@sap/cds 9.2.1 → 9.3.0

package/lib/srv/middlewares/auth/jwt-auth.js

@@ -32,11 +32,16 @@ module.exports = function jwt_auth(config) {
 
     try {
       const securityContext = await createSecurityContext(auth_service, { req })
-      const tokenInfo = securityContext.token
       const ctx = cds.context
-      ctx.user = user_factory(tokenInfo)
-      ctx.tenant = tokenInfo.getZoneId()
-      req.authInfo = securityContext //> compat req.authInfo
+      ctx.user = user_factory(securityContext)
+      ctx.tenant = securityContext.token.getZoneId()
+      // REVISIT: remove compat in cds^10
+      Object.defineProperty(req, 'authInfo', {
+        get() {
+          cds.utils.deprecated({ kind: 'API', old: 'cds.context.http.req.authInfo', use: 'cds.context.user.authInfo' })
+          return securityContext
+        }
+      })
     } catch (e) {
       if (e instanceof ValidationError) {
         LOG.warn('Unauthenticated request: ', e)
@@ -53,7 +58,8 @@ module.exports = function jwt_auth(config) {
 function get_user_factory(credentials, xsappname, kind) {
   xsappname = xsappname + '.'
 
-  return function user_factory(tokenInfo) {
+  return function user_factory(securityContext) {
+    const tokenInfo = securityContext.token
     const payload = tokenInfo.getPayload()
 
     let id = payload.user_name
@@ -81,7 +87,14 @@ function get_user_factory(credentials, xsappname, kind) {
       attr.email = payload.email
     }
 
-    return new cds.User({ id, roles, attr, tokenInfo })
+    return new cds.User({
+      id, roles, attr, authInfo: securityContext,
+      // REVISIT: remove compat in cds^10
+      get tokenInfo() {
+        cds.utils.deprecated({ kind: 'API', old: 'cds.context.user.tokenInfo', use: 'cds.context.user.authInfo.token' })
+        return securityContext.token
+      }
+    })
   }
 }
 

package/lib/srv/protocols/hcql.js

@@ -1,5 +1,6 @@
 const cds = require('../../index'), {inspect} = cds.utils
 const express = require('express')
+
 const LOG = cds.log('hcql')
 const PROD = process.env.NODE_ENV === 'production'
 
@@ -11,7 +12,11 @@ class HCQLAdapter extends require('./http') {
     .get ('/\\$csn', this.schema.bind(this))      //> return the CSN as schema
     .use (express.json(this.body_parser_options)) //> for application/json -> cqn
     .use (express.text(this.body_parser_options)) //> for text/plain -> cql -> cqn
-
+    .use ((req,res,next) => {
+      const q = typeof req.body === 'string' ? req.body : inspect(req.body, { depth: 4 })
+      LOG.info (req.method, decodeURI (req.baseUrl + req.path), q)
+      next()
+    })
     // Route for custom actions and functions ...
     const action = this.action.bind(this)
     router.param('action', (r,_,next,a) => a in this.service.actions ? next() : next('route'))
@@ -40,6 +45,7 @@ class HCQLAdapter extends require('./http') {
     router.use (this.crud.bind(this))
     return router
   }
+  log (req) { } // eslint-disable-line no-unused-vars
 
 
   /**
@@ -73,7 +79,15 @@ class HCQLAdapter extends require('./http') {
     if (q.SELECT) {
       if (req.get('Accept-Language')) q.SELECT.localized = true
       if (req.get('X-Total-Count')) q.SELECT.count = true
+      // special handling for $search queries
+      const {where} = q.SELECT, $search = where?.[0]
+      if ($search?.func === '$search') {
+        q.SELECT.search = $search.args
+        where.splice(0, where[1] === '>' ? 4 : 2) // remove $search(...) > 0.1 and ...
+        if (where.length === 0) delete q.SELECT.where // remove empty where clause
+      }
     }
+
     // got a valid query
     if (LOG._debug) LOG.debug (inspect(q))
     return this.valid(q)
@@ -96,6 +110,7 @@ class HCQLAdapter extends require('./http') {
     if (!results) return res.end()
     if (results.$count) res.set ('X-Total-Count', results.$count)
     if (typeof results === 'object') return res.json (results)
+    if (res.req.method === 'DELETE') return res.sendStatus(204)
     else res.send (results)
   }
 

package/lib/srv/srv-dispatch.js

@@ -64,7 +64,7 @@ exports.handle = async function handle (req) {
     }()
     if (req.errors) throw req.reject()
   }
-  else if (req.query) throw _unhandled (this,req)
+  else if (req.event in (req.target?.actions ?? srv.actions)) throw _unhandled(this,req)
 
