@gov-cy/govcy-express-services 0.2.16 → 1.0.0-alpha.10

package/README.md

@@ -32,6 +32,7 @@ The project is designed to support the [Linear structure](https://gov-cy.github.
   - [📤 Site submissions](#-site-submissions)
   - [✅ Input validations](#-input-validations)
   - [✅ Conditional logic](#-conditional-logic)
+  - [💾 Temporary save](#-temporary-save)
 - [🛣️ Routes](#%EF%B8%8F-routes)
 - [👨‍💻 Enviromental variables](#-enviromental-variables)
 - [🔒 Security note](#-security-note)
@@ -55,6 +56,7 @@ The project is designed to support the [Linear structure](https://gov-cy.github.
 - Pre-filling posted values (in the same session)
 - Site level API eligibility checks
 - API integration with retry logic for form submissions.
+- Optional temporary save of in-progress form data via configurable API endpoints
 
 ## 📋 Prerequisites
 - Node.js 20+
@@ -492,7 +494,9 @@ Content-Type: application/json
 The API is expected to return a JSON response with the following structure (see [govcyApiRequest.mjs](src/utils/govcyApiRequest.mjs) for normalization):
 
 **On Success:**
-```json
+```http
+HTTP/1.1 200 OK
+
 {
   "Succeeded": true,
   "ErrorCode": 0,
@@ -501,7 +505,9 @@ The API is expected to return a JSON response with the following structure (see
 ```
 
 **On Failure:**
-```json
+```http
+HTTP/1.1 200 OK
+
 {
   "Succeeded": false,
   "ErrorCode": 102,
@@ -635,7 +641,9 @@ Content-Type: application/json
 The API is expected to return a JSON response with the following structure (see [govcyApiRequest.mjs](src/utils/govcyApiRequest.mjs) for normalization):
 
 **On Success:**
-```json
+```http
+HTTP/1.1 200 OK
+
 {
   "Succeeded": true,
   "ErrorCode": 0,
@@ -647,7 +655,9 @@ The API is expected to return a JSON response with the following structure (see
 ```
 
 **On Failure:**
-```json
+```http
+HTTP/1.1 200 OK
+
 {
   "Succeeded": false,
   "ErrorCode": 102,
@@ -1412,6 +1422,192 @@ Explanation:
 - `[].concat(...)`: safely flattens a string or array into an array.
 - `.includes('value1')`: checks if the value is selected.
 
