@sap/cds 8.6.2 → 8.7.0

package/CHANGELOG.md

@@ -4,6 +4,29 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 8.7.0 - 2025-01-28
+
+### Added
+
+- Allow usage of tar library (https://www.npmjs.com/package/tar) as a workaround to solve remaining issues by extension build on Windows. The tar library should be installed by app developers.
+- `cds.ql` supports limit with an optional offset, e.g. `limit(10, 5)`
+- Basic support for new built-in type `cds.Map`
+- Normalization of DateTime and Timestamp payloads in new OData adapter
+
+### Changed
+
+- Cleanse immutable values in draft modifications
+- Do not use compatibility mode of @sap/xssec 4, can be reverted with `cds.env.features.xssec_compat = true`
+- `cds.Float` is now correctly deprecated in `cds.builtin.types`.
+- Input provided via protocol adapter for elements annotated with `@cds.api.ignore` are rejected. Previously, they were ignored.
+
+### Fixed
+
+- Narrowed down peer dependency version of `express` to `^4`
+- OData, REST: Responses are only written in case that the response object is not already closed, which allows responding to requests directly in custom handlers.
+  + Note: Responses sent directly are not transactionally safe! Further, subsequent errors can no longer be communicated to the client!
+  + Note: Only respond directly in non-`$batch` requests!
+
 ## Version 8.6.2 - 2025-01-27
 
 ### Fixed
@@ -20,6 +43,7 @@
 
 ### Fixed
 
+- find draft root in authorization checks when entity has recursive compositions
 - `default-env.json` was not loaded anymore when in production mode.
 - i18n texts like `1` or `true` were returned as numbers, or booleans instead of strings
 - CSN files produced by `cds build` now again contain information to resolve handler files. That was broken in case of reflected/linked models set by e.g. plugins.

package/_i18n/i18n_en_US_saptrc.properties

@@ -44,7 +44,7 @@ Currency=bNSEwGmQtXNxy/Qh310iSQ_Currency
 CurrencyCode=3cKgP4qz+IsDHtETO3InVQ_Currency Code
 
 #XTIT: Currency Code Description
-CurrencyCode.Description=N1K4iJe5n+tnvMRTgtP24w_A currency code as specified in ISO 4217
+CurrencyCode.Description=pPQIrs2UIayPnWseWvdbuA_Currency code as specified by ISO 4217
 
 #XTIT: Currency Symbol
 CurrencySymbol=ICns/nlRq2+/URxMXV+T8g_Currency Symbol
@@ -59,7 +59,7 @@ Country=AbsSu8Y0n1nvBQMk+UaLfw_Country/Region
 CountryCode=IgAotY/RI8UnAUTEtFNGkw_Country/Region Code
 
 #XTIT: Country/Region Code Description
-CountryCode.Description=dkCbzc6I8aK8glGoJdGKfg_A country/region code as specified in ISO 3166-1
+CountryCode.Description=uSGs3P7TwJlYCpDq83TJNg_Country/region code as specified by ISO 3166-1
 
 #XTIT: Language
 Language=gFWTYTeLWksYL6uD/TAgFA_Language
@@ -68,10 +68,7 @@ Language=gFWTYTeLWksYL6uD/TAgFA_Language
 LanguageCode=NhI8Yd8pNFS7omWQsk5aJw_Language Code
 
 #XTIT: Language Code Description
-LanguageCode.Description=E/M7wAVsS7H/AhkTdqcvtg_A language code as specified in ISO 639-1
-
-#XTIT Time zone code
-TimeZoneCode=Y0KTpmsmzoysYLT6jDQEkQ_Time Zone Code
+LanguageCode.Description=ajmXdjo3lK0nfaMLCpvPMw_Language code as specified by ISO 639-1
 
 #XTIT: User Identifier
 UserID=cjI0FCsEZ2aD8ERc6G/xZw_User ID
@@ -83,7 +80,7 @@ Name=xOqOj8rcOinN3ZBO0WdWjA_Name
 Description=VGpOoz5siT25o1W0WDiHGw_Description
 
 #XTOL: A user's unique Indentifier
-UserID.Description=t9D7CV474t7qx3yqxKwwVw_A user's unique ID
+UserID.Description=yOjW1w1qaIvgZeYb0qAsig_User's unique ID
 
