@gov-cy/govcy-express-services 1.0.0-alpha.18 → 1.0.0-alpha.19

package/README.md

@@ -326,6 +326,13 @@ Here is an example JSON config:
       "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID",
       "dsfgtwApiKey": "TEST_SUBMISSION_DSF_GTW_KEY"
     },
+    "fileDeleteAPIEndpoint": {     //<-- File delete API endpoint
+      "url": "TEST_DELETE_FILE_API_URL",
+      "method": "DELETE",
+      "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
+      "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID",
+      "dsfgtwApiKey": "TEST_SUBMISSION_DSF_GTW_KEY"
+    },
     "eligibilityAPIEndpoints": [     //<-- Eligibility API endpoints
       {
         "url": "TEST_ELIGIBILITY_2_API_URL",
@@ -696,6 +703,7 @@ Here are some details explaining the JSON structure:
   - `submissionPutAPIEndpoint`: The submission put API endpoint, to be used for temporary saving the submission data. See more on the [temporary save feature](#-temporary-save-feature) section below.
   - `fileUploadAPIEndpoint`: The file upload API endpoint, to be used for uploading files. See more on the [file upload feature](#%EF%B8%8F-files-uploads-feature) section below.
   - `fileDownloadAPIEndpoint`: The file download API endpoint, to be used for downloading files. See more on the [file upload feature](#%EF%B8%8F-files-uploads-feature) section below.
+  - `fileDeleteAPIEndpoint`: The file delete API endpoint, to be used for deleting files. See more on the [file upload feature](#%EF%B8%8F-files-uploads-feature) section below.
 - `pages` array: An array of page objects, each representing a page in the site. 
     - `pageData` object: Contains the metadata to be rendered on the page. See [govcy-frontend-renderer](https://github.com/gov-cy/govcy-frontend-renderer/tree/main#site-and-page-meta-data-explained) for more details
       - `nextPage`: The URL of the next page to be rendered after the user clicks the `continue` button.
@@ -2168,7 +2176,7 @@ The [💾 Temporary save feature](#-temporary-save-feature) must be enabled for
 
 
 #### How to enable and configure file uploads 
-To use this feature, configure the config JSON file. In your service’s `site` object, add both a `fileUploadAPIEndpoint` and `fileDownloadAPIEndpoint` entry:
+To use this feature, configure the config JSON file. In your service’s `site` object, add a `fileUploadAPIEndpoint`, `fileDownloadAPIEndpoint`and `fileDeleteAPIEndpoint` entry:
 
 ```json
 "fileUploadAPIEndpoint": {
@@ -2182,6 +2190,12 @@ To use this feature, configure the config JSON file. In your service’s `site`
   "method": "GET",
   "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
   "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID"
+},
+"fileDeleteAPIEndpoint": {
+  "url": "TEST_DELETE_FILE_API_URL",
+  "method": "DELETE",
+  "clientKey": "TEST_SUBMISSION_API_CLIENT_KEY",
+  "serviceId": "TEST_SUBMISSION_API_SERVIVE_ID"
 }
 ```
 
@@ -2301,7 +2315,10 @@ Here is a sample code section of a page definition with a file input field:
 - **When clinking `view`**: 
   - The file is downloaded using the `fileDownloadAPIEndpoint` and opened in a new tab.
 - **When clinking `delete`**:
-  - A confimation page is displayed asking the user to confirm the deletion. If the user confirms, the file is deleted from the data layer and the `fileView` element is removed from the page.
+  - A confimation page is displayed asking the user to confirm the deletion. If the user confirms (clicks `Yes`):
+    - The file is deleted using the `fileDeleteAPIEndpoint`
+    - The file is deleted from the data layer and the `fileView` element is removed from the page.
+    - If the same file is used on another page (with the same `fileId` and `sha256`), they are also removed from the data layer
 - **On the `review` page after upload**:
   - The element is displayed with a link to `View file`. A `Change` link is also displayed for the whole page.
 - **On the `success` page and email after upload**:
@@ -2441,6 +2458,65 @@ HTTP/1.1 404 Not Found
 }
 ```
 
+#### `fileDeleteAPIEndpoint` `DELETE` API Request and Response
+This API is used to delete the file uploaded by the user. It returns the file data in Base64. 
