@sap/cds 9.4.4 → 9.5.1

package/libx/_runtime/messaging/enterprise-messaging-utils/registerEndpoints.js

@@ -1,65 +1,64 @@
 const cds = require('../../cds.js')
 const express = require('express')
 const getTenantInfo = require('./getTenantInfo.js')
-const isSecured = () => cds.requires.auth && (cds.requires.auth.impl || cds.requires.auth.credentials)
 
 const _isAll = a => a && a.includes('all')
-let jwt_auth
+
+const _xsuaa_fallback = () => {
+  let xsuaa = cds.env.requires.messaging.xsuaa
+  xsuaa = typeof xsuaa === 'string' ? xsuaa : 'xsuaa'
+  const xsuaa_config = cds.env.requires[xsuaa]
+  if (!xsuaa_config) throw new Error(`Fallback XSUAA instance '${xsuaa}' not found!`)
+  if (!xsuaa_config.credentials) throw new Error(`Fallback XSUAA instance '${xsuaa}' has no credentials!`)
+  const jwt_auth = require('../../../../lib/srv/middlewares/auth/jwt-auth.js')
+  return jwt_auth(xsuaa_config)
+}
 
 class EndpointRegistry {
   constructor(basePath, LOG) {
     const deployPath = basePath + '/deploy'
     this.webhookCallbacks = new Map()
     this.deployCallbacks = new Map()
-    if (isSecured()) {
-      if (cds.requires.auth.impl) {
-        cds.app.use(basePath, cds.middlewares.before) // contains auth, trace, context
+
+    const _IS_SECURED = !!(
+      cds.env.requires.auth &&
+      (cds.env.requires.auth.impl || !(cds.env.requires.auth.kind in { mocked: 1, 'mocked-auth': 1 }))
+    )
+    const _IS_PRODUCTION = process.env.NODE_ENV === 'production'
+
+    cds.app.use(basePath, cds.middlewares.context())
+    if (_IS_SECURED) {
+      // unofficial XSUAA fallback
+      if (cds.env.requires.messaging.xsuaa) {
+        cds.app.use(basePath, _xsuaa_fallback())
       } else {
-        jwt_auth ??= require('../../../../lib/srv/middlewares/auth/jwt-auth.js')
-        cds.app.use(basePath, cds.middlewares.context())
-        cds.app.use(basePath, jwt_auth(cds.requires.auth))
-        cds.app.use(basePath, (err, req, res, next) => {
-          if (err === 401) res.sendStatus(401)
-          else next(err)
-        })
+        cds.app.use(basePath, cds.middlewares.auth())
       }
-      // unsuccessful auth doesn't automatically reject!
-      cds.app.use(basePath, (req, res, next) => {
-        // REVISIT: we should probably pass an error into next so that a (custom) error middleware can handle it
-        if (cds.context.user._is_anonymous) return res.status(401).end()
-        next()
+      // ensure that anonymous users get 401 on messaging endpoints
+      cds.app.use(basePath, (_req, _res, next) => {
+        next(cds.context.user._is_anonymous ? 401 : undefined)
       })
-    } else {
-      if (process.env.NODE_ENV === 'production') {
-        LOG.warn('Messaging endpoints not secured')
-      }
-      // auth middlewares set cds.context.user
-      cds.app.use(basePath, cds.middlewares.context())
-    }
+    } else if (_IS_PRODUCTION) LOG.warn('Messaging endpoints not secured')
+
     cds.app.use(basePath, express.json({ type: 'application/*+json' }))
     cds.app.use(basePath, express.json())
     cds.app.use(basePath, express.urlencoded({ extended: true }))
-    LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'OPTIONS' })
-
-    // Clear cds.context as it would interfere with subsequent transactions
-    // cds.app.use(basePath, (_req, _res, next) => {
-    //   cds.context = undefined // REVISIT: Why is that necessary?
-    //   next()
-    // })
 
