@gov-cy/govcy-express-services 1.0.0-alpha.2 → 1.0.0-alpha.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "1.0.0-alpha.2",
+  "version": "1.0.0-alpha.20",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",
@@ -44,22 +44,29 @@
     "test:integration": "mocha --recursive tests/integration/**/*.test.mjs",
     "test:package": "mocha --recursive tests/package/**/*.test.mjs",
     "test:functional": "mocha --timeout 30000 --recursive tests/functional/**/*.test.mjs",
-    "test:watch": "mocha --watch --timeout 60000 tests/**/*.test.mjs"
+    "test:watch": "mocha --watch --timeout 60000 tests/**/*.test.mjs",
+    "coverage": "c8 --reporter=html --reporter=text --reporter=lcov --reporter=json-summary npm test",
+    "coverage:report": "c8 report",
+    "coverage:badge": "coverage-badges --output ./coverage-badges.svg"
   },
   "dependencies": {
     "@gov-cy/dsf-email-templates": "^2.1.0",
-    "@gov-cy/govcy-frontend-renderer": "^1.18.0",
+    "@gov-cy/govcy-frontend-renderer": "^1.24.0",
     "axios": "^1.9.0",
     "cookie-parser": "^1.4.7",
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
     "express-session": "^1.17.3",
+    "form-data": "^4.0.4",
+    "multer": "^2.0.2",
     "openid-client": "^6.3.4",
     "puppeteer": "^24.6.0"
   },
   "devDependencies": {
+    "c8": "^10.1.3",
     "chai": "^5.2.0",
     "chai-http": "^5.1.1",
+    "coverage-badges-cli": "^2.2.0",
     "mocha": "^11.1.0",
     "mochawesome": "^7.1.3",
     "nodemon": "^3.0.2",

package/src/auth/cyLoginAuth.mjs

@@ -2,7 +2,7 @@ import * as client from 'openid-client';
 import { getEnvVariable } from '../utils/govcyEnvVariables.mjs';
 import { logger } from "../utils/govcyLogger.mjs";
 
-
+/* c8 ignore start */
 // OpenID Configuration
 const issuerUrl = getEnvVariable('CYLOGIN_ISSUER_URL');
 const clientId = getEnvVariable('CYLOGIN_CLIENT_ID');
@@ -131,3 +131,4 @@ export function getLogoutUrl(id_token_hint = '') {
 
 // Export config if needed elsewhere
 export { config };
+/* c8 ignore end */

package/src/index.mjs

@@ -24,6 +24,9 @@ import { govcyManifestHandler } from './middleware/govcyManifestHandler.mjs';
 import { govcyRoutePageHandler } from './middleware/govcyRoutePageHandler.mjs';
 import { govcyServiceEligibilityHandler } from './middleware/govcyServiceEligibilityHandler.mjs';
 import { govcyLoadSubmissionData } from './middleware/govcyLoadSubmissionData.mjs';
+import { govcyFileUpload } from './middleware/govcyFileUpload.mjs';
+import { govcyFileDeletePageHandler, govcyFileDeletePostHandler } from './middleware/govcyFileDeleteHandler.mjs';
+import { govcyFileViewHandler } from './middleware/govcyFileViewHandler.mjs';
 import { isProdOrStaging , getEnvVariable, whatsIsMyEnvironment } from './utils/govcyEnvVariables.mjs';
 import { logger } from "./utils/govcyLogger.mjs";
 
@@ -128,6 +131,14 @@ export default function initializeGovCyExpressService(){
 
   // 📝 -- ROUTE: Serve manifest.json dynamically for each site
   app.get('/:siteId/manifest.json', serviceConfigDataMiddleware, govcyManifestHandler());
+
+  // 🗃️ -- ROUTE: Handle POST requests for file uploads for a page. 
+  app.post('/apis/:siteId/:pageUrl/upload', 
+    serviceConfigDataMiddleware, 
+    requireAuth, // UNCOMMENT 
+    naturalPersonPolicy, // UNCOMMENT 
+    govcyServiceEligibilityHandler(true), // UNCOMMENT 
+    govcyFileUpload);
   
   // 🏠 -- ROUTE: Handle route with only siteId (/:siteId or /:siteId/)
   app.get('/:siteId', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true),govcyLoadSubmissionData(),govcyPageHandler(), renderGovcyPage());
@@ -141,16 +152,24 @@ export default function initializeGovCyExpressService(){
   // ✅ -- ROUTE: Add Success Page Route (BEFORE the dynamic route)
   app.get('/:siteId/success',serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcySuccessPageHandler(), renderGovcyPage());
   
+  // 👀🗃️ -- ROUTE: View file (BEFORE the dynamic route)
+  app.get('/:siteId/:pageUrl/view-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyFileViewHandler());
+
+  // ❌🗃️ -- ROUTE: Delete file (BEFORE the dynamic route)
+  app.get('/:siteId/:pageUrl/delete-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyFileDeletePageHandler(), renderGovcyPage());
+  
   // 📝 -- ROUTE: Dynamic route to render pages based on siteId and pageUrl, using govcyPageHandler middleware
   app.get('/:siteId/:pageUrl', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyLoadSubmissionData(), govcyPageHandler(), renderGovcyPage());
   
+  // ❌🗃️📥 -- ROUTE: Handle POST requests for delete file
+  app.post('/:siteId/:pageUrl/delete-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyFileDeletePostHandler());
+  
   // 📥 -- ROUTE: Handle POST requests for review page. The `submit` action
   app.post('/:siteId/review', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyReviewPostHandler());
   