   // .after handlers run in parallel
   handlers = this.handlers.after.filter (h => h.for(req))

package/lib/utils/cds-utils.js

@@ -144,14 +144,11 @@ exports.location = function() {
 }
 
 
-exports.exists = function(x) {
-  if (x) {
-    const y = resolve (cds.root,x)
-    return fs.existsSync(y)
-  }
+exports.exists = function(x) { if (!x) return
+  const y = resolve (cds.root,x)
+  return fs.existsSync(y)
 }
 
-// REVISIT naming: doesn't return boolean
 exports.isdir = function isdir (...args) {
   if (args.length) try {
     const y = resolve (cds.root,...args)
@@ -161,7 +158,6 @@ exports.isdir = function isdir (...args) {
   } catch {/* ignore */}
 }
 
-// REVISIT naming: doesn't return boolean
 exports.isfile = function isfile (...args) {
   if (args.length) try {
     const y = resolve (cds.root,...args)
@@ -189,7 +185,7 @@ exports.read = async function read (file, _encoding) {
   } catch(e) {
     throw new Error (`Failed to parse JSON in ${f}: ${e.message}`)
   }
-  else return src
+  else return process.platform === 'win32' ? src?.replace(/\r\n/g, '\n') : src
 }
 
 exports.write = function write (file, data, o) {

package/lib/utils/csv-reader.js

@@ -16,7 +16,7 @@ exports.readHeader = async function (inStream, o = { ignoreComments: true }) {
   let delimiter = ';'
   let cols = []
   let filtered = false
-  await _filterLines(inStream, null, (line, readLine) => {
+  await _filterLines({ delimiter }, inStream, null, (line, readLine) => {
     if (!cols.length) {
       if (o.ignoreComments && _ignoreLine(line)) {
         filtered = true
@@ -33,17 +33,16 @@ exports.readHeader = async function (inStream, o = { ignoreComments: true }) {
   return { cols, delimiter, filtered }
 }
 
-exports.stripComments = async function (file, outStream) {
-  // most files don't need filtering, so do a quick check first
-  const { filtered } = await exports.readHeader(createReadStream(file))
-  if (!filtered) return false
+exports.stripComments = async function (file, outStream, trimWhitespaces = false) {
+
+  const { delimiter } = await exports.readHeader(createReadStream(file))
 
   // buffer whole content so that we can write the out file
   const inStream = Readable.from([await fsp.readFile(file)])
   // clears the output file
   outStream = outStream || createWriteStream(file)
   let prelude = true
-  await _filterLines(inStream, outStream, line => {
+  await _filterLines({ delimiter, trimWhitespaces }, inStream, outStream, line => {
     if (prelude) {
       if (_ignoreLine(line)) return false
       prelude = false
@@ -58,13 +57,34 @@ function _ignoreLine(line) {
   return line[0] === '#' || !line.trim().length
 }
 
-function _filterLines(input, out, filter) {
+function _filterLines({ delimiter, trimWhitespaces }, input, out, filter) {
   return new Promise((resolve, reject) => {
     const rl = require('readline').createInterface({ input, crlfDelay: Infinity })
     const resumeOnDrain = () => rl.resume()
     let filtered = false
     rl.on('line', line => {
       if (filter(line, rl)) {
+        // Process the line character by character to handle quoted fields properly
+        if (trimWhitespaces) {
+          const result = []
+          let field = ''
+          let quoted = false
+
+          for (const char of line) {
+            if (char === '"') {
+              quoted = !quoted
+              field += char
+            } else if (char === delimiter && !quoted) {
+              result.push(field.startsWith('"') ? field : field.trim())
+              field = ''
+            } else {
+              field += char
+            }
+          }
+          // Don't forget the last field
+          result.push(field.startsWith('"') ? field : field.trim())
+          line = result.join(delimiter)
+        }
         if (out && !out.write(line + '\n')) {
           rl.pause() // pause when writable signals so
           out.removeListener('drain', resumeOnDrain) // avoid too many listeners

package/libx/_runtime/cds.js

@@ -23,9 +23,3 @@ cds.Service.prototype._requires_resolving = function (req) {
   if (req.target?.name?.startsWith(this.definition?.name + '.')) return false
   else return true
 }
-
-// FIXME: move resolve out of cds.ql !
-const resolve = require('../../lib/ql/resolve')
-cds.Service.prototype.resolve = function (query) {
-  return resolve(query, this)
-}

package/libx/_runtime/common/Service.js

@@ -11,6 +11,7 @@ class ApplicationService extends cds.Service {
     for (let each of clazz.generics) clazz[each].call(this)
     return super.init()
   }
+
   static get generics() {
     return (this._generics ??= new Set([
       ...(this.__proto__.generics || []),
@@ -54,6 +55,10 @@ class ApplicationService extends cds.Service {
     return require('./generic/crud')
   }
 
