@sap/cds 9.0.4 → 9.2.0

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -29,9 +29,10 @@ class EndpointRegistry {
         if (cds.context.user._is_anonymous) return res.status(401).end()
         next()
       })
-    } else if (process.env.NODE_ENV === 'production') {
-      LOG.warn('Messaging endpoints not secured')
     } else {
+      if (process.env.NODE_ENV === 'production') {
+        LOG.warn('Messaging endpoints not secured')
+      }
       // auth middlewares set cds.context.user
       cds.app.use(basePath, cds.middlewares.context())
     }

package/libx/_runtime/messaging/service.js

@@ -48,7 +48,7 @@ module.exports = class MessagingService extends cds.Service {
           srv.on(event, async msg => {
             const { data, headers } = msg
             const messaging = await cds.connect.to('messaging') // needed for potential outbox
-            return messaging.tx(msg).emit({ event: topic, data, headers })
+            return messaging.emit({ event: topic, data, headers })
           })
         }
       })

package/libx/_runtime/remote/utils/client.js

@@ -231,7 +231,7 @@ const run = async (requestConfig, options) => {
     e.message = msg ? 'Error during request to remote service: ' + msg : 'Request to remote service failed.'
     const sanitizedError = _getSanitizedError(e, requestConfig, { suppressRemoteResponseBody })
     const err = Object.assign(new Error(e.message), { statusCode: 502, reason: sanitizedError })
-    LOG._warn && LOG.warn(err)
+    cds.repl || LOG.warn(err)
     throw err
   }
 
@@ -306,6 +306,7 @@ const _cqnToReqOptions = (query, service, req) => {
   const reqOptions = {
     method: queryObject.method,
     url: queryObject.path
+      // REVISIT: remove when we can assume that number of remote services running Okra is negligible
       // ugly workaround for Okra not allowing spaces in ( x eq 1 )
       .replace(/\( /g, '(')
       .replace(/ \)/g, ')')

package/libx/common/assert/utils.js

@@ -50,21 +50,11 @@ function isBase64String(string, strict = false) {
   return true
 }
 
-const resolveCDSType = ele => {
-  // REVISIT: when is ele._type not set and sufficient?
-  if (ele._type?.match(/^cds\./)) return ele._type
-  if (ele.type) {
-    if (ele.type.match(/^cds\./)) return ele.type
-    return resolveCDSType(ele.__proto__)
-  }
-  if (ele.items) return resolveCDSType(ele.items)
-  return ele
-}
+
 
 
 module.exports = {
   getNormalizedDecimal,
   getTarget,
-  isBase64String,
-  resolveCDSType
+  isBase64String
 }

package/libx/common/utils/streaming.js

@@ -64,14 +64,9 @@ exports.collectStreamMetadata = (result, operation, query) => {
 }
 
 exports.getReadable = function readable4 (result) {
-  if (result == null) return
-  if (typeof result !== 'object') {
-    const stream = new Readable()
-    stream.push(result)
-    stream.push(null)
-    return stream
-  }
+  if (result == null) return null
   if (result instanceof Readable) return result
-  if (result.value) return readable4 (result.value) // REVISIT: for OData legacy only?
-  if (Array.isArray(result)) return readable4 (result[0]) // compat // REVISIT: remove ?
+  if (Array.isArray(result)) return readable4 (result[0]) // compat
+  if (typeof result === 'object' && 'value' in result) return readable4 (result.value)
+  cds.error(500, `Unexpected result type for streaming: Expected stream.Readable or null but got ${typeof result}`)
 }

package/libx/http/location.js

@@ -1,4 +1,5 @@
 module.exports = (target, srv, result, keys_as_segments) => {
+  if (typeof result !== 'object' || result == null || Array.isArray(result)) return
   const targetName = target.name.replace(`${srv.definition.name}.`, '')
   if (!target.keys) return targetName
 

package/libx/odata/ODataAdapter.js

@@ -30,62 +30,66 @@ module.exports = class ODataAdapter extends HttpAdapter {
   }
 
