cap-js
diff --git a/‎README.md‎
Lines changed: 20 additions & 1 deletion b/‎README.md‎
Lines changed: 20 additions & 1 deletion
diff --git a/‎_i18n/messages.properties‎
Lines changed: 1 addition & 2 deletions b/‎_i18n/messages.properties‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎lib/generic-handlers.js‎
Lines changed: 12 additions & 10 deletions b/‎lib/generic-handlers.js‎
Lines changed: 12 additions & 10 deletions
diff --git a/‎lib/helper.js‎
Lines changed: 70 additions & 21 deletions b/‎lib/helper.js‎
Lines changed: 70 additions & 21 deletions
diff --git a/‎lib/plugin.js‎
Lines changed: 72 additions & 35 deletions b/‎lib/plugin.js‎
Lines changed: 72 additions & 35 deletions
diff --git a/‎package.json‎
Lines changed: 2 additions & 1 deletion b/‎package.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎srv/aws-s3.js‎
Lines changed: 1 addition & 9 deletions b/‎srv/aws-s3.js‎
Lines changed: 1 addition & 9 deletions
@@ -200,9 +200,11 @@ Scan status codes:
 - `Failed`: Scanning failed. 
 
 > [!Note]
-> The plugin currently supports file uploads up to 400 MB in size per attachment as this is a limitation of the [malware scanning service](https://help.sap.com/docs/malware-scanning-servce/sap-malware-scanning-service/what-is-sap-malware-scanning-service). Please note: this limitation remains even with the malware scanner disabled. 
 > The malware scanner supports mTLS authentication which requires an annual renewal of the certificate. Previously, basic authentication was used which has now been deprecated.
 
+> [!Note]
+> If the malware scanner reports a file size larger than the limit specified via [@Validation.Maximum](#specify-the-maximum-file-size) it removes the file and sets the status of the attachment metadata to failed.
+
 
 ### Visibility Control for Attachments UI Facet Generation
 
@@ -243,6 +245,23 @@ The typical sequence includes:
 1. **POST** -> create attachment metadata, returns ID  
 2. **PUT** -> upload file content using the ID
 
+### Specify the maximum file size
+
+You can specify the maximum file size by annotating the attachments content property with `@Validation.Maximum`
+
+```cds
+entity Incidents {
+  ...
+  attachments: Composition of many Attachments;
+}
+
+annotate Incidents.attachments with {
+  content @Validation.Maximum : '20MB';
+}
+```
+
+The default is 400MB
+
 ## Releases
 
 - The plugin is released to [NPM Registry](https://www.npmjs.com/package/@cap-js/attachments).
 
@@ -1,4 +1,3 @@
 UnableToDownloadAttachmentScanStatusNotClean=Unable to download the attachment as scan status is not clean.
-InvalidContentSize=Invalid Content Size.
-AttachmentSizeExceeded=File Size limit exceeded beyond 400 MB.
+AttachmentSizeExceeded=File size limit exceeded beyond {0}.
 MultiUpdateNotSupported=Multi update is not supported.
@@ -1,6 +1,7 @@
 const cds = require('@sap/cds')
 const LOG = cds.log('attachments')
 const { extname } = require("path")
+const { MAX_FILE_SIZE, sizeInBytes } = require('./helper')
 
 const isMultitenacyEnabled = !!cds.env.requires.multitenancy
 const objectStoreKind = cds.env.requires?.attachments?.objectStore?.kind
@@ -68,20 +69,21 @@ async function readAttachment([attachment], req) {
   attachment.content = await AttachmentsSrv.get(target, keys)
 }
 
+/**
+ * Checks the attachments size against the maximum defined by the annotation `@Validation.Maximum`. Default 400mb.
+ * If the limit is reached by the reported size of the content-length header or if the stream length exceeds 
+ * the limits the error is thrown.
+ * @param {import('@sap/cds').Request} req 
+ * @throws AttachmentSizeExceeded 
+ */
 function validateAttachmentSize(req) {
   if (!req.target?._attachments.isAttachmentsEntity || !req.data.content) return;
 
-  const contentLengthHeader = req.headers["content-length"]
-  let fileSizeInBytes
+  const maxFileSize = req.target.elements['content']['@Validation.Maximum'] ? (sizeInBytes(req.target.elements['content']['@Validation.Maximum'], req.target.name) ?? MAX_FILE_SIZE) : MAX_FILE_SIZE;
 
