@sap/cds 8.8.0 → 8.8.2

package/CHANGELOG.md

@@ -4,6 +4,30 @@
 - The format is based on [Keep a Changelog](https://keepachangelog.com/).
 - This project adheres to [Semantic Versioning](https://semver.org/).
 
+## Version 8.8.2 - 2025-03-13
+
+### Fixed
+
+- Consuming REST actions returning anonymous structures
+- `i18n.labels/messages` were occasionally missing
+
+## Version 8.8.1 - 2025-03-07
+
+### Fixed
+
+- Requests violating `cds.odata.max_batch_header_size` are terminated with `431 Request Header Fields Too Large` instead of `400 - Bad Request`
+- `cds.parse.<x>` writing directly to `stdout`
+- Instance-based authorization for programmatic action invocations
+- Implicit function parameter calls with Array or Object values
+- OData: Throw an error by `POST` with payload that contains array of entity representation
+- `cds.validate` filters out annotations according to OData V4 spec
+- Crash for requests with invalid time data format
+- Add missing 'and' between conditions in object notation of QL
+- Multiline payloads in `$batch` sub requests
+- Instance-based authorization for modeling like `$user.<property> is null`
+- Respect `cds.odata.contextAbsoluteUrl` in new OData adapter 
+- `cds.odata.context_with_columns` also applies to singletons
+
 ## Version 8.8.0 - 2025-03-03
 
 ### Added

package/lib/compile/parse.js

@@ -29,7 +29,7 @@ exports.path = function path (x,...etc) {
   const [,head,tail] = /^([\w._]+)(?::(\w+))?$/.exec(x)||[]
   if (tail) return {ref:[head,...tail.split('.')]}
   if (head) return {ref:[head]}
-  const {SELECT} = cdsc.parse.cql('SELECT from '+x)
+  const {SELECT} = cdsc.parse.cql('SELECT from '+x, undefined, { messages: [] })
   return SELECT.from
 }
 

package/lib/i18n/bundles.js

@@ -1,5 +1,7 @@
 const cds = require('..'), {i18n} = cds.env
 const I18nFiles = require ('./files')
+const DEFAULTS = i18n.default_language
+const FALLBACK = ''
 
 
 class I18nBundle {
@@ -7,14 +9,14 @@ class I18nBundle {
   constructor (options={}) {
     this.files = new I18nFiles (options)
     this.file = this.files.basename
+    this.fallback = this.#translations[FALLBACK] = Object.assign ({}, ...this.files.content4(FALLBACK))
+    this.defaults = this.#translations[DEFAULTS] = Object.assign (
+      i18n.fatjson ? {...this.fallback} : {__proto__:this.fallback}, ...this.files.content4(DEFAULTS)
+    )
   }
 
   #translations = {}
 
-  /** The default texts to use as fallbacks if a requested translation is not found. */
-  get defaults() { return super.defaults = this.texts4 (i18n.default_language, this.fallback) }
-  get fallback() { return super.fallback = this.texts4 ('',false) }
-
   /** Synonym for {@link at `this.at`} */
   get for() { return this.at }
 
@@ -23,6 +25,7 @@ class I18nBundle {
    * Looks up the entry for the given key and locale.
    * - if `locale` is omitted, the current locale is used.
    * - if `args` are provided, fills in placeholders with them.
+   * @example cds.i18n.labels.at ('CreatedAt','de')
    * @returns {string|undefined}
    */
   at (key, locale, args) {
@@ -62,32 +65,29 @@ class I18nBundle {
 
