@gov-cy/govcy-express-services 1.0.0-alpha.17 → 1.0.0-alpha.19

package/README.md

@@ -326,6 +326,13 @@ Here is an example JSON config:
       "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID",
       "dsfgtwApiKey": "TEST_SUBMISSION_DSF_GTW_KEY"
     },
+    "fileDeleteAPIEndpoint": {     //<-- File delete API endpoint
+      "url": "TEST_DELETE_FILE_API_URL",
+      "method": "DELETE",
+      "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
+      "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID",
+      "dsfgtwApiKey": "TEST_SUBMISSION_DSF_GTW_KEY"
+    },
     "eligibilityAPIEndpoints": [     //<-- Eligibility API endpoints
       {
         "url": "TEST_ELIGIBILITY_2_API_URL",
@@ -696,6 +703,7 @@ Here are some details explaining the JSON structure:
   - `submissionPutAPIEndpoint`: The submission put API endpoint, to be used for temporary saving the submission data. See more on the [temporary save feature](#-temporary-save-feature) section below.
   - `fileUploadAPIEndpoint`: The file upload API endpoint, to be used for uploading files. See more on the [file upload feature](#%EF%B8%8F-files-uploads-feature) section below.
   - `fileDownloadAPIEndpoint`: The file download API endpoint, to be used for downloading files. See more on the [file upload feature](#%EF%B8%8F-files-uploads-feature) section below.
+  - `fileDeleteAPIEndpoint`: The file delete API endpoint, to be used for deleting files. See more on the [file upload feature](#%EF%B8%8F-files-uploads-feature) section below.
 - `pages` array: An array of page objects, each representing a page in the site. 
     - `pageData` object: Contains the metadata to be rendered on the page. See [govcy-frontend-renderer](https://github.com/gov-cy/govcy-frontend-renderer/tree/main#site-and-page-meta-data-explained) for more details
       - `nextPage`: The URL of the next page to be rendered after the user clicks the `continue` button.
@@ -1263,7 +1271,7 @@ The data is collected from the form elements and the data layer and are sent via
   "submissionDataVersion": "0.1",         // Submission data version
   "submissionData": {                      // Submission raw data. Object, will be stringified
     "index": {                              // Page level
-      "id_select": ["id", "arc"],           // field level. Could be string or array
+      "id_select": ["id", "arc"],           // field level: checkboxes are ALWAYS arrays (may be []); radios/select/text are strings
       "id_number": "654654",
       "arc_number": "",
       "aka": "232323",
@@ -1516,8 +1524,8 @@ The data is collected from the form elements and the data layer and are sent via
             "el": "Ταυτοποίηση",
             "en": "Identification"
           },
-          "value": ["id", "arc"],          // Field value. Could be string or array
-          "valueLabel": [                       // Field value label. Could be string or array
+          "value": ["id", "arc"],          // Field value. // field level: checkboxes are ALWAYS arrays (may be []); radios/select/text are strings
+          "valueLabel": [                       // Field value label
             {
               "el": "Ταυτότητα",
               "en": "ID",
@@ -2168,7 +2176,7 @@ The [💾 Temporary save feature](#-temporary-save-feature) must be enabled for
 
 
 #### How to enable and configure file uploads 
-To use this feature, configure the config JSON file. In your service’s `site` object, add both a `fileUploadAPIEndpoint` and `fileDownloadAPIEndpoint` entry:
+To use this feature, configure the config JSON file. In your service’s `site` object, add a `fileUploadAPIEndpoint`, `fileDownloadAPIEndpoint`and `fileDeleteAPIEndpoint` entry:
 
 ```json
 "fileUploadAPIEndpoint": {
@@ -2182,6 +2190,12 @@ To use this feature, configure the config JSON file. In your service’s `site`
   "method": "GET",
   "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
   "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID"
+},
+"fileDeleteAPIEndpoint": {
+  "url": "TEST_DELETE_FILE_API_URL",
+  "method": "DELETE",
+  "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
+  "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID"
 }
 ```
 
@@ -2301,7 +2315,10 @@ Here is a sample code section of a page definition with a file input field:
 - **When clinking `view`**: 
   - The file is downloaded using the `fileDownloadAPIEndpoint` and opened in a new tab.
 - **When clinking `delete`**:
-  - A confimation page is displayed asking the user to confirm the deletion. If the user confirms, the file is deleted from the data layer and the `fileView` element is removed from the page.
