@sap/cds 8.6.2 → 8.7.1

package/lib/srv/middlewares/auth/jwt-auth.js

@@ -1,7 +1,7 @@
 const cds = require('../../../index.js')
 const LOG = cds.log('auth')
 
-const xssec = require('./xssec')
+let xssec = require('./xssec')
 
 module.exports = function jwt_auth(config) {
   const { kind, credentials } = config
@@ -42,21 +42,50 @@ module.exports = function jwt_auth(config) {
 
     return new cds.User({ id, roles, attr, tokenInfo })
   }
+  if (xssec.v3 && cds.env.features.xssec_compat !== true) { // no official flag!
+    const { createSecurityContext, XsuaaService, errors: { ValidationError } } = xssec
+    const authService = new XsuaaService(credentials)
 
-  // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
-  return function jwt_auth (req, _, next) {
-    if (!req.headers.authorization) return next()
-    const token = req.headers.authorization.slice(7) // skip /^bearer /
-    xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
-
-      if (err) LOG.warn('User could not be authenticated due to error:', err)
-      if (!securityContext) return next(401)
-      else req.authInfo = securityContext //> compat req.authInfo
-
-      const ctx = cds.context
-      ctx.user = getUser(tokenInfo)
-      ctx.tenant = tokenInfo.getZoneId()
-      next()
-    })
+      return async function jwt_auth(req, _, next) {
+        if (!req.headers.authorization) return next()
+
+        try {
+          const secContext = await createSecurityContext(authService, { req })
+          const tokenInfo = secContext.token
+          const ctx = cds.context
+          ctx.user = getUser(tokenInfo)
+          ctx.tenant = tokenInfo.getZoneId()
+          req.authInfo = secContext //> compat req.authInfo
+        } catch(e) {
+          if(e instanceof ValidationError) {
+            LOG.warn("Unauthenticated request: ", e);
+            return next(401)
+          }
+          LOG.error("Error while authenticating user: ", e);
+          return next(500)
+        }
+
+        next()
+      }
+
+  } else {
+    xssec = xssec.v3 || xssec
+
+    // NOTE: Use named function for better stack traces... for the actual middleware, of course, not that much for the factory!
+      return function jwt_auth (req, _, next) {
+        if (!req.headers.authorization) return next()
+        const token = req.headers.authorization.slice(7) // skip /^bearer /
+          xssec.createSecurityContext(token, credentials, function (err, securityContext, tokenInfo) {
+
+            if (err) LOG.warn('User could not be authenticated due to error:', err)
+            if (!securityContext) return next(401)
+            else req.authInfo = securityContext //> compat req.authInfo
+
+            const ctx = cds.context
+            ctx.user = getUser(tokenInfo)
+            ctx.tenant = tokenInfo.getZoneId()
+            next()
+          })
+      }
   }
 }

package/lib/srv/middlewares/auth/xssec.js

@@ -1,6 +1,6 @@
 try {
   const xssec = require('@sap/xssec')
-  module.exports = xssec.v3 || xssec // use v3 compat api // REVISIT: why ???
+  module.exports = xssec // use v3 compat api // REVISIT: why ???
 } catch (e) {
   if (e.code === 'MODULE_NOT_FOUND') e.message = `Cannot find '@sap/xssec'. Make sure to install it with 'npm i @sap/xssec'\n` + e.message
   throw e

package/lib/srv/middlewares/errors.js

@@ -1,17 +1,17 @@
 const { isStandardError } = require('../../../libx/_runtime/common/error/standardError')
 
 const production = process.env.NODE_ENV === 'production'
-const cds = require ('../..')
+const cds = require('../..')
 const LOG = cds.log('error')
 const { inspect } = cds.utils
 
-
 module.exports = () => {
+  // eslint-disable-next-line no-unused-vars
   return async function http_error(error, req, res, next) {
     if (isStandardError(error) && cds.env.server.shutdown_on_uncaught_errors) {
       cds.log().error('❗️Uncaught', error)
       await cds.shutdown(error)
-      return;
+      return
     }
 