 #XTIT: Admin data for a draft document
 Draft_DraftAdministrativeData=LsxY+0o1fWbFeMrxNNIRvg_Draft Administrative Data

package/bin/serve.js

@@ -270,7 +270,9 @@ async function _local_server_js() {
 function _prepare_logging () { // NOSONAR
 
   const LOG = cds.log('cds.serve|server',{label:'cds'}); if (!LOG._info) return; else log = LOG.info
-  const _timer = `[cds] - launched at ${new Date().toLocaleString()}, version: ${cds.version}, in`
+  const _timer = process.env.NODE_ENV === 'production'
+    ? `[cds] - server launched at ${new Date().toLocaleString()}, version: ${cds.version}, in`
+    : '[cds] - server launched in'
   console.time (_timer)
 
   // print information when model is loaded

package/lib/compile/for/lean_drafts.js

@@ -148,7 +148,7 @@ module.exports = function cds_compile_for_lean_drafts(csn) {
         if (
           key === '@mandatory' ||
           key === '@Common.FieldControl' && newEl[key]?.['#'] === 'Mandatory' ||
-          key === '@Core.Immutable' ||
+          // key === '@Core.Immutable': Not allowed via UI anyway -> okay to cleanse them in PATCH
           key.startsWith('@assert') ||
           key.startsWith('@PersonalData')
         )

package/lib/compile/for/nodejs.js

@@ -11,6 +11,7 @@ function _compile_for_nodejs (csn, o) {
   cds.compile.for.lean_drafts(dsn, o)
   Object.defineProperty(csn, '_4nodejs', { value: dsn })
   Object.defineProperty(dsn, '_4nodejs', { value: dsn })
+  Object.assign (dsn.meta, csn.meta, dsn.meta) // merge meta data, as it may have been enhanced
   return dsn
 }
 

package/lib/compile/to/sql.js

@@ -33,14 +33,18 @@ function cds_compile_to_hana(csn, o, beforeCsn) {
 }
 
 function cds_compile_to_deltaSql (csn, o, beforeCsn) {
-  const options = cdsc._options.for.sql(o)
-  if (typeof beforeCsn === 'string') beforeCsn = JSON.parse(beforeCsn)
-  const { afterImage, drops, createsAndAlters } = cdsc.to.deltaSql (csn, options, beforeCsn || {definitions: {}, $version: '2.0'} ); // FIXME: As default value in compiler API?
-  return {
-    afterImage,
-    drops: unfold_ddl(drops, csn, options),
-    createsAndAlters: unfold_ddl(createsAndAlters, csn, options)
-  };
+  let result, next = ()=> result ??= function (){
+    const options = cdsc._options.for.sql(o)
+    if (typeof beforeCsn === 'string') beforeCsn = JSON.parse(beforeCsn)
+    const { afterImage, drops, createsAndAlters } = cdsc.to.deltaSql (csn, options, beforeCsn || {definitions: {}, $version: '2.0'} ); // FIXME: As default value in compiler API?
+    return {
+      afterImage,
+      drops: unfold_ddl(drops, csn, options),
+      createsAndAlters: unfold_ddl(createsAndAlters, csn, options)
+    };
+  }()
+  cds.emit ('compile.to.dbx', csn, o, next)
+  return result ??= next() //> in case no handler called next
 }
 
 function cds_compile_to_hdbcds (csn,o) {

package/lib/core/classes.js

@@ -59,9 +59,8 @@ class type extends any { is(kind) { return kind === 'type' || super.is(kind) }
         class Int16 extends Integer {}
         class Int32 extends Integer {}
         class Int64 extends Integer {}
-      class Float extends number {}
-        class Double extends Float {}
-        class Decimal extends Float {
+        class Double extends number {}
+        class Decimal extends number {
           toString(){
             return this.precision ? this.scale ? `Decimal(${this.precision},${this.scale})` : `Decimal(${this.precision})` : 'Decimal'
           }
@@ -202,7 +201,7 @@ module.exports = {
   UUID, Boolean, String,
   Integer, UInt8, Int16, Int32, Int64,
 
-  Float, Double, Decimal,
+  Double, Decimal,
   Date, Time, DateTime, Timestamp,
   Binary, Vector, LargeBinary, LargeString,
 

package/lib/core/types.js

@@ -15,6 +15,7 @@ for (let k in classes) if (k !== 'LinkedDefinitions' && k !== 'mixins') {
 