+    LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'OPTIONS' })
     cds.app.options(basePath, (req, res) => {
       try {
-        if (isSecured() && !cds.context.user.is('emcallback')) return res.sendStatus(403)
+        if (_IS_SECURED && !cds.context.user.is('emcallback')) return res.sendStatus(403)
         res.set('webhook-allowed-origin', req.headers['webhook-request-origin'])
         res.sendStatus(200)
       } catch {
         res.sendStatus(500)
       }
     })
+
     LOG._debug && LOG.debug('Register inbound endpoint', { basePath, method: 'POST' })
     cds.app.post(basePath, (req, res) => {
       try {
-        if (isSecured() && !cds.context.user.is('emcallback')) return res.sendStatus(403)
+        if (_IS_SECURED && !cds.context.user.is('emcallback')) return res.sendStatus(403)
         const queueName = req.query.q
         if (!queueName) {
           LOG.error('Query parameter `q` not found.')
@@ -95,9 +94,11 @@ class EndpointRegistry {
         return res.sendStatus(500)
       }
     })
+
     cds.app.post(deployPath, async (req, res) => {
+      LOG.debug('Handling deploy request')
       try {
-        if (isSecured() && !cds.context.user.is('emmanagement')) return res.sendStatus(403)
+        if (_IS_SECURED && !cds.context.user.is('emmanagement')) return res.sendStatus(403)
         const tenants = req.body && !_isAll(req.body.tenants) && req.body.tenants
         const queues = req.body && !_isAll(req.body.queues) && req.body.queues
         const options = { wipeData: req.body && req.body.wipeData }
@@ -114,12 +115,15 @@ class EndpointRegistry {
         const hasError = results.some(r => r.failed.length)
         if (hasError) return res.status(500).send(results)
         return res.status(201).send(results)
-      } catch {
+      } catch (e) {
+        LOG.error('Error while handling deploy request: ', e)
         // REVISIT: Still needed with cds-mtxs?
         // If an unknown tenant id is provided, cds-mtx will crash ("Cannot read property 'hanaClient' of undefined")
         return res.sendStatus(500)
       }
     })
+
+    cds.app.use(basePath, cds.middlewares.errors())
   }
 
   registerWebhookCallback(queueName, cb) {

package/libx/_runtime/messaging/enterprise-messaging.js

@@ -17,12 +17,12 @@ const BASE_PATH = '/messaging/enterprise-messaging'
 
 const _checkAppURL = appURL => {
   if (!appURL)
-    throw new Error(
+    cds.error(
       'Enterprise Messaging: You need to provide an HTTPS endpoint to your application.\n\nHint: You can set the application URI in environment variable `VCAP_APPLICATION.application_uris[0]`. This is needed because incoming messages are delivered through HTTP via webhooks.\nExample: `{ ..., "VCAP_APPLICATION": { "application_uris": ["my-app.com"] } }`\nIn case you want to use Enterprise Messaging in shared (that means single-tenant) mode, you can use kind `enterprise-messaging-shared`.'
     )
 
   if (appURL.startsWith('https://localhost'))
-    throw new Error(
+    cds.error(
       'The endpoint of your application is local and cannot be reached from Enterprise Messaging.\n\nHint: For local development you can set up a tunnel to your local endpoint and enter its public https endpoint in `VCAP_APPLICATION.application_uris[0]`.\nIn case you want to use Enterprise Messaging in shared (that means single-tenant) mode, you can use kind `enterprise-messaging-shared`.'
     )
 }

package/libx/_runtime/remote/Service.js

@@ -160,8 +160,7 @@ const resolvedTargetOfQuery = q => q?._transitions?.at(-1)?.target
 const _resolveSelectionStrategy = selectionStrategy => {
   const { DestinationSelectionStrategies } = getCloudSdkConnectivity()
   const strategy = DestinationSelectionStrategies[selectionStrategy]
-  if (typeof strategy !== 'function')
-    throw new Error(`Unsupported destination selection strategy "${selectionStrategy}".`)
+  if (typeof strategy !== 'function') cds.error`Unsupported destination selection strategy "${selectionStrategy}".`
   return strategy
 }
 
@@ -185,7 +184,7 @@ const _getDestination = (name, credentials) => {
 class RemoteService extends cds.Service {
   init() {
     if (([...this.entities].length || [...this.operations].length) && !this.options.credentials)
-      throw new Error(`No credentials configured for "${this.name}".`)
+      cds.error`No credentials configured for "${this.name}".`
 
     this.kind = _getKind(this.options) // TODO: Simplify
 
@@ -236,7 +235,7 @@ class RemoteService extends cds.Service {
       // Early validation on first request for use case without remote API
       // Ideally, that's done on bootstrap of the remote service
       if (typeof this.destination === 'object' && !this.destination.url)
-        throw new Error(`"url" or "destination" property must be configured in "credentials" of "${this.name}".`)
+        cds.error`"url" or "destination" property must be configured in "credentials" of "${this.name}".`
 