   /**
    * Returns translated texts for a specific locale.
+   * @example cds.i18n.labels.texts4 ('de')
    */
-  texts4 (locale='', _defaults) {
+  texts4 (locale='') {
     const $ = this.#translations;             if (locale in $) return $[locale]
     const suffix = locale.replace(/-/g,'_');  if (suffix in $) return $[locale] = $[suffix]
-    // nothing cached yet, load content and create translations ...
-    let all = this.files.content4 (locale, suffix)    // load content from all folders
-    if (all.length === 0 && suffix.includes('_')) {   // nothing found, try w/o region ...
-      const lang = suffix.match(/(\w+)_/)[1]          // i.e. en_UK => en
-      if (lang in $) return $[locale] = $[lang]       // already cached -> leave method
-      else all = this.files.content4 (lang, lang)     // load content for language only
+    const all = this.files.content4 (locale, suffix) // load content from all folders
+    if (!all.length) { // nothing found, try w/o region, or return defaults
+      const _ = suffix.indexOf('_')
+      return $[locale] = $[suffix] = _ < 0 ? this.defaults : this.texts4 (suffix.slice(0,_))
     }
-    const defaults = (_defaults ?? this.defaults) || Object.prototype
-    const texts = i18n.fatjson ? Object.assign ({},defaults) : Object.create (defaults)
-    return $[locale] = $[suffix] = Object.assign (texts, ...all)
+    const texts = i18n.fatjson ? {...this.defaults} : {__proto__:this.defaults}
+    return $[locale] = $[suffix] = Object.assign (texts, ...all )
   }
 
 
   /**
    * Returns all translations for an array of locales or all locales.
-   * @example { de, fr } = cds.i18n.labels.translations('de','fr')
+   * @example { de, fr } = cds.i18n.labels.translations4 ('de','fr')
    * @param { 'all' | string[] } [locale]
    * @returns {{ [locale:string]: Record<string,string> }}
    */
   translations4 (...locales) {
-    let first = locales[0]
-    if (first == null)  locales = cds.env.i18n.languages
+    let first = locales[0] || cds.env.i18n.languages
     if (first == 'all') locales = this.files.locales()
     else if (Array.isArray(first)) locales = first
     return locales.reduce ((all,l) => (all[l] = this.texts4(l),all), {})

package/lib/i18n/files.js

@@ -36,7 +36,7 @@ class I18nFiles {
       const leafs = model?.$sources.map(path.dirname) ?? roots, visited = {}
       ;[...new Set(leafs)].reverse() .forEach (function _visit (dir) {
         if (dir in visited) return; else visited[dir] = true
-        LOG.debug ('searching for i18n files in the neighborhood of', dir)
+        LOG.debug ('fetching', basename, 'bundles in', dir, relative_folders)
         // is there an i18n folder in the currently visited directory?
         for (const each of relative_folders) {
           const f = path.join(dir,each), _exists = _folders[f] ??= exists(f)
@@ -60,6 +60,8 @@ class I18nFiles {
       const matches = (_entries[f] ??= fs.readdirSync(f)) .filter (f => f.match(base))
       if (matches.length) return files[f] = matches
     }
+
+    LOG.debug ('found', basename, 'bundles in these folders', Object.keys(files))
   }
 
 
@@ -68,7 +70,7 @@ class I18nFiles {
    * @returns {entries[]} An array of entries, one for each file found.
    */
   content4 (locale, suffix = locale?.replace(/-/g,'_')) {
-    const content = [], cached = I18nFiles.content ??= {}
+    const content = [], cached = I18nFiles[this.basename] ??= {}
     const _suffix = suffix ? '_'+ suffix : ''
     for (let dir in this) {
       const all = cached[dir] ??= this.load('.json',dir) || this.load('.csv',dir) || false
@@ -87,7 +89,7 @@ class I18nFiles {
       case '.json': return _load_json(file)
       case '.csv': return _load_csv(file)
     }}
-    finally { LOG.debug ('read:', file) }
+    finally { LOG.debug ('loading:', file) }
   }
 
 

package/lib/i18n/index.js

@@ -27,7 +27,7 @@ class I18nFacade {
    * The default bundle for UI labels and texts.
    */
   get labels() {
-    return super.labels = this.bundle4 (cds.context?.model || cds.model)
+    return super.labels = this.bundle4 (cds.model)
   }
 