+> ⚠️ **Important note:**  
+> If the same file (same `fileId` and `sha256`) is used for other fields in the same application for the same service and the same user, when deleted it will be removed from all instances in the data layer. A warning will appear in the user's delete confirmation page to warn the users in such cases. 
+
+**Request:**
+
+- **HTTP Method**: DELETE
+- **URL**: Resolved from the url property in your config (from the environment variable) concatenated with `/:fileid/:sha256`. For example `https://example.com/api/fileDelete/123456789123456/12345678901234567890123`: 
+  - `fileid` is the `fileId` of the file uploaded by the user.
+  - `sha256` is the `sha256` of the file uploaded by the user.
+- **Headers**:
+  - **Authorization**: `Bearer <access_token>` (form user's cyLogin access token)
+  - **client-key**: `<clientKey>` (from config/env)
+  - **service-id**: `<serviceId>` (from config/env)
+  - **Accept**: `text/plain`
+
+**Example Request:**
+
+```http
+DELETE fileDelete/123456789123456/12345678901234567890123 HTTP/1.1
+Host: localhost:3002
+Authorization: Bearer eyJhbGciOi...
+client-key: 12345678901234567890123456789000
+service-id: 123
+Accept: text/plain
+Content-Type: application/json
+```
+
+**Response:**
+
+The API is expected to return a JSON response with the following structure:
+
+**When file is found and deleted:**
+
+```http
+HTTP/1.1 200 OK
+
+{
+  "ErrorCode": 0,
+  "ErrorMessage": null,
+  "Succeeded": true
+}
+```
+
+**When file is NOT found:**
+
+```http
+HTTP/1.1 404 Not Found
+
+{
+    "ErrorCode": 404,
+    "ErrorMessage": "File not found",
+    "InformationMessage": null,
+    "Data": null,
+    "Succeeded": false
+}
+```
+
 #### File uploads in the data layer
 The system uses the `fileId` and `sha256` to identify the file uploaded by the user. The file information are stored in the data layer in the following format:
 
@@ -2566,6 +2642,7 @@ TEST_SUBMISSION_PUT_API_URL=http://localhost:3002/save
 # Optional File Upload and download endpoints (test service)
 TEST_FILE_UPLOAD_API_URL=http://localhost:3002/fileUpload
 TEST_FILE_DOWNLOAD_API_URL=http://localhost:3002/fileDownload
+TEST_FILE_DELETE_API_URL=http://localhost:3002/fileDelete
 
 # Eligibility checks (optional test APIs)
 TEST_ELIGIBILITY_1_API_URL=http://localhost:3002/eligibility1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "1.0.0-alpha.18",
+  "version": "1.0.0-alpha.19",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",
@@ -51,7 +51,7 @@
   },
   "dependencies": {
     "@gov-cy/dsf-email-templates": "^2.1.0",
-    "@gov-cy/govcy-frontend-renderer": "^1.22.1",
+    "@gov-cy/govcy-frontend-renderer": "^1.23.0",
     "axios": "^1.9.0",
     "cookie-parser": "^1.4.7",
     "dotenv": "^16.3.1",

package/src/middleware/govcyFileDeleteHandler.mjs

@@ -2,10 +2,11 @@ import * as govcyResources from "../resources/govcyResources.mjs";
 import * as dataLayer from "../utils/govcyDataLayer.mjs";
 import { logger } from "../utils/govcyLogger.mjs";
 import { pageContainsFileInput } from "../utils/govcyHandleFiles.mjs";
-import { whatsIsMyEnvironment } from '../utils/govcyEnvVariables.mjs';
+import { whatsIsMyEnvironment, getEnvVariable, getEnvVariableBool } from '../utils/govcyEnvVariables.mjs';
 import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
 import { getPageConfigData } from "../utils/govcyLoadConfigData.mjs";
 import { evaluatePageConditions } from "../utils/govcyExpressions.mjs";
+import { govcyApiRequest } from "../utils/govcyApiRequest.mjs";
 import { URL } from "url";
 
 
@@ -50,7 +51,7 @@ export function govcyFileDeletePageHandler() {
             const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
 
             // If the element data is not found, return an error response
-            if (!elementData) {
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
                 return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
             }
 
@@ -80,6 +81,20 @@ export function govcyFileDeletePageHandler() {
                 ]
             };
 
+            //contruct the warning if the file was uploaded more than once
+            const warningSameFile = {
+                element: "warning",
+                params: {
+                    text: govcyResources.staticResources.text.deleteSameFileWarning,
+                }
+            };
+
+            const showSameFileWarning = dataLayer.isFileUsedInSiteInputDataAgain(
+                req.session,
+                siteId,
+                elementData 
+            );
+
             // Construct page title