       const requestConfig = extractRequestConfig(req, query, this)
       requestConfig.headers = _getHeaders(requestConfig.headers, req)
@@ -294,7 +293,7 @@ class RemoteService extends cds.Service {
       )
     // rewrite the query to a target entity served by this service...
     const query = this.resolve(req.query)
-    if (!query) throw new Error(`Target ${req.target.name} cannot be resolved for service ${this.name}`)
+    if (!query) cds.error`Target ${req.target.name} cannot be resolved for service ${this.name}`
     const target = query._target || req.target
     // we need to provide target explicitly because it's cached within ensure_target
     const _req = new cds.Request({ query, target, _resolved: true, headers: req.headers, method: req.method })

package/libx/_runtime/ucl/Service.js

@@ -3,8 +3,10 @@ const LOG = cds.log('ucl')
 
 const fs = require('fs').promises
 const https = require('https')
+const { getCloudSdk } = require('../remote/utils/cloudSdkProvider')
 
 const { READ_QUERY, CREATE_MUTATION, UPDATE_MUTATION, DELETE_MUTATION } = require('./queries')
+
 const TRUSTED_CERT = {
   CANARY: {
     ISSUER: 'CN=SAP PKI Certificate Service Client CA,OU=SAP BTP Clients,O=SAP SE,L=cf-eu10-canary,C=DE',
@@ -33,6 +35,21 @@ module.exports = class UCLService extends cds.Service {
       return await this._dispatchNotification(req)
     })
 
+    if (cds.env.requires.ucl?.destination) {
+      LOG.debug('Destination for asynchronous UCL callbacks configured.')
+
+      this.after(
+        [`assign/#succeeded`, `unassign/#succeeded`],
+        async (res, req) => await this.schedule('successfulMapping', { res, req })
+      )
+      this.after(
+        [`assign/#failed`, `unassign/#failed`],
+        async (res, req) => await this.schedule('failedMapping', { res, req })
+      )
+      this.on('successfulMapping', req => this.handleSuccessfulMapping(req.data.res, req.data.req))
+      this.on('failedMapping', req => this.handleFailedMapping(req.data.res, req.data.req))
+    }
+
     await super.init()
 
     if (cds.env.requires.ucl?.applicationTemplate) await this._upsertApplicationTemplate(cds.env.requires.ucl)
@@ -100,11 +117,7 @@ module.exports = class UCLService extends cds.Service {
   async _dispatchNotification(req) {
     // Call User defined handlers for tenant mapping notifications
 
-    // REVISIT: Java unpacks the location header and enables the async flow aswell
-    if (req.headers.location)
-      throw new cds.error(400, 'Location header found in tenant mapping notification: Async flow not supported!')
-
-    LOG.debug('Tenant mapping notification:', req.data)
+    LOG.debug('Tenant mapping notification: ', req.data)
 
     const { operation } = req.data?.context ?? {}
     if (operation !== 'assign' && operation !== 'unassign')
@@ -113,14 +126,98 @@ module.exports = class UCLService extends cds.Service {
         `Invalid operation "${operation}" in tenant mapping notification. Expected "assign" or "unassign".`
       )
 
-    const response = (await this.send(operation, req.data)) ?? {}
+    const locationUrl = req.headers.location
+    if (locationUrl?.length) return this._dispatchAsyncMappingNotification(req, operation, locationUrl)
+    return this._dispatchSyncMappingNotification(req, operation)
+  }
+
+  async _dispatchAsyncMappingNotification(req, operation, locationUrl) {
+    // Get destination based on configured destination name
+    const destinationName = cds.env.requires.ucl.destination
+    if (typeof destinationName != 'string' || !destinationName?.length)
+      throw new cds.error(500, 'UCL Notification includes location but no callback destination was configured')
+    const destination = await getCloudSdk().getDestination(destinationName)
+
+    // Make sure the received callback location matches the configured destination
+    let destinationHost, locationHost
+    try {
+      locationHost = new URL(locationUrl).host
+    } catch (e) {
+      throw new cds.error(400, `Failed parsing URL in location header: ${e.message}`)
+    }
+    try {
+      destinationHost = new URL(destination.url).host
+    } catch (e) {
+      throw new cds.error(500, `Failed parsing URL in destination "${destinationName}": ${e.message}`)
+    }
+    if (locationHost !== destinationHost) {
+      throw new cds.error(
+        400,
+        `Host mismatch: locationUrl host (${locationHost}) does not match destination.url host (${destinationHost})`
+      )
+    }
+
+    // Schedule the tenant mapping task
+    await this.schedule(operation, req.data, req.headers)
 