+  - A confimation page is displayed asking the user to confirm the deletion. If the user confirms (clicks `Yes`):
+    - The file is deleted using the `fileDeleteAPIEndpoint`
+    - The file is deleted from the data layer and the `fileView` element is removed from the page.
+    - If the same file is used on another page (with the same `fileId` and `sha256`), they are also removed from the data layer
 - **On the `review` page after upload**:
   - The element is displayed with a link to `View file`. A `Change` link is also displayed for the whole page.
 - **On the `success` page and email after upload**:
@@ -2441,6 +2458,65 @@ HTTP/1.1 404 Not Found
 }
 ```
 
+#### `fileDeleteAPIEndpoint` `DELETE` API Request and Response
+This API is used to delete the file uploaded by the user. It returns the file data in Base64. 
+> ⚠️ **Important note:**  
+> If the same file (same `fileId` and `sha256`) is used for other fields in the same application for the same service and the same user, when deleted it will be removed from all instances in the data layer. A warning will appear in the user's delete confirmation page to warn the users in such cases. 
+
+**Request:**
+
+- **HTTP Method**: DELETE
+- **URL**: Resolved from the url property in your config (from the environment variable) concatenated with `/:fileid/:sha256`. For example `https://example.com/api/fileDelete/123456789123456/12345678901234567890123`: 
+  - `fileid` is the `fileId` of the file uploaded by the user.
+  - `sha256` is the `sha256` of the file uploaded by the user.
+- **Headers**:
+  - **Authorization**: `Bearer <access_token>` (form user's cyLogin access token)
+  - **client-key**: `<clientKey>` (from config/env)
+  - **service-id**: `<serviceId>` (from config/env)
+  - **Accept**: `text/plain`
+
+**Example Request:**
+
+```http
+DELETE fileDelete/123456789123456/12345678901234567890123 HTTP/1.1
+Host: localhost:3002
+Authorization: Bearer eyJhbGciOi...
+client-key: 12345678901234567890123456789000
+service-id: 123
+Accept: text/plain
+Content-Type: application/json
+```
+
+**Response:**
+
+The API is expected to return a JSON response with the following structure:
+
+**When file is found and deleted:**
+
+```http
+HTTP/1.1 200 OK
+
+{
+  "ErrorCode": 0,
+  "ErrorMessage": null,
+  "Succeeded": true
+}
+```
+
+**When file is NOT found:**
+
+```http
+HTTP/1.1 404 Not Found
+
+{
+    "ErrorCode": 404,
+    "ErrorMessage": "File not found",
+    "InformationMessage": null,
+    "Data": null,
+    "Succeeded": false
+}
+```
+
 #### File uploads in the data layer
 The system uses the `fileId` and `sha256` to identify the file uploaded by the user. The file information are stored in the data layer in the following format:
 
@@ -2566,6 +2642,7 @@ TEST_SUBMISSION_PUT_API_URL=http://localhost:3002/save
 # Optional File Upload and download endpoints (test service)
 TEST_FILE_UPLOAD_API_URL=http://localhost:3002/fileUpload
 TEST_FILE_DOWNLOAD_API_URL=http://localhost:3002/fileDownload
+TEST_FILE_DELETE_API_URL=http://localhost:3002/fileDelete
 
 # Eligibility checks (optional test APIs)
 TEST_ELIGIBILITY_1_API_URL=http://localhost:3002/eligibility1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "1.0.0-alpha.17",
+  "version": "1.0.0-alpha.19",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",
@@ -51,7 +51,7 @@
   },
   "dependencies": {
     "@gov-cy/dsf-email-templates": "^2.1.0",
-    "@gov-cy/govcy-frontend-renderer": "^1.22.1",
+    "@gov-cy/govcy-frontend-renderer": "^1.23.0",
     "axios": "^1.9.0",
     "cookie-parser": "^1.4.7",
     "dotenv": "^16.3.1",

package/src/middleware/govcyFileDeleteHandler.mjs

@@ -2,10 +2,11 @@ import * as govcyResources from "../resources/govcyResources.mjs";
 import * as dataLayer from "../utils/govcyDataLayer.mjs";
 import { logger } from "../utils/govcyLogger.mjs";
 import { pageContainsFileInput } from "../utils/govcyHandleFiles.mjs";
-import { whatsIsMyEnvironment } from '../utils/govcyEnvVariables.mjs';
+import { whatsIsMyEnvironment, getEnvVariable, getEnvVariableBool } from '../utils/govcyEnvVariables.mjs';
 import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
 import { getPageConfigData } from "../utils/govcyLoadConfigData.mjs";
 import { evaluatePageConditions } from "../utils/govcyExpressions.mjs";
+import { govcyApiRequest } from "../utils/govcyApiRequest.mjs";
 import { URL } from "url";
 
 
@@ -50,7 +51,7 @@ export function govcyFileDeletePageHandler() {
             const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
 
             // If the element data is not found, return an error response
-            if (!elementData) {
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