             const pageRadios = {
                 element: "radios",
@@ -88,7 +103,8 @@ export function govcyFileDeletePageHandler() {
                     name: "deleteFile",
                     legend: pageTitle,
                     isPageHeading: true,
-                    classes: "govcy-mb-6",
+                    classes: "govcy-mb-6",// only include the warning block when the file is referenced >1 times
+                    elements: showSameFileWarning ? [warningSameFile] : [],
                     items: [
                         {
                             value: "yes",
@@ -171,7 +187,7 @@ export function govcyFileDeletePageHandler() {
  * This middleware processes the post, validates the form and handles the file data layer
  */
 export function govcyFileDeletePostHandler() {
-    return (req, res, next) => {
+    return async (req, res, next) => {
         try {
             // Extract siteId and pageUrl from request
             let { siteId, pageUrl, elementName } = req.params;
@@ -198,6 +214,15 @@ export function govcyFileDeletePostHandler() {
             if (!fileInputElement) {
                 return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
             }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
             // the page base return url
             const pageBaseReturnUrl = `http://localhost:3000/${siteId}/${pageUrl}`;
 
@@ -220,13 +245,62 @@ export function govcyFileDeletePostHandler() {
 
             //if no validation errors
             if (req.body.deleteFile === "yes") {
-                //TODO: Check if fileDeleteAPIEndpoint exists and call the API to delete the file from the storage
-                // if it exists, check that the Env vars are set
-                // construct url
-                // get user
-                // call the API
+                // Try to delete the file via the delete API. 
+                // If it fails, log the error but continue to remove the file from the session
+                try {
+                    // Get the delete file configuration
+                    const deleteCfg = serviceCopy?.site?.fileDeleteAPIEndpoint;
+                    // Check if download file configuration is available
+                    if (!deleteCfg?.url || !deleteCfg?.clientKey || !deleteCfg?.serviceId) {
+                        return handleMiddlewareError(`File delete APU configuration not found`, 404, next);
+                    }
+
+                    // Environment vars
+                    const allowSelfSignedCerts = getEnvVariableBool("ALLOW_SELF_SIGNED_CERTIFICATES", false);
+                    let url = getEnvVariable(deleteCfg.url || "", false);
+                    const clientKey = getEnvVariable(deleteCfg.clientKey || "", false);
+                    const serviceId = getEnvVariable(deleteCfg.serviceId || "", false);
+                    const dsfGtwKey = getEnvVariable(deleteCfg?.dsfgtwApiKey || "", "");
+                    const method = (deleteCfg?.method || "GET").toLowerCase();
+
+                    // Check if the upload API is configured correctly
+                    if (!url || !clientKey) {
+                        return handleMiddlewareError(`Missing environment variables for upload`, 404, next);
+                    }
+
+                    // Construct the URL with tag being the elementName
+                    url += `/${encodeURIComponent(elementData.fileId)}/${encodeURIComponent(elementData.sha256)}`;
+
+                    // Get the user
+                    const user = dataLayer.getUser(req.session);
+                    // Perform the delete request
+                    const response = await govcyApiRequest(
+                        method,
+                        url,
+                        {},
+                        true,
+                        user,
+                        {
+                            accept: "text/plain",
+                            "client-key": clientKey,
+                            "service-id": serviceId,
+                            ...(dsfGtwKey !== "" && { "dsfgtw-api-key": dsfGtwKey })
+                        },
+                        3,
+                        allowSelfSignedCerts
+                    );
+
+                    // If not succeeded, handle error
+                    if (!response?.Succeeded) {
+                        logger.error("fileDeleteAPIEndpoint returned succeeded false");
+                    }
+
+                } catch (error) {
+                    logger.error(`fileDeleteAPIEndpoint Call failed: ${error.message}`);