   get router() {
+    function set_odata_version(_, res, next) {
+      res.set('OData-Version', '4.0')
+      next()
+    }
+
+    function validate_representation_headers(req, res, next) {
+      if (req.method === 'PUT' && isStream(req._query)) {
+        req.body = { value: req }
+        return next()
+      }
+      if (req.method === 'POST' && req.headers['content-type']?.match(/multipart\/mixed/)) {
+        return next()
+      }
+
+      const contentLength = req.headers['content-length']
+      const [type = '', suffix] = (req.headers['content-type'] || '').split(';')
+      // header ending with semicolon is not allowed
+      const isJson = type.match(/^application\/json$/) && suffix !== ''
+
+      // POST with empty body is allowed if no content-type header is set
+      if (req.method === 'POST' && (!contentLength || isJson)) return jsonBodyParser(req, res, next)
+
+      if (req.method in { POST: 1, PUT: 1, PATCH: 1 }) {
+        if (!isJson) {
+          res.status(415).json({ error: { message: 'Unsupported Media Type', statusCode: 415, code: '415' } })
+          return
+        }
+        if (contentLength === '0') {
+          res.status(400).json({ error: { message: 'Expected non-empty body', statusCode: 400, code: '400' } })
+          return
+        }
+      }
+
+      return jsonBodyParser(req, res, next)
+    }
+
+    function validate_operation_http_method(req, _, next) {
+      // operations must have been handled above (POST or GET)
+      const { operation } = req._query.SELECT?.from.ref?.slice(-1)[0] || {}
+      next(operation ? { code: 405 } : undefined)
+    }
+
     const jsonBodyParser = bodyParser4(this)
     return (
       super.router
-        .use(function odata_version(req, res, next) {
-          res.set('OData-Version', '4.0')
-          next()
-        })
-        // REVISIT: add middleware for negative cases?
+        .use(set_odata_version)
         // service root
-        .use(/^\/$/, require('./middleware/service-document')(this))
-        .use('/\\$metadata', require('./middleware/metadata')(this))
+        .all('/', require('./middleware/service-document')(this))
+        .all('/\\$metadata', require('./middleware/metadata')(this))
         // parse
         .use(require('./middleware/parse')(this))
-        .use(function odata_streams(req, res, next) {
-          if (req.method === 'PUT' && isStream(req._query)) {
-            req.body = { value: req }
-            return next()
-          }
-          if (req.method === 'POST' && req.headers['content-type']?.match(/multipart\/mixed/)) {
-            return next()
-          }
-          // POST with empty body is allowed by actions
-          if (req.method in { PUT: 1, PATCH: 1 }) {
-            if (req.headers['content-length'] === '0') {
-              res.status(400).json({ error: { message: 'Expected non-empty body', statusCode: 400, code: '400' } })
-              return
-            }
-          }
-          if (req.method in { POST: 1, PUT: 1, PATCH: 1 }) {
-            const contentType = req.headers['content-type'] ?? ''
-            let contentLength = req.headers['content-length']
-            contentLength = contentLength ? parseInt(contentLength) : 0
-
-            const parts = contentType.split(';')
-            // header ending with semicolon is not allowed
-            if ((contentLength && !parts[0].match(/^application\/json$/)) || parts[1] === '') {
-              res.status(415).json({ error: { message: 'Unsupported Media Type', statusCode: 415, code: '415' } })
-              return
-            }
-          }
-
-          return jsonBodyParser(req, res, next)
-        })
+        .use(validate_representation_headers)
         // batch
         // .all is used deliberately instead of .use so that the matched path is not stripped from req properties
         .all('/\\$batch', require('./middleware/batch')(this))
         // handle
-        // REVISIT: with old adapter, we return 405 for HEAD requests -> check OData spec
         .head('*', (_, res) => res.sendStatus(405))
         .post('*', operation4(this), create4(this))
         .get('*', operation4(this), stream4(this), read4(this))
-        .use('*', (req, res, next) => {
-          // operations must have been handled above (POST or GET)
-          const { operation } = req._query.SELECT?.from.ref?.slice(-1)[0] || {}
-          next(operation ? { code: 405 } : undefined)
-        })
+        .use(validate_operation_http_method)
         .put('*', update4(this), create4(this, 'upsert'))
         .patch('*', update4(this), create4(this, 'upsert'))
         .delete('*', delete4(this))

package/libx/odata/index.js

@@ -1,6 +1,6 @@
 /** @typedef {import('../../lib/srv/cds.Service')} Service */
 
-const cds = require('../../')
+const cds = require('../..')
 const { decodeURIComponent } = cds.utils
 
 const odata2cqn = require('./parse/parser').parse

package/libx/odata/middleware/batch.js

@@ -62,7 +62,6 @@ const _validateBatch = body => {
       throw _deserializationError(`Method '${method}' is not allowed. Only DELETE, GET, PATCH, POST or PUT are.`)
 
     _validateProperty('url', url, 'string')
-    // TODO: need similar validation in multipart/mixed batch
     if (url.startsWith('/$batch')) throw _deserializationError('Nested batch requests are not allowed.')
 