                 return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
             }
 
@@ -80,6 +81,20 @@ export function govcyFileDeletePageHandler() {
                 ]
             };
 
+            //contruct the warning if the file was uploaded more than once
+            const warningSameFile = {
+                element: "warning",
+                params: {
+                    text: govcyResources.staticResources.text.deleteSameFileWarning,
+                }
+            };
+
+            const showSameFileWarning = dataLayer.isFileUsedInSiteInputDataAgain(
+                req.session,
+                siteId,
+                elementData 
+            );
+
             // Construct page title
             const pageRadios = {
                 element: "radios",
@@ -88,7 +103,8 @@ export function govcyFileDeletePageHandler() {
                     name: "deleteFile",
                     legend: pageTitle,
                     isPageHeading: true,
-                    classes: "govcy-mb-6",
+                    classes: "govcy-mb-6",// only include the warning block when the file is referenced >1 times
+                    elements: showSameFileWarning ? [warningSameFile] : [],
                     items: [
                         {
                             value: "yes",
@@ -171,7 +187,7 @@ export function govcyFileDeletePageHandler() {
  * This middleware processes the post, validates the form and handles the file data layer
  */
 export function govcyFileDeletePostHandler() {
-    return (req, res, next) => {
+    return async (req, res, next) => {
         try {
             // Extract siteId and pageUrl from request
             let { siteId, pageUrl, elementName } = req.params;
@@ -198,6 +214,15 @@ export function govcyFileDeletePostHandler() {
             if (!fileInputElement) {
                 return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
             }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
             // the page base return url
             const pageBaseReturnUrl = `http://localhost:3000/${siteId}/${pageUrl}`;
 
@@ -220,7 +245,62 @@ export function govcyFileDeletePostHandler() {
 
             //if no validation errors
             if (req.body.deleteFile === "yes") {
-                dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+                // Try to delete the file via the delete API. 
+                // If it fails, log the error but continue to remove the file from the session
+                try {
+                    // Get the delete file configuration
+                    const deleteCfg = serviceCopy?.site?.fileDeleteAPIEndpoint;
+                    // Check if download file configuration is available
+                    if (!deleteCfg?.url || !deleteCfg?.clientKey || !deleteCfg?.serviceId) {
+                        return handleMiddlewareError(`File delete APU configuration not found`, 404, next);
+                    }
+
+                    // Environment vars
+                    const allowSelfSignedCerts = getEnvVariableBool("ALLOW_SELF_SIGNED_CERTIFICATES", false);
+                    let url = getEnvVariable(deleteCfg.url || "", false);
+                    const clientKey = getEnvVariable(deleteCfg.clientKey || "", false);
+                    const serviceId = getEnvVariable(deleteCfg.serviceId || "", false);
+                    const dsfGtwKey = getEnvVariable(deleteCfg?.dsfgtwApiKey || "", "");
+                    const method = (deleteCfg?.method || "GET").toLowerCase();
+
+                    // Check if the upload API is configured correctly
+                    if (!url || !clientKey) {
+                        return handleMiddlewareError(`Missing environment variables for upload`, 404, next);
+                    }
+
+                    // Construct the URL with tag being the elementName
+                    url += `/${encodeURIComponent(elementData.fileId)}/${encodeURIComponent(elementData.sha256)}`;
+
+                    // Get the user
+                    const user = dataLayer.getUser(req.session);
+                    // Perform the delete request
+                    const response = await govcyApiRequest(
+                        method,
+                        url,
+                        {},
+                        true,
+                        user,
+                        {
+                            accept: "text/plain",
+                            "client-key": clientKey,
+                            "service-id": serviceId,
+                            ...(dsfGtwKey !== "" && { "dsfgtw-api-key": dsfGtwKey })
+                        },
+                        3,
+                        allowSelfSignedCerts
