@gov-cy/govcy-express-services 1.0.0-alpha.1 → 1.0.0-alpha.11

package/src/utils/govcyHandleFiles.mjs

@@ -0,0 +1,307 @@
+import FormData from 'form-data';
+import { getPageConfigData } from "./govcyLoadConfigData.mjs";
+import { evaluatePageConditions } from "./govcyExpressions.mjs";
+import { getEnvVariable, getEnvVariableBool } from "./govcyEnvVariables.mjs";
+import { ALLOWED_FILE_MIME_TYPES, ALLOWED_FILE_SIZE_MB } from "./govcyConstants.mjs";
+import { govcyApiRequest } from "./govcyApiRequest.mjs";
+import * as dataLayer from "./govcyDataLayer.mjs";
+import { logger } from './govcyLogger.mjs'; 
+
+/**
+ * Handles the logic for uploading a file to the configured Upload API.
+ * Does not send a response — just returns a standard object to be handled by middleware.
+ *
+ * @param {object} opts - Input parameters
+ * @param {object} opts.service - The service config object
+ * @param {object} opts.store - Session store (req.session)
+ * @param {string} opts.siteId - Site ID
+ * @param {string} opts.pageUrl - Page URL
+ * @param {string} opts.elementName - Name of file input
+ * @param {object} opts.file - File object from multer (req.file)
+ * @returns {Promise<{ status: number, data?: object, errorMessage?: string }>}
+ */
+export async function handleFileUpload({ service, store, siteId, pageUrl, elementName, file }) {
+  try {
+    // Validate essentials
+    // Early exit if key things are missing
+    if (!file || !elementName) {
+      return {
+        status: 400,
+        dataStatus: 400,
+        errorMessage: 'Missing file or element name'
+      };
+    }
+
+    // Get the upload configuration
+    const uploadCfg = service?.site?.fileUploadAPIEndpoint;
+    // Check if upload configuration is available
+    if (!uploadCfg?.url || !uploadCfg?.clientKey || !uploadCfg?.serviceId) {
+      return {
+        status: 400,
+        dataStatus: 401,
+        errorMessage: 'Missing upload configuration'
+      };
+    }
+
+    // Environment vars
+    const allowSelfSignedCerts = getEnvVariableBool("ALLOW_SELF_SIGNED_CERTIFICATES", false);
+    let url = getEnvVariable(uploadCfg.url || "", false);
+    const clientKey = getEnvVariable(uploadCfg.clientKey || "", false);
+    const serviceId = getEnvVariable(uploadCfg.serviceId || "", false);
+    const dsfGtwKey = getEnvVariable(uploadCfg?.dsfgtwApiKey || "", "");
+    const method = (uploadCfg?.method || "PUT").toLowerCase();
+
+     // Check if the upload API is configured correctly
+    if (!url || !clientKey) {
+      return {
+        status: 400,
+        dataStatus: 402,
+        errorMessage: 'Missing environment variables for upload'
+      };
+    }
+
+    // Construct the URL with tag being the elementName
+    const tag = encodeURIComponent(elementName.trim());
+    url += `/${tag}`;
+
+    // Get the page configuration using utility (safely extracts the correct page)
+    const page = getPageConfigData(service, pageUrl);
+    // Check if the page template is valid
+    if (!page?.pageTemplate) {
+      return {
+        status: 400,
+        dataStatus: 403,
+        errorMessage: 'Invalid page configuration'
+      };
+    }
+
+    // ----- Conditional logic comes here
+    // Respect conditional logic: If the page is skipped due to conditions, abort
+    const conditionResult = evaluatePageConditions(page, store, siteId);
+    if (conditionResult.result === false) {
+      return {
+        status: 403,
+        dataStatus: 404,
+        errorMessage: 'This page is skipped by conditional logic'
+      };
+    }
+
+    // deep copy the page template to avoid modifying the original
+    const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+    // Validate the field: Only allow upload if the page contains a fileInput with the given name
+    const isAllowed = pageContainsFileInput(pageTemplateCopy, elementName);
+    if (!isAllowed) {
+      return {
+        status: 403,
+        dataStatus: 405,
+        errorMessage: `File input [${elementName}] not allowed on this page`
+      };
+    }
+
+    // Empty file check
+    if (file.size === 0) {
+      return {
+        status: 400,
+        dataStatus: 406,
+        errorMessage: 'Uploaded file is empty'
+      };
+    }
+
+    // file type checks
+    // 1. Check declared mimetype
+    if (!ALLOWED_FILE_MIME_TYPES.includes(file.mimetype)) {
+        return {
+            status: 400,
+            dataStatus: 407,
+            errorMessage: 'Invalid file type (MIME not allowed)'
+        };
+    }
+
+    // 2. Check actual file content (magic bytes) matches claimed MIME type
+    if (!isMagicByteValid(file.buffer, file.mimetype)) {
+        return {
+            status: 400,
+            dataStatus: 408,
+            errorMessage: 'Invalid file type (magic byte mismatch)'
+        };
+    }
+
+    // File size check
+    if (file.size > ALLOWED_FILE_SIZE_MB * 1024 * 1024) {
+      return {
+        status: 400,
+        dataStatus: 409,
+        errorMessage: 'File exceeds allowed size'
+      };
+    }
+
+    // Prepare FormData
+    const form = new FormData();
+    form.append('file', file.buffer, {
+      filename: file.originalname,
+      contentType: file.mimetype,
+    });
+    
+    logger.debug("Prepared FormData with file:", {
+        filename: file.originalname,
+        mimetype: file.mimetype,
