auth, local url

Author: oklemenz2

CHANGELOG.md

@@ -9,8 +9,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ### Fixed
 
-- For local development, authentication is skipped for authentication kind `mocked`
-- First mocked user (of `cds.requires.auth.users`) is taken as authenticated user for websocket connection (e.g. `alice`)
+- Authentication is skipped for kind `mocked` and `basic` for local development
+- Anonymous user or first user of `cds.requires.auth.users` (i.e. `alice`) when not set
+- Supports relative paths for `WebSocketBaseURL` for local development
 
 ## Version 1.9.4 - 2026-02-03
 

README.md

@@ -433,10 +433,20 @@ Example for xsuaa based CDS auth strategy:
 
 Headers of Websocket Upgrade request can be accessed via `req.http.req.headers` in websocket service handlers.
 
-#### Local Development Authorization
+#### Local Development
 
-For local development, authentication is skipped for authentication kind `mocked`. First mocked user (of `cds.requires.auth.users`)
-is taken as authenticated user for websocket connection (e.g. `alice`) in local development setup.
+For local development, authentication is skipped for authentication kind `mocked` and `basic`.
+If login is required (`cds.requires.auth.login_required: true`), first mocked user (see `cds.requires.auth.users`)
+is taken as authenticated user for websocket connection (e.g. `alice`), 
+otherwise the websocket connection is established with an anonymous user.
+
+Using authentication kind `basic` or `cds.requires.auth.login_required: true` is not recommended for local development,
+as the websocket connection is established via WebSocket Upgrade request, which does not support interactive login.
+Nevertheless, it could be simulated by hardcoding an authentication cookie in browser as follows:
+
+```js
+document.cookie = "X-Authorization=Basic YWxpY2U6YWxpY2U; path=/"; // mock auth for alice
+```
 
 ### Invocation Context
 
@@ -1234,19 +1244,23 @@ Modeled action parameters `context`, `exit` and `reset` are mapped from `pcp` me
 #### Event-Driven Side Effects
 
 PCP format can be used to emit Fiori Elements Event-Driven Side Effects via WebSocket events.
+Websocket kind `ws` must be configured (default), as UI5 only supports WebSocket protocol for Fiori Elements side effects.
 
 First OData V4 service metadata is extended for side effects to automatically connect to the corresponding websocket endpoint and channel:
 
 ```cds
 @Common : {
-  WebSocketBaseURL : '/ws/fiori',
+  WebSocketBaseURL : 'ws/fiori',
   WebSocketChannel #sideEffects: 'sideeffects'
 }
 service FioriService {
    ...
 }
 ```
 
+Path of `WebSocketBaseURL` shall be defined relatively (i.e. no leading slash) to the OData service URL,
+to be correctly resolved in Fiori Elements, especially in context of WorkZone.
+
 Event-driven side effects are configured in PCP format enabled service via the following annotations:
 
 - **Event level**:
@@ -1271,7 +1285,7 @@ Example:
 
 ```cds
 @Common: {
-    WebSocketBaseURL: '/ws/fiori',
+    WebSocketBaseURL: 'ws/fiori',
     WebSocketChannel #sideEffects: 'sideeffects',
 }
 service FioriService {

package-lock.json

@@ -56,10 +56,10 @@
     "@sap/cds": "^9.7.1",
     "@sap/cds-dk": "^9.7.0",
     "@socket.io/redis-adapter": "^8.3.0",
-    "@socket.io/redis-streams-adapter": "^0.2.3",
+    "@socket.io/redis-streams-adapter": "^0.3.0",
     "eslint": "^9.39.2",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-jest": "^29.12.2",
+    "eslint-plugin-jest": "^29.13.0",
     "eslint-plugin-n": "^17.23.2",
     "globals": "^17.3.0",
     "jest": "^30.2.0",

package.json

@@ -443,13 +443,14 @@ class SocketServer {
       !restrict_all ||
       cds.context?.user?._is_privileged ||
       !cds.context?.user?._is_anonymous ||
-      cds.env.requires?.auth.kind === "mocked"
+      ["mocked", "basic"].includes(cds.env.requires?.auth.kind)
     ) {
-      if (cds.env.requires?.auth.kind === "mocked") {
-        const mockedUsers = Object.values(cds.env.requires?.auth?.users || {});
-        if (mockedUsers.length) {
-          req.user ??= new cds.User(mockedUsers[0]);
+      if (cds.context && !cds.context.user) {
+        const users = Object.values(cds.env.requires?.auth?.users || {});
+        if (cds.env.requires?.auth?.login_required && users.length) {
+          cds.context.user = new cds.User(users[0]);
         }
+        cds.context.user ??= new cds.User.Anonymous();
       }
       return next();
     }

src/socket/base.js

@@ -39,6 +39,10 @@ class SocketWSServer extends SocketServer {
         request.queryOptions = urlObj?.query || {};
         request.id ??= request.queryOptions.id;
         request.url = urlObj?.pathname;
+        if (!this.services.get(request.url)) {
+          // Route webapp relative requests (local)
+          request.url = request.url.replace(/\/.*\/webapp(\/.*)/, "$1");
+        }
         if (!(typeof this.services.get(request.url) === "function")) {
           socket.write(`HTTP/1.1 404 Not Found\r\n\r\n`);
           socket.destroy();

src/socket/ws.js

@@ -1,7 +1,7 @@
 using {sap.capire.bookshop as my} from '../db/bookshop';
 
 @Common: {
-    WebSocketBaseURL: '/ws/fiori',
+    WebSocketBaseURL: 'ws/fiori',
     WebSocketChannel #sideEffects: 'sideeffects',
 }
 service FioriService {