Description

CDS 10 removes the authInfo property from the low-level HTTP request object exposed via cds.context.http.req. Authorization information is now available exclusively through the CDS user abstraction: cds.context.user.authInfo (or equivalently req.user.authInfo inside a request handler). Code that accesses authInfo via the HTTP request path will receive undefined at runtime and may throw or silently misbehave depending on how the value is used. The replacement path has been available since CDS 8.

How to Check

• [ ] Search source files for .http.req.authInfo — any occurrence is breaking.
• [ ] Check helper or middleware modules that extract authorization claims for uses of the req.authInfo path inside CAP middleware.

Migration Steps

1. Replace all accesses to authInfo via the HTTP request path with the user abstraction:

-const authInfo = cds.context.http.req.authInfo;
+const authInfo = cds.context.user.authInfo;

2. Inside request handlers where req is the CDS request object:

-const authInfo = req.http.req.authInfo;
+const authInfo = req.user.authInfo;

3. Verify that the authInfo object shape exposed by cds.context.user.authInfo meets all usage requirements — the structure is the same as the previously forwarded value.

Notes

cds.context.user.authInfo has been available since CDS 8. No fallback or compat flag is provided for this removal.