 Object.assign (protos, types.deprecated = {
 	'cds.DecimalFloat': Object.defineProperty (new classes.Decimal, '_type', { value:'cds.DecimalFloat' }),
+	'cds.Float':        Object.defineProperty (new classes.number,  '_type', { value:'cds.Float' }),
 	'cds.Integer16': 		new classes.Int16,
 	'cds.Integer32': 		new classes.Int32,
 	'cds.Integer64': 		new classes.Int64,

package/lib/env/cds-requires.js

@@ -1,3 +1,4 @@
+const { deprecated: cds_utils_deprecated } = require('../utils/cds-utils')
 const _runtime = '@sap/cds/libx/_runtime'
 
 exports = module.exports = {
@@ -80,8 +81,7 @@ const _authentication_strategies = {
 
 for (let each of Object.values(_authentication_strategies)) {
   Object.defineProperty (each, 'strategy', {get() {
-    // eslint-disable-next-line no-console
-    if (process.env.NODE_ENV !== 'production') console.trace('WARNING: auth.strategy is deprecated, use auth.kind instead')
+    if (process.env.NODE_ENV !== 'production') cds_utils_deprecated({ old: 'auth.strategy', use: 'auth.kind' })
     return { jwt: 'JWT', mocked: 'mock' }[this.kind] || this.kind
   }})
 }

package/lib/ql/cds-ql.js

@@ -169,7 +169,7 @@ exports.nested = (ref, ...args) => {
   if (ref.raw) return ql.nested (ql.ref(ref,...args))
   else if (!ref.ref) ref = ql.ref(ref)
   for (let each of args) {
-    if (each.as || each.where || each.orderBy) ref = {...ref, ...each}
+    if (each.as || each.where || each.orderBy || each.limit) ref = {...ref, ...each}
     else ref.columns = ql.columns(each)
   }
   ref.columns ??= ['*']
@@ -208,6 +208,13 @@ exports.orders = (...args) => {
   }
 }
 
+/** @returns {{ limit: { rows: { val: any; }; offset?: { val: any; }; }; }} */
+exports.limit = (...args) => {
+  const [ limit, offset ] = args; if (limit?.raw) return {limit: cds.parse._select('from X limit',args).limit }
+  if (!offset) return { limit: { rows: { val: limit } } }
+  else return { limit: { rows: { val: +limit }, offset: { val: +offset } } }
+};
+
 const _cqn_or_val = x => typeof x === 'object' ? x : {val:x}
 const is_object = x => typeof x === 'object'
 const is_array = Array.isArray

package/lib/ql/cds.ql-Query.js

@@ -71,20 +71,27 @@ class Query {
   /** @private */ get _target_ref() { return this._.from } // overridden in subclasses
   /** @private */ set _target(t) { this._set('_target', t.ref ? {name:t.ref[0]} : t) }
 
-  /** @private */ _target4 (t,...etc) {
+  /**
+   * @param {string | Function | object} t - the target
+   * @param {unknown[]} etc - additional arguments
+   * @returns {typeof this._target | import('@sap/cds').ref}
+   * @private
+  **/
+  _target4 (t,...etc) {
     switch (typeof t) {
       case 'string': {
         // NOTE: even though this._target will be {name:ref[0]} this returns the parsed {ref}
         // NOTE: we need to clone cached refs, as they might get modified afterwards
         return this._target = cloned (cached[t] ??= cds.parse.path(t))
       }
+      case 'function':  // fallthrough for classes generated by cds-typer. Will end up in t.name subcase
       case 'object': {
         if (t.raw) return this._target = !etc.length ? this._target4(t[0]) : cds.parse.path(t,...etc)
         if (t.name) return {ref:[ (this._target = t).name ]}
         if (t.ref || t.SELECT || t.SET) return this._target = t
       }
     }
-    throw this._expected `${{target:t}} to be an entity path string, a CSN definition, a {ref}, a {SELECT}, or a {SET}`
+    throw this._expected `${{target:t}} to be an entity path string, a CSN definition, a {ref}, a {SELECT}, a {SET}, or a class representing an entity definition`
   }
 