+        size: file.size
+    });
+
+    // Get the user
+    const user = dataLayer.getUser(store);
+    // Perform the upload request
+    const response = await govcyApiRequest(
+      method,
+      url,
+      form,
+      true,
+      user,
+      {
+        accept: "text/plain",
+        "client-key": clientKey,
+        "service-id": serviceId,
+        ...(dsfGtwKey !== "" && { "dsfgtw-api-key": dsfGtwKey })
+      },
+      3,
+      allowSelfSignedCerts
+    );
+
+    // If not succeeded, handle error
+    if (!response?.Succeeded) {
+      return {
+        status: 500,
+        dataStatus: 410,
+        errorMessage: `${response?.ErrorCode} - ${response?.ErrorMessage} - fileUploadAPIEndpoint returned succeeded false`
+      };
+    }
+
+    // Check if the response contains the expected data
+    if (!response?.Data?.fileId || !response?.Data?.sha256) {
+      return {
+        status: 500,
+        dataStatus: 411,
+        errorMessage: 'Missing fileId or sha256 in response'
+      };
+    }
+
+    // ✅ Success
+    // Store the file metadata in the session store
+    // unneeded handle of `Attachment` at the end
+    // dataLayer.storePageDataElement(store, siteId, pageUrl, elementName+"Attachment", {
+    dataLayer.storePageDataElement(store, siteId, pageUrl, elementName, {
+      sha256: response.Data.sha256,
+      fileId: response.Data.fileId,
+    });
+    logger.debug("File upload successful", response.Data);
+    logger.info(`File uploaded successfully for element ${elementName} on page ${pageUrl} for site ${siteId}`);
+    return {
+      status: 200,
+      data: {
+        sha256: response.Data.sha256,
+        filename: response.Data.fileName || '',
+        fileId: response.Data.fileId,
+        mimeType: response.Data.contentType || '',
+        fileSize: response.Data?.fileSize || ''
+      }
+    };
+
+  } catch (err) {
+    return {
+      status: 500,
+      dataStatus: 500,
+      errorMessage: 'Upload failed' + (err.message ? `: ${err.message}` : ''),
+    };
+  }
+}
+
+//--------------------------------------------------------------------------
+// Helper Functions
+/**
+ * Recursively checks whether any element (or its children) is a fileInput
+ * with the matching elementName.
+ *
+ * Supports:
+ * - Top-level fileInput
+ * - Nested `params.elements` (used in groups, conditionals, etc.)
+ * - Conditional radios/checkboxes with `items[].conditionalElements`
+ * 
+ * @param {Array} elements - The array of elements to search
+ * @param {string} targetName - The name of the file input to check
+ * @returns {boolean} True if a matching fileInput is found, false otherwise
+ */
+function containsFileInput(elements = [], targetName) {
+  for (const el of elements) {
+    // ✅ Direct file input match
+    if (el.element === 'fileInput' && el.params?.name === targetName) {
+      return el;
+    }
+    // 🔁 Recurse into nested elements (e.g. groups, conditionals)
+    if (Array.isArray(el?.params?.elements)) {
+      const nestedMatch = containsFileInput(el.params.elements, targetName);
+      if (nestedMatch) return nestedMatch; // ← propagate the found element
+    }
+
+    // 🎯 Special case: conditional radios/checkboxes
+    if (
+      (el.element === 'radios' || el.element === 'checkboxes') &&
+      Array.isArray(el?.params?.items)
+    ) {
+      for (const item of el.params.items) {
+        if (Array.isArray(item?.conditionalElements)) {
+          const match = containsFileInput(item.conditionalElements, targetName);
+          if (match) return match; // ← propagate the found element
+        }
+      }
+    }
+  }
+  return false;
+}
+
+/**
+ * Checks whether the specified page contains a valid fileInput for this element ID
+ * under any <form> element in its sections
+ * 
+ * @param {object} pageTemplate The page template object
+ * @param {string} elementName The name of the element to check
+ * @return {boolean} True if a fileInput exists, false otherwise
+ */
+export function pageContainsFileInput(pageTemplate, elementName) {
+  const sections = pageTemplate?.sections || [];
+
+  for (const section of sections) {
+    for (const el of section?.elements || []) {
+      if (el.element === 'form') {
+        const match = containsFileInput(el.params?.elements, elementName);
+        if (match) {
+          return match; // ← return the actual element
+        }
+      }
+    }
+  }
+
+  return null; // no match found
+}
+
+
+/**
+ * Validates magic bytes against expected mimetype
+ * @param {Buffer} buffer 
+ * @param {string} mimetype 
+ * @returns {boolean}
+ */
+export function isMagicByteValid(buffer, mimetype) {
+  const signatures = {
+    'application/pdf':      [0x25, 0x50, 0x44, 0x46],                // %PDF
+    'image/png':            [0x89, 0x50, 0x4E, 0x47],                // PNG
+    'image/jpeg':           [0xFF, 0xD8, 0xFF],                      // JPG/JPEG
+    'application/vnd.openxmlformats-officedocument.wordprocessingml.document': [0x50, 0x4B, 0x03, 0x04], // DOCX
+    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet': [0x50, 0x4B, 0x03, 0x04],       // XLSX
+  };
+
+  const expected = signatures[mimetype];
+  if (!expected) return false; // unknown type
+
+  const actual = Array.from(buffer.slice(0, expected.length));
+  return expected.every((byte, i) => actual[i] === byte);
+}

