Description
CDS 10 removes the tokenInfo property from the CDS user object (cds.context.user and req.user). Raw token information is now accessible via the unified auth-info object at cds.context.user.authInfo.token. Any code that reads tokenInfo directly on a CDS user object will receive undefined at runtime. The authInfo object was introduced as part of the broader consolidation of authentication metadata under a single property, and tokenInfo was kept as an alias during the transition period that ended with CDS 10.
How to Check
- [ ] Search source files for `.tokenInfo` and flag all occurrences where the receiver is `cds.context.user`, `req.user`, or a variable that holds a CDS user object.
- [ ] Check authentication helper modules and middleware that inspect the user token for claims or JWT fields.
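
One way to run the search from the checklist above, as an added example that is not part of the original page or of CAP itself. The function name `findTokenInfoReads`, the sample source and the variable name `securityContext` are constructed for illustration. Reads whose receiver is one of the two expressions named on this page are marked `update`; every other receiver is marked `trace`, meaning it has to be followed back to its assignment site.

```javascript
// Receivers the page names as CDS user objects.
const CDS_USER_RECEIVERS = ['cds.context.user', 'req.user'];

// A dotted receiver chain (plain or optional chaining) followed by `.tokenInfo`.
const TOKEN_INFO_READ =
  /([A-Za-z_$][\w$]*(?:\s*\??\.\s*[A-Za-z_$][\w$]*)*)\s*\??\.\s*tokenInfo\b/g;

// Returns one finding per `.tokenInfo` read: { line, receiver, action }.
function findTokenInfoReads(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    // Skip comment-only lines so documentation does not produce findings.
    if (/^\s*(\/\/|\*|\/\*)/.test(text)) return;
    for (const match of text.matchAll(TOKEN_INFO_READ)) {
      // Normalise `a ?. b` and `a . b` to `a.b` before comparing.
      const receiver = match[1].replace(/\s+/g, '').replace(/\?\./g, '.');
      const isCdsUser = CDS_USER_RECEIVERS.some(
        (known) => receiver === known || receiver.endsWith('.' + known)
      );
      findings.push({
        line: index + 1,
        receiver,
        // 'update': rewrite to .authInfo.token; 'trace': check what the receiver holds.
        action: isCdsUser ? 'update' : 'trace',
      });
    }
  });
  return findings;
}

// Constructed sample input (not taken from any real project).
const SAMPLE = [
  'const tokenInfo = cds.context.user.tokenInfo;',
  'const audience = req.user?.tokenInfo.getAudiences();',
  'const claims = securityContext.tokenInfo; // hypothetical third-party object',
  'const { user } = req; const t = user.tokenInfo;',
].join('\n');

for (const f of findTokenInfoReads(SAMPLE)) {
  console.log(`line ${f.line}: ${f.receiver}.tokenInfo -> ${f.action}`);
}
```

A `trace` result is not a verdict: a destructured `user` usually is a CDS user object, while a security context from a JWT library is not affected.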
Migration Steps
- Replace `.tokenInfo` on a CDS user object with `.authInfo.token`:

```diff
-const tokenInfo = cds.context.user.tokenInfo;
+const tokenInfo = cds.context.user.authInfo.token;
```

- Inside request handlers:

```diff
-const tokenInfo = req.user.tokenInfo;
+const tokenInfo = req.user.authInfo.token;
```

- If token claims are accessed directly on `tokenInfo`, verify they remain accessible at the same path on `authInfo.token`:

```diff
-const audience = req.user.tokenInfo.getAudiences();
+const audience = req.user.authInfo.token.getAudiences();
```

Notes
.tokenInfo occurrences in third-party JWT libraries (e.g. @sap/xssec) are not affected by this CAP change. Only accesses where the receiver is a CDS user object need to be updated. When in doubt, trace the receiver back to its assignment site.