   /** @private */ _expected (...args) {

package/lib/req/validate.js

@@ -158,7 +158,6 @@ const $any = class any {
       if (d['@cds.on.update'])                              return true
       if (d['@Core.Computed'])                              return true
       if (d['@Common.FieldControl']?.['#'] === 'ReadOnly')  return true
-      if (d['@cds.api.ignore'] && !cds.env.features.reject_ignored) return true
       else return false
     })
   }
@@ -206,7 +205,7 @@ class struct extends $any {
     // check values of given data
     for (let each in data) { // will work for structured payloads as well as flattened ones with universal CSN
       let /** @type {$any} */ d = elements[each]
-      if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore && cds.env.features.reject_ignored)) ctx.unknown (each, this, data)
+      if (!d || (d['@cds.api.ignore'] && ctx.rejectIgnore)) ctx.unknown (each, this, data)
       else if (ctx.cleanse && d._is_readonly() && !d.key) delete data[each]
       // @Core.Immutable processed only for root, children are handled when knowing db state
       else if (ctx.cleanse && d['@Core.Immutable'] && !ctx.insert && !path) delete data[each]

package/lib/srv/cds-connect.js

@@ -34,7 +34,7 @@ connect.to = (datasource, options) => {
   }
   const promise = (async()=>{
     TRACE?.time(`cds.connect.to ${datasource}`.padEnd(22).slice(0,22))
-    const o = Service.is_factory ? options4 (datasource, options) : {}
+    const o = Service._is_service_class ? {} : options4 (datasource, options)
     const m = await model4 (o)
     // check if required service definition exists
     const required = cds.requires[datasource]

package/lib/srv/cds-serve.js

@@ -13,7 +13,6 @@ module.exports = function cds_serve (som, _options) { // NOSONAR
 
   if (som && typeof som === 'object' && !is_csn(som) && !is_files(som)) {
     [som,_options] = [undefined,
-      som._is_service_instance ? { service:som, from:'*' } :
       som._is_service_class    ? { service:som, from:'*' } :
       som
     ]
@@ -43,13 +42,8 @@ module.exports = function cds_serve (som, _options) { // NOSONAR
   // Pass 1: Construct service provider instances...
   const all=[], provided = loaded.then (async csn => { // NOSONAR
 
-    // Shortcut for directly passed service instances
-    if (o.service && o.service._is_service_instance) {
-      return all.push (o.service)
-    }
-
     // Shortcut for directly passed service classes
-    if (o.service && o.service._is_service_class) {
+    if (o.service?._is_service_class) {
       const Service = o.service, d = { name: o.service.name }
       const srv = await _new (Service, d,csn,o)
       return all.push (srv)
@@ -83,10 +77,9 @@ module.exports = function cds_serve (som, _options) { // NOSONAR
   // Note: doing that in a second pass guarantees all own services are in
   // cds.services, so they'll be found when they cds.connect to each others.
   let ready = provided.then (()=> Promise.all (all.map (async srv => {
-    if (o.service && o.service._is_service_instance) return srv
     cds.services[srv.name] = await Service.init (srv)
     cds.service.providers.push (srv)
-    if (srv[_ready]) srv[_ready](srv)
+    srv[_ready]?.(srv)
     return srv
   })))
 

package/lib/srv/cds.Service.js

@@ -116,7 +116,6 @@ class Service extends ModeledService {
 /** @deprecated */ Service.prototype.transaction = function(...args) { return this.tx(...args) }
 /** @deprecated */ Service.prototype._implicit_next = cds.env.features.implicit_next
 
-Service.prototype._is_service_instance = true  //> for factory
 Service._is_service_class = true              //> for factory
 
 //--------------------------------------------------------------------------

package/lib/srv/factory.js

@@ -1,90 +1,75 @@
-const cds = require('..'), { path, isfile, redacted } = cds.utils
-const paths = Array.from (new Set ([ cds.root, ...require.resolve.paths('x') ]))
-const DEBUG = cds.debug('cds.service.factory'); DEBUG?.({ 'cds.root':cds.root, paths })
-
-/** @typedef {import('./cds.Service')} Service @type { (()=>Service) & (new()=>Service) } */
-const ServiceFactory = function (name, model, options) { //NOSONAR
+const exts = process.env.CDS_TYPESCRIPT ? ['ts','js','mjs'] : ['js','mjs']
+const cds = require('..'), { path, isfile } = cds.utils
+/**
+ * NOTE: Need this typed helper variable to be able to use IntelliSense for calls with new keyword.
+ * @import Service from './cds.Service'
+ * @type new() => Service
+ */
+const factory = ServiceFactory
+module.exports = exports = factory
 