+                }
                 // if succeeded all good
-                dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+                // dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+                dataLayer.removeAllFilesFromSite(req.session, siteId, { fileId: elementData.fileId, sha256: elementData.sha256 });
                 logger.info(`File deleted by user`, { siteId, pageUrl, elementName });
             }
             // construct the page url
@@ -239,6 +313,7 @@ export function govcyFileDeletePostHandler() {
             // redirect to the page (relative path)
             res.redirect(myUrl.pathname + myUrl.search);
         } catch (error) {
+            logger.error("Error in govcyFileDeletePostHandler middleware:", error.message);
             return next(error);  // Pass error to govcyHttpErrorHandler
         }
     };

package/src/resources/govcyResources.mjs

@@ -123,7 +123,7 @@ export const staticResources = {
         },
         deleteFileTitle : {
             en: "Are you sure you want to delete the file \"{{file}}\"? ",
-            el: "Είστε σίγουροι ότι θέλετε να διαγράψετε το αρχείο \"{{file}}\";",
+            el: "Σίγουρα θέλετε να διαγράψετε το αρχείο \"{{file}}\";",
             tr: "Are you sure you want to delete the file \"{{file}}\"? "
         },
         deleteYesOption: {
@@ -145,6 +145,11 @@ export const staticResources = {
             en: "View file",
             el: "Προβολή αρχείου",
             tr: "View file"
+        },
+        deleteSameFileWarning: {
+            en: "Υou have uploaded the same file more than once in this application. If you delete it, it will be deleted from all places in the application.",
+            el: "Έχετε ανεβάσει το αρχείο αυτό και σε άλλα σημεία της αίτησης. Αν το διαγράψετε, θα διαγραφεί από όλα τα σημεία.",
+            tr: "Υou have uploaded the same file more than once in this application. If you delete it, it will be deleted from all places in the application."
         }
     },
     //remderer sections

package/src/utils/govcyDataLayer.mjs

@@ -102,7 +102,7 @@ export function storePageData(store, siteId, pageUrl, formData) {
 export function storePageDataElement(store, siteId, pageUrl, elementName, value) {
     // Ensure session structure is initialized
     initializeSiteData(store, siteId, pageUrl);
-    
+
     // Store the element value
     store.siteData[siteId].inputData[pageUrl].formData[elementName] = value;
 }
@@ -191,11 +191,11 @@ export function storeSiteSubmissionData(store, siteId, submissionData) {
     // let rawData = getSiteInputData(store, siteId);
     // Store the submission data
     store.siteData[siteId].submissionData = submissionData;
-      
+
     // Clear validation errors from the session
     store.siteData[siteId].inputData = {};
     // Clear presaved/temporary save data
-    store.siteData[siteId].loadData = {}; 
+    store.siteData[siteId].loadData = {};
 
 }
 
@@ -208,7 +208,7 @@ export function storeSiteSubmissionData(store, siteId, submissionData) {
  * @param {object} result - API response
  */
 export function storeSiteEligibilityResult(store, siteId, endpointKey, result) {
-    
+
     initializeSiteData(store, siteId); // Ensure the structure exists
 
     if (!store.siteData[siteId].eligibility) store.siteData[siteId].eligibility = {};
@@ -244,7 +244,7 @@ export function getSiteEligibilityResult(store, siteId, endpointKey, maxAgeMs =
  */
 export function getPageValidationErrors(store, siteId, pageUrl) {
     const validationErrors = store?.siteData?.[siteId]?.inputData?.[pageUrl]?.validationErrors || null;
-    
+
     if (validationErrors) {
         // Clear validation errors from the session
         delete store.siteData[siteId].inputData[pageUrl].validationErrors;
@@ -275,7 +275,7 @@ export function getPageData(store, siteId, pageUrl) {
  */
 export function getSiteSubmissionErrors(store, siteId) {
     const validationErrors = store?.siteData?.[siteId]?.submissionErrors || null;
-    
+
     if (validationErrors) {
         // Clear validation errors from the session
         delete store.siteData[siteId].submissionErrors;
@@ -294,7 +294,7 @@ export function getSiteSubmissionErrors(store, siteId) {
  */
 export function getSiteData(store, siteId) {
     const inputData = store?.siteData?.[siteId] || {};
-    
+
     if (inputData) {
         return inputData;
     }
@@ -311,7 +311,7 @@ export function getSiteData(store, siteId) {
  */
 export function getSiteInputData(store, siteId) {