     // TODO: support for non JSON bodies?
@@ -260,7 +259,12 @@ const _tx_done = async (tx, responses, isJson) => {
     // here, the commit was rejected even though all requests were successful (e.g., by custom handler or db consistency check)
     rejected = 'rejected'
     // construct commit error (without modifying original error)
-    const error = normalizeError(Object.create(e), { locale: cds.context.locale })
+    const error = normalizeError(Object.create(e), {
+      get locale() {
+        return cds.context.locale
+      },
+      get() {}
+    })
     // replace all responses with commit error
     for (const res of responses) {
       res.status = 'fail'

package/libx/odata/middleware/create.js

@@ -72,7 +72,7 @@ module.exports = (adapter, isUpsert) => {
 
         handleSapMessages(cdsReq, req, res)
 
-        if (!target._isSingleton) {
+        if (!target._isSingleton && !res.hasHeader('location')) {
           res.set('location', location4(cdsReq.target, service, result || cdsReq.data))
         }
 

package/libx/odata/middleware/error.js

@@ -4,17 +4,8 @@ const { shutdown_on_uncaught_errors } = cds.env.server
 exports = module.exports = () =>
   function odata_error(err, req, res, next) {
     if (exports.pass_through(err)) return next(err)
+    else req._is_odata = true
     if (err.details) err = _fioritized(err)
-    const content_id = req.headers['content-id']
-    if (content_id) err['@Core.ContentID'] = content_id
-    err['@Common.numericSeverity'] ??= err.numericSeverity || 4
-
-    // propagate content-id and set @Common.numericSeverity
-    err.details?.forEach(e => {
-      if (content_id) e['@Core.ContentID'] = content_id
-      e['@Common.numericSeverity'] ??= e.numericSeverity || 4 // Fiori expects this in error.details
-    })
-
     exports.normalizeError(err, req)
     return next(err)
   }
@@ -25,14 +16,18 @@ exports.pass_through = err => {
 }
 
 exports.normalizeError = (err, req, cleanse = ODATA_PROPERTIES) => {
-  const locale = cds.i18n.locale.from(req)
-  err.status = _normalize(err, locale, cleanse) || 500
+  err.status = _normalize(err, req, cleanse) || 500
   return err
 }
 
-exports.getSapMessages = (messages, req) => {
+exports.getLocalizedMessages = (messages, req) => {
   const locale = cds.i18n.locale.from(req)
-  for (let m of messages) _normalize(m, locale, SAP_MSG_PROPERTIES)
+  for (let m of messages) _normalize(m, req, SAP_MSG_PROPERTIES, locale)
+  return messages
+}
+
+exports.getSapMessages = (messages, req) => {
+  messages = exports.getLocalizedMessages(messages, req)
   return JSON.stringify(messages).replace(
     /[\u007F-\uFFFF]/g,
     c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
@@ -45,10 +40,13 @@ const SAP_MSG_PROPERTIES = { ...ODATA_PROPERTIES, longtextUrl: 2, transition: 2,
 const BAD_REQUESTS = { ENTITY_ALREADY_EXISTS: 1, FK_CONSTRAINT_VIOLATION: 2, UNIQUE_CONSTRAINT_VIOLATION: 3 }
 
 // prettier-ignore
-const _normalize = (err, locale = cds.env.i18n.default_language, keep) => {
+const _normalize = (err, req, keep,
+  locale = cds.i18n.locale.from(req) || cds.env.i18n.default_language,
+  content_id = req.get('content-id')
+) => {
 
   // Determine status code if not already set
-  const details = err.details?.map?.(each => _normalize (each, locale, keep))
+  const details = err.details?.map?.(each => _normalize (each, req, keep, locale, content_id))
   const status = err.status || err.statusCode || _status4(err) || _reduce(details)
 
   // Determine error code and message
@@ -64,7 +62,11 @@ const _normalize = (err, locale = cds.env.i18n.default_language, keep) => {
   Object.defineProperty(err, 'toJSON', { value: function() {
     const that = keep ? {} : {...this}
     if (keep) for (let k in this) if (k in keep || k[0] === '@') that[k] = this[k]
-    if (locale) that.message = i18n.messages.at (key, locale, this.args)
+    if (req._is_odata && keep !== SAP_MSG_PROPERTIES) {
+      that['@Common.numericSeverity'] ??= err.numericSeverity || 4
+      if (content_id) that['@Core.ContentID'] = content_id
+    }
+    if (locale) that.message = _message4 (err, key, locale)
     if (!that.message) that.message = this.message
     return that
   }})
@@ -76,6 +78,14 @@ const _status4 = err => {
   if (err.message in BAD_REQUESTS) return 400 // REVISIT: should we use 409 or 500 instead?
 }
 