-  const o = { ...options } // avoid changing shared options
-  const conf = cds.requires[name]
-  const serve = !conf?.external || o.mocked && !conf.credentials
-  const defs = !model ? {[name]:{}} : model.definitions || cds.error `Invalid argument for 'model': ${model}`
-  const def = !name || name === 'db' ? {} : defs[name] || {}
-  DEBUG?.({ name, definition:def, options:redacted(o) })
 
-  let it /* eslint-disable no-cond-assign */
-  if (it = o.with)                 return _use (it) // from cds.serve (<options>)
-  if (it = serve && def['@impl'])  return _use (it) // from service definition
-  if (it = serve && sibling(def))  return _use (it) // next to <service>.cds
-  if (it = o.impl)                 return _use (it) // from cds.connect (<options>)
-  return _use (_required())
+function ServiceFactory (name, model, options) {
 
-  async function _use (it) {
-    if (it._is_service_class)     return new it (name,model,o)
-    if (it._is_service_instance)  return it
-    if (typeof it === 'function') return _use (await _required(), /*with:*/ o.impl = _function(it)) // NOSONAR
-    if (typeof it === 'object')   return _use (it[name] || it.default || await _required())
-    if (typeof it === 'string')   return Object.assign (await _use (await _require(it,def)), {_source:it})
-    throw cds.error `Invalid service implementation for ${name}: ${it}`
-  }
+  const o = { ...options } // avoid changing shared options
+  const def = model?.definitions[name] || {}
+  const remote = o.external && (o.credentials || !o.mocked)
 
-  function _required() {
-    const kind = o.kind = serve && def['@kind'] || o.kind || 'app-service'
-    if (_require[kind]) return _require[kind]
-    const {impl} = cds.requires[kind] || cds.requires.kinds[kind] || cds.error `No configuration found for 'cds.requires.${kind}'`
-    DEBUG?.('requires',{kind,impl})
-    return _require[kind] = _require (impl || cds.error `No 'impl' configured for 'cds.requires.${kind}'`)
-  }
-}
+  return _use (remote ? o.impl : o.with || def['@impl'] || _sibling(def) || o.impl || _kind())
+  async function _use (impl) { switch (typeof impl) {
+    case 'function':
+      if (impl._is_service_class) return new impl (name, model, o)
+      return _use (_kind(), /*with:*/ o.impl = _legacy(impl) || impl)
+    case 'object':
+      return _use (impl[name] || impl.default || _kind())
+    case 'string':
+      if (impl.startsWith('@sap/cds/')) impl = cds.home + impl.slice(8)  //> for local tests in @sap/cds dev
+      if (impl.startsWith('./')) impl = path.resolve (cds.root, _source4(def) || '.', '..', impl.slice(2))
+      try { var resolved = require.resolve(impl, {paths:[ cds.root, cds.home ]}) } catch {
+        try { resolved = require.resolve(path.join(cds.root, impl)) } catch (e) { // compatibility
+          throw cds.error(`Failed loading service implementation from ` + impl, { cause: e })
+        }
+      }
+      impl = await cds.utils._import (resolved)
+      impl = await _use (impl)
+      impl._source = resolved
+      return impl
+    default: throw cds.error`Invalid service implementation for ${name}: ${impl}`
+  }}
 
-const _require = (it,d) => {
-  d && DEBUG?.('requires',{ service: d.name, source:_source(d), impl:it })
-  if (it.startsWith('@sap/cds/')) it = cds.home + it.slice(8)  //> for local tests in @sap/cds dev
-  if (it.startsWith('./')) it = _relative (d,it.slice(2))     //> relative to <service>.cds
-  try { var resolved = require.resolve(it,{paths}) } catch {
-    try { resolved = require.resolve(path.join(cds.root,it)) } catch(e) { // compatibility
-      throw cds.error `Failed loading service implementation from '${it}' ${{ Reason:e, paths, 'cds.root':cds.root }}`
-    }
+  function _kind (kind = o.kind ??= def['@kind'] || 'app-service') {
+    const {impl} = cds.env.requires.kinds[kind] || cds.error `No configuration found for 'cds.requires.kinds.${kind}'`
+    return impl || cds.error `No 'impl' configured for 'cds.requires.kinds.${kind}'`
   }
-  DEBUG?.({resolved})
-  return cds.utils._import(resolved)
 }
 
