@sap/cds 8.7.2 → 8.8.1

package/lib/srv/protocols/okra.js

@@ -10,13 +10,11 @@ module.exports = function ODataAdapter(srv) {
   router.use(function odata_log(req, _, next) {
     let url = decodeURI(req.originalUrl)
     LOG && LOG(req.method, url, req.body || '')
-    if (/\$batch/.test(req.url))
-      req.on('dispatch', req => {
-        let path = decodeURI(req._.odataReq?._rawODataPath || '')
-        LOG && LOG('>', req.event, path, req._queryOptions || '')
-        if (LOG._debug && req.query) LOG.debug(req.query) //> why only for batch subrequests?
-      })
-
+    if (/\$batch/.test(req.url)) req._okra_logger = req => {
+      let path = decodeURI(req._.odataReq?._rawODataPath || '')
+      LOG && LOG('>', req.event, path, req._queryOptions || '')
+      if (LOG._debug && req.query) LOG.debug(req.query) //> why only for batch subrequests?
+    }
     next()
   })
   router.use(legacy_adapter4(srv))

package/lib/srv/srv-dispatch.js

@@ -15,11 +15,6 @@ exports.dispatch = async function dispatch (req) { //NOSONAR
   if (!this.context) return this.run (tx => tx.dispatch(req))
   if (!req.tx) req.tx = this // `this` is a tx from now on...
 
-  // REVISIT: remove together with okra
-  // Inform potential listeners
-  let _is_root = req.constructor.name in { ODataRequest:1 }
-  if (_is_root) req._.req.emit ('dispatch',req)
-
   // Handle batches of queries
   if (_is_array(req.query)) return Promise.all (req.query.map (
     q => this.dispatch ({ query:q, context: req.context, __proto__:req })

package/lib/test/cds-test.js

@@ -1,3 +1,12 @@
+module.exports = require_local('@cap-js/cds-test')
+
+// TODO remove the code below with cds 9
+if (!module.exports) {
+
+const { RED, RESET } = require('../utils/colors')
+// eslint-disable-next-line no-console
+console.error(RED+'Test support will move to package @cap-js/cds-test in @sap/cds v9.\nGet ready and add a dependency to it:\n  npm add -D @cap-js/cds-test\n'+RESET)
+
 /**
  * Instances of this class are constructed and returned by cds.test().
  */
@@ -149,15 +158,23 @@ class Test extends require('./axios') {
    * Lazily loads and returns an instance of chai
    */
   get chai() {
-    let chai = require('chai')
+    const chai = require('chai')
     chai.use (require('chai-subset'))
-    chai.use (require('chai-as-promised'))
+    const chaip = require('chai-as-promised')
+    chai.use (chaip.default/*v8 on ESM*/ ?? chaip/*v7*/)
     return chai
     function require (mod) { try { return module.require(mod) } catch(e) {
-      if (e.code === 'MODULE_NOT_FOUND') throw new Error (`
-      Failed to load required package '${mod}'. Please add it thru:
-      npm add -D chai@4 chai-as-promised@7 chai-subset
-    `)}}
+      if (e.code === 'MODULE_NOT_FOUND')
+        throw new Error (`Failed to load required package '${mod}'. Please add it thru:`
+        + `\n  npm add -D chai chai-as-promised chai-subset`, {cause: e})
+      else if (e.name === 'SyntaxError') // Jest stumbling over ESM
+        throw new Error (`Jest failed to load ESM package '${mod}'.`
+        + `\nDowngrade '${mod}' to the major version before, or use a different test runner like 'node --test'.\n`, {cause: e})
+      else if (e.code === 'ERR_REQUIRE_ESM') // node --test on older Node versions
+        throw new Error (`Failed to load ESM package '${mod}'. This only is supported on Node.js >= 23.`
+          + `\nUpgrade your Node.js installation or downgrade '${mod}' to the major version before.\n`, {cause: e})
+      else throw e
+    }}
   }
   set expect(x) { super.expect = x }
   get expect() { return _expect || this.chai.expect }
@@ -235,3 +252,14 @@ let _expect = undefined
     }))
   }
 })()
+
+}
+
+function require_local(id) {
+  const cds = require('..')
+  try {
+    return require(require.resolve(id, { paths: [cds.root, __dirname] }))
+  } catch (e) {
+    if (e.code !== 'MODULE_NOT_FOUND')  throw e
+  }
+}