+const _message4 = (err, key, locale) => {
+  if (err.i18n) {
+    key = /{i18n>(.*)}/.exec(err.i18n)?.[1]
+    if (!key) return err.i18n
+  }
+  return i18n.messages.at(key, locale, err.args)
+}
+
 const _reduce = details => {
   const unique = [...new Set(details)]
   if (unique.length === 1) return unique[0] // if only one unique status exists, we use that

package/libx/odata/middleware/operation.js

@@ -2,7 +2,7 @@ const cds = require('../../../')
 
 const { pipeline } = require('node:stream/promises')
 
-const { cds2edm, handleSapMessages } = require('../utils')
+const { handleSapMessages } = require('../utils')
 const getODataMetadata = require('../utils/metadata')
 const postProcess = require('../utils/postProcess')
 const getODataResult = require('../utils/result')
@@ -143,12 +143,6 @@ module.exports = adapter => {
           return res.sendStatus(204)
         }
 
-        if (operation.returns._type?.match?.(/^cds\./)) {
-          const context = `${'../'.repeat(query?.SELECT?.from?.ref?.length)}$metadata#${cds2edm[operation.returns._type]}`
-          result = { '@odata.context': context, value: result }
-          return res.send(result)
-        }
-
         if (res.statusCode === 201 && !res.hasHeader('location')) {
           const location = location4(operation.returns, service, result)
           if (location) res.set('location', location)
@@ -160,21 +154,21 @@ module.exports = adapter => {
         }
 
         // REVISIT: enterprise search result? -> simply return what was provided
-        if (operation.returns.type !== 'sap.esh.SearchResult') {
-          const isCollection = !!operation.returns.items
-          const _target = operation.returns.items ?? operation.returns
-          const options = { result, isCollection }
-          if (!_target.name) {
-            // case: return inline type def
-            options.edmName = _opResultName({ service, operation, returnType: _target })
-          }
-          const SELECT = {
-            from: query ? { ref: [...query.SELECT.from.ref, { operation: operation.name }] } : {},
-            one: !isCollection
-          }
-          const metadata = getODataMetadata({ SELECT, _target }, options)
-          result = getODataResult(result, metadata, { isCollection })
+        if (operation.returns.type === 'sap.esh.SearchResult') return res.send(result)
+
+        const isCollection = !!operation.returns.items
+        const _target = operation.returns.items ?? operation.returns
+        const options = { result, isCollection }
+        if (!_target.name) {
+          // case: return inline type def
+          options.edmName = _opResultName({ service, operation, returnType: _target })
+        }
+        const SELECT = {
+          from: query ? { ref: [...query.SELECT.from.ref, { operation: operation.name }] } : {},
+          one: !isCollection
         }
+        const metadata = getODataMetadata({ SELECT, _target }, options)
+        result = getODataResult(result, metadata, { isCollection })
 
         res.send(result)
       })

package/libx/odata/middleware/stream.js

@@ -149,7 +149,7 @@ module.exports = adapter => {
           }
 
           const stream = getReadable(result)
-          if (!stream) return res.sendStatus(204)
+          if (stream == null) return res.sendStatus(204)
 
           validateMimetypeIsAcceptedOrThrow(req.headers, mimetype)
           if (!res.get('content-type')) res.set('content-type', mimetype)

package/libx/odata/parse/afterburner.js

@@ -249,13 +249,17 @@ function _handleCollectionBoundActions(current, ref, i, namespace, one) {
   )
 
   if (onCollection && one) {
-    const msg = `${action.kind.at(0).toUpperCase() + action.kind.slice(1)} "${action.name}" must be called on a collection of ${current.name}`
+    const msg = `${action.kind.at(0).toUpperCase() + action.kind.slice(1)} "${
+      action.name
+    }" must be called on a collection of ${current.name}`
     throw Object.assign(new Error(msg), { statusCode: 400 })
   }
 
   if (incompleteKeys) {
     if (!onCollection) {
-      const msg = `${action.kind.at(0).toUpperCase() + action.kind.slice(1)} "${action.name}" must be called on a single instance of ${current.name}`
+      const msg = `${action.kind.at(0).toUpperCase() + action.kind.slice(1)} "${
+        action.name
+      }" must be called on a single instance of ${current.name}`
       throw Object.assign(new Error(msg), { statusCode: 400 })
     }
 