+### 💾 Temporary save
+
+The **temporary save** feature allows user progress to be stored in an external API and automatically reloaded on the next visit.  
+This is useful for long forms or cases where users may leave and return later.
+
+#### How to configure temporary save 
+To use this feature, configure the config JSON file. In your service’s `site` object, add both a `submissionGetAPIEndpoint` and `submissionPutAPIEndpoint` entry:
+
+```json
+"submissionGetAPIEndpoint": {
+  "url": "TEST_SUBMISSION_GET_API_URL",
+  "method": "GET",
+  "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
+  "serviceId": "TEST_SUBMISSION_API_SERVICE_ID"
+},
+"submissionPutAPIEndpoint": {
+  "url": "TEST_SUBMISSION_PUT_API_URL",
+  "method": "PUT",
+  "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
+  "serviceId": "TEST_SUBMISSION_API_SERVICE_ID"
+}
+```
+
+These values should point to environment variables that hold your real endpoint URLs and credentials.
+
+In your `secrets/.env` file (and staging/production configs), define the variables referenced above:
+
+```dotenv
+TEST_SUBMISSION_GET_API_URL=https://example.com/api/submissionData
+TEST_SUBMISSION_PUT_API_URL=https://example.com/api/submissionData
+TEST_SUBMISSION_API_CLIENT_KEY=12345678901234567890123456789000
+TEST_SUBMISSION_API_SERVICE_ID=123
+```
+
+#### How temporary save works
+
+- **On first page load** for a site, using the `submissionGetAPIEndpoint` the system will:
+  1. Call the GET endpoint to retrieve any saved submission.
+  2. If found, populate the session’s `inputData` so fields are pre-filled.
+  3. If not found, call the PUT endpoint to create a new temporary record.
+- **On every form POST**, after successful validation:
+  - The `submissionPutAPIEndpoint` will fire-and-forget a `PUT` request to update the saved submission with the latest form data.
+  - The payload includes all required submission fields with `submission_data` JSON-stringified.
+
+#### `submissionGetAPIEndpoint` `GET` API Request and Response
+This API is used to retrieve the saved submission data.
+
+**Request:**
+
+- **HTTP Method**: GET
+- **URL**: Resolved from the url property in your config (from the environment variable).
+- **Headers**:
+  - **Authorization**: `Bearer <access_token>` (form user's cyLogin access token)
+  - **client-key**: `<clientKey>` (from config/env)
+  - **service-id**: `<serviceId>` (from config/env)
+  - **Accept**: `text/plain`
+- **Body**: The body contains the and either:
+  - an a `null` which means no data was found for the user
+  - a JSON object with all the form data collected from the user across all pages in previous sessions.
+
+**Example Request:**
+
+```http
+GET /temp-save-get-endpoint?status=0 HTTP/1.1
+Host: localhost:3002
+Authorization: Bearer eyJhbGciOi...
+client-key: 12345678901234567890123456789000
+service-id: 123
+Accept: text/plain
+Content-Type: application/json
+```
+
+**Response:**
+
+The API is expected to return a JSON response with the following structure:
+
+**When temporary submission data are found:**
+
+```http
+HTTP/1.1 200 OK
+
+{
+    "Succeeded": true,
+    "ErrorCode": 0,
+    "ErrorMessage": null,
+    "Data": {
+        "submissionData": "{\"index\":{\"formData\":{\"certificate_select\":[\"birth\",\"permanent_residence\"]}},\"data-entry-radios\":{\"formData\":{\"mobile_select\":\"other\",\"mobileTxt\":\"+35799484967\"}}}"
+    }
+}
+```
+
+**When temporary submission data are NOT found:**
+
+```http
+HTTP/1.1 404 Not Found
+
+{
+    "Succeeded": true,
+    "ErrorCode": 0,
+    "ErrorMessage": null,
+    "Data": null
+}
+```
+
+**When temporary submission retreival fails:**
+
+```http
+HTTP/1.1 200 OK
+
+{
+    "Succeeded": false,
+    "ErrorCode": 401,
+    "ErrorMessage": "Not authorized",
+    "Data": null
+}
+```
+
+#### `submissionPutAPIEndpoint` `PUT` API Request and Response
+This API is used to temporary save the submission data.
+
+**Request:**
+
+- **HTTP Method**: PUT
+- **URL**: Resolved from the url property in your config (from the environment variable).
+- **Headers**:
+  - **Authorization**: `Bearer <access_token>` (form user's cyLogin access token)
+  - **client-key**: `<clientKey>` (from config/env)
+  - **service-id**: `<serviceId>` (from config/env)
+  - **Accept**: `text/plain`
+- **Body**: The body contains the a JSON object with all the form data collected from the user across all pages.
+
+**Example Request:**
+
+```http
+PUT /temp-save-endpoint HTTP/1.1
+Host: localhost:3002
+Authorization: Bearer eyJhbGciOi...
+client-key: 12345678901234567890123456789000
+service-id: 123
+Accept: text/plain
+Content-Type: application/json
+
+{
+  "submission_data" : "{\"index\":{\"formData\":{\"certificate_select\":[\"birth\",\"permanent_residence\"]}},\"data-entry-radios\":{\"formData\":{\"mobile_select\":\"other\",\"mobileTxt\":\"+35799484967\"}}}"
+}
+```
+
+**Response:**
+
+The API is expected to return a JSON response with the following structure:
+
+**On success:**
+
+```http
+HTTP/1.1 200 OK
+
+{
+    "Succeeded": true,
+    "ErrorCode": 0,
+    "ErrorMessage": null,
+    "Data": {
+        "submissionData": "{\"index\":{\"formData\":{\"certificate_select\":[\"birth\",\"permanent_residence\"]}},\"data-entry-radios\":{\"formData\":{\"mobile_select\":\"other\",\"mobileTxt\":\"+35799484967\"}}}"
+    }
+}
+```
+
+**On failure:**
+
+```http
+HTTP/1.1 401 Unauthorized
+
+{
+    "Succeeded": false,
+    "ErrorCode": 401,
+    "ErrorMessage": "Not authorized",
+    "Data": null
+}
+```
+
+**Notes**:
+- The response is normalized to always use PascalCase keys (`Succeeded`, `ErrorCode`, etc.), regardless of the backend’s casing.
+
+#### Temporary save backward compatibility
+If these endpoints are not defined in the service JSON, the temporary save/load logic is skipped entirely.
+Existing services will continue to work without modification.
+
 ### 🛣️ Routes
 The project uses express.js to serve the following routes:
 