     // In case of 401 require login if available by auth strategy
@@ -26,11 +26,13 @@ module.exports = () => {
       error.stack = error.stack.replace(/\n {4}at .*(?:node_modules\/express|node:internal).*/g, '')
 
     if (400 <= status && status < 500) {
-      LOG.warn (status, '>', inspect(error))
+      LOG.warn(status, '>', inspect(error))
     } else {
-      LOG.error (status, '>', inspect(error))
+      LOG.error(status, '>', inspect(error))
     }
 
+    if (res.headersSent) return
+
     // Expose as little information as possible in production, and as much as possible in development
     if (production) {
       Object.defineProperties(error, {
@@ -44,14 +46,10 @@ module.exports = () => {
       })
     }
 
-    if (res.headersSent) {
-      return next(error)
-    }
-
     // Send the error response
     return res.status(status).json({ error })
 
     // Note: express returns errors as XML, we prefer JSON
-    // _next (error)
+    // next(error)
   }
 }

package/lib/utils/cds-utils.js

@@ -1,6 +1,10 @@
 const cwd = process.env._original_cwd || process.cwd()
 const cds = require('../index')
 
+/* eslint no-empty: ["error", { "allowEmptyCatch": true }] */
+// eslint-disable-next-line no-unused-vars
+const _tarLib = () => { try { return require('tar') } catch(_) {} }
+
 module.exports = exports = new class {
   get colors() { return super.colors = require('./colors') }
   get inflect() { return super.inflect = require('./inflect') }
@@ -16,7 +20,7 @@ module.exports = exports = new class {
   get uuid() { return super.uuid = require('crypto').randomUUID }
   get yaml() { return super.yaml = require('@sap/cds-foss').yaml }
   get pool() { return super.pool = require('@sap/cds-foss').pool }
-  get tar() { return super.tar = require('./tar') }
+  get tar()  { return super.tar = process.platform === 'win32' && _tarLib() ? require('./tar-lib') : require('./tar') }  
 }
 
 /** @type {import('node:path')} */

package/lib/utils/tar-lib.js

@@ -0,0 +1,58 @@
+const cds = require('../index'), { path, mkdirp } = cds.utils
+const tar = require('tar')
+const { Readable } = require('stream')
+const cons = require('stream/consumers')
+
+const _resolve = (...x) => path.resolve (cds.root,...x)
+
+exports.create = async (root, ...args) => {  
+  if (typeof root === 'string') root = _resolve(root)
+  if (Array.isArray(root)) [ root, ...args ] = [ cds.root, root, ...args ]
+
+  const options = {}
+  if (args.includes('-z')) options.gzip = true
+  const index = args.findIndex(el => el === '-f')
+  if (index>=0) options.file = _resolve(args[index+1])
+  options.cwd = root
+    
+  let dirs = []
+  for (let i=0; i<args.length; i++) {
+    if (args[i] === '-z' || args[i] === '-f') break
+    if (Array.isArray(args[i])) args[i].forEach(a => dirs.push(_resolve(a)))
+    else if (typeof args[i] === 'string') dirs.push(_resolve(args[i]))
+  }
+  if (!dirs.length) dirs.push(root)
+  dirs = dirs.map(d => path.relative(root, d))
+  
+  const stream = await tar.c(options, dirs)
+
+  return stream && await cons.buffer(stream) 
+}
+
+exports.extract = (archive, ...args) => ({
+  async to (dest) {
+    if (typeof dest === 'string') dest = _resolve(dest)
+    const stream = Readable.from(archive)
+    
+    const options = { C: dest }
+    if (args.includes('-z')) options.gzip = true
+
+    return new Promise((resolve, reject) => {
+        const tr = tar.x(options)
+        stream.pipe(tr)
+        tr.on('close', () => resolve())
+        tr.on('error', e => reject(e))
+    })
+  }
+})
+
+const tar_ = exports
+exports.c = tar_.create
+exports.cz = (d,...args) => tar_.c (d, ...args, '-z')
+exports.cf = (t,d,...args) => tar_.c (d, ...args, '-f',t)
+exports.czf = (t,d,...args) => tar_.c (d, ...args, '-z', '-f',t)
+exports.czfd = (t,...args) => mkdirp(path.dirname(t)).then (()=> tar_.czf (t,...args))
+exports.x = tar_.xf = tar_.extract
+exports.xz = tar_.xzf = a => tar_.x (a, '-z')
+exports.xv = tar_.xvf = a => tar_.x (a)
+exports.xvz = tar_.xvzf = a => tar_.x (a, '-z')