-  if (contentLengthHeader) {
-    fileSizeInBytes = Number(contentLengthHeader)
-    const MAX_FILE_SIZE = 419430400 //400 MB in bytes
-    if (fileSizeInBytes > MAX_FILE_SIZE) {
-      return req.reject(400, "AttachmentSizeExceeded")
-    }
-  } else {
-    return req.reject(400, "InvalidContentSize")
+  if (req.headers["content-length"] && Number(req.headers["content-length"]) > maxFileSize) {
+    if (req.data.content.pause) { req.data.content.pause() }
+    return req.reject({status: 413, message: "AttachmentSizeExceeded", args: [req.target.elements['content']['@Validation.Maximum'] ?? '400MB']})
   }
 }
 
 
@@ -36,7 +36,7 @@ function validateServiceManagerCredentials(serviceManagerCreds) {
  */
 function validateInputs(tenantID, sm_url, token) {
   if (!tenantID) {
-    LOG.error( 'Tenant ID is required for object store credentials', null,
+    LOG.error('Tenant ID is required for object store credentials', null,
       'Ensure multitenancy is properly configured and tenant context is available', { tenantID })
     return false
   }
@@ -48,7 +48,7 @@ function validateInputs(tenantID, sm_url, token) {
   }
 
   if (!token) {
-    LOG.error( 'Access token is required for Service Manager API', null,
+    LOG.error('Access token is required for Service Manager API', null,
       'Check if token fetching completed successfully', { hasToken: !!token })
     return false
   }
@@ -67,20 +67,20 @@ async function fetchObjectStoreBinding(tenantID, token) {
 
   validateServiceManagerCredentials(serviceManagerCreds)
 
-   const { sm_url, url, clientid, clientsecret, certificate, key, certurl } = serviceManagerCreds
-
-   
-   if (!token) {
-     LOG.debug('Fetching access token for tenant', { tenantID, sm_url: sm_url })
-     token = await fetchToken(url, clientid, clientsecret, certificate, key, certurl)
-   }
-   
-   LOG.debug('Fetching object store credentials', { tenantID, sm_url })
-   
-   if (!validateInputs(tenantID, sm_url, token)) {
-     return null
-    }
-    
+  const { sm_url, url, clientid, clientsecret, certificate, key, certurl } = serviceManagerCreds
+
+
+  if (!token) {
+    LOG.debug('Fetching access token for tenant', { tenantID, sm_url: sm_url })
+    token = await fetchToken(url, clientid, clientsecret, certificate, key, certurl)
+  }
+
+  LOG.debug('Fetching object store credentials', { tenantID, sm_url })
+
+  if (!validateInputs(tenantID, sm_url, token)) {
+    return null
+  }
+
   LOG.debug('Making Service Manager API call', {
     tenantID,
     endpoint: `${sm_url}/v1/service_bindings`,
@@ -108,7 +108,7 @@ async function getObjectStoreCredentials(tenantID) {
     const items = await fetchObjectStoreBinding(tenantID)
 
     if (!items.length) {
-      LOG.error( `No object store service binding found for tenant`, null,
+      LOG.error(`No object store service binding found for tenant`, null,
         'Ensure an Object Store instance is subscribed and bound for this tenant',
         { tenantID, itemsFound: 0 })
       return null
@@ -129,7 +129,7 @@ async function getObjectStoreCredentials(tenantID) {
         'Verify Service Manager URL and API endpoint' :
         'Check network connectivity and Service Manager instance health'
 
-    LOG.error( 'Failed to fetch object store credentials', error, suggestion, {
+    LOG.error('Failed to fetch object store credentials', error, suggestion, {
       tenantID,
       httpStatus: error.response?.status,
       responseData: error.response?.data
@@ -171,7 +171,7 @@ async function fetchToken(url, clientid, clientsecret, certificate, key, certURL
     return fetchTokenWithClientSecret(url, clientid, clientsecret)
   } else {
     const suggestion = 'Ensure Service Manager binding includes either (clientid + clientsecret) or (certificate + key + certurl)'
-    LOG.error( 'Insufficient credentials for token fetching', null, suggestion, {
+    LOG.error('Insufficient credentials for token fetching', null, suggestion, {
       hasClientId: !!clientid,
       hasClientSecret: !!clientsecret,
       hasCertificate: !!certificate,
@@ -274,7 +274,7 @@ async function fetchTokenWithMTLS(certURL, clientid, certificate, key) {
     const duration = Date.now() - startTime
 
     if (!response.data?.access_token) {
-      LOG.error( 'MTLS token response missing access_token', null,
+      LOG.error('MTLS token response missing access_token', null,
         'Check MTLS certificate/key validity and Service Manager configuration',
         { clientid, duration, responseData: response.data })
       throw new Error('Access token not found in MTLS token response')
@@ -305,10 +305,59 @@ async function computeHash(input) {
   return hash.digest('hex')
 }
 