package/src/utils/govcyLoadSubmissionDataAPIs.mjs

@@ -73,7 +73,8 @@ export async function govcyLoadSubmissionDataAPIs(store, service, siteId, next)
                     ...(getCfgDsfGtwApiKey !== '' && { "dsfgtw-api-key": getCfgDsfGtwApiKey }) // Use the DSF API GTW secret from environment variables
                 },
                 3,
-                allowSelfSignedCerts
+                allowSelfSignedCerts,
+                [200, 404] // Allowed HTTP status codes
             );
 
             // If not succeeded, handle error
@@ -88,7 +89,9 @@ export async function govcyLoadSubmissionDataAPIs(store, service, siteId, next)
                 dataLayer.storeSiteLoadData(store, siteId, getResponse.Data);
 
                 try {
-                    const parsed = JSON.parse(getResponse.Data.submissionData || "{}");
+                    const parsed = JSON.parse(getResponse.Data.submissionData
+                        || getResponse.Data.submission_data 
+                        || "{}");
                     if (parsed && typeof parsed === "object") {
                         dataLayer.storeSiteInputData(store, siteId, parsed);
                         logger.debug(`💾 Input data restored from saved submission for siteId: ${siteId}`);
@@ -99,11 +102,15 @@ export async function govcyLoadSubmissionDataAPIs(store, service, siteId, next)
 
             // if not call the PUT submission API
             } else {
+                const tempPutPayload = {
+                    // submission_data: JSON.stringify({}),
+                    submissionData: JSON.stringify({})
+                };
                 // If no data, call the PUT submission API to create it
                 const putResponse = await govcyApiRequest(
                     putCfgMethod,
                     putCfgUrl,
-                    putCfgParams,
+                    tempPutPayload,
                     true, // use access token auth
                     user,
                     { 

package/src/utils/govcySubmitData.mjs

@@ -66,6 +66,12 @@ export function prepareSubmissionData(req, siteId, service) {
             // Store in submissionData
             submissionData[pageUrl].formData[elId] = value;
 
+            // handle fileInput
+            if (elType === "fileInput") {
+                // change the name of the key to include "Attachment" at the end but not have the original key
+                submissionData[pageUrl].formData[elId + "Attachment"] = value;
+                delete submissionData[pageUrl].formData[elId];
+            }
 
             // 🔄 If radios with conditionalElements, walk ALL options
             if (elType === "radios" && Array.isArray(element.params?.items)) {
@@ -85,6 +91,12 @@ export function prepareSubmissionData(req, siteId, service) {
 
                         // Store even if the field was not visible to user
                         submissionData[pageUrl].formData[condId] = condValue;
+                        // handle fileInput
+                        if (condType === "fileInput") {
+                            // change the name of the key to include "Attachment" at the end but not have the original key
+                            submissionData[pageUrl].formData[condId + "Attachment"] = condValue;
+                            delete submissionData[pageUrl].formData[condId];
+                        }
                     }
                 }
             }
@@ -291,6 +303,10 @@ function getValue(formElement, pageUrl, req, siteId) {
     let value = ""
     if (formElement.element === "dateInput") {
         value = getDateInputISO(pageUrl, formElement.params.name, req, siteId);
+    } else if (formElement.element === "fileInput") {
+        // unneeded handle of `Attachment` at the end
+        // value = dataLayer.getFormDataValue(req.session, siteId, pageUrl, formElement.params.name + "Attachment");
+        value = dataLayer.getFormDataValue(req.session, siteId, pageUrl, formElement.params.name);
     } else {
         value = dataLayer.getFormDataValue(req.session, siteId, pageUrl, formElement.params.name);
     }
@@ -340,6 +356,17 @@ function getValueLabel(formElement, value, pageUrl, req, siteId, service) {
         return govcyResources.getSameMultilingualObject(service.site.languages, formattedDate);
     }
 