+                    );
+
+                    // If not succeeded, handle error
+                    if (!response?.Succeeded) {
+                        logger.error("fileDeleteAPIEndpoint returned succeeded false");
+                    }
+
+                } catch (error) {
+                    logger.error(`fileDeleteAPIEndpoint Call failed: ${error.message}`);
+                }
+                // if succeeded all good
+                // dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+                dataLayer.removeAllFilesFromSite(req.session, siteId, { fileId: elementData.fileId, sha256: elementData.sha256 });
                 logger.info(`File deleted by user`, { siteId, pageUrl, elementName });
             }
             // construct the page url
@@ -233,6 +313,7 @@ export function govcyFileDeletePostHandler() {
             // redirect to the page (relative path)
             res.redirect(myUrl.pathname + myUrl.search);
         } catch (error) {
+            logger.error("Error in govcyFileDeletePostHandler middleware:", error.message);
             return next(error);  // Pass error to govcyHttpErrorHandler
         }
     };

package/src/resources/govcyResources.mjs

@@ -123,7 +123,7 @@ export const staticResources = {
         },
         deleteFileTitle : {
             en: "Are you sure you want to delete the file \"{{file}}\"? ",
-            el: "Είστε σίγουροι ότι θέλετε να διαγράψετε το αρχείο \"{{file}}\";",
+            el: "Σίγουρα θέλετε να διαγράψετε το αρχείο \"{{file}}\";",
             tr: "Are you sure you want to delete the file \"{{file}}\"? "
         },
         deleteYesOption: {
@@ -145,6 +145,11 @@ export const staticResources = {
             en: "View file",
             el: "Προβολή αρχείου",
             tr: "View file"
+        },
+        deleteSameFileWarning: {
+            en: "Υou have uploaded the same file more than once in this application. If you delete it, it will be deleted from all places in the application.",
+            el: "Έχετε ανεβάσει το αρχείο αυτό και σε άλλα σημεία της αίτησης. Αν το διαγράψετε, θα διαγραφεί από όλα τα σημεία.",
+            tr: "Υou have uploaded the same file more than once in this application. If you delete it, it will be deleted from all places in the application."
         }
     },
     //remderer sections

package/src/utils/govcyDataLayer.mjs

@@ -102,7 +102,7 @@ export function storePageData(store, siteId, pageUrl, formData) {
 export function storePageDataElement(store, siteId, pageUrl, elementName, value) {
     // Ensure session structure is initialized
     initializeSiteData(store, siteId, pageUrl);
-    
+
     // Store the element value
     store.siteData[siteId].inputData[pageUrl].formData[elementName] = value;
 }
@@ -191,11 +191,11 @@ export function storeSiteSubmissionData(store, siteId, submissionData) {
     // let rawData = getSiteInputData(store, siteId);
     // Store the submission data
     store.siteData[siteId].submissionData = submissionData;
-      
+
     // Clear validation errors from the session
     store.siteData[siteId].inputData = {};
     // Clear presaved/temporary save data
-    store.siteData[siteId].loadData = {}; 
+    store.siteData[siteId].loadData = {};
 
 }
 
@@ -208,7 +208,7 @@ export function storeSiteSubmissionData(store, siteId, submissionData) {
  * @param {object} result - API response
  */
 export function storeSiteEligibilityResult(store, siteId, endpointKey, result) {
-    
+
     initializeSiteData(store, siteId); // Ensure the structure exists
 
     if (!store.siteData[siteId].eligibility) store.siteData[siteId].eligibility = {};
@@ -244,7 +244,7 @@ export function getSiteEligibilityResult(store, siteId, endpointKey, maxAgeMs =
  */
 export function getPageValidationErrors(store, siteId, pageUrl) {
     const validationErrors = store?.siteData?.[siteId]?.inputData?.[pageUrl]?.validationErrors || null;
-    
+
     if (validationErrors) {
         // Clear validation errors from the session
         delete store.siteData[siteId].inputData[pageUrl].validationErrors;
@@ -275,7 +275,7 @@ export function getPageData(store, siteId, pageUrl) {
  */
 export function getSiteSubmissionErrors(store, siteId) {
     const validationErrors = store?.siteData?.[siteId]?.submissionErrors || null;
-    
+
     if (validationErrors) {
         // Clear validation errors from the session
         delete store.siteData[siteId].submissionErrors;
@@ -294,7 +294,7 @@ export function getSiteSubmissionErrors(store, siteId) {
  */
 export function getSiteData(store, siteId) {
     const inputData = store?.siteData?.[siteId] || {};
-    
+
     if (inputData) {
         return inputData;