@@ -1500,6 +1696,11 @@ TEST_SUBMISSION_API_CLIENT_KEY=12345678901234567890123456789000
 TEST_SUBMISSION_API_SERVIVE_ID=123
 TEST_SUBMISSION_DSF_GTW_KEY=12345678901234567890123456789000
 
+# Optional Temporary Save GET and PUT endpoint (test service)
+TEST_SUBMISSION_GET_API_URL=http://localhost:3002/getTempSubmission
+TEST_SUBMISSION_PUT_API_URL=http://localhost:3002/save
+
+
 # Eligibility checks (optional test APIs)
 TEST_ELIGIBILITY_1_API_URL=http://localhost:3002/eligibility1
 TEST_ELIGIBILITY_2_API_URL=http://localhost:3002/eligibility2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "0.2.16",
+  "version": "1.0.0-alpha.10",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",
@@ -48,12 +48,14 @@
   },
   "dependencies": {
     "@gov-cy/dsf-email-templates": "^2.1.0",
-    "@gov-cy/govcy-frontend-renderer": "^1.18.0",
+    "@gov-cy/govcy-frontend-renderer": "^1.21.0",
     "axios": "^1.9.0",
     "cookie-parser": "^1.4.7",
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
     "express-session": "^1.17.3",
+    "form-data": "^4.0.4",
+    "multer": "^2.0.2",
     "openid-client": "^6.3.4",
     "puppeteer": "^24.6.0"
   },

package/src/index.mjs

@@ -23,6 +23,10 @@ import { serviceConfigDataMiddleware } from './middleware/govcyConfigSiteData.mj
 import { govcyManifestHandler } from './middleware/govcyManifestHandler.mjs';
 import { govcyRoutePageHandler } from './middleware/govcyRoutePageHandler.mjs';
 import { govcyServiceEligibilityHandler } from './middleware/govcyServiceEligibilityHandler.mjs';
+import { govcyLoadSubmissionData } from './middleware/govcyLoadSubmissionData.mjs';
+import { govcyFileUpload } from './middleware/govcyFileUpload.mjs';
+import { govcyFileDeletePageHandler, govcyFileDeletePostHandler } from './middleware/govcyFileDeleteHandler.mjs';
+import { govcyFileViewHandler } from './middleware/govcyFileViewHandler.mjs';
 import { isProdOrStaging , getEnvVariable, whatsIsMyEnvironment } from './utils/govcyEnvVariables.mjs';
 import { logger } from "./utils/govcyLogger.mjs";
 
@@ -127,12 +131,20 @@ export default function initializeGovCyExpressService(){
 
   // 📝 -- ROUTE: Serve manifest.json dynamically for each site
   app.get('/:siteId/manifest.json', serviceConfigDataMiddleware, govcyManifestHandler());
+
+  // 🗃️ -- ROUTE: Handle POST requests for file uploads for a page. 
+  app.post('/apis/:siteId/:pageUrl/upload', 
+    serviceConfigDataMiddleware, 
+    requireAuth, // UNCOMMENT 
+    naturalPersonPolicy, // UNCOMMENT 
+    govcyServiceEligibilityHandler(true), // UNCOMMENT 
+    govcyFileUpload);
   
   // 🏠 -- ROUTE: Handle route with only siteId (/:siteId or /:siteId/)
-  app.get('/:siteId', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true),govcyPageHandler(), renderGovcyPage());
+  app.get('/:siteId', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true),govcyLoadSubmissionData(),govcyPageHandler(), renderGovcyPage());
   
   // 👀 -- ROUTE: Add Review Page Route (BEFORE the dynamic route)
-  app.get('/:siteId/review',serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyReviewPageHandler(), renderGovcyPage());
+  app.get('/:siteId/review',serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(),govcyLoadSubmissionData(), govcyReviewPageHandler(), renderGovcyPage());
   