+  static get handle_flows() {
+    return require('./generic/flows')
+  }
+
   // Overload .handle in order to resolve projections up to a definition that is known by the remote service instance.
   // Result is post processed according to the inverse projection in order to reflect the correct result of the original query.
   async handle(req) {

package/libx/_runtime/common/generic/crud.js

@@ -8,7 +8,7 @@ const _targetEntityDoesNotExist = async req => {
 
 module.exports = cds.service.impl(function () {
   // prettier-ignore
-  this.on(['CREATE', 'READ', 'UPDATE', 'DELETE', 'UPSERT'], '*', async function handle_crud_requests(req) {
+  this.on(['CREATE', 'READ', 'UPDATE', 'UPSERT', 'DELETE'], '*', async function handle_crud_requests(req) {
 
     if (!cds.db)
       return req.reject ('NO_DATABASE_CONNECTION') // REVISIT: error message

package/libx/_runtime/common/generic/flows.js

@@ -0,0 +1,106 @@
+const cds = require('../../cds')
+
+const { getFrom } = require('../../../../lib/compile/for/flows')
+
+const FLOW_STATUS = '@flow.status'
+const FROM = '@from'
+const TO = '@to'
+// backwards compat
+const FLOW_FROM = '@flow.from'
+const FLOW_TO = '@flow.to'
+
+function buildAllowedCondition(action, statusElementName, statusEnum) {
+  const fromList = getFrom(action)
+  const conditions = fromList.map(from => `${statusElementName} = '${statusEnum[from].val ?? from}'`)
+  return `(${conditions.join(' OR ')})`
+}
+
+async function isCurrentStatusInFrom(req, action, statusElementName, statusEnum) {
+  const cond = buildAllowedCondition(action, statusElementName, statusEnum)
+  const parsedXpr = cds.parse.expr(cond)
+  const dbEntity = await SELECT.one.from(req.subject).where(parsedXpr)
+  return dbEntity !== undefined
+}
+
+async function checkStatus(req, action, statusElementName, statusEnum) {
+  const allowed = await isCurrentStatusInFrom(req, action, statusElementName, statusEnum)
+  if (!allowed) {
+    const from = getFrom(action)
+    req.reject({
+      code: 409,
+      message: from.length > 1 ? 'INVALID_FLOW_TRANSITION_MULTI' : 'INVALID_FLOW_TRANSITION_SINGLE',
+      args: [action.name, statusElementName, from.join(',')]
+    })
+  }
+}
+
+/**
+ * handler registration
+ */
+module.exports = cds.service.impl(function () {
+  const entry = []
+  const exit = []
+
+  for (const entity of this.entities) {
+    if (!entity.actions || !entity.elements) continue
+
+    const fromActions = []
+    const toActions = []
+    for (const action of entity.actions) {
+      if (action[FROM] || action[FLOW_FROM]) fromActions.push(action)
+      if (action[TO] || action[FLOW_TO]) toActions.push(action)
+    }
+    if (fromActions.length === 0 && toActions.length === 0) continue
+
+    let statusElement = Object.values(entity.elements).find(el => el[FLOW_STATUS])
+    if (!statusElement) {
+      cds.error(
+        `Entity ${entity.name} does not have a status element, but its actions have registered @flow annotations.`
+      )
+    }
+
+    let statusEnum, statusElementName
+    if (statusElement.enum) {
+      statusEnum = statusElement.enum
+      statusElementName = statusElement.name
+    } else if (statusElement?._target?.elements['code']) {
+      statusEnum = statusElement._target.elements['code'].enum
+      statusElementName = statusElement.name + '_code'
+    } else {
+      cds.error(
+        `Status element in entity ${entity.name} is not an enum and does not have a valid target with code enum.`
+      )
+    }
+
+    entry.push({ events: fromActions, entity, statusElementName, statusEnum })
+    exit.push({ events: toActions, entity, statusElementName, statusEnum })
+  }
+
+  this.prepend(function () {
+    for (const each of entry) {
+      this.before(
+        each.events,
+        each.entity,
+        Object.assign(
+          async function handle_entry_state(req) {
+            const action = req.target.actions[req.event]
+            await checkStatus(req, action, each.statusElementName, each.statusEnum)
+          },
+          { _initial: true }
+        )
+      )
+    }
+
+    for (const each of exit) {
+      async function handle_exit_state(req, next) {
+        const res = await next()
+        const action = req.target.actions[req.event]
+        const to = action[TO] ?? action[FLOW_TO]
+        const toKey = to['#'] ?? to['='] ?? to
+        await UPDATE(req.subject).with({ [each.statusElementName]: each.statusEnum[toKey].val ?? toKey })
+        return res
+      }
+      this.on(each.events, each.entity, handle_exit_state)
+    }
+  })
+})