     const inputData = store?.siteData?.[siteId]?.inputData || {};
-    
+
     if (inputData) {
         return inputData;
     }
@@ -328,7 +328,7 @@ export function getSiteInputData(store, siteId) {
  */
 export function getSiteLoadData(store, siteId) {
     const loadData = store?.siteData?.[siteId]?.loadData || {};
-    
+
     if (loadData) {
         return loadData;
     }
@@ -344,9 +344,9 @@ export function getSiteLoadData(store, siteId) {
  * @returns {string|null} The reference number or null if not available
  */
 export function getSiteLoadDataReferenceNumber(store, siteId) {
-  const ref = store?.siteData?.[siteId]?.loadData?.referenceValue;
+    const ref = store?.siteData?.[siteId]?.loadData?.referenceValue;
 
-  return typeof ref === 'string' && ref.trim() !== '' ? ref : null;
+    return typeof ref === 'string' && ref.trim() !== '' ? ref : null;
 }
 
 
@@ -359,9 +359,9 @@ export function getSiteLoadDataReferenceNumber(store, siteId) {
  */
 export function getSiteSubmissionData(store, siteId) {
     initializeSiteData(store, siteId); // Ensure the structure exists
-    
+
     const submission = store?.siteData?.[siteId]?.submissionData || {};
-    
+
     if (submission) {
         return submission;
     }
@@ -388,7 +388,7 @@ export function getFormDataValue(store, siteId, pageUrl, elementName) {
  * @param {object} store The session store 
  * @returns The user object from the store or null if it doesn't exist.
  */
-export function getUser(store){
+export function getUser(store) {
     return store.user || null;
 }
 
@@ -396,3 +396,181 @@ export function clearSiteData(store, siteId) {
     delete store?.siteData[siteId];
 }
 
+/**
+ * Check if a file reference is used in more than one place (field) across the site's inputData.
+ *
+ * A "file reference" is an object like:
+ *   { sha256: "abc...", fileId: "xyz..." }
+ *
+ * Matching rules:
+ *  - If both fileId and sha256 are provided, both must match.
+ *  - If only one is provided, we match by that single property.
+ *
+ * Notes:
+ *  - Does NOT mutate the session.
+ *  - Safely handles missing site/pages.
+ *  - If a form field is an array (e.g., multiple file inputs), each item is checked.
+ *
+ * @param {object} store   The session object (e.g., req.session)
+ * @param {string} siteId  The site identifier
+ * @param {object} params  { fileId?: string, sha256?: string }
+ * @returns {boolean}      true if the file is found in more than one place, else false
+ */
+export function isFileUsedInSiteInputDataAgain(store, siteId, { fileId, sha256 } = {}) {
+    // If neither identifier is provided, we cannot match anything
+    if (!fileId && !sha256) return false;
+
+    // Ensure session structure is initialized
+    initializeSiteData(store, siteId);
+
+    // Site input data: session.siteData[siteId].inputData
+    const site = store?.siteData?.[siteId]?.inputData;
+    if (!site || typeof site !== 'object') return false;
+
+    let hits = 0; // how many fields across the site reference this file
+
+    // Loop all pages under the site
+    for (const pageKey of Object.keys(site)) {
+        const formData = site[pageKey]?.formData;
+        if (!formData || typeof formData !== 'object') continue;
+
+        // Loop all fields on the page
+        for (const [_, value] of Object.entries(formData)) {
+            if (value == null) continue;
+
+            // Normalize to an array to also support multi-value fields (e.g., multiple file inputs)
+            const candidates = Array.isArray(value) ? value : [value];
+
+            for (const candidate of candidates) {
+                // We only consider objects that look like file references
+                if (
+                    candidate &&
+                    typeof candidate === 'object' &&
+                    'fileId' in candidate &&
+                    'sha256' in candidate
+                ) {
+                    const idMatches = fileId ? candidate.fileId === fileId : true;
+                    const shaMatches = sha256 ? candidate.sha256 === sha256 : true;
+
+                    if (idMatches && shaMatches) {
+                        hits += 1;
+                        // As soon as we see it in more than one place, we can answer true
+                        if (hits > 1) return true;
+                    }
+                }
+            }
+        }
+    }
+
+    // If we get here, it was used 0 or 1 times
+    return false;
+}
+
+
+/**
+ * Remove (replace with "") file values across ALL pages of a site,
+ * matching a specific fileId and/or sha256.