package/libx/_runtime/common/Service.js

@@ -62,10 +62,6 @@ class ApplicationService extends cds.Service {
     require('./generic/sorting').call(this)
   }
 
-  static handle_code_ext() {
-    if (cds.env.requires.extensibility?.code) require('./code-ext/handlers').call(this)
-  }
-
   static handle_fiori() {
     require('../fiori/lean-draft').impl.call(this)
   }

package/libx/_runtime/common/generic/input.js

@@ -212,7 +212,7 @@ const _pick = element => {
   //          should be a db feature, as we cannot handle completely on service level (cf. deep update)
   //          -> add to attic env behavior once new dbs handle this
   // also happens in validate but because of draft activate we have to do it twice (where cleansing is suppressed)
-  if (element['@Core.Immutable']) {
+  if (element['@Core.Immutable'] && !element.key) {
     categories.push('immutable')
   }
 

package/libx/_runtime/common/utils/csn.js

@@ -115,19 +115,23 @@ const prefixForStruct = element => {
 function getDraftTreeRoot(entity, model) {
   if (entity.own('__draftTreeRoot')) return entity.__draftTreeRoot
 
+  const previous = new Set() // track visited entities to identify hierarchies
   let parent
   let current = entity
   while (current && !current['@Common.DraftRoot.ActivationAction']) {
+    previous.add(current.name)
     const parents = []
     for (const k in model.definitions) {
+      if (previous.has(k)) continue
       const e = model.definitions[k]
       if (e.kind !== 'entity' || !e.compositions) continue
       for (const c in e.compositions)
         if (
           e.compositions[c].target === current.name ||
           e.compositions[c].target === current.name.replace(/\.drafts/, '')
-        )
+        ) {
           parents.push(e)
+        }
     }
     if (parents.length > 1 && parents.some(p => p !== parents[0])) {
       // > unable to determine single parent

package/libx/_runtime/fiori/lean-draft.js

@@ -407,10 +407,6 @@ cds.ApplicationService.prototype.handle = async function (req) {
   }
 
   if (req.event === 'READ') {
-    // apply paging and sorting on original query for protocol adapters relying on it
-    commonGenericPaging(req)
-    commonGenericSorting(req)
-
     if (
       !Object.keys(draftParams).length &&
       !req.query._target.name?.endsWith('DraftAdministrativeData') &&
@@ -419,6 +415,11 @@ cds.ApplicationService.prototype.handle = async function (req) {
       req.query = query
       return handle(req)
     }
+
+    // apply paging and sorting on original query for protocol adapters relying on it
+    commonGenericPaging(req)
+    commonGenericSorting(req)
+
     const read =
       draftParams.IsActiveEntity === false &&
       _hasStreaming(query.SELECT.columns, query._target) &&
@@ -1509,7 +1510,7 @@ function expandStarStar(target, draftActivate, recursion = new Map()) {
 }
 
 async function onNewCleanse(req) {
-  cds.validate(req.data, req.target, {})
+  cds.validate(req.data, req.target, { insert: true })
 }
 onNewCleanse._initial = true
 async function onNew(req) {

package/libx/_runtime/messaging/enterprise-messaging-shared.js

@@ -14,13 +14,17 @@ class EnterpriseMessagingShared extends AMQPWebhookMessaging {
 
