result: result[0],
           isCollection: !req._query[0].SELECT.one
         })
-        for (let i = 0; i < result.length; i++) {
+        // Skip first query, as its context is represented in the main context
+        for (let i = 1; i < result.length; i++) {
           const { context: subOdataContext } = getODataMetadata(req._query[i], {
             result: result[i],
             isCollection: !req._query[i].SELECT.one
           })
           // Add OData context, if it deviates from main context
-          if (i !== 0 && mainOdataContext !== subOdataContext) {
-            result[i].forEach(entry => (entry['@odata.context'] = subOdataContext))
+          if (mainOdataContext !== subOdataContext) {
+            // OData spec: "If present, the context control information MUST be the first property in the JSON object."
+            result[i] = result[i].map(entry => ({ '@odata.context': subOdataContext, ...entry }))
           }
         }
 
@@ -161,8 +163,8 @@ const _handleArrayOfQueriesFactory = adapter => {
         handleSapMessages(cdsReq, req, res)
 
         // REVISIT: invoke service.on('error') for failed batch subrequests
-        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
-          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        if (cdsReq.http.req.path.startsWith('/$batch') && service.handlers._error.length) {
+          for (const each of service.handlers._error) each.handler.call(service, err, cdsReq)
         }
 
         next(err)
@@ -277,8 +279,8 @@ module.exports = adapter => {
         handleSapMessages(cdsReq, req, res)
 
         // REVISIT: invoke service.on('error') for failed batch subrequests
-        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
-          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        if (cdsReq.http.req.path.startsWith('/$batch') && service.handlers._error.length) {
+          for (const each of service.handlers._error) each.handler.call(service, err, cdsReq)
         }
 
         next(err)

package/libx/odata/middleware/service-document.js

@@ -44,10 +44,21 @@ module.exports = adapter => {
 
     const srvEntities = model.entities(service.definition.name)
 
-    // REVISIT: How to identify the exposed entities? api.ignore, autoexposed, ...
-    const exposedEntities = Object.keys(srvEntities).filter(
-      entityName => !srvEntities[entityName]['@cds.api.ignore'] && entityName !== 'DraftAdministrativeData'
-    )
+    const exposedEntities = []
+    for (const e in srvEntities) {
+      if (e === 'DraftAdministrativeData') continue
+
+      const entity = srvEntities[e]
+      if (entity['@cds.api.ignore']) continue
+      if (cds.env.effective.odata.containment && csnService._containedEntities.has(entity.name)) continue
+
+      const odataName = e.replace(/\./g, '_')
+      const obj = { name: odataName, url: odataName }
+
+      if (entity['@odata.singleton'] || entity['@odata.singleton.nullable']) obj.kind = 'Singleton'
+
+      exposedEntities.push(obj)
+    }
 
     csnService.srvDocEtag = generateEtag(JSON.stringify(exposedEntities))
     res.set('ETag', csnService.srvDocEtag)
@@ -60,10 +71,7 @@ module.exports = adapter => {
     return res.json({
       '@odata.context': odataContext,
       '@odata.metadataEtag': csnService.srvDocEtag,
-      value: exposedEntities.map(e => {
-        const e_ = e.replace(/\./g, '_')
-        return { name: e_, url: e_ }
-      })
+      value: exposedEntities
     })
   }
 }

package/libx/odata/middleware/update.js

@@ -153,8 +153,8 @@ module.exports = adapter => {
         }
 
         // REVISIT: invoke service.on('error') for failed batch subrequests
-        if (cdsReq.http.req.path.startsWith('/$batch') && service._handlers._error.length) {
-          for (const each of service._handlers._error) each.handler.call(service, err, cdsReq)
+        if (cdsReq.http.req.path.startsWith('/$batch') && service.handlers._error.length) {
+          for (const each of service.handlers._error) each.handler.call(service, err, cdsReq)
         }
 
         // continue with caught error