+ *
+ * Matching rules:
+ *  - If BOTH fileId and sha256 are provided, a file object must match BOTH.
+ *  - If ONLY fileId is provided, match on fileId.
+ *  - If ONLY sha256 is provided, match on sha256.
+ *
+ * Scope:
+ *  - Operates on every page under store.siteData[siteId].inputData.
+ *  - Shallow traversal of formData:
+ *      • Direct fields: formData[elementId] = { fileId, sha256, ... }
+ *      • Arrays: [ {fileId...}, {sha256...}, "other" ] → ["", "", "other"] (for matches)
+ *
+ * Side effects:
+ *  - Mutates store.siteData[siteId].inputData[*].formData in place.
+ *  - Intentionally returns nothing.
+ *
+ * @param {object} store - The data-layer store.
+ * @param {string} siteId - The site key under store.siteData to modify.
+ * @param {{ fileId?: string|null, sha256?: string|null }} match - Identifiers to match.
+ *   Provide at least one of fileId/sha256. If both are given, both must match.
+ */
+export function removeAllFilesFromSite(
+    store,
+    siteId,
+    { fileId = null, sha256 = null } = {}
+) {
+    // Ensure session structure is initialized
+    initializeSiteData(store, siteId);
+    // --- Guard rails ---------------------------------------------------------
+
+    // Nothing to remove if neither identifier is provided.
+    if (!fileId && !sha256) return;
+
+    // Per your structure: dig under .inputData for the site's pages.
+    const site = store?.siteData?.[siteId]?.inputData;
+    if (!site || typeof site !== "object") return;
+
+    // --- Helpers -------------------------------------------------------------
+
+    // Is this value a "file-like" object (has fileId and/or sha256)?
+    const isFileLike = (v) =>
+        v &&
+        typeof v === "object" &&
+        (Object.prototype.hasOwnProperty.call(v, "fileId") ||
+            Object.prototype.hasOwnProperty.call(v, "sha256"));
+
+    // Does a file-like object match the provided criteria?
+    const isMatch = (obj) => {
+        if (!isFileLike(obj)) return false;
+
+        // Strict when both are given
+        if (fileId && sha256) {
+            return obj.fileId === fileId && obj.sha256 === sha256;
+        }
+        // Otherwise match whichever was provided
+        if (fileId) return obj.fileId === fileId;
+        if (sha256) return obj.sha256 === sha256;
+
+        return false;
+    };
+
+    // --- Main traversal over all pages --------------------------------------
+
+    for (const page of Object.values(site)) {
+        // Each page should be an object with a formData object
+        const formData =
+            page &&
+                typeof page === "object" &&
+                page.formData &&
+                typeof page.formData === "object"
+                ? page.formData
+                : null;
+
+        if (!formData) continue; // skip content-only pages, etc.
+
+        // For each field on this page…
+        for (const key of Object.keys(formData)) {
+            const val = formData[key];
+
+            // Case A: a single file object → replace with "" if it matches.
+            if (isMatch(val)) {
+                formData[key] = "";
+                continue;
+            }
+
+            // Case B: an array → replace ONLY the matching items with "".
+            if (Array.isArray(val)) {
+                let changed = false;
+                const mapped = val.map((item) => {
+                    if (isMatch(item)) {
+                        changed = true;
+                        return "";
+                    }
+                    return item;
+                });
+                if (changed) formData[key] = mapped;
+            }
+
+            // Note: If you later store file-like objects deeper in nested objects,
+            // add a recursive visitor here (with cycle protection / max depth).
+        }
+    }
+}
+