   getClient() {
     if (this.client) return this.client
+    this.client = new AMQPClient(this.getClientOptions())
+    return this.client
+  }
+
+  getClientOptions() {
     const optionsAMQP = optionsMessagingAMQP(this.options)
-    this.client = new AMQPClient({
+    return {
       optionsAMQP,
       prefix: { topic: 'topic:', queue: 'queue:' },
       service: this
-    })
-    return this.client
+    }
   }
 
   getManagement() {

package/libx/common/utils/path.js

@@ -25,6 +25,8 @@ const getKeysAndParamsFromPath = (from, { model }) => {
         const seg_keys = where2obj(ref.where)
         Object.assign(keys, seg_keys)
         params[i] = seg_keys.ID && Object.keys(seg_keys).length === 1 ? seg_keys.ID : seg_keys
+      } else if (ref.args) {
+        params[i] = Object.fromEntries(Object.entries(ref.args).map(([k, v]) => [k, 'val' in v ? v.val : v]))
       }
       if (lastElement.isAssociation && from.ref.length > 1) {
         // add keys for navigation from path

package/libx/odata/middleware/create.js

@@ -6,6 +6,7 @@ const getODataMetadata = require('../utils/metadata')
 const postProcess = require('../utils/postProcess')
 const readAfterWrite4 = require('../utils/readAfterWrite')
 const getODataResult = require('../utils/result')
+const normalizeTimeData = require('../utils/normalizeTimeData')
 
 const { getKeysAndParamsFromPath } = require('../../common/utils')
 
@@ -32,6 +33,7 @@ module.exports = (adapter, isUpsert) => {
 
     // payload & params
     const data = req.body
+    normalizeTimeData(data, model, target)
     const { keys, params } = getKeysAndParamsFromPath(from, { model })
     // add keys from url into payload (overwriting if already present)
     Object.assign(data, keys)
@@ -66,16 +68,18 @@ module.exports = (adapter, isUpsert) => {
         })
       })
       .then(result => {
-        handleSapMessages(cdsReq, req, res)
+        if (res.headersSent) return
 
-        // case: read after write returns no results, e.g., due to auth (academic but possible)
-        if (result == null) return res.sendStatus(204)
+        handleSapMessages(cdsReq, req, res)
 
         if (!target._isSingleton) {
           // determine calculation based on result with req.data as fallback
           res.set('location', calculateLocationHeader(cdsReq.target, service, result || cdsReq.data))
         }
 
+        // case: read after write returns no results, e.g., due to auth (academic but possible)
+        if (result == null) return res.sendStatus(204)
+
         const preference = getPreferReturnHeader(req)
         postProcess(cdsReq.target, model, result, preference === 'minimal')
         if (result?.$etag) res.set('ETag', result.$etag) //> must be done after post processing

package/libx/odata/middleware/delete.js

@@ -57,6 +57,8 @@ module.exports = adapter => {
         })
       })
       .then(() => {
+        if (res.headersSent) return
+
         handleSapMessages(cdsReq, req, res)
 
         res.sendStatus(204)

package/libx/odata/middleware/operation.js

@@ -101,6 +101,8 @@ module.exports = adapter => {
     return service
       .run(() => service.dispatch(cdsReq))
       .then(result => {
+        if (res.headersSent) return
+
         handleSapMessages(cdsReq, req, res)
 
         if (operation.returns?.items && result == null) result = []

package/libx/odata/middleware/read.js

@@ -128,6 +128,8 @@ const _handleArrayOfQueriesFactory = adapter => {
         })
       })
       .then(result => {
+        if (res.headersSent) return
+
         handleSapMessages(cdsReq, req, res)
 
         if (req.url.match(/\/\$count/)) return res.set('Content-Type', 'text/plain').send(_count(result).toString())
@@ -238,6 +240,8 @@ module.exports = adapter => {
         })
       })
       .then(result => {
+        if (res.headersSent) return
+
         handleSapMessages(cdsReq, req, res)
 