package/libx/_runtime/cds-services/adapter/odata-v4/ODataRequest.js

@@ -210,6 +210,7 @@ class ODataRequest extends cds.Request {
     this._.odataRes = odataRes
 
     Object.defineProperty(this, 'protocol', { value: 'odata' })
+    req._okra_logger?.(this)
   }
 }
 

package/libx/_runtime/common/generic/auth/restrict.js

@@ -296,7 +296,7 @@ const isBoundToCollection = action =>
 const restrictBoundActionFunctions = async (req, resolvedApplicables, definition, srv) => {
   if (req.target?.actions?.[req.event] && !isBoundToCollection(req.target.actions[req.event])) {
     // Clone to avoid target modification, which would cause a different query
-    const query = cds.ql.clone(req.query) ?? SELECT.from(req.subject)
+    const query = req.query ? cds.ql.clone(req.query) : SELECT.one.from(req.subject)
     _addRestrictionsToRead({ query: query, target: req.target }, cds.model, resolvedApplicables)
     const result = await (cds.env.features.compat_restrict_bound ? srv : cds.tx(req)).run(query)
     if (!result || result.length === 0) {

package/libx/_runtime/common/generic/auth/service.js

@@ -14,8 +14,8 @@ function handler(req) {
   }
 
   const requires = _getRequiresAsArray(this.definition)
-
-  if (!requires || requires.some(role => req.user.is(role))) return
+  // internal-user is considered as a concept to protect the endpoints, local app service calls are always allowed
+  if (!requires || requires.some(role => req.user.is(role)) || requires.includes('internal-user')) return
   reject(req, getRejectReason(req, '@requires', this.definition))
 }
 

package/libx/_runtime/common/generic/auth/utils.js

@@ -126,7 +126,8 @@ const resolveUserAttrs = (where, req) => {
             } else if (where[i + 2] && operators.has(where[i + 1])) {
               where.splice(i, 3, { val: '1' }, '=', { val: '2' })
             } else if (where[i + 1] === 'is') {
-              where.splice(i, where[i + 2] === 'not' ? 4 : 3, { val: '1' }, '=', { val: '2' })
+              val = null
+              break
             }
           } else val = val?.[attr]
         }

package/libx/_runtime/common/generic/input.js

@@ -260,7 +260,7 @@ async function commonGenericInput(req) {
     const bound = req.target.actions?.[req.event] || req.target.actions?.[req._.event]
     if (bound) assertOptions.path = [bound['@cds.odata.bindingparameter.name'] || 'in']
 
-    if (req.protocol) assertOptions.rejectIgnore = true
+    if (req.protocol && !_is_activate) assertOptions.rejectIgnore = true
 
     const errs = cds.validate(req.data, req.target, assertOptions)
     if (errs) {

package/libx/_runtime/common/utils/binary.js

@@ -1,5 +1,3 @@
-const getTemplate = require('./template')
-
 // convert the standard base64 encoding to the URL-safe variant
 const toBase64url = value => {
   const buffer = Buffer.isBuffer(value) ? value : Buffer.from(value, 'base64')
@@ -29,40 +27,8 @@ const isInvalidBase64string = value => {
   return base64value.length > normalized.length
 }
 