   /**

package/lib/i18n/localize.js

@@ -62,7 +62,7 @@ function localize (input,...etc) {
 }
 
 exports.edmx4 = service => new class extends Localize { get input(){
-  const model = this.model || cds.context?.model || cds.model
+  const model = this.model || cds.model
   return super.input = cds.compile.to.edmx (model,{service})
 }}
 
@@ -124,7 +124,7 @@ exports.json = json => {
 }
 
 /** @deprecated */ exports.bundle4 = function (model, locale) {
-  if (typeof model === 'string') [ model, locale ] = [ cds.context?.model || cds.model, model ]
+  if (typeof model === 'string') [ model, locale ] = [ cds.model, model ]
   const b = i18n.bundle4 (model)
   return b.texts4 (locale)
 }

package/lib/ql/cds.ql-predicates.js

@@ -48,6 +48,8 @@ function _qbe (o, xpr=[]) {
   let count = 0
   for (let k in o) { const x = o[k]
 
+    if (k !== 'and' && k !== 'or' && count++) xpr.push('and')      //> add 'and' between conditions
+
     if (k.startsWith('not ')) { xpr.push('not'); k = k.slice(4) }
     switch (k) { // handle special cases like {and:{...}} or {or:{...}}
       case 'between':
@@ -83,7 +85,6 @@ function _qbe (o, xpr=[]) {
     }
 
     const a = cds.parse.ref(k)            //> turn key into a ref for the left side of the expression
-    if (count++) xpr.push('and')      //> add 'and' between conditions
     if (!x || typeof x !== 'object')  xpr.push (a,'=',{val:x})
     else if (is_array(x))             xpr.push (a,'in',{list:x.map(_val)})
     else if (x.SELECT || x.list)      xpr.push (a,'in',x)

package/lib/req/validate.js

@@ -48,7 +48,7 @@ class Validation {
   }
 
   unknown(e,d,input) {
-    if (e.startsWith('@')) return delete input[e] //> skip all annotations, like @odata.Type
+    if (e.match(/@.*\./)) return delete input[e] //> skip all annotations, like @odata.Type (according to OData spec annotations contain an "@" and a ".")
     d['@open'] || cds.error (`Property "${e}" does not exist in ${d.name}`, {status:400})
   }
 }

package/libx/_runtime/common/generic/auth/restrict.js

@@ -296,7 +296,7 @@ const isBoundToCollection = action =>
 const restrictBoundActionFunctions = async (req, resolvedApplicables, definition, srv) => {
   if (req.target?.actions?.[req.event] && !isBoundToCollection(req.target.actions[req.event])) {
     // Clone to avoid target modification, which would cause a different query
-    const query = cds.ql.clone(req.query) ?? SELECT.from(req.subject)
+    const query = req.query ? cds.ql.clone(req.query) : SELECT.one.from(req.subject)
     _addRestrictionsToRead({ query: query, target: req.target }, cds.model, resolvedApplicables)
     const result = await (cds.env.features.compat_restrict_bound ? srv : cds.tx(req)).run(query)
     if (!result || result.length === 0) {

package/libx/_runtime/common/generic/auth/utils.js

@@ -126,7 +126,8 @@ const resolveUserAttrs = (where, req) => {
             } else if (where[i + 2] && operators.has(where[i + 1])) {
               where.splice(i, 3, { val: '1' }, '=', { val: '2' })
             } else if (where[i + 1] === 'is') {
-              where.splice(i, where[i + 2] === 'not' ? 4 : 3, { val: '1' }, '=', { val: '2' })
+              val = null
+              break
             }
           } else val = val?.[attr]
         }

package/libx/_runtime/remote/Service.js

@@ -93,7 +93,7 @@ const _handleUnboundActionFunction = (srv, def, req, event) => {
   if (def.kind === 'action') {
     // REVISIT: only for "rest" unbound actions/functions, we enforce axios to return a buffer
     // required by cds-mt
-    const isBinary = srv.kind === 'rest' && def?.returns?.type.match(/binary/i)
+    const isBinary = srv.kind === 'rest' && def?.returns?.type?.match(/binary/i)
     const { headers, data } = req
 