     }
@@ -311,7 +311,7 @@ export function getSiteData(store, siteId) {
  */
 export function getSiteInputData(store, siteId) {
     const inputData = store?.siteData?.[siteId]?.inputData || {};
-    
+
     if (inputData) {
         return inputData;
     }
@@ -328,7 +328,7 @@ export function getSiteInputData(store, siteId) {
  */
 export function getSiteLoadData(store, siteId) {
     const loadData = store?.siteData?.[siteId]?.loadData || {};
-    
+
     if (loadData) {
         return loadData;
     }
@@ -344,9 +344,9 @@ export function getSiteLoadData(store, siteId) {
  * @returns {string|null} The reference number or null if not available
  */
 export function getSiteLoadDataReferenceNumber(store, siteId) {
-  const ref = store?.siteData?.[siteId]?.loadData?.referenceValue;
+    const ref = store?.siteData?.[siteId]?.loadData?.referenceValue;
 
-  return typeof ref === 'string' && ref.trim() !== '' ? ref : null;
+    return typeof ref === 'string' && ref.trim() !== '' ? ref : null;
 }
 
 
@@ -359,9 +359,9 @@ export function getSiteLoadDataReferenceNumber(store, siteId) {
  */
 export function getSiteSubmissionData(store, siteId) {
     initializeSiteData(store, siteId); // Ensure the structure exists
-    
+
     const submission = store?.siteData?.[siteId]?.submissionData || {};
-    
+
     if (submission) {
         return submission;
     }
@@ -388,7 +388,7 @@ export function getFormDataValue(store, siteId, pageUrl, elementName) {
  * @param {object} store The session store 
  * @returns The user object from the store or null if it doesn't exist.
  */
-export function getUser(store){
+export function getUser(store) {
     return store.user || null;
 }
 
@@ -396,3 +396,181 @@ export function clearSiteData(store, siteId) {
     delete store?.siteData[siteId];
 }
 
+/**
+ * Check if a file reference is used in more than one place (field) across the site's inputData.
+ *
+ * A "file reference" is an object like:
+ *   { sha256: "abc...", fileId: "xyz..." }
+ *
+ * Matching rules:
+ *  - If both fileId and sha256 are provided, both must match.
+ *  - If only one is provided, we match by that single property.
+ *
+ * Notes:
+ *  - Does NOT mutate the session.
+ *  - Safely handles missing site/pages.
+ *  - If a form field is an array (e.g., multiple file inputs), each item is checked.
+ *
+ * @param {object} store   The session object (e.g., req.session)
+ * @param {string} siteId  The site identifier
+ * @param {object} params  { fileId?: string, sha256?: string }
+ * @returns {boolean}      true if the file is found in more than one place, else false
+ */
+export function isFileUsedInSiteInputDataAgain(store, siteId, { fileId, sha256 } = {}) {
+    // If neither identifier is provided, we cannot match anything
+    if (!fileId && !sha256) return false;
+
+    // Ensure session structure is initialized
+    initializeSiteData(store, siteId);
+
+    // Site input data: session.siteData[siteId].inputData
+    const site = store?.siteData?.[siteId]?.inputData;
+    if (!site || typeof site !== 'object') return false;
+
+    let hits = 0; // how many fields across the site reference this file
+
+    // Loop all pages under the site
+    for (const pageKey of Object.keys(site)) {
+        const formData = site[pageKey]?.formData;
+        if (!formData || typeof formData !== 'object') continue;
+
+        // Loop all fields on the page
+        for (const [_, value] of Object.entries(formData)) {
+            if (value == null) continue;
+
+            // Normalize to an array to also support multi-value fields (e.g., multiple file inputs)
+            const candidates = Array.isArray(value) ? value : [value];
+
+            for (const candidate of candidates) {
+                // We only consider objects that look like file references
+                if (
+                    candidate &&
+                    typeof candidate === 'object' &&
+                    'fileId' in candidate &&
+                    'sha256' in candidate
+                ) {
+                    const idMatches = fileId ? candidate.fileId === fileId : true;
+                    const shaMatches = sha256 ? candidate.sha256 === sha256 : true;
+
+                    if (idMatches && shaMatches) {
+                        hits += 1;
+                        // As soon as we see it in more than one place, we can answer true
+                        if (hits > 1) return true;
+                    }
+                }
+            }
+        }
+    }
+
+    // If we get here, it was used 0 or 1 times
+    return false;
+}
+
+
+/**
+ * Remove (replace with "") file values across ALL pages of a site,
+ * matching a specific fileId and/or sha256.
