@gov-cy/govcy-express-services 0.1.6 → 0.1.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",

package/src/middleware/govcyPageHandler.mjs

@@ -3,6 +3,7 @@ import { populateFormData } from "../utils/govcyFormHandling.mjs";
 import * as govcyResources from "../resources/govcyResources.mjs";
 import * as dataLayer from "../utils/govcyDataLayer.mjs";
 import { logger } from "../utils/govcyLogger.mjs";
+// import {flattenContext, evaluateExpressionWithFlattening, evaluatePageConditions } from "../utils/govcyExpressions.mjs";
 
 /**
  * Middleware to handle page rendering and form processing
@@ -30,7 +31,8 @@ export function govcyPageHandler() {
       // Deep copy pageTemplate to avoid modifying the original
       const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
 
-      //if user is logged in add he user bane section in the page template
+      // TODO: Conditional logic comes here
+      //if user is logged in add the user nane section in the page template
       if (dataLayer.getUser(req.session)) {
         pageTemplateCopy.sections.push(govcyResources.userNameSection(dataLayer.getUser(req.session).name)); // Add user name section
       }

package/src/utils/govcyDataLayer.mjs

@@ -246,6 +246,23 @@ export function getSiteSubmissionErrors(store, siteId) {
     return null;
 }
 
+/**
+ * Get the site's data from the store (including input data and eligibility data)
+ * 
+ * @param {object} store The session store
+ * @param {string} siteId |The site id
+ * @returns The site data or null if none exist.
+ */
+export function getSiteData(store, siteId) {
+    const inputData = store?.siteData?.[siteId] || {};
+    
+    if (inputData) {
+        return inputData;
+    }
+
+    return null;
+}
+
 /**
  * Get the site's input data from the store 
  * 