     return srv.send({ method: 'POST', path: `/${event}`, headers, data, _binary: isBinary })

package/libx/odata/middleware/create.js

@@ -33,6 +33,10 @@ module.exports = (adapter, isUpsert) => {
 
     // payload & params
     const data = req.body
+    if (Array.isArray(data)) {
+      const msg = 'Only single entity representations are allowed'
+      throw Object.assign(new Error(msg), { statusCode: 400 })
+    }
     normalizeTimeData(data, model, target)
     const { keys, params } = getKeysAndParamsFromPath(from, { model })
     // add keys from url into payload (overwriting if already present)

package/libx/odata/parse/afterburner.js

@@ -415,6 +415,7 @@ function _processSegments(from, model, namespace, cqn, protocol) {
                   if (current.params && param in current.params) acc[param] = from._params[cur]
                   return acc
                 }, {})
+            ref[i].args = _getDataFromParams(ref[i].args, current) //resolve parameter if Object or Array
             _resolveImplicitFunctionParameters(ref[i].args)
           }
         }

package/libx/odata/parse/multipartToJson.js

@@ -116,28 +116,35 @@ const _parseStream = async function* (body, boundary) {
         .toString()
         .replace(/^--(.*)$/gm, (_, g) => `HEAD /${g} HTTP/1.1${g.slice(-2) === '--' ? CRLF : ''}`)
         // correct content-length for non-HEAD requests is inserted below
-        .replace(/content-length: \d+\r\n/gim, '')
+        .replace(/content-length: \d+\r\n/gim, '') // if content-length is given it should be taken
         .replace(/ \$/g, ' /$')
 
       // HACKS!!!
       // ensure URLs start with slashes
       changed = changed.replaceAll(/\r\n(GET|PUT|POST|PATCH|DELETE) (\w)/g, `\r\n$1 /$2`)
       // add content-length headers
-      let lastIndex = 0
-      changed = changed.replaceAll(/(\r\n){2,}(.+)[\r\n]+HEAD/g, (match, _, p1, index, original) => {
-        const part = original.substring(lastIndex, index)
-        lastIndex = index
-        return part.match(/(PUT|POST|PATCH)\s\//g) && !part.match(/content-length/i) && !p1.startsWith('HEAD /')
-          ? `${CRLF}content-length: ${Buffer.byteLength(p1)}${match}`
-          : match
-      })
+      changed = changed
+        .split(CRLF + CRLF)
+        .map((line, i, arr) => {
+          if (/^(PUT|POST|PATCH) /.test(line) && !/content-length/i.test(line)) {
+            const body = arr[i + 1].split('\r\nHEAD')[0]
+            if (body) return `${line}${CRLF}content-length: ${Buffer.byteLength(body)}`
+          }
+          return line
+        })
+        .join(CRLF + CRLF)
       // remove strange "Group ID" appendix
       changed = changed.split(`${CRLF}Group ID`)[0] + CRLF
 
       let ret = parser.execute(Buffer.from(changed))
 
       if (typeof ret !== 'number') {
-        if (ret.message === 'Parse Error') {
+        if (ret.code === 'HPE_HEADER_OVERFLOW') {
+          // same error conversion as node http server
+          ret.status = 431
+          ret.code = '431'
+          ret.message = 'Request Header Fields Too Large'
+        } else if (ret.message === 'Parse Error') {
           ret.statusCode = 400
           ret.message = `Error while parsing batch body at position ${ret.bytesParsed}: ${ret.reason}`
         }

package/libx/odata/utils/metadata.js

@@ -1,7 +1,28 @@
-const { cds2edm } = require('./index')
 const cds = require('../../../lib')
+const LOG = cds.log('odata')
+const { appURL } = require('../../_runtime/common/utils/vcap')
+const { cds2edm } = require('./index')
 const { where2obj } = require('../../_runtime/common/utils/cqn')
 