+ *
+ * Matching rules:
+ *  - If BOTH fileId and sha256 are provided, a file object must match BOTH.
+ *  - If ONLY fileId is provided, match on fileId.
+ *  - If ONLY sha256 is provided, match on sha256.
+ *
+ * Scope:
+ *  - Operates on every page under store.siteData[siteId].inputData.
+ *  - Shallow traversal of formData:
+ *      • Direct fields: formData[elementId] = { fileId, sha256, ... }
+ *      • Arrays: [ {fileId...}, {sha256...}, "other" ] → ["", "", "other"] (for matches)
+ *
+ * Side effects:
+ *  - Mutates store.siteData[siteId].inputData[*].formData in place.
+ *  - Intentionally returns nothing.
+ *
+ * @param {object} store - The data-layer store.
+ * @param {string} siteId - The site key under store.siteData to modify.
+ * @param {{ fileId?: string|null, sha256?: string|null }} match - Identifiers to match.
+ *   Provide at least one of fileId/sha256. If both are given, both must match.
+ */
+export function removeAllFilesFromSite(
+    store,
+    siteId,
+    { fileId = null, sha256 = null } = {}
+) {
+    // Ensure session structure is initialized
+    initializeSiteData(store, siteId);
+    // --- Guard rails ---------------------------------------------------------
+
+    // Nothing to remove if neither identifier is provided.
+    if (!fileId && !sha256) return;
+
+    // Per your structure: dig under .inputData for the site's pages.
+    const site = store?.siteData?.[siteId]?.inputData;
+    if (!site || typeof site !== "object") return;
+
+    // --- Helpers -------------------------------------------------------------
+
+    // Is this value a "file-like" object (has fileId and/or sha256)?
+    const isFileLike = (v) =>
+        v &&
+        typeof v === "object" &&
+        (Object.prototype.hasOwnProperty.call(v, "fileId") ||
+            Object.prototype.hasOwnProperty.call(v, "sha256"));
+
+    // Does a file-like object match the provided criteria?
+    const isMatch = (obj) => {
+        if (!isFileLike(obj)) return false;
+
+        // Strict when both are given
+        if (fileId && sha256) {
+            return obj.fileId === fileId && obj.sha256 === sha256;
+        }
+        // Otherwise match whichever was provided
+        if (fileId) return obj.fileId === fileId;
+        if (sha256) return obj.sha256 === sha256;
+
+        return false;
+    };
+
+    // --- Main traversal over all pages --------------------------------------
+
+    for (const page of Object.values(site)) {
+        // Each page should be an object with a formData object
+        const formData =
+            page &&
+                typeof page === "object" &&
+                page.formData &&
+                typeof page.formData === "object"
+                ? page.formData
+                : null;
+
+        if (!formData) continue; // skip content-only pages, etc.
+
+        // For each field on this page…
+        for (const key of Object.keys(formData)) {
+            const val = formData[key];
+
+            // Case A: a single file object → replace with "" if it matches.
+            if (isMatch(val)) {
+                formData[key] = "";
+                continue;
+            }
+
+            // Case B: an array → replace ONLY the matching items with "".
+            if (Array.isArray(val)) {
+                let changed = false;
+                const mapped = val.map((item) => {
+                    if (isMatch(item)) {
+                        changed = true;
+                        return "";
+                    }
+                    return item;
+                });
+                if (changed) formData[key] = mapped;
+            }
+
+            // Note: If you later store file-like objects deeper in nested objects,
+            // add a recursive visitor here (with cycle protection / max depth).