-const _picker = element => {
-  const categories = {}
-  if (Array.isArray(element)) return
-  if (element.type !== 'cds.Binary' && element.type !== 'cds.LargeBinary') return
-  categories['convert_binary'] = true
-  return categories
-}
-
-const _processorFn =
-  toBuffer =>
-  ({ row, key, plain: categories }) => {
-    if (categories['convert_binary'] && row[key] != null) {
-      if (toBuffer && typeof row[key] === 'string') row[key] = Buffer.from(row[key], 'base64')
-      if (!toBuffer && Buffer.isBuffer(row[key])) row[key] = row[key].toString('base64')
-    }
-  }
-
-const _processBinaryData = (data, srv, definition, toBuffer) => {
-  const template = getTemplate('rest-payload', srv, definition, { pick: _picker })
-  template.process(data, _processorFn(toBuffer))
-}
-
-const base64ToBuffer = (data, srv, definition) => {
-  _processBinaryData(data, srv, definition, true)
-}
-
-const bufferToBase64 = (data, srv, definition) => {
-  _processBinaryData(data, srv, definition, false)
-}
-
 module.exports = {
   normalizeBase64string,
   isInvalidBase64string,
-  toBase64url,
-  base64ToBuffer,
-  bufferToBase64
+  toBase64url
 }

package/libx/_runtime/common/utils/rewriteAsterisks.js

@@ -24,9 +24,11 @@ const _expandColumn = (column, target, _4db) => {
 
 const _resolveTarget = (ref, target) => {
   if (ref.length > 1) {
-    if (target.elements[ref[0]]) {
+    const element = target.elements[ref[0]]
+    if (element) {
+      if (element.isAssociation) throw cds.error(`Navigation "${ref.join('/')}" in expand is not supported`)
       // structured
-      return _resolveTarget(ref.slice(1), target.elements[ref[0]])
+      return _resolveTarget(ref.slice(1), element)
     } else {
       // in case there is an alias, try with the next entry
       return _resolveTarget(ref.slice(1), target)
@@ -107,12 +109,7 @@ const rewriteAsterisks = (query, model, options) => {
       // REVISIT these are two nasty hacks for UNION and JOIN,
       // which should be implemented generically.
       // Please, do not continue to develop here if possible.
-      if (
-        query.SELECT.from.SET &&
-        query.SELECT.from.SET.args[0] &&
-        query.SELECT.from.SET.args[0].SELECT &&
-        query.SELECT.from.SET.args[0].SELECT.columns
-      ) {
+      if (query.SELECT.from.SET?.args[0]?.SELECT?.columns) {
         // > best-effort derive column list from first join element if given
         query.SELECT.columns = query.SELECT.from.SET.args[0].SELECT.columns.map(c => ({
           ref: [c.as || c.ref[c.ref.length - 1]]

package/libx/_runtime/fiori/lean-draft.js

@@ -384,11 +384,9 @@ cds.ApplicationService.prototype.handle = async function (req) {
       (query.DELETE && 'DELETE') ||
       req.event
     _req.params = req.params
-    _req._ = Object.assign({}, req._ || {})
-    _req._.params = req.params
-    _req._.query = query
     if (req.protocol) _req.protocol = req.protocol
     _req._ = req._
+    if (!_req._.event) _req._.event = req.event
     const cqnData = _req.query.UPDATE?.data || _req.query.INSERT?.entries?.[0]
     if (cqnData) _req.data = cqnData // must point to the same object
     Object.defineProperty(_req, '_messages', {
@@ -922,7 +920,7 @@ const Read = {
     const orderByExpr = query.SELECT.orderBy
     const getOrderByColumns = columns => {
       const selectAll = columns === undefined || columns.includes('*')
-      const queryColumns = !selectAll && columns && columns.map(column => column?.ref?.[0]).filter(c => c)
+      const queryColumns = !selectAll && columns && columns.map(column => column.as || column?.ref?.[0]).filter(c => c)
       const newColumns = []
 
       for (const column of orderByExpr) {

package/libx/common/utils/path.js

@@ -3,7 +3,7 @@ const { getKeysForNavigationFromRefPath } = require('../../_runtime/common/utils
 