+const _getContextAbsoluteUrl = _req => {
+  const { contextAbsoluteUrl } = cds.env.odata
+  if (!contextAbsoluteUrl) return ''
+
+  if (typeof contextAbsoluteUrl === 'string') {
+    try {
+      const userDefinedURL = new URL(contextAbsoluteUrl, contextAbsoluteUrl).toString()
+      return (!userDefinedURL.endsWith('/') && `${userDefinedURL}/`) || userDefinedURL
+    } catch (e) {
+      e.message = `cds.odata.contextAbsoluteUrl could not be parsed as URL: ${contextAbsoluteUrl}`
+      LOG._warn && LOG.warn(e)
+    }
+  }
+  const reqURL = _req && _req.get && _req.get('host') && `${_req.protocol || 'https'}://${_req.get('host')}`
+  const baseAppURL = appURL || reqURL || ''
+  const serviceUrl = `${(_req && _req.baseUrl) || ''}/`
+  return baseAppURL && new URL(serviceUrl, baseAppURL).toString()
+}
+
 const _isNavToDraftAdmin = path => path.length > 1 && path[path.length - 1] === 'DraftAdministrativeData'
 
 const _lastValidRef = ref => {
@@ -14,7 +35,9 @@ const _lastValidRef = ref => {
 const _toBinaryKeyValue = value => `binary'${value.toString('base64')}'`
 
 const _odataContext = (query, options) => {
-  let path = '$metadata'
+  const { contextAbsoluteUrl, context_with_columns } = cds.env.odata
+
+  let path = _getContextAbsoluteUrl(query._req) + '$metadata'
   if (query._target.kind === 'service') return path
 
   const {
@@ -45,14 +68,14 @@ const _odataContext = (query, options) => {
   if (serviceName && !isType) edmName = edmName.replace(serviceName + '.', '').replace(/\./g, '_')
 
   // prepend "../" parent segments for relative path
-  if (ref.length > 1) path = '../'.repeat(ref.length - 1) + path
+  if (!contextAbsoluteUrl && ref.length > 1) path = '../'.repeat(ref.length - 1) + path
 
   path += edmName
 
   const lastRef = ref.at(-1)
 
   if (propertyAccess || isNavToDraftAdmin) {
-    if (propertyAccess) path = '../' + path
+    if (!contextAbsoluteUrl && propertyAccess) path = '../' + path
 
     const keyValuePairs = []
 
@@ -92,7 +115,7 @@ const _odataContext = (query, options) => {
     if (propertyAccess) path += '/' + propertyAccess
   }
 
-  if (cds.env.odata.context_with_columns && query.SELECT && !isSingleton && !propertyAccess) {
+  if (context_with_columns && query.SELECT && !propertyAccess) {
     const _calculateStringFromColumn = column => {
       if (column === '*') return
 

package/libx/odata/utils/normalizeTimeData.js

@@ -7,14 +7,17 @@ const _processorFn = elementInfo => {
   for (const category of plain.categories) {
     const { row, key } = elementInfo
     if (!(row[key] == null) && row[key] !== '$now') {
-      switch (category) {
-        case 'cds.DateTime':
-          row[key] = new Date(row[key]).toISOString().replace(/\.\d\d\d/, '')
-          break
-        case 'cds.Timestamp':
-          row[key] = normalizeTimestamp(row[key])
-          break
-        // no default
+      const dt = typeof row[key] === 'string' && new Date(row[key])
+      if (!isNaN(dt)) {
+        switch (category) {
+          case 'cds.DateTime':
+            row[key] = new Date(row[key]).toISOString().replace(/\.\d\d\d/, '')
+            break
+          case 'cds.Timestamp':
+            row[key] = normalizeTimestamp(row[key])
+            break
+          // no default
+        }
       }
     }
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sap/cds",
-  "version": "8.8.0",
+  "version": "8.8.2",
   "description": "SAP Cloud Application Programming Model - CDS for Node.js",
   "homepage": "https://cap.cloud.sap/",
   "keywords": [