+    // Respond 202 Accepted to UCL
+    req.http.res.status(202)
+    return
+  }
+
+  async _dispatchSyncMappingNotification(req, operation) {
+    const response = (await this.send(operation, req.data)) ?? {}
     if (response.error) req.http.res.status(400)
     else response.state ??= operation === 'assign' ? 'CONFIG_PENDING' : 'READY'
-
     return response
   }
 
+  async handleSuccessfulMapping(callbackResult, tenantMapping) {
+    const { operation, operationId } = tenantMapping.data.context
+
+    LOG.debug(`UCL ${operation} operation succeeded:`, callbackResult, tenantMapping)
+
+    // SPII v3 (operationId exists) vs v2
+    const method = operationId ? 'PUT' : 'PATCH'
+
+    const data = {
+      ...callbackResult,
+      state: callbackResult.state ?? (operation === 'assign' ? 'CONFIG_PENDING' : 'READY')
+    }
+    const response = await getCloudSdk().executeHttpRequest(
+      { destinationName: cds.env.requires.ucl.destination },
+      { method, url: tenantMapping.headers.location, data }
+    )
+
+    if (response.status >= 500)
+      cds.error(`Callback to UCL for successful ${operation} operation failed: ${response.data.error}`)
+    if (response.status >= 400)
+      cds.error(`UCL rejected successful ${operation} operation callback: ${response.data.error}`, {
+        unrecoverable: true
+      })
+  }
+
+  async handleFailedMapping(callbackError, tenantMapping) {
+    const { operation, operationId } = tenantMapping.data.context
+
+    LOG.error(`UCL ${operation} operation failed:`, callbackError, tenantMapping)
+
+    // SPII v3 (operationId exists) vs v2
+    const method = operationId ? 'PUT' : 'PATCH'
+
+    const response = await getCloudSdk().executeHttpRequest(
+      { destinationName: cds.env.requires.ucl.destination },
+      { method, url: tenantMapping.headers.location, data: { state: 'ERROR' } }
+    )
+
+    if (response.status >= 500)
+      cds.error(`Callback to UCL for failed ${operation} operation failed: ${response.data.error}`)
+    if (response.status >= 400)
+      cds.error(`UCL rejected failed ${operation} operation callback: ${response.data.error}`, {
+        unrecoverable: true
+      })
+  }
+
   /*
    * the rest is for upserting the application template
    */
@@ -162,22 +259,22 @@ module.exports = class UCLService extends cds.Service {
 
     this._applicationTemplate = _getApplicationTemplate(cds.env.requires.ucl)
     if (!this._applicationTemplate.applicationNamespace) {
-      throw new Error(
+      cds.error(
         'The UCL service requires a valid `applicationTemplate`, please provide it as described in the documentation.'
       )
     }
 
     if (!cds.requires.multitenancy && cds.env.profile !== 'mtx-sidecar')
-      throw new Error(
+      cds.error(
         'The UCL service requires multitenancy, please enable it in your cds configuration with `cds.requires.multitenancy` or by using the mtx sidecar.'
       )
     if (!cds.env.requires.ucl.credentials)
-      throw new Error('No credentials found for the UCL service, please bind the service to your app.')
+      cds.error('No credentials found for the UCL service, please bind the service to your app.')
 
     if (!cds.env.requires.ucl.x509?.cert && !cds.env.requires.ucl.x509?.certPath)
-      throw new Error('UCL requires `x509.cert` or `x509.certPath`.')
+      cds.error('UCL requires `x509.cert` or `x509.certPath`.')
     if (!cds.env.requires.ucl.x509?.pkey && !cds.env.requires.ucl.x509?.pkeyPath)
-      throw new Error('UCL requires `x509.pkey` or `x509.pkeyPath`.')
+      cds.error('UCL requires `x509.pkey` or `x509.pkeyPath`.')
 
     const [cert, key] = await Promise.all([
       cds.env.requires.ucl.x509?.cert ??
@@ -191,7 +288,7 @@ module.exports = class UCLService extends cds.Service {
     const existingTemplate = await this._readTemplate()
     const template = existingTemplate ? await this._updateTemplate(existingTemplate) : await this._createTemplate() // TODO: Make sure return value is correct
 