+
+const multipliers = {}
+multipliers.B = 1;
+multipliers.KB = multipliers.B * 1024;
+multipliers.MB = multipliers.KB * 1024;
+multipliers.GB = multipliers.MB * 1024;
+multipliers.TB = multipliers.GB * 1024;
+multipliers.PB = multipliers.TB * 1024;
+multipliers.EB = multipliers.PB * 1024;
+multipliers.ZB = multipliers.EB * 1024;
+
+const MAX_FILE_SIZE = 419430400 //400 MB in bytes
+
+/**
+ * Converts a byte size string into the corresponding number.
+ * 
+ * @param {string} size 20mb for example
+ * @returns Byte size or null if nothing was found
+ */
+function sizeInBytes(size, target) {
+  if (!size || (typeof size !== 'string' && typeof size !== 'number')) {
+    LOG.warn(`Could not determine the maximum byte size for the content of ${target}`)
+    return
+  }
+
+  if (typeof size === 'number') {
+    return size
+  }
+
+  const value = parseFloat(size);
+  if (isNaN(value)) {
+    LOG.warn(`Could not determine the maximum byte size for the content of ${target}`)
+    return
+  }
+
+  const unitMatches = size.toUpperCase().match(/([KMGTPEZ]I?)?B$/)
+  // Remove any optional "i" from the unit of measurement (ex, MiB).
+  const unit = unitMatches[0]?.replace(/i/i, "")
+
+  if (!unit) {
+    LOG.warn(`Could not determine the maximum byte size for the content of ${target}`)
+    return
+  }
+
+  return value * multipliers[unit]
+}
+
 module.exports = {
   fetchToken,
   getObjectStoreCredentials,
   computeHash,
+  sizeInBytes,
   fetchObjectStoreBinding,
-  validateServiceManagerCredentials
+  validateServiceManagerCredentials,
+  MAX_FILE_SIZE
 }
@@ -44,46 +44,83 @@ function unfoldModel(csn) {
   meta._enhanced_for_attachments = true
 }
 
-cds.once("served", async function registerPluginHandlers() {
-  if (!("sap.attachments.Attachments" in cds.model.definitions)) return
-  const AttachmentsSrv = await cds.connect.to("attachments")
-  // Searching all associations to attachments to add respective handlers
-  for (let srv of cds.services) {
-    if (srv instanceof cds.ApplicationService) {
-      LOG.debug(`Registering handlers for attachments entities for service: ${srv.name}`)
-      srv.before("READ", validateAttachment)
-      srv.after("READ", readAttachment)
-      srv.before("PUT", validateAttachmentSize)
-      srv.before("NEW", onPrepareAttachment)
-      srv.before("CREATE", (req) => {
-        return onPrepareAttachment(req)
-      })
+cds.ApplicationService.handle_attachments = cds.service.impl(async function () {
+  if (!cds.env.requires.attachments) return;
+  LOG.debug(`Registering handlers for attachments entities for service: ${this.name}`)
+  this.before("READ", validateAttachment)
+  this.after("READ", readAttachment)
+  this.before("PUT", validateAttachmentSize)
+  this.before("NEW", onPrepareAttachment)
+  this.before("CREATE", (req) => {
+    return onPrepareAttachment(req)
+  })
 
-      srv.before(["DELETE", "UPDATE"], function collectDeletedAttachmentsForDraftEnabled(req) {
-        if (!req.target?._attachments.hasAttachmentsComposition) return;
+  this.before(["DELETE", "UPDATE"], async function collectDeletedAttachmentsForDraftEnabled(req) {
+    if (!req.target?._attachments.hasAttachmentsComposition) return;
+    const AttachmentsSrv = await cds.connect.to("attachments")
+    return AttachmentsSrv.attachDeletionData.bind(AttachmentsSrv)(req)
+  })
+  this.after(["DELETE", "UPDATE"], async function deleteCollectedDeletedAttachmentsForDraftEnabled(res, req) {
+    if (!req.target?._attachments.hasAttachmentsComposition) return;
+    const AttachmentsSrv = await cds.connect.to("attachments")
+    return AttachmentsSrv.deleteAttachmentsWithKeys.bind(AttachmentsSrv)(res, req)
+  })
 
-        return AttachmentsSrv.attachDeletionData.bind(AttachmentsSrv)(req)
-      })
-      srv.after(["DELETE", "UPDATE"], function deleteCollectedDeletedAttachmentsForDraftEnabled(res, req) {
-        if (!req.target?._attachments.hasAttachmentsComposition) return;
+  // case: attachments uploaded in draft and draft is discarded
+  this.before(["CANCEL"], async function collectDiscardedAttachmentsForDraftEnabled(req) {
+    if (!req.target?.actives || !req.target?._attachments.hasAttachmentsComposition) return;
+    const AttachmentsSrv = await cds.connect.to("attachments")
+    return AttachmentsSrv.attachDraftDiscardDeletionData.bind(AttachmentsSrv)(req)
+  })
+  this.after(["CANCEL"], async function deleteCollectedDiscardedAttachmentsForDraftEnabled(res, req) {
+    // Check for actives to make sure it is the draft entity
+    if (!req.target?.actives || !req.target?._attachments.hasAttachmentsComposition) return;
+    const AttachmentsSrv = await cds.connect.to("attachments")
+    return AttachmentsSrv.deleteAttachmentsWithKeys.bind(AttachmentsSrv)(res, req)
+  })
 