package/src/utils/govcyExpressions.mjs

@@ -0,0 +1,232 @@
+/**
+ * @module govcyExpressions
+ * 
+ * This module provides utility functions for evaluating JavaScript expressions
+ * with a flattened context, ensuring safe execution and preventing unsafe patterns.
+ * 
+ */
+import { logger } from "../utils/govcyLogger.mjs";
+import * as dataLayer from "../utils/govcyDataLayer.mjs";
+
+/**
+ * Recursively flattens nested objects into dot-path keys.
+ * E.g. { a: { b: { c: 5 } } } → { "a.b.c": 5 }
+ * 
+ * Example usage:
+ * ```javascript
+ * flattenContext(req.session.siteData["testService"],"testService")
+ * ```
+ * This will output:
+ * ```json
+ * {
+   "testService.inputData.index.formData.certificate_select": [
+    "birth",
+    "permanent_residence"
+  ],
+  "testService.inputData.page1.formData.mobile_select": "mobile",
+  "testService.inputData.page1.formData.mobileTxt": "",
+  "testService.inputData.page2.formData.mobile": "+35722404383",
+  "testService.inputData.page2.formData.dateGot_day": "12",
+  "testService.inputData.page2.formData.dateGot_month": "10",
+  "testService.inputData.page2.formData.dateGot_year": "1212",
+  "testService.inputData.page2.formData.appointment": "10/06/2025"
+ }
+ * 
+ * @param {object} obj - The object to flatten
+ * @param {string} prefix - The prefix for nested keys (used internally)
+ * @param {object} res - The result object to store flattened keys (used internally) 
+ * @returns {object} - Flattened object with dot-path keys 
+ */
+export function flattenContext(obj, prefix = '', res = {}) {
+  for (const [key, val] of Object.entries(obj)) {
+    const path = prefix ? `${prefix}.${key}` : key;
+    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
+      flattenContext(val, path, res);
+    } else {
+      res[path] = val;
+    }
+  }
+  return res;
+}
+
+/**
+ * Validates a JavaScript expression string against a blocklist of unsafe patterns.
+ * Throws an error if any unsafe pattern is found.
+ * 
+ * @throws {Error} If the expression contains any unsafe patterns 
+ * @param {string} expression - The JavaScript expression to validate
+ * @returns {void} 
+ */
+function validateExpression(expression) {
+  const blocklist = [
+    'while(', 'for(', 'do{', // loops
+    'Function(', 'constructor(', // access to internals
+    'process', 'require', // Node.js access
+    'global', 'this', 'eval', // execution context or scope tricks
+    '__proto__', 'prototype', // prototype chain abuse
+    'setTimeout', 'setInterval', // async/loops
+  ];
+
+  for (const forbidden of blocklist) {
+    if (expression.includes(forbidden)) {
+        logger.debug(`Blocked unsafe expression: contains "${forbidden}"`, expression);
+        throw new Error(`Blocked unsafe expression: contains "${forbidden}"`);
+    }
+  }
+}
+
+
+/**
+ * Evaluates a JavaScript expression string with a given context. 
+ * 
+ * @param {string} expression - The JavaScript expression to evaluate 
+ * @param {object} dataLayer - The context object containing data for evaluation
+ * @throws {Error} If the expression is invalid or contains unsafe patterns 
+ * @returns 
+ */
+export function evaluateExpression(expression, dataLayer = {}) {
+    validateExpression(expression); // ⛔️ Blocks known unsafe patterns
+
+    // The expression will reference: dataLayer["some.path.key"]
+    console.debug(`Evaluating expression: ${expression}`, dataLayer);
+    const fn = new Function('dataLayer', `return (${expression});`);
+    return fn(dataLayer);
+}
+
+
+/**
+ * Evaluates expression **with automatic flattening**.
+ * This is a convenience wrapper for most use cases.
+ * 
+ * @param {string} expression - JS expression using dataLayer["..."]
+ * @param {object} object - Unflattened data object (e.g., session.siteData[siteKey])
+ * @param {string} prefix - Prefix to add to all keys (usually the siteKey)
+ * @returns {*} - The evaluated result
+ */
+export function evaluateExpressionWithFlattening(expression, object, prefix = '') {
+  const dataLayer = flattenContext(object, prefix);
+  return evaluateExpression(expression, dataLayer);
+}
+
+
+/**
+ * Evaluates whether a page should be rendered or redirected based on its conditions.
+ *
+ * - Conditions are located in `page.pageData.conditions`
+ * - Each condition must have a valid `expression` and `redirect`
+ * - If an expression evaluates to `true`, the user is redirected
+ * - If all expressions fail (or none exist), the page is rendered
+ *
+ * @param {object} page - The page object containing `pageData.conditions`
+ * @param {object} store - The full session object (e.g., `req.session`)
+ * @param {string} siteKey - The key for the current site context (e.g., `"nsf2"`)
+ * @param {object} req - The request object (used to track redirect depth)
+ * @returns {{ result: true } | { result: false, redirect: string }}
+ *          An object indicating whether to render the page or redirect
+ */
+export function evaluatePageConditions(page, store, siteKey, req) {
+  // Get conditions array from nested page structure
+  const conditions = page?.pageData?.conditions;
+
+  // --- Protect against infinite redirects ---
+  const depth = req?._pageRedirectDepth || 0;           // Track redirect depth per request (resets every HTTP call)
+  if (depth > 10) {                                     // Safer default max limit
+    logger.debug(`Max redirect depth exceeded for siteKey '${siteKey}'`);
+    return { result: true };
+  }
+
+  // If no conditions or not an array, render the page by default
+  if (!Array.isArray(conditions) || conditions.length === 0) {
+    logger.debug(`No conditions found for page '${page.pageData?.url || page.id}'`);
+    return { result: true };
+  }
+
+  // Get scoped session data for this site
+  const siteData = dataLayer.getSiteData(store, siteKey);
+  if (!siteData || typeof siteData !== 'object') {
+    logger.debug(`No site data found for siteKey '${siteKey}' on page '${page.pageData?.url || page.id}'`);
+    return { result: true }; // If site data is missing, continue safely
+  }
+
+  // Evaluate each condition
+  for (const [i, condition] of conditions.entries()) {
+    // Ensure the condition is well-formed
+    const isValid =
+      typeof condition === 'object' &&
+      condition !== null &&
+      typeof condition.expression === 'string' &&
+      condition.expression.trim() !== '' &&
+      typeof condition.redirect === 'string' &&
+      condition.redirect.trim() !== '';
+
+    if (!isValid) {
+      logger.debug(`Skipping invalid condition at index ${i} on page '${page.pageData?.url || page.id}'`, condition);
+      continue;
+    }
+
+    try {
+      // Evaluate the expression using flattened site data
+      const result = evaluateExpressionWithFlattening(
+        condition.expression,
+        siteData,
+        siteKey
+      );
+
+      // ✅ If expression is true → trigger redirect
+      if (result === true) {                            // Only redirect if explicitly `true`
+        // --- Protect against infinite redirects ---
+        req._pageRedirectDepth = depth + 1;             // Increment redirect counter only if redirecting
+        // return redirect response
+        return { result: false, redirect: condition.redirect };
+      }
+    } catch (err) {
+      logger.debug(`Expression error in condition[${i}] on page '${page.pageData?.url || page.id}':`, condition.expression);
+      logger.debug('→', err.message);
+      // ❌ Expression threw an error — skip and evaluate next
+    }
+  }
+
+  // ✅ All expressions were false or skipped → allow page rendering
+  return { result: true };
+}
+
+
+
+// console.log(evaluateExpression(
+//     '(dataLayer["test.inputData.index.formData.certificate_select"] == "permanent_residence") || (dataLayer["test.eligibility.TEST_ELIGIBILITY_2_API_URL.result.Succeeded"] == false)',
+//     flattenContext(req.session.siteData.test,'test')));
+
+
+// console.log(evaluatePageConditions(page, req.session, siteId));
+
+
+      // {
+      //   "pageData": {
+      //     "url": "data-entry-textinput",
+      //     "title": {
+      //       "el": "Σταθερό τηλέφωνο",
+      //       "en": "Landline number",
+      //       "tr": ""
+      //     },
+      //     "layout": "layouts/govcyBase.njk",
+      //     "mainLayout": "two-third",
+      //     "nextPage": "data-entry-all",
+      //     "conditions": [
+      //       {
+      //         "expression": "dataLayer['test.eligibility.TEST_ELIGIBILITY_1_API_URL.result.Succeeded'] == false || dataLayer['test.inputData.data-entry-radios.formData.mobile_select'] == 'mobile'",
+      //         "redirect": "review"
+      //       },
+      //       {
+      //         "expression": "dataLayer['test.eligibility.TEST_ELIGIBILITY_1_API_URL.result.Succeeded'] == false",
+      //         "redirect": "review"
+      //       }
+      //     ]
+      //   },
+
+// Todo:
+// - [X] Add unit tests
+// - [ ] Add page with conditions in JSON
+// - [ ] Add logic on the page handler to evaluate conditions
+// - [ ] Add logic on review and review post page handler to evaluate the conditions
+// - [ ] Add Functional tests for the conditions
+// - [ ] Add documentation for the conditions