+        }
+    }
+}
+

package/src/utils/govcySubmitData.mjs

@@ -17,7 +17,7 @@ import { logger } from "./govcyLogger.mjs";
 export function prepareSubmissionData(req, siteId, service) {
     // Get the raw data from the session store
     // const rawData = dataLayer.getSiteInputData(req.session, siteId);
-    
+
     // ----- Conditional logic comes here
     // Filter site input data based on active pages only
     // const rawData = {};
@@ -143,7 +143,7 @@ export function prepareSubmissionData(req, siteId, service) {
  * @returns {object} The API-ready submission data object with all fields as strings
  */
 export function prepareSubmissionDataAPI(data) {
-    
+
     return {
         submissionUsername: String(data.submissionUsername ?? ""),
         submissionEmail: String(data.submissionEmail ?? ""),
@@ -232,7 +232,7 @@ export function preparePrintFriendlyData(req, siteId, service) {
         }
     }
 
-    return submissionData ;
+    return submissionData;
 }
 
 //------------------------------- Helper Functions -------------------------------//
@@ -317,6 +317,19 @@ function getValue(formElement, pageUrl, req, siteId) {
     } else {
         value = dataLayer.getFormDataValue(req.session, siteId, pageUrl, formElement.params.name);
     }
+
+    // 🔁 Normalize checkboxes: always return an array
+    if (formElement.element === "checkboxes") {
+        // If no value, return empty array
+        if (value == null || value === "") return [];
+        // If already an array, return as-is (but strip empties just in case)
+        if (Array.isArray(value)) {
+            // Strip empties just in case
+            return value.filter(v => v != null && v !== "");
+        }
+        // Else single value, convert to array
+        return [String(value)];
+    }
     return value;
 }
 
@@ -460,10 +473,10 @@ export function generateReviewSummary(submissionData, req, siteId, showChangeLin
                 {
                     "element": "htmlElement",
                     "params": {
-                        "text": { 
-                            "en": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.en}<span class="govcy-visually-hidden"> ${key?.en || ""}</span></a>`, 
-                            "el": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.el}<span class="govcy-visually-hidden"> ${key?.el || ""}</span></a>`, 
-                            "tr": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.tr}<span class="govcy-visually-hidden"> ${key?.tr || ""}</span></a>` 
+                        "text": {
+                            "en": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.en}<span class="govcy-visually-hidden"> ${key?.en || ""}</span></a>`,
+                            "el": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.el}<span class="govcy-visually-hidden"> ${key?.el || ""}</span></a>`,
+                            "tr": `<a href="/${siteId}/${pageUrl}/view-file/${elementName}" target="_blank">${govcyResources.staticResources.text.viewFile.tr}<span class="govcy-visually-hidden"> ${key?.tr || ""}</span></a>`
                         }
                     }
                 }
@@ -471,7 +484,7 @@ export function generateReviewSummary(submissionData, req, siteId, showChangeLin
         };
     }
 
-    
+
 
 
     // Loop through each page in the submission data
@@ -550,7 +563,7 @@ export function generateSubmitEmail(service, submissionData, submissionId, req)
             }
         );
     }
-    
+
     // Add data title to the body
     body.push(
         {
@@ -568,7 +581,7 @@ export function generateSubmitEmail(service, submissionData, submissionId, req)
         body.push(
             {
                 component: "bodyHeading",
-                params: {"headingLevel":2},
+                params: { "headingLevel": 2 },
                 body: govcyResources.getLocalizeContent(pageTitle, req.globalLang)
             }
         );
@@ -578,14 +591,14 @@ export function generateSubmitEmail(service, submissionData, submissionId, req)
         for (const field of fields) {
             const label = govcyResources.getLocalizeContent(field.label, req.globalLang);
             const valueLabel = getSubmissionValueLabelString(field.valueLabel, req.globalLang);
-            dataUl.push({key: label, value: valueLabel});
+            dataUl.push({ key: label, value: valueLabel });
         }
         // add data to the body
         body.push(
-        {
-            component: "bodyKeyValue",
-            params: {type:"ul", items: dataUl},
-        });
+            {
+                component: "bodyKeyValue",
+                params: { type: "ul", items: dataUl },
+            });
 
     }
 
@@ -606,84 +619,84 @@ export function generateSubmitEmail(service, submissionData, submissionId, req)
 
 
 
- /*