-        return AttachmentsSrv.deleteAttachmentsWithKeys.bind(AttachmentsSrv)(res, req)
-      })
 
-      // case: attachments uploaded in draft and draft is discarded
-      srv.before(["CANCEL"], function collectDiscardedAttachmentsForDraftEnabled(req) {
-        if (!req.target?.actives || !req.target?._attachments.hasAttachmentsComposition) return;
+  this.prepend(() =>
+    this.on(
+      ["PUT", "UPDATE"],
+      async function putUpdateAttachments(req, next) {
+        // Skip entities which are not Attachments and skip if content is not updated
+        if (!req.target._attachments.isAttachmentsEntity || !req.data.content) return next()
 
-        return AttachmentsSrv.attachDraftDiscardDeletionData.bind(AttachmentsSrv)(req)
-      })
-      srv.after(["CANCEL"], function deleteCollectedDiscardedAttachmentsForDraftEnabled(res, req) {
-        // Check for actives to make sure it is the draft entity
-        if (!req.target?.actives || !req.target?._attachments.hasAttachmentsComposition) return;
+        let metadata = await this.run(SELECT.from(req.subject).columns('url', ...Object.keys(req.target.keys)))
+        if (metadata.length > 1) {
+          return req.error(501, 'MultiUpdateNotSupported')
+        }
+        metadata = metadata[0]
+        if (!metadata) {
+          return req.reject(404)
+        }
+        req.data.ID = metadata.ID
+        req.data.url ??= metadata.url
+        for (const key in metadata) {
+          if (key.startsWith('up_')) {
+            req.data[key] = metadata[key]
+          }
+        }
+        const AttachmentsSrv = await cds.connect.to("attachments")
+        return await AttachmentsSrv.put(req.target, req.data)
+      }
+    )
+  )
 
-        return AttachmentsSrv.deleteAttachmentsWithKeys.bind(AttachmentsSrv)(res, req)
-      })
+  this.prepend(() =>
+    this.on(
+      ["CREATE"],
+      async function createAttachments(req, next) {
+        if (!req.target._attachments.isAttachmentsEntity || req.req?.url?.endsWith('/content') || !req.data.url || !(req.data.content || (Array.isArray(req.data) && req.data[0]?.content))) return next()
+        const AttachmentsSrv = await cds.connect.to("attachments")
+        return AttachmentsSrv.put(req.target, req.data)
+      }
+    )
+  )
 
-      AttachmentsSrv.registerHandlers(srv)
-    }
-  }
+
+
+  const AttachmentsSrv = await cds.connect.to("attachments")
+  AttachmentsSrv.registerHandlers(this)
 })
@@ -46,9 +46,11 @@
       },
       "kinds": {
         "malwareScanner-mock": {
+          "model": "@cap-js/attachments/srv/malwareScanner-mocked",
           "impl": "@cap-js/attachments/srv/malwareScanner-mocked"
         },
         "malwareScanner-btp": {
+          "model": "@cap-js/attachments/srv/malwareScanner",
           "impl": "@cap-js/attachments/srv/malwareScanner"
         },
         "attachments-db": {
@@ -89,7 +91,6 @@
           "kind": "malwareScanner-mock"
         },
         "attachments": {
-          "scan": false,
           "kind": "db"
         }
       },
 
@@ -140,7 +140,7 @@ module.exports = class AWSAttachmentsService extends require("./object-store") {
         params: input,
       })
 
-      // The file upload has to be done first, so super.put can compute the hash
+      // The file upload has to be done first, so super.put can compute the hash and trigger malware scan
       await multipartUpload.done()
       await super.put(attachments, metadata)
 
@@ -152,14 +152,6 @@ module.exports = class AWSAttachmentsService extends require("./object-store") {
         key: Key,
         duration
       })
-
-      // Initiate malware scan if configured
-      LOG.debug('Initiating malware scan for uploaded file', {
-        fileId: metadata.ID,
-        filename: metadata.filename
-      })
-      const MalwareScanner = await cds.connect.to('malwareScanner')
-      await MalwareScanner.emit('ScanFile', { target: attachments.name, keys: { ID: metadata.ID } })
     } catch (err) {
       const duration = Date.now() - startTime
       LOG.error(