         // 204

package/libx/odata/middleware/stream.js

@@ -218,6 +218,8 @@ module.exports = adapter => {
     return service
       .run(() => {
         return service.dispatch(cdsReq).then(async result => {
+          if (res.headersSent) return
+
           _validateStream(req, result)
 
           if (validateIfNoneMatch(cdsReq.target, req.headers?.['if-none-match'], result)) return res.sendStatus(304)
@@ -241,6 +243,8 @@ module.exports = adapter => {
         })
       })
       .then(() => {
+        if (res.headersSent) return
+
         handleSapMessages(cdsReq, req, res)
 
         res.end()

package/libx/odata/middleware/update.js

@@ -6,6 +6,7 @@ const getODataMetadata = require('../utils/metadata')
 const postProcess = require('../utils/postProcess')
 const readAfterWrite4 = require('../utils/readAfterWrite')
 const getODataResult = require('../utils/result')
+const normalizeTimeData = require('../utils/normalizeTimeData')
 
 const { getKeysAndParamsFromPath } = require('../../common/utils')
 
@@ -69,6 +70,7 @@ module.exports = adapter => {
 
     // payload & params
     const data = _propertyAccess ? { [_propertyAccess]: req.body.value } : req.body
+    normalizeTimeData(data, model, target)
     const { keys, params } = getKeysAndParamsFromPath(from, { model })
     // add keys from url into payload (overwriting if already present)
     if (!_propertyAccess) Object.assign(data, keys)
@@ -112,6 +114,8 @@ module.exports = adapter => {
         })
       })
       .then(result => {
+        if (res.headersSent) return
+
         handleSapMessages(cdsReq, req, res)
 
         // case: read after write returns no results, e.g., due to auth (academic but possible)

package/libx/odata/parse/afterburner.js

@@ -447,7 +447,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
           _resolveAliasesInXpr(ref[i].where, current)
           _processWhere(ref[i].where, current)
         }
-      } else if (current.kind === 'element' && current.elements && i < ref.length - 1) {
+      } else if (current.kind === 'element' && current.type !== 'cds.Map' && current.elements && i < ref.length - 1) {
         // > structured
         continue
       } else {
@@ -474,7 +474,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
           Object.defineProperty(cqn, '_propertyAccess', { value: current.name, enumerable: false })
 
           // if we end up with structured, keep path as is, if we end up with property in structured, cut off property
-          if (!current.elements) from.ref.splice(-1)
+          if (!current.elements || current.type === 'cds.Map') from.ref.splice(-1)
           break
         } else if (Object.keys(target.elements).includes(current.name)) {
           if (!cqn.SELECT.columns) cqn.SELECT.columns = []

package/libx/odata/parse/multipartToJson.js

@@ -138,7 +138,6 @@ const _parseStream = async function* (body, boundary) {
 
       if (typeof ret !== 'number') {
         if (ret.message === 'Parse Error') {
-          // console.trace(ret, ret.bytesParsed ? `\n\nin:\n${changed.substr(0, ret.bytesParsed + 1)}\n\n` : '')
           ret.statusCode = 400
           ret.message = `Error while parsing batch body at position ${ret.bytesParsed}: ${ret.reason}`
         }

package/libx/odata/utils/normalizeTimeData.js

@@ -0,0 +1,43 @@
+const normalizeTimestamp = require('../../_runtime/common/utils/normalizeTimestamp')
+const getTemplate = require('../../_runtime/common/utils/template')
+
+const _processorFn = elementInfo => {
+  const { row, plain } = elementInfo
+  if (typeof row !== 'object') return
+  for (const category of plain.categories) {
+    const { row, key } = elementInfo
+    if (!(row[key] == null) && row[key] !== '$now') {
+      switch (category) {
+        case 'cds.DateTime':
+          row[key] = new Date(row[key]).toISOString().replace(/\.\d\d\d/, '')
+          break
+        case 'cds.Timestamp':
+          row[key] = normalizeTimestamp(row[key])
+          break
+        // no default
+      }
+    }
+  }
+}
+
+const _pick = element => {
+  const categories = []
+  if (element.type === 'cds.DateTime') categories.push('cds.DateTime')
+  if (element.type === 'cds.Timestamp') categories.push('cds.Timestamp')
+  if (categories.length) return { categories }
+}
+
+module.exports = function normalizeTimeData(data, model, target) {
+  if (
+    !data ||
+    (Array.isArray(data) && data.length === 0) ||
+    (typeof data === 'object' && Object.keys(data).length === 0)
+  ) {
+    return
+  }
+  const template = getTemplate('normalize-datetime', { model }, target, { pick: _pick })
+
+  if (template.elements.size === 0) return
+
+  template.process(data, _processorFn)
+}