+/*
 {
-  "bank-details": {
-    "formData": {
-      "AccountName": "asd",
-      "Iban": "CY12 0020 0123 0000 0001 2345 6789",
-      "Swift": "BANKCY2NXXX",
-      "_csrf": "sjknv79rxjgv0uggo0d5312vzgz37jsh"
-    }
-  },
-  "answer-bank-boc": {
-    "formData": {
-      "Objection": "Object",
-      "country": "Azerbaijan",
-      "ObjectionReason": "ObjectionReasonCode1",
-      "ObjectionExplanation": "asdsa",
-      "DepositsBOCAttachment": "",
-      "_csrf": "sjknv79rxjgv0uggo0d5312vzgz37jsh"
-    }
-  },
-  "bank-settlement": {
-    "formData": {
-      "ReceiveSettlementExplanation": "",
-      "ReceiveSettlementDate_day": "",
-      "ReceiveSettlementDate_month": "",
-      "ReceiveSettlementDate_year": "",
-      "ReceiveSettlement": "no",
-      "_csrf": "sjknv79rxjgv0uggo0d5312vzgz37jsh"
-    }
-  }
+ "bank-details": {
+   "formData": {
+     "AccountName": "asd",
+     "Iban": "CY12 0020 0123 0000 0001 2345 6789",
+     "Swift": "BANKCY2NXXX",
+     "_csrf": "sjknv79rxjgv0uggo0d5312vzgz37jsh"
+   }
+ },
+ "answer-bank-boc": {
+   "formData": {
+     "Objection": "Object",
+     "country": "Azerbaijan",
+     "ObjectionReason": "ObjectionReasonCode1",
+     "ObjectionExplanation": "asdsa",
+     "DepositsBOCAttachment": "",
+     "_csrf": "sjknv79rxjgv0uggo0d5312vzgz37jsh"
+   }
+ },
+ "bank-settlement": {
+   "formData": {
+     "ReceiveSettlementExplanation": "",
+     "ReceiveSettlementDate_day": "",
+     "ReceiveSettlementDate_month": "",
+     "ReceiveSettlementDate_year": "",
+     "ReceiveSettlement": "no",
+     "_csrf": "sjknv79rxjgv0uggo0d5312vzgz37jsh"
+   }
+ }
 }
 
 
 
 [
-  {
-    pageUrl: "personal-details",
-    pageTitle: { en: "Personal data", el: "Προσωπικά στοιχεία" }, // from pageData.title in correct language
-    fields: [
-      [
-        {
-            id: "firstName",
-            label: { en: "First Name", el: "Όνομα" },
-            value: "John",  // The actual user input value
-            valueLabel: { en: "John", el: "John" }  // Same label as the value for text inputs
-        },
-        {
-            id: "lastName",
-            label: { en: "Last Name", el: "Επίθετο" },
-            value: "Doe",  // The actual user input value
-            valueLabel: { en: "Doe", el: "Doe" }  // Same label as the value for text inputs
-        },
-        {
-            id: "gender",
-            label: { en: "Gender", el: "Φύλο" },
-            value: "m",  // The actual value ("male")
-            valueLabel: { en: "Male", el: "Άντρας" }  // The corresponding label for "male"
-        },
-        {
-            id: "languages",
-            label: { en: "Languages", el: "Γλώσσες" },
-            value: ["en", "el"],  // The selected values ["en", "el"]
-            valueLabel: [
-                { en: "English", el: "Αγγλικά" },  // Labels corresponding to "en" and "el"
-                { en: "Greek", el: "Ελληνικά" }
-            ]
-        },
-        {
-            id: "birthDate",
-            label: { en: "Birth Date", el: "Ημερομηνία Γέννησης" },
-            value: "1990-01-13",  // The actual value based on user input
-            valueLabel: "13/1/1990"  // Date inputs label will be conveted to D/M/YYYY
-        }
-    ]
-  },
-  ...
+ {
+   pageUrl: "personal-details",
+   pageTitle: { en: "Personal data", el: "Προσωπικά στοιχεία" }, // from pageData.title in correct language
+   fields: [
+     [
+       {
+           id: "firstName",
+           label: { en: "First Name", el: "Όνομα" },
+           value: "John",  // The actual user input value
+           valueLabel: { en: "John", el: "John" }  // Same label as the value for text inputs
+       },
+       {
+           id: "lastName",
+           label: { en: "Last Name", el: "Επίθετο" },
+           value: "Doe",  // The actual user input value
+           valueLabel: { en: "Doe", el: "Doe" }  // Same label as the value for text inputs
+       },
+       {
+           id: "gender",
+           label: { en: "Gender", el: "Φύλο" },
+           value: "m",  // The actual value ("male")
+           valueLabel: { en: "Male", el: "Άντρας" }  // The corresponding label for "male"
+       },
+       {
+           id: "languages",
+           label: { en: "Languages", el: "Γλώσσες" },
+           value: ["en", "el"],  // The selected values ["en", "el"]
+           valueLabel: [
+               { en: "English", el: "Αγγλικά" },  // Labels corresponding to "en" and "el"
+               { en: "Greek", el: "Ελληνικά" }
+           ]
+       },
+       {
+           id: "birthDate",
+           label: { en: "Birth Date", el: "Ημερομηνία Γέννησης" },
+           value: "1990-01-13",  // The actual value based on user input
+           valueLabel: "13/1/1990"  // Date inputs label will be conveted to D/M/YYYY
+       }
+   ]
+ },
+ ...
 ]
 
 
 
-    */
+   */