 // REVISIT: do we already have something like this _without using okra api_?
 // REVISIT: should we still support process.env.CDS_FEATURES_PARAMS? probably nobody uses it...
-const getKeysAndParamsFromPath = (from, { model }) => {
+exports.getKeysAndParamsFromPath = (from, { model }) => {
   if (!from.ref || !from.ref.length) return {}
 
   const keys = {}
@@ -44,7 +44,3 @@ const getKeysAndParamsFromPath = (from, { model }) => {
 
   return { keys, params }
 }
-
-module.exports = {
-  getKeysAndParamsFromPath
-}

package/libx/common/utils/streaming.js

@@ -0,0 +1,76 @@
+const { Readable } = require('node:stream')
+
+exports.validateMimetypeIsAcceptedOrThrow = (headers, contentType) => {
+  if (!contentType || !headers?.accept) return
+  if (headers.accept.includes('*/*')) return
+  if (headers.accept.includes(contentType)) return
+  if (headers.accept.includes(contentType.slice(0,contentType.indexOf('/')) + '/*')) return
+  const msg = `Content type "${contentType}" is not listed in accept header "${headers.accept}"`
+  throw Object.assign(new Error(msg), { statusCode: 406 })
+}
+
+// REVISIT: We should use express' res.type(...) instead of res.set('Content-Type', ...)
+const _mimetypes = {
+  '.pdf': 'application/pdf',
+  '.csv': 'text/csv',
+  '.html': 'text/html',
+  '.css': 'text/css',
+  '.png': 'image/png',
+  '.jpeg': 'image/jpeg',
+  '.jpg': 'image/jpeg',
+}
+
+const { extname } = require('path')
+const _mimetype4 = filename => {
+  if (!filename) return
+  const filetype = extname(filename).toLowerCase()
+  return _mimetypes[filetype]
+}
+
+const _annotation = (def,a) => {
+  if (!def) return
+  if (typeof def[a] === 'string') return def[a]
+}
+
+// REVISIT: Such helpers are a pain -> use classes with methods instead, e.g. RestAdapter extends HttpAdapter, ODataAdapter extends RestAdapter, etc.
+exports.collectStreamMetadata = (result, operation, query) => {
+  const element = query?._propertyAccess ? query.target?.elements?.[query._propertyAccess] : undefined
+  const returns = operation?.returns
+
+  const filename =
+    result.$mediaContentDispositionFilename ?? // legacy -> support for odata only?
+    result.filename ??
+    _annotation (returns, '@Core.ContentDisposition.Filename')
+    _annotation (element, '@Core.ContentDisposition.Filename')
+
+  const disposition =
+    result.$mediaContentDispositionType ?? // legacy -> support for odata only?
+    _annotation (returns, '@Core.ContentDisposition.Type') ??
+    _annotation (element, '@Core.ContentDisposition.Type') ??
+    (filename ? 'attachment' : 'inline')
+
+  const mimetype =
+    result['*@odata.mediaContentType'] ??  // compat -> support for odata only?
+    result.$mediaContentType ??           // legacy -> support for odata only?
+    result.mimetype ??
+    _mimetype4 (filename) ??
+    _mimetype4 (result.path) ??         // e.g. for file downloads
+    _annotation (returns, '@Core.MediaType') ??
+    _annotation (element, '@Core.MediaType') ??
+    'application/octet-stream' // REVISIT: or rather default to undefined?
+
+  return { mimetype, filename, disposition }
+}
+
+exports.getReadable = function readable4 (result) {
+  if (result == null) return
+  if (typeof result !== 'object') {
+    const stream = new Readable()
+    stream.push(result)
+    stream.push(null)
+    return stream
+  }
+  if (result instanceof Readable) return result
+  if (result.value) return readable4 (result.value) // REVISIT: for OData legacy only?
+  if (Array.isArray(result)) return readable4 (result[0]) // compat // REVISIT: remove ?
+}

package/libx/odata/middleware/create.js

@@ -8,7 +8,7 @@ const readAfterWrite4 = require('../utils/readAfterWrite')
 const getODataResult = require('../utils/result')
 const normalizeTimeData = require('../utils/normalizeTimeData')
 