-    if (!template) throw new Error('The UCL service could not create an application template.')
+    if (!template) cds.error('The UCL service could not create an application template.')
 
     cds.once('listening', async () => {
       const provisioning = await cds.connect.to('cds.xt.SaasProvisioningService')
@@ -234,8 +331,7 @@ module.exports = class UCLService extends cds.Service {
 
           const body = JSON.parse(response.body)
 
-          if (body.errors)
-            throw new Error('Request to UCL service failed with:\n' + JSON.stringify(body.errors, null, 2))
+          if (body.errors) cds.error('Request to UCL service failed with:\n' + JSON.stringify(body.errors, null, 2))
 
           resolve(body.data)
         })

package/libx/common/utils/streaming.js

@@ -7,7 +7,7 @@ exports.validateMimetypeIsAcceptedOrThrow = (headers, contentType) => {
   if (headers.accept.includes(contentType)) return
   if (headers.accept.includes(contentType.slice(0,contentType.indexOf('/')) + '/*')) return
   const msg = `Content type "${contentType}" is not listed in accept header "${headers.accept}"`
-  throw Object.assign(new Error(msg), { statusCode: 406 })
+  cds.error({ status: 406, message: msg })
 }
 
 // REVISIT: We should use express' res.type(...) instead of res.set('Content-Type', ...)

package/libx/odata/middleware/batch.js

@@ -19,7 +19,7 @@ const CRLF = '\r\n'
  * common
  */
 
-const _deserializationError = message => cds.error(`Deserialization Error: ${message}`, { code: 400 })
+const _deserializationError = message => cds.error({ status: 400, message: `Deserialization Error: ${message}` })
 
 // Function must be called with an object containing exactly one key-value pair representing the property name and its value
 const _validateProperty = (name, value, type) => {
@@ -39,8 +39,7 @@ const _validateBatch = body => {
 
   _validateProperty('requests', requests, 'Array')
 
-  if (requests.length > cds.env.odata.batch_limit)
-    cds.error('BATCH_TOO_MANY_REQ', { code: 'BATCH_TOO_MANY_REQ', statusCode: 429 })
+  if (requests.length > cds.env.odata.batch_limit) cds.error({ status: 429, message: 'BATCH_TOO_MANY_REQ' })
 
   const ids = {}
 
@@ -469,7 +468,7 @@ const _processBatch = async (srv, router, req, res, next, body, ct, boundary) =>
 
 const _multipartBatch = async (srv, router, req, res, next) => {
   const boundary = getBoundary(req)
-  if (!boundary) return next(new cds.error('No boundary found in Content-Type header', { code: 400 }))
+  if (!boundary) return next(new cds.error({ status: 400, message: 'No boundary found in Content-Type header' }))
 
   try {
     const { requests } = await multipartToJson(req.body, boundary)
@@ -574,7 +573,7 @@ module.exports = adapter => {
 
   return function odata_batch(req, res, next) {
     if (req.method !== 'POST') {
-      throw cds.error(`Method ${req.method} is not allowed for calls to $batch endpoint`, { code: 405 })
+      cds.error({ status: 405, message: `Method ${req.method} is not allowed for calls to $batch endpoint` })
     }
 
     if (req.headers['content-type'].includes('application/json')) {
@@ -588,6 +587,9 @@ module.exports = adapter => {
       })
     }
 
-    throw cds.error('Batch requests must have content type multipart/mixed or application/json', { statusCode: 400 })
+    cds.error({
+      status: 400,
+      message: 'Batch requests must have content type multipart/mixed or application/json'
+    })
   }
 }

package/libx/odata/middleware/create.js

@@ -25,7 +25,7 @@ module.exports = (adapter, isUpsert) => {
 
     if (one && !isUpsert) {
       const msg = 'Method POST is not allowed for singletons and individual entities'
-      throw Object.assign(new Error(msg), { statusCode: 405 })
+      cds.error({ status: 405, message: msg })
     }
 
     const model = cds.context.model ?? service.model
@@ -35,7 +35,7 @@ module.exports = (adapter, isUpsert) => {
     const data = req.body
     if (Array.isArray(data)) {
       const msg = 'Only single entity representations are allowed'
-      throw Object.assign(new Error(msg), { statusCode: 400 })
+      cds.error({ status: 400, message: msg })
     }
     odataBind(data, target)
     normalizeTimeData(data, model, target)

package/libx/odata/middleware/delete.js

@@ -11,7 +11,7 @@ module.exports = adapter => {
   return function deleet(req, res, next) {
     if (getPreferReturnHeader(req)) {
       const msg = "The 'return' preference is not allowed in DELETE requests"
-      throw Object.assign(new Error(msg), { statusCode: 400 })
+      cds.error({ status: 400, message: msg })
     }
 