package/libx/odata/utils/readAfterWrite.js

@@ -88,7 +88,7 @@ const _getColumns = (target, data, prefix = []) => {
     if (each in DRAFT_COLUMNS_MAP) continue
     if (!cds.env.features.stream_compat && target.elements[each].type === 'cds.LargeBinary') continue
     const element = target.elements[each]
-    if (element.elements && data[each]) {
+    if (element.elements && data[each] && element.type !== 'cds.Map') {
       prefix.push(element.name)
       columns.push(..._getColumns(element, data[each], prefix))
       prefix.pop()

package/libx/outbox/index.js

@@ -188,7 +188,7 @@ const processMessages = async (service, tenant, _opts = {}) => {
       if (toBeDeleted.length === opts.chunkSize) {
         processMessages(service, tenant, opts) // We only processed max. opts.chunkSize, so there might be more
       } else {
-        LOG._trace && LOG.trace(`${name}: All messages processed`)
+        LOG._debug && LOG.debug(`${name}: All messages processed`)
       }
     }, config)
     spawn.on('done', () => {

package/libx/rest/RestAdapter.js

@@ -115,11 +115,11 @@ class RestAdapter extends HttpAdapter {
 
     // handle result
     router.use((req, res) => {
-      const { result, status, location } = req._result // REVISIT: Ugly voodoo _req._result channel -> eliminate
-
       // if authentication or something else within the processing of a cds.Request terminates the request, no need to continue
       if (res.headersSent) return
 
+      const { result, status, location } = req._result // REVISIT: Ugly voodoo _req._result channel -> eliminate
+
       // post process
       let definition = req._operation || req._query.__target
       if (typeof definition === 'string')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "8.6.2",
+  "version": "8.7.1",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [
@@ -39,11 +39,15 @@
     "@sap/cds-foss": "^5.0.0"
   },
   "peerDependencies": {
-    "express": ">=4"
+    "express": "^4",
+    "tar": "^7"
   },
   "peerDependenciesMeta": {
     "express": {
       "optional": true
+    },
+    "tar": {
+      "optional": true
     }
   }
 }

package/lib/srv/protocols/odata-v2.js

@@ -1,26 +0,0 @@
-const cds = require('../../index'), { decodeURIComponent } = cds.utils
-const LOG = cds.log('odata-v2')
-const logger = function cap_legacy_req_logger (req,_,next) {
-  if (/\$batch$/.test(req.url)) {
-    const prefix = decodeURIComponent(req.originalUrl).replace('$batch','')
-    req.on ('dispatch', (req) => {
-      LOG && LOG (req.event, prefix+decodeURIComponent(req._path), req._query||'')
-      if (LOG._debug && req.query) LOG.debug (req.query)
-    })
-  } else {
-    LOG && LOG (req.method, decodeURIComponent(req.originalUrl), req.body||'')
-  }
-  next()
-}
-
-const ODataV2Proxy = require('./odata-v2-proxy') // ('@sap/cds-odata-v2-adapter-proxy')
-module.exports = function ODataV2Adapter (srv) {
-  const proxy = new ODataV2Proxy ({
-    sourcePath: srv.path,
-    targetPath: '/odata/v4',
-    target: 'auto', // to detect server url + port dynamically
-    logLevel: 'warn',
-    ...srv.options, path:""
-  })
-  return [ logger, proxy ]
-}