-const { getKeysAndParamsFromPath } = require('../../common/utils')
+const { getKeysAndParamsFromPath } = require('../../common/utils/path')
 
 module.exports = (adapter, isUpsert) => {
   // REVISIT: adapter should be this
@@ -33,6 +33,10 @@ module.exports = (adapter, isUpsert) => {
 
     // payload & params
     const data = req.body
+    if (Array.isArray(data)) {
+      const msg = 'Only single entity representations are allowed'
+      throw Object.assign(new Error(msg), { statusCode: 400 })
+    }
     normalizeTimeData(data, model, target)
     const { keys, params } = getKeysAndParamsFromPath(from, { model })
     // add keys from url into payload (overwriting if already present)

package/libx/odata/middleware/delete.js

@@ -3,7 +3,7 @@ const { UPDATE, DELETE } = cds.ql
 
 const { handleSapMessages, getPreferReturnHeader } = require('../utils')
 
-const { getKeysAndParamsFromPath } = require('../../common/utils')
+const { getKeysAndParamsFromPath } = require('../../common/utils/path')
 
 module.exports = adapter => {
   const { service } = adapter

package/libx/odata/middleware/operation.js

@@ -1,11 +1,16 @@
 const cds = require('../../../')
 
-const { cds2edm, handleSapMessages, calculateLocationHeader } = require('../utils')
 const getODataMetadata = require('../utils/metadata')
 const postProcess = require('../utils/postProcess')
 const getODataResult = require('../utils/result')
 
-const { getKeysAndParamsFromPath } = require('../../common/utils')
+const { cds2edm, handleSapMessages, calculateLocationHeader } = require('../utils')
+const { getKeysAndParamsFromPath } = require('../../common/utils/path')
+const {
+  collectStreamMetadata,
+  getReadable,
+  validateMimetypeIsAcceptedOrThrow
+} = require('../../common/utils/streaming')
 
 const _findEdmNameFor = (definition, namespace, fullyQualified = false) => {
   let name
@@ -93,20 +98,59 @@ module.exports = adapter => {
     // we need a cds.Request for multiple reasons, incl. params, headers, sap-messages, read after write, ...
     const cdsReq = adapter.request4({ query, event, data, params, headers, target: query?.target, req, res })
 
+    const _isStream = operation.returns?._type === 'cds.LargeBinary' && !!operation.returns['@Core.MediaType']
+
     // NOTES:
     // - only via srv.run in combination with srv.dispatch inside,
     //   we automatically either use a single auto-managed tx for the req (i.e., insert and read after write in same tx)
     //   or the auto-managed tx opened for the respective atomicity group, if exists
     // - in the then block of .run(), the transaction is committed (i.e., before sending the response) if a single auto-managed tx is used
     return service
-      .run(() => service.dispatch(cdsReq))
+      .run(() =>
+        service.dispatch(cdsReq).then(result => {
+          if (res.headersSent) return result
+          if (!_isStream) return result
+          handleSapMessages(cdsReq, req, res)
+
+          const stream = getReadable(result)
+          if (!stream) return res.sendStatus(204)
+
+          const { mimetype, filename, disposition } = collectStreamMetadata(result, operation, query)
+          validateMimetypeIsAcceptedOrThrow(req.headers, mimetype)
+          if (!res.get('content-type')) res.set('content-type', mimetype)
+          if (filename && !res.get('content-disposition'))
+            res.set('content-disposition', `${disposition}; filename="${encodeURIComponent(filename)}"`)
+
+          return new Promise((resolve, reject) => {
+            if (res.destroyed)
+              return reject(
+                new cds.error({ code: 'ERR_STREAM_PREMATURE_CLOSE', message: 'Response was closed while streaming' })
+              )
+            stream.pipe(res)
+            stream.on('end', () => resolve(result))
+            stream.once('error', reject)
+            let finished = false
+            res.on('finish', () => (finished = true))
+            res.on(
+              'close',
+              () =>
+                !finished &&
+                reject(
+                  new cds.error({
+                    code: 'ERR_STREAM_PREMATURE_CLOSE',
+                    message: 'Response was closed while streaming'
+                  })
+                )
+            )
+          }).then(() => res.end())
+        })
+      )
       .then(result => {
         if (res.headersSent) return
 