   // ✅📄 -- ROUTE: Add Success PDF Route (BEFORE the dynamic route)
   app.get('/:siteId/success/pdf',serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcySuccessPageHandler(true), govcyPDFRender());
@@ -140,8 +152,17 @@ export default function initializeGovCyExpressService(){
   // ✅ -- ROUTE: Add Success Page Route (BEFORE the dynamic route)
   app.get('/:siteId/success',serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcySuccessPageHandler(), renderGovcyPage());
   
+  // 👀🗃️ -- ROUTE: View file (BEFORE the dynamic route)
+  app.get('/:siteId/:pageUrl/view-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyFileViewHandler());
+
+  // ❌🗃️ -- ROUTE: Delete file (BEFORE the dynamic route)
+  app.get('/:siteId/:pageUrl/delete-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyFileDeletePageHandler(), renderGovcyPage());
+  
   // 📝 -- ROUTE: Dynamic route to render pages based on siteId and pageUrl, using govcyPageHandler middleware
-  app.get('/:siteId/:pageUrl', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyPageHandler(), renderGovcyPage());
+  app.get('/:siteId/:pageUrl', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyLoadSubmissionData(), govcyPageHandler(), renderGovcyPage());
+  
+  // ❌🗃️📥 -- ROUTE: Handle POST requests for delete file
+  app.post('/:siteId/:pageUrl/delete-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyFileDeletePostHandler());
   
   // 📥 -- ROUTE: Handle POST requests for review page. The `submit` action
   app.post('/:siteId/review', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyReviewPostHandler());
@@ -149,7 +170,6 @@ export default function initializeGovCyExpressService(){
   // 👀📥 -- ROUTE: Handle POST requests (Form Submissions) based on siteId and pageUrl, using govcyFormsPostHandler middleware
   app.post('/:siteId/:pageUrl', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyFormsPostHandler());
   
-  
   // post for /:siteId/review
   
   // 🔹 Catch 404 errors (must be after all routes)

package/src/middleware/cyLoginAuth.mjs

@@ -7,6 +7,8 @@
 import { getLoginUrl, handleCallback, getLogoutUrl } from '../auth/cyLoginAuth.mjs';
 import { logger } from "../utils/govcyLogger.mjs";
 import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { errorResponse } from "../utils/govcyApiResponse.mjs"; 
+import { isApiRequest } from '../utils/govcyApiDetection.mjs';
 
 /**
  * Middleware to check if the user is authenticated. If not, redirect to the login page.
@@ -17,6 +19,12 @@ import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
  */
 export function requireAuth(req, res, next) {
     if (!req.session.user) {
+        if (isApiRequest(req)) {
+            const err = new Error("Unauthorized: user not authenticated");
+            err.status = 401;
+            return next(err);
+        }
+
         // Store the original URL before redirecting to login
         req.session.redirectAfterLogin = req.originalUrl;
         return res.redirect('/login');

package/src/middleware/govcyCsrf.mjs

@@ -1,5 +1,8 @@
 
 import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { errorResponse } from '../utils/govcyApiResponse.mjs';
+import { isApiRequest } from '../utils/govcyApiDetection.mjs';
+
 /**
  * Middleware to handle CSRF token generation and validation.
  * 
@@ -14,7 +17,18 @@ export function govcyCsrfMiddleware(req, res, next) {
   }
 
   req.csrfToken = () => req.session.csrfToken;
-
+  
+  if (
+    req.method === 'POST' &&
+    req.headers['content-type']?.includes('multipart/form-data') &&
+    isApiRequest(req)) {
+    const tokenFromHeader = req.get('X-CSRF-Token');
+    // UNCOMMENT
+    if (!tokenFromHeader || tokenFromHeader !== req.session.csrfToken) {
+      return res.status(400).json(errorResponse(403, 'Invalid CSRF token'));
+    }
+    return next();
+  } 
   // Check token on POST requests
   if (req.method === 'POST') {
     const tokenFromBody = req.body._csrf;