     // REVISIT: better solution for query._propertyAccess
@@ -21,7 +21,7 @@ module.exports = adapter => {
     } = req._query
 
     if (!one) {
-      throw Object.assign(new Error('Method DELETE is not allowed for entity collections'), { statusCode: 405 })
+      cds.error({ status: 405, message: 'Method DELETE is not allowed for entity collections' })
     }
 
     const model = cds.context.model ?? service.model

package/libx/odata/middleware/metadata.js

@@ -90,17 +90,24 @@ module.exports = adapter => {
       const { tenant, features } = cds.context
 
       try {
-        let edmx
-        // If no extensibility nor fts, do not provide model to mtxs
-        const modelNeeded = cds.env.requires.extensibility || features?.given
-        edmx =
-          metadataCache.edm ||
-          (await mps.getEdmx({
-            tenant,
-            model: modelNeeded ? await mps.getCsn(tenant, features) : undefined,
-            service: service.definition.name
-          }))
-        metadataCache.edm = edmx
+        let edmx = metadataCache.edm
+
+        if (!edmx) {
+          let model
+          // REVISIT: remove compat with cds^10
+          if (cds.env.features.odata_metadata_compat) {
+            const modelNeeded = cds.env.requires.extensibility || features?.given
+            model = modelNeeded ? await mps.getCsn(tenant, features) : undefined
+          } else {
+            model = cds.context.model ?? service.model
+          }
+
+          // REVISIT: Why do we need the model provider at all to get the edmx?
+          // The locale is intentionally not provided to the model provider
+          // because we want to cache the unlocalized edmx and do localization on the fly
+          edmx = metadataCache.edm || (await mps.getEdmx({ tenant, model, service: service.definition.name }))
+          metadataCache.edm = edmx
+        }
         const extBundle = cds.env.requires.extensibility && (await mps.getI18n({ tenant, locale }))
         edmx = cds.localize(service.model, locale, edmx, extBundle)
         metadataCache.xmlEtag[locale] = generateEtag(edmx)

package/libx/odata/middleware/read.js

@@ -183,7 +183,7 @@ module.exports = adapter => {
   return function read(req, res, next) {
     if (getPreferReturnHeader(req)) {
       const msg = `The 'return' preference is not allowed in ${req.method} requests`
-      throw Object.assign(new Error(msg), { statusCode: 400 })
+      cds.error({ status: 400, message: msg })
     }
 
     // $apply with concat -> multiple queries with special handling
@@ -267,7 +267,7 @@ module.exports = adapter => {
         const metadata = getODataMetadata(query, { result, isCollection: !one })
         result = getODataResult(result, metadata, { isCollection: !one, property: _propertyAccess })
 
-        if (!result) throw new cds.error({ code: 404 })
+        if (!result) cds.error(404)
 
         res.send(result)
       })

package/libx/odata/middleware/service-document.js

@@ -19,7 +19,7 @@ module.exports = adapter => {
   return function service_document(req, res) {
     if (req.method !== 'GET' && req.method !== 'HEAD') {
       const msg = `Method ${req.method} is not allowed for calls to the service endpoint`
-      throw Object.assign(new Error(msg), { statusCode: 405 })
+      cds.error({ status: 405, message: msg })
     }
 
     const model = cds.context.model ?? service.model

package/libx/odata/middleware/update.js

@@ -54,7 +54,7 @@ module.exports = adapter => {
     // REVISIT: patch on collection is allowed in odata 4.01
     if (!one) {
       if (req.method === 'PATCH')
-        throw cds.error(`Method ${req.method} is not allowed for entity collections`, { status: 405 })
+        cds.error(`Method ${req.method} is not allowed for entity collections`, { status: 405 })
       const entity = service.model?.definitions[req._query._subject.ref[0]]
       const keys = {},
         data = req.body || {}