package/libx/_runtime/common/generic/paging.js

@@ -1,6 +1,6 @@
 const cds = require('../../cds')
 
-module.exports = exports = cds.service.impl(function () {
+module.exports = cds.service.impl(function () {
   this.before('READ', '*', handle_paging)
 })
 
@@ -46,5 +46,5 @@ const _addPaging = function ({ SELECT }, target) {
 handle_paging._initial = true
 
 // needed in lean draft
-exports.getPageSize = getPageSize
-exports.commonGenericPaging = handle_paging
+module.exports.getPageSize = getPageSize
+module.exports.commonGenericPaging = handle_paging

package/libx/_runtime/common/utils/differ.js

@@ -21,13 +21,9 @@ const columnRefs = (data, target) => {
     .filter(k => !k.isAssociation && !k.virtual)
     .forEach(k => columns.add(k.name))
 
-  if (!Array.isArray(data)) data = [data]
-  // loop and get all columns from current level
-  for (const row of data) {
-    for (const e in row) {
-      if (target.elements[e] && !target.elements[e].isAssociation) {
-        columns.add(e)
-      }
+  for (const e in target.elements) {
+    if (!target.elements[e].isAssociation) {
+      columns.add(e)
     }
   }
 
@@ -44,18 +40,12 @@ const expandColumns = (target, data, columns = [], elementMap = new Map()) => {
 
   for (const compName in compositions) {
     let compositionData
-    if (data === null || (Array.isArray(data) && !data.length)) {
+    if (data == null || (Array.isArray(data) && !data.length)) {
       compositionData = null
     } else {
       compositionData = data[compName]
     }
 
-    // ignore not provided compositions as nothing happens with them (expect deep delete)
-    if (compositionData === undefined) {
-      // fill columns in case
-      continue
-    }
-
     const composition = compositions[compName]
 
     const fqn = composition.parent.name + ':' + composition.name
@@ -83,7 +73,7 @@ const expandColumns = (target, data, columns = [], elementMap = new Map()) => {
 
     if (composition.is2many) {
       // expandColumn.expand = getColumnsFromDataOrKeys(compositionData, composition._target)
-      if (compositionData === null || compositionData.length === 0) {
+      if (compositionData == null || compositionData.length === 0) {
         // deep delete, get all subitems until recursion depth
         expandColumns(composition._target, null, expandColumn.expand, newElementMap)
         continue

package/libx/_runtime/common/utils/resolveView.js

@@ -528,7 +528,7 @@ const _mappedValue = (col, alias) => {
   return [key, { val: col.val }]
 }
 
-const getDBTable = target => cds.ql.resolve.table(target)
+const getDBTable = target => cds.db.resolve.table(target)
 
 const _appendForeignKeys = (newColumns, target, columns, { as, ref = [] }) => {
   const el = target.elements[as] || target.query._target?.elements[ref.at(-1)]
@@ -575,7 +575,7 @@ const _checkForForbiddenViews = (queryTarget, event) => {
 const _getTransitionData = (target, columns, service, options) => {
   let { abort, skipForbiddenViewCheck, event } = options
   // REVISIT revert after cds-dbs pr
-  if (!abort) abort = cds.ql.resolve.abortDB
+  if (!abort) abort = service.resolve.abortDB
   // REVISIT: Find less param polluting way to skip forbidden view check for reads
   if (!skipForbiddenViewCheck) _checkForForbiddenViews(target, event)
   const isAborted = abort(target)