+    // handle fileInput
+    if (formElement.element === "fileInput") {
+        // TODO: Ask Andreas how to handle empty file inputs 
+        if (value) {
+            return govcyResources.staticResources.text.fileUploaded;
+        } else {
+            return govcyResources.getSameMultilingualObject(service.site.languages, "");
+            // return govcyResources.staticResources.text.fileNotUploaded;
+        }
+    }
+
     // textInput, textArea, etc.
     return govcyResources.getSameMultilingualObject(service.site.languages, value);
 }
@@ -410,6 +437,33 @@ export function generateReviewSummary(submissionData, req, siteId, showChangeLin
         };
     }
 
+    /**
+     * Helper function to create a summary list item for file links.
+     * @param {object} key the key of multilingual object
+     * @param {string} value the value
+     * @param {string} siteId the site id
+     * @param {string} pageUrl the page url
+     * @param {string} elementName the element name
+     * @returns {object} the summary list item with file link
+    */
+    function createSummaryListItemFileLink(key, value, siteId, pageUrl, elementName) {
+        return {
+            "key": key,
+            "value": [
+                {
+                    "element": "htmlElement",
+                    "params": {
+                        "text": { 
+                            "en": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.en}<span class="govcy-visually-hidden"> ${key?.en || ""}</span></a>`, 
+                            "el": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.el}<span class="govcy-visually-hidden"> ${key?.el || ""}</span></a>`, 
+                            "tr": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.tr}<span class="govcy-visually-hidden"> ${key?.tr || ""}</span></a>` 
+                        }
+                    }
+                }
+            ]
+        };
+    }
+
     
 
 
@@ -425,8 +479,14 @@ export function generateReviewSummary(submissionData, req, siteId, showChangeLin
         for (const field of fields) {
             const label = field.label;
             const valueLabel = getSubmissionValueLabelString(field.valueLabel, req.globalLang);
-            // add the field to the summary entry
-            summaryListInner.params.items.push(createSummaryListItem(label, valueLabel));
+            // --- HACK --- to see if this is a file element
+            // check if field.value is an object with `sha256` and `fileId` properties
+            if (typeof field.value === "object" && field.value.hasOwnProperty("sha256") && field.value.hasOwnProperty("fileId") && showChangeLinks) {
+                summaryListInner.params.items.push(createSummaryListItemFileLink(label, valueLabel, siteId, pageUrl, field.name));
+            } else {
+                // add the field to the summary entry
+                summaryListInner.params.items.push(createSummaryListItem(label, valueLabel));
+            }
         }
 
         // Add inner summary list to the main summary list

package/src/utils/govcyTempSave.mjs

@@ -27,7 +27,8 @@ export async function tempSaveIfConfigured(store, service, siteId) {
   const inputData = dataLayer.getSiteInputData(store, siteId) || {};
   const tempPayload = {
     // mirror final submission format: send stringified JSON
-    submission_data: JSON.stringify(inputData)
+    // submission_data: JSON.stringify(inputData),
+    submissionData: JSON.stringify(inputData)
   };
 
   if (!url || !clientKey) {

package/src/utils/govcyValidator.mjs

@@ -263,6 +263,9 @@ export function validateFormElements(elements, formData, pageUrl) {
         formData[`${field.params.name}_day`]]
           .filter(Boolean) // Remove empty values
           .join("-") // Join remaining parts
+        // unneeded handle of `Attachment` at the end
+        // : (field.element === "fileInput") // Handle fileInput
+        //   ? formData[`${field.params.name}Attachment`] || ""
         : formData[field.params.name] || ""; // Get submitted value
 
       //Autocheck: check for "checkboxes", "radios", "select" if `fieldValue` is one of the `field.params.items
@@ -310,6 +313,10 @@ export function validateFormElements(elements, formData, pageUrl) {
                   formData[`${conditionalElement.params.name}_day`]]
                     .filter(Boolean) // Remove empty values
                     .join("-") // Join remaining parts
+                  : (conditionalElement.element === "fileInput") // Handle fileInput
+                      // unneeded handle of `Attachment` at the end
+                      // ? formData[`${conditionalElement.params.name}Attachment`] || ""
+                      ? formData[`${conditionalElement.params.name}`] || ""
                   : formData[conditionalElement.params.name] || ""; // Get submitted value
 
                 //Autocheck: check for "checkboxes", "radios", "select" if `fieldValue` is one of the `field.params.items`