-const _function = (impl) => !_is_class(impl) ? impl : (srv) => {
-  const instance = new impl, skip = {constructor:1,prototype:1}
-  for (let each of Reflect.ownKeys (impl.prototype)) {
-    each in skip || srv.on (each, (...args) => instance[each](...args))
-  }
-}
 
-const sibling = (d) => {
-  const { dir, name } = path.parse(_source(d)), TS = process.env.CDS_TYPESCRIPT
+const _source4 = d => d['@source'] || d.$location?.file
+const _sibling = d => {
+  let file = _source4(d); if (!file) return
+  let { dir, name } = path.parse (file)
   for (let subdir of ['', './lib', './handlers']) {
-    let found = TS && _resolve(dir,subdir,name+'.ts') || _resolve(dir,subdir,name+'.js') || _resolve(dir,subdir,name+'.mjs')
-    if (found)  return found //> equiv to '.'+found.slice(home.length)
+    for (let ext of exts) {
+      if (file = isfile (dir, subdir, name + '.' + ext)) return file // eslint-disable-line no-cond-assign
+    }
   }
 }
-
-// Note: @source has precedence over $location for csn.json cases
-const _source = (d) => d['@source'] || (d['@source'] = d.$location && d.$location.file.replace(/\\/g, '/') || '.')
-const _relative = (d,x,cwd=cds.root) => typeof x !== 'string' ? x : path.resolve (cwd, _source(d),'..',x)
-const _resolve = (...args) => {
-  const f = path.join(...args)
-  try { return require.resolve(f) }
-  catch(e) { if (e.code === 'MODULE_NOT_FOUND') return isfile(path.resolve(cds.root,f)); else throw e }
+const _legacy = impl => { // legacy hello-world style class
+  if (impl.prototype && /^class\b/.test(impl)) return function() {
+    const legacy = new impl
+    for (let k of Reflect.ownKeys(impl.prototype))
+      k === 'constructor' || k === 'prototype' || this.on(k, legacy[k].bind(legacy))
+  }
 }
-const _is_class = (impl) => typeof impl === 'function' && impl.prototype && /^class\b/.test(impl)
 
-module.exports = Object.assign (ServiceFactory, { init, is_factory:true })
 
 /**
- * Used internally by cds.connect() and cds.serve() to add handlers
- * from cds.service.impl-style implementations.
+ * Called by cds.connect() and cds.serve() for cds.service.impl-style implementations.
  * @protected
  */
-async function init (srv) {
-  const { impl } = srv.options
-  if (typeof impl === 'function' && !/^class\b/.test(impl))
-    await impl.call (srv,srv)
-  return await srv.init?.() ?? srv
+exports.init = async function (srv) {
+  const {impl} = srv.options; if (typeof impl === 'function' && !impl._is_service_class)
+    await impl.call(srv, srv)
+  await srv.init()
+  return srv
 }

package/lib/srv/middlewares/auth/ias-auth.js

@@ -1,7 +1,8 @@
 const cds = require('../../../index.js')
 const LOG = cds.log('auth')
 
-const xssec = require('./xssec')
+let xssec = require('./xssec')
+
 
 // REVISIT: Why do we need to know and do that?
 const KNOWN_CLAIMS = Object.values({
@@ -78,19 +79,48 @@ module.exports = function ias_auth(config) {
   }
 
   // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
-  return function ias_auth (req, _, next) {
-    if (!req.headers.authorization) return next()
-    const token = req.headers.authorization.slice(7) // skip /^bearer /
-    xssec.createSecurityContext(token, credentials, 'IAS', function (err, securityContext, tokenInfo) {
-
-      if (err) LOG.warn('User could not be authenticated due to error:', err)
-      if (!securityContext) return next(401)
-      else req.authInfo = securityContext //> compat req.authInfo
-
-      const ctx = cds.context
-      ctx.user = getUser(tokenInfo)
-      ctx.tenant = tokenInfo.getZoneId()
+
+  if (xssec.v3 && cds.env.features.xssec_compat !== true) { // no official flag!
+    let { createSecurityContext, IdentityService, errors: { ValidationError } } = xssec
+    const authService = new IdentityService(credentials)
+
+    return async function ias_auth (req, _, next) {
+      if (!req.headers.authorization) return next()
+      try {
+        const secContext = await createSecurityContext(authService, { req })
+        const tokenInfo = secContext.token
+        const ctx = cds.context
+        ctx.user = getUser(tokenInfo)
+        ctx.tenant = tokenInfo.getZoneId()
+        req.authInfo = secContext //> compat req.authInfo
+      } catch(e) {
+        if (e instanceof ValidationError) {
+          LOG.warn("Unauthenticated request: ", e);
+          return next(401)
+        }
+        LOG.error("Error while authenticating user: ", e);
+        return next(500)
+      }
       next()
-    })
+    }
+  } else { // TODO: Remove with cds 9
+    xssec = xssec.v3 || xssec
+    return function ias_auth (req, _, next) {
+      if (!req.headers.authorization) return next()
+      const token = req.headers.authorization.slice(7) // skip /^bearer /
+        xssec.createSecurityContext(token, credentials, 'IAS', function (err, securityContext, tokenInfo) {
+
+          if (err) LOG.warn('User could not be authenticated due to error:', err)
+          if (!securityContext) {
+            return next(401)
+          }
+          else req.authInfo = securityContext //> compat req.authInfo
+
+          const ctx = cds.context
+          ctx.user = getUser(tokenInfo)
+          ctx.tenant = tokenInfo.getZoneId()
+          next()
+        })
+    }
   }
 }

package/lib/srv/middlewares/auth/jwt-auth.js

@@ -1,7 +1,7 @@
 const cds = require('../../../index.js')
 const LOG = cds.log('auth')
 
-const xssec = require('./xssec')
+let xssec = require('./xssec')
 
 module.exports = function jwt_auth(config) {
   const { kind, credentials } = config
@@ -42,21 +42,50 @@ module.exports = function jwt_auth(config) {
 
     return new cds.User({ id, roles, attr, tokenInfo })
   }
+  if (xssec.v3 && cds.env.features.xssec_compat !== true) { // no official flag!
+    const { createSecurityContext, XsuaaService, errors: { ValidationError } } = xssec
+    const authService = new XsuaaService(credentials)
 
-  // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
-  return function jwt_auth (req, _, next) {
-    if (!req.headers.authorization) return next()
-    const token = req.headers.authorization.slice(7) // skip /^bearer /
-    xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
-
-      if (err) LOG.warn('User could not be authenticated due to error:', err)
-      if (!securityContext) return next(401)
-      else req.authInfo = securityContext //> compat req.authInfo
-
-      const ctx = cds.context
-      ctx.user = getUser(tokenInfo)
-      ctx.tenant = tokenInfo.getZoneId()
-      next()
-    })
+      return async function jwt_auth(req, _, next) {
+        if (!req.headers.authorization) return next()
+
+        try {
+          const secContext = await createSecurityContext(authService, { req })
+          const tokenInfo = secContext.token
+          const ctx = cds.context
+          ctx.user = getUser(tokenInfo)
+          ctx.tenant = tokenInfo.getZoneId()
+          req.authInfo = secContext //> compat req.authInfo
+        } catch(e) {
+          if(e instanceof ValidationError) {
+            LOG.warn("Unauthenticated request: ", e);
+            return next(401)
+          }
+          LOG.error("Error while authenticating user: ", e);
+          return next(500)
+        }
+
+        next()
+      }
+
+  } else {
+    xssec = xssec.v3 || xssec
+
+    // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
+      return function jwt_auth (req, _, next) {
+        if (!req.headers.authorization) return next()
+        const token = req.headers.authorization.slice(7) // skip /^bearer /
+          xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
+
+            if (err) LOG.warn('User could not be authenticated due to error:', err)
+            if (!securityContext) return next(401)
+            else req.authInfo = securityContext //> compat req.authInfo
+
+            const ctx = cds.context
+            ctx.user = getUser(tokenInfo)
+            ctx.tenant = tokenInfo.getZoneId()
+            next()
+          })
+      }
   }
 }

package/lib/srv/middlewares/auth/xssec.js

@@ -1,6 +1,6 @@
 try {
   const xssec = require('@sap/xssec')
-  module.exports = xssec.v3 || xssec // use v3 compat api // REVISIT: why ???
+  module.exports = xssec // use v3 compat api // REVISIT: why ???
 } catch (e) {
   if (e.code === 'MODULE_NOT_FOUND') e.message = `Cannot find '@sap/xssec'. Make sure to install it with 'npm i @sap/xssec'\n` + e.message
   throw e