         handleSapMessages(cdsReq, req, res)
 
         if (operation.returns?.items && result == null) result = []
-
         if (!operation.returns || result == null) return res.sendStatus(204)
 
         if (operation.returns._type?.match?.(/^cds\./)) {

package/libx/odata/middleware/read.js

@@ -7,7 +7,7 @@ const getODataMetadata = require('../utils/metadata')
 const postProcess = require('../utils/postProcess')
 const getODataResult = require('../utils/result')
 
-const { getKeysAndParamsFromPath } = require('../../common/utils')
+const { getKeysAndParamsFromPath } = require('../../common/utils/path')
 
 const { getPageSize } = require('../../_runtime/common/generic/paging')
 const { handleStreamProperties } = require('../../_runtime/common/utils/streamProp')

package/libx/odata/middleware/stream.js

@@ -1,13 +1,14 @@
 const cds = require('../../../')
 const LOG = cds.log('odata')
-
-const { Readable } = require('node:stream')
+const getError = require('../../_runtime/common/error')
 
 const { handleSapMessages, validateIfNoneMatch, isStream, isRedirect } = require('../utils')
-
-const { getKeysAndParamsFromPath } = require('../../common/utils')
-
-const getError = require('../../_runtime/common/error')
+const { getKeysAndParamsFromPath } = require('../../common/utils/path')
+const {
+  collectStreamMetadata,
+  validateMimetypeIsAcceptedOrThrow,
+  getReadable
+} = require('../../common/utils/streaming')
 const { getTransition } = require('../../_runtime/common/utils/resolveView')
 
 const _resolveContentProperty = (target, annotName, resolvedProp) => {
@@ -71,94 +72,6 @@ const _addStreamMetadata = query => {
   }
 }
 
-const _validateStream = (req, result) => {
-  // REVISIT: compat, should actually be treated as object
-  if (!Array.isArray(result)) result = [result]
-
-  // Reading one entity or a property of it should yield only a result length of one.
-  if (result.length === 0 || result[0] === undefined) throw getError(404)
-
-  if (result.length > 1) throw getError(400)
-
-  if (result[0] === null) return
-
-  result = result[0]
-
-  const headers = req.headers
-  const contentType = result.$mediaContentType
-
-  if (!headers?.accept || !contentType) return
-
-  if (
-    !headers.accept.includes('*/*') &&
-    !headers.accept.includes(contentType) &&
-    !headers.accept.includes(contentType.split('/')[0] + '/*')
-  ) {
-    const msg = `Content type "${contentType}" is not listed in accept header "${headers.accept}"`
-    throw Object.assign(new Error(msg), { statusCode: 406 })
-  }
-}
-
-const _ensureStream = stream => {
-  if (stream === null) return null
-  // temp workaround for url streaming
-  const stream_ = new Readable()
-  stream_.push(stream)
-  stream_.push(null)
-  return stream_
-}
-
-const _normalizeStream = (result, propertyName, lastPathElement, target) => {
-  if (!result) return null
-
-  let readable = result
-  if (typeof result === 'object') {
-    if (propertyName && result[propertyName] !== undefined) {
-      readable = result[propertyName]
-    }
-    // implicit streaming
-    else if (lastPathElement === '$value') {
-      const property = Object.values(target.elements).find(
-        el => el.type === 'cds.LargeBinary' && result[el.name] !== undefined
-      )
-      readable = property && result[property.name]
-    }
-    // result.value can be obtained from custom handlers
-    else if (result.value !== undefined) {
-      readable = result.value
-    }
-  }
-
-  if (!(readable instanceof Readable)) {
-    readable = _ensureStream(readable)
-  }
-
-  if (readable) {
-    readable.on('error', () => {
-      readable.removeAllListeners('error')
-      // readable.destroy() does not end stream in node 10 and 12
-      readable.push(null)
-    })
-  }
-
-  return readable
-}
-
-const _setStreamingHeaders = (result, res) => {
-  // backwards compatibility for Content-Type in stream
-  if (result['$mediaContentType']) res.setHeader('Content-Type', result.$mediaContentType)
-  else if (result['*@odata.mediaContentType']) res.setHeader('Content-Type', result['*@odata.mediaContentType'])
-  else res.setHeader('Content-Type', 'application/octet-stream')
-
-  if ('$mediaContentDispositionFilename' in result) {
-    const cdt = result.$mediaContentDispositionType || 'attachment'
-    res.setHeader(
-      'content-disposition',
-      `${cdt}; filename="${encodeURIComponent(result.$mediaContentDispositionFilename)}"`
-    )
-  }
-}
-
 module.exports = adapter => {
   const { service } = adapter
 