@@ -510,7 +514,9 @@ function _processSegments(from, model, namespace, cqn, protocol) {
 
   if (incompleteKeys) {
     // > last segment not fully qualified
-    const msg = `Entity "${current.name}" has ${keysOf(current).length} keys. Only ${keyCount} ${keyCount === 1 ? 'was' : 'were'} provided.`
+    const msg = `Entity "${current.name}" has ${keysOf(current).length} keys. Only ${keyCount} ${
+      keyCount === 1 ? 'was' : 'were'
+    } provided.`
     throw Object.assign(new Error(msg), { statusCode: 400 })
   }
 
@@ -820,7 +826,13 @@ module.exports = (cqn, model, namespace, protocol) => {
 
   // hierarchy requests, quick check to avoid unnecessary traversing
   // REVISIT: Should be done via annotation on backlink, would make lookup easier
-  if (target?.elements?.LimitedDescendantCount) {
+  const _getRecurse = SELECT => {
+    if (SELECT.recurse) return SELECT.recurse
+    if (SELECT.from && SELECT.from.SELECT) return _getRecurse(SELECT.from.SELECT)
+  }
+
+  const _recurse = _getRecurse(cqn.SELECT)
+  if (_recurse) {
     let uplinkName
     for (const key in target) {
       if (key.match(/@Aggregation\.RecursiveHierarchy\s*#.*\.ParentNavigationProperty/)) {
@@ -829,10 +841,12 @@ module.exports = (cqn, model, namespace, protocol) => {
         break
       }
     }
-    if (uplinkName) {
-      let r = cqn.SELECT.recurse
-      if (r) r.ref[0] = uplinkName
-    }
+    if (!uplinkName || !target.elements[uplinkName])
+      throw new cds.error(
+        500,
+        'Cannot resolve `ParentNavigationProperty` in `@Aggregation.RecursiveHierarchy` annotation'
+      )
+    _recurse.ref[0] = uplinkName
   }
 
   // REVISIT: better

package/libx/odata/parse/cqn2odata.js

@@ -1,4 +1,4 @@
-const cds = require('../../../')
+const cds = require('../../..')
 
 const { formatVal } = require('../utils')
 
@@ -65,10 +65,7 @@ function hasValidProps(obj, ...names) {
   for (const propName of names) {
     const validate = validators[propName]
     const isValid = validate && validate(obj[propName])
-
-    if (!isValid) {
-      return false
-    }
+    if (!isValid) return false
   }
 
   return true
@@ -183,23 +180,32 @@ function _xpr(expr, target, kind, isLambda, navPrefix = []) {
         if (inExpr) res.push(`(${inExpr})`)
         i += 1
       } else if (_isLambda(cur, expr[i + 1])) {
+        // Process 'exists' expression
+
         const { where } = expr[i + 1].ref.at(-1)
-        const nav = expr[i + 1].ref.map(ref => ref?.id ?? ref).join('/')
+        const navSegments = expr[i + 1].ref.map(ref => ref?.id ?? ref)
+        const nav = navSegments.join('/')
 
         if (kind === 'odata-v2') {
           // odata-v2 does not support lambda expressions but successfactors allows filter like for to-one assocs
           cds.log('remote').info(`OData V2 does not support lambda expressions. Using path expression as best effort.`)
           isLambda = false
           res.push(_xpr(where, target, kind, isLambda, [...navPrefix, nav]))
-        } else if (!where) {
-          res.push(`${nav}/any()`)
-        } else {
+        } else if (res.at(-1) === 'not' && where.length === 2 && where[0] === 'not' && where[1].xpr) {
+          // Convert double negation 'not exists where not' to 'all'
+          // > reverting the mirrored transformation performed in grammar.peggy/lambda
+
+          res.pop()
+          res.push(`${nav}/all(${LAMBDA_VARIABLE}:${_xpr(where[1].xpr, target, kind, true, navPrefix)})`)
+        } else if (where) {
           res.push(
             `${nav}/any(${LAMBDA_VARIABLE}:${_xpr(where, target?.elements[nav]._target, kind, true, navPrefix)})`
           )
+        } else {
+          res.push(`${nav}/any()`)
         }
 
-        i++
+        i += 1
       } else {
         res.push(OPERATORS[cur] || cur.toLowerCase())
       }