package/src/middleware/govcyFileDeleteHandler.mjs

@@ -0,0 +1,238 @@
+import * as govcyResources from "../resources/govcyResources.mjs";
+import * as dataLayer from "../utils/govcyDataLayer.mjs";
+import { logger } from "../utils/govcyLogger.mjs";
+import { pageContainsFileInput } from "../utils/govcyHandleFiles.mjs";
+import { whatsIsMyEnvironment } from '../utils/govcyEnvVariables.mjs';
+import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { getPageConfigData } from "../utils/govcyLoadConfigData.mjs";
+import { evaluatePageConditions } from "../utils/govcyExpressions.mjs";
+import { URL } from "url";
+
+
+/**
+ * Middleware to handle the delete file page.
+ * This middleware processes the delete file page, populates the question, and shows validation errors.
+ */
+export function govcyFileDeletePageHandler() {
+    return (req, res, next) => {
+        try {
+            const { siteId, pageUrl, elementName } = req.params;
+
+            // Create a deep copy of the service to avoid modifying the original
+            let serviceCopy = req.serviceData;
+
+            // ⤵️ Find the current page based on the URL
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // deep copy the page template to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // ✅ Skip this POST handler if the page's conditions evaluate to true (redirect away)
+            const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            if (conditionResult.result === false) {
+                logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+                return res.redirect(govcyResources.constructPageUrl(siteId, conditionResult.redirect));
+            }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+
+            // Validate if the file input has a label
+            if (!fileInputElement?.params?.label) {
+                return handleMiddlewareError(`File input [${elementName}] does not have a label`, 404, next);
+            }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
+            // Deep copy page title (so we don’t mutate template)
+            const pageTitle = JSON.parse(JSON.stringify(govcyResources.staticResources.text.deleteFileTitle));
+
+            // Replace label placeholders on page title
+            for (const lang of Object.keys(pageTitle)) {
+                const labelForLang = fileInputElement.params.label[lang] || fileInputElement.params.label.el || "";
+                pageTitle[lang] = pageTitle[lang].replace("{{file}}", labelForLang);
+            }
+
+
+            // Deep copy renderer pageData from
+            let pageData = JSON.parse(JSON.stringify(govcyResources.staticResources.rendererPageData));
+
+            // Handle isTesting 
+            pageData.site.isTesting = (whatsIsMyEnvironment() === "staging");
+
+            // Base page template structure
+            let pageTemplate = {
+                sections: [
+                    {
+                        name: "beforeMain",
+                        elements: [govcyResources.staticResources.elements.backLink]
+                    }
+                ]
+            };
+
+            // Construct page title
+            const pageRadios = {
+                element: "radios",
+                params: {
+                    id: "deleteFile",
+                    name: "deleteFile",
+                    legend: pageTitle,
+                    isPageHeading: true,
+                    classes: "govcy-mb-6",
+                    items: [
+                        {
+                            value: "yes",
+                            text: govcyResources.staticResources.text.deleteYesOption
+                        },
+                        {
+                            value: "no",
+                            text: govcyResources.staticResources.text.deleteNoOption
+                        }
+                    ]
+
+                }
+            };
+            //-------------
+
+            // Construct submit button
+            const formElement = {
+                element: "form",
+                params: {
+                    action: govcyResources.constructPageUrl(siteId, `${pageUrl}/delete-file/${elementName}`, (req.query.route === "review" ? "review" : "")),
+                    method: "POST",
+                    elements: [
+                        pageRadios,
+                        {
+                            element: "button",
+                            params: {
+                                type: "submit",
+                                text: govcyResources.staticResources.text.continue
+                            }
+                        },
+                        govcyResources.csrfTokenInput(req.csrfToken())
+                    ]
+                }
+            };
+
+            // --------- Handle Validation Errors ---------
+            // Check if validation errors exist in the request
+            const validationErrors = [];
+            let mainElements = [];
+            if (req?.query?.hasError) {
+                validationErrors.push({
+                    link: '#deleteFile-option-1',
+                    text: govcyResources.staticResources.text.deleteFileValidationError
+                });
+                mainElements.push(govcyResources.errorSummary(validationErrors));
+                formElement.params.elements[0].params.error = govcyResources.staticResources.text.deleteFileValidationError;
+            }
+            //--------- End Handle Validation Errors ---------
+
+            // Add elements to the main section, the H1, summary list, the submit button and the JS
+            mainElements.push(formElement, govcyResources.staticResources.elements["govcyFormsJs"]);
+            // Append generated summary list to the page template
+            pageTemplate.sections.push({ name: "main", elements: mainElements });
+
+            //if user is logged in add he user bane section in the page template
+            if (dataLayer.getUser(req.session)) {
+                pageTemplate.sections.push(govcyResources.userNameSection(dataLayer.getUser(req.session).name)); // Add user name section
+            }
+
+            //prepare pageData
+            pageData.site = serviceCopy.site;
+            pageData.pageData.title = pageTitle;
+
+            // Attach processed page data to the request
+            req.processedPage = {
+                pageData: pageData,
+                pageTemplate: pageTemplate
+            };
+            logger.debug("Processed delete file page data:", req.processedPage);
+            next();
+        } catch (error) {
+            return next(error); // Pass error to govcyHttpErrorHandler
+        }
+    };
+}
+
+
+/**
+ * Middleware to handle delete file post form processing
+ * This middleware processes the post, validates the form and handles the file data layer
+ */
+export function govcyFileDeletePostHandler() {
+    return (req, res, next) => {
+        try {
+            // Extract siteId and pageUrl from request
+            let { siteId, pageUrl, elementName } = req.params;
+
+            // get service data
+            let serviceCopy = req.serviceData;
+
+            // 🔍 Find the page by pageUrl
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // Deep copy pageTemplate to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // Check if the page has conditions and apply logic
+            const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            if (conditionResult.result === false) {
+                logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+                return res.redirect(govcyResources.constructPageUrl(siteId, conditionResult.redirect));
+            }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+            // the page base return url
+            const pageBaseReturnUrl = `http://localhost:3000/${siteId}/${pageUrl}`;
+
+            //check if input `deleteFile` has a value
+            if (!req?.body?.deleteFile ||
+                (req.body.deleteFile !== "yes" && req.body.deleteFile !== "no")) {
+                logger.debug("⛔️ No deleteFile value provided on POST — skipping form save and redirecting:", req.body);
+                //construct the page url with error 
+                let myUrl = new URL(pageBaseReturnUrl + `/delete-file/${elementName}`);
+                //check if the route is review
+                if (req.query.route === "review") {
+                    myUrl.searchParams.set("route", "review");
+                }
+                //set the error flag
+                myUrl.searchParams.set("hasError", "1");
+
+                //redirect to the same page with error summary (relative path)
+                return res.redirect(govcyResources.constructErrorSummaryUrl(myUrl.pathname + myUrl.search));
+            }
+
+            //if no validation errors
+            if (req.body.deleteFile === "yes") {
+                dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+            }
+            // construct the page url
+            let myUrl = new URL(pageBaseReturnUrl);
+            //check if the route is review
+            if (req.query.route === "review") {
+                myUrl.searchParams.set("route", "review");
+            }
+
+            // redirect to the page (relative path)
+            res.redirect(myUrl.pathname + myUrl.search);
+        } catch (error) {
+            return next(error);  // Pass error to govcyHttpErrorHandler
+        }
+    };
+}