@@ -171,7 +84,7 @@ module.exports = adapter => {
     if (isRedirect(query)) {
       const cdsReq = adapter.request4({ query, req, res })
 
-      service.dispatch(cdsReq).then(result => {
+      return service.dispatch(cdsReq).then(result => {
         if (result[query._propertyAccess]) res.set('Location', result[query._propertyAccess])
         return res.sendStatus(307)
       })
@@ -219,17 +132,32 @@ module.exports = adapter => {
       .run(() => {
         return service.dispatch(cdsReq).then(async result => {
           if (res.headersSent) return
-
-          _validateStream(req, result)
+          if (result === undefined) throw getError(404) // entity is not existing
+          if (result === null) return res.sendStatus(204) // custom handler returns null
 
           if (validateIfNoneMatch(cdsReq.target, req.headers?.['if-none-match'], result)) return res.sendStatus(304)
 
-          const stream = _normalizeStream(result, query._propertyAccess, lastPathElement, query.target)
-          if (stream === null) return res.sendStatus(204)
+          const { mimetype, filename, disposition } = collectStreamMetadata(result, undefined, query)
+          if (pdfMimeType && !mimetype) result.mimetype = 'application/pdf' // REVISIT: Is compat still needed?
+
+          // REVISIT: If accessed property is undefined - why prevent 404?
+          if (query._propertyAccess && result[query._propertyAccess] !== undefined) {
+            result = result[query._propertyAccess]
+          } else if (lastPathElement === '$value') {
+            // Implicit streaming
+            const property = Object.values(query.target.elements).find(
+              el => el.type === 'cds.LargeBinary' && result[el.name] !== undefined
+            )
+            result = property && result[property.name]
+          }
 
-          if (pdfMimeType && !result.$mediaContentType) result.$mediaContentType = 'application/pdf'
+          const stream = getReadable(result)
+          if (!stream) return res.sendStatus(204)
 
-          _setStreamingHeaders(result, res)
+          validateMimetypeIsAcceptedOrThrow(req.headers, mimetype)
+          if (!res.get('content-type')) res.set('content-type', mimetype)
+          if (filename && !res.get('content-disposition'))
+            res.set('content-disposition', `${disposition}; filename="${encodeURIComponent(filename)}"`)
 
           return new Promise((resolve, reject) => {
             if (res.destroyed)

package/libx/odata/middleware/update.js

@@ -8,7 +8,7 @@ const readAfterWrite4 = require('../utils/readAfterWrite')
 const getODataResult = require('../utils/result')
 const normalizeTimeData = require('../utils/normalizeTimeData')
 
-const { getKeysAndParamsFromPath } = require('../../common/utils')
+const { getKeysAndParamsFromPath } = require('../../common/utils/path')
 
 const _isUpsertAllowed = ({ target, data, event }) => {
   return (