package/src/middleware/govcyFileUpload.mjs

@@ -0,0 +1,36 @@
+import multer from 'multer';
+import { logger } from '../utils/govcyLogger.mjs';
+import { successResponse, errorResponse } from '../utils/govcyApiResponse.mjs';
+import { ALLOWED_MULTER_FILE_SIZE_MB } from "../utils/govcyConstants.mjs";
+import { handleFileUpload } from "../utils/govcyHandleFiles.mjs";
+
+// Configure multer to store the file in memory (not disk) and limit the size to 10MB
+const upload = multer({
+    storage: multer.memoryStorage(),
+    limits: { fileSize: ALLOWED_MULTER_FILE_SIZE_MB * 1024 * 1024 } // 10MB
+});
+
+
+
+
+export const govcyFileUpload = [
+    upload.single('file'), // multer parses the uploaded file and stores it in req.file
+
+    async function govcyUploadHandler(req, res) {
+        const result = await handleFileUpload({
+            service: req.serviceData,
+            store: req.session,
+            siteId: req.params.siteId,
+            pageUrl: req.params.pageUrl,
+            elementName: req.body?.elementName,
+            file: req.file
+        });
+
+        if (result.status !== 200) {
+            logger.error("Upload failed", result);
+            return res.status(result.status).json(errorResponse(result.dataStatus, result.errorMessage || 'File upload failed'));
+        }
+
+        return res.json(successResponse(result.data));
+    }
+];