   // 👀📥 -- ROUTE: Handle POST requests (Form Submissions) based on siteId and pageUrl, using govcyFormsPostHandler middleware
   app.post('/:siteId/:pageUrl', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyFormsPostHandler());
   
-  
   // post for /:siteId/review
   
   // 🔹 Catch 404 errors (must be after all routes)

package/src/middleware/cyLoginAuth.mjs

@@ -7,7 +7,10 @@
 import { getLoginUrl, handleCallback, getLogoutUrl } from '../auth/cyLoginAuth.mjs';
 import { logger } from "../utils/govcyLogger.mjs";
 import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { errorResponse } from "../utils/govcyApiResponse.mjs"; 
+import { isApiRequest } from '../utils/govcyApiDetection.mjs';
 
+/* c8 ignore start */
 /**
  * Middleware to check if the user is authenticated. If not, redirect to the login page.
  * 
@@ -17,6 +20,12 @@ import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
  */
 export function requireAuth(req, res, next) {
     if (!req.session.user) {
+        if (isApiRequest(req)) {
+            const err = new Error("Unauthorized: user not authenticated");
+            err.status = 401;
+            return next(err);
+        }
+
         // Store the original URL before redirecting to login
         req.session.redirectAfterLogin = req.originalUrl;
         return res.redirect('/login');
@@ -128,4 +137,5 @@ export function handleLogout() {
             res.redirect(logoutUrl);
         });
     };
-}
+}
+/* c8 ignore end */

package/src/middleware/govcyCsrf.mjs

@@ -1,5 +1,8 @@
 
 import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { errorResponse } from '../utils/govcyApiResponse.mjs';
+import { isApiRequest } from '../utils/govcyApiDetection.mjs';
+
 /**
  * Middleware to handle CSRF token generation and validation.
  * 
@@ -14,7 +17,18 @@ export function govcyCsrfMiddleware(req, res, next) {
   }
 
   req.csrfToken = () => req.session.csrfToken;
-
+  
+  if (
+    req.method === 'POST' &&
+    req.headers['content-type']?.includes('multipart/form-data') &&
+    isApiRequest(req)) {
+    const tokenFromHeader = req.get('X-CSRF-Token');
+    // UNCOMMENT
+    if (!tokenFromHeader || tokenFromHeader !== req.session.csrfToken) {
+      return res.status(400).json(errorResponse(403, 'Invalid CSRF token'));
+    }
+    return next();
+  } 
   // Check token on POST requests
   if (req.method === 'POST') {
     const tokenFromBody = req.body._csrf;

package/src/middleware/govcyFileDeleteHandler.mjs

@@ -0,0 +1,320 @@
+import * as govcyResources from "../resources/govcyResources.mjs";
+import * as dataLayer from "../utils/govcyDataLayer.mjs";
+import { logger } from "../utils/govcyLogger.mjs";
+import { pageContainsFileInput } from "../utils/govcyHandleFiles.mjs";
+import { whatsIsMyEnvironment, getEnvVariable, getEnvVariableBool } from '../utils/govcyEnvVariables.mjs';
+import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { getPageConfigData } from "../utils/govcyLoadConfigData.mjs";
+import { evaluatePageConditions } from "../utils/govcyExpressions.mjs";
+import { govcyApiRequest } from "../utils/govcyApiRequest.mjs";
+import { URL } from "url";
+
+
+/**
+ * Middleware to handle the delete file page.
+ * This middleware processes the delete file page, populates the question, and shows validation errors.
+ */
+export function govcyFileDeletePageHandler() {
+    return (req, res, next) => {
+        try {
+            const { siteId, pageUrl, elementName } = req.params;
+
+            // Create a deep copy of the service to avoid modifying the original
+            let serviceCopy = req.serviceData;
+
+            // ⤵️ Find the current page based on the URL
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // deep copy the page template to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // ✅ Skip this POST handler if the page's conditions evaluate to true (redirect away)
+            const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            if (conditionResult.result === false) {
+                logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+                return res.redirect(govcyResources.constructPageUrl(siteId, conditionResult.redirect));
+            }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+
+            // Validate if the file input has a label
+            if (!fileInputElement?.params?.label) {
+                return handleMiddlewareError(`File input [${elementName}] does not have a label`, 404, next);
+            }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
+            // Deep copy page title (so we don’t mutate template)
+            const pageTitle = JSON.parse(JSON.stringify(govcyResources.staticResources.text.deleteFileTitle));
+
+            // Replace label placeholders on page title
+            for (const lang of Object.keys(pageTitle)) {
+                const labelForLang = fileInputElement.params.label[lang] || fileInputElement.params.label.el || "";
+                pageTitle[lang] = pageTitle[lang].replace("{{file}}", labelForLang);
+            }
+
+
+            // Deep copy renderer pageData from
+            let pageData = JSON.parse(JSON.stringify(govcyResources.staticResources.rendererPageData));
+
+            // Handle isTesting 
+            pageData.site.isTesting = (whatsIsMyEnvironment() === "staging");
+
+            // Base page template structure
+            let pageTemplate = {
+                sections: [
+                    {
+                        name: "beforeMain",
+                        elements: [govcyResources.staticResources.elements.backLink]
+                    }
+                ]
+            };
+
+            //contruct the warning if the file was uploaded more than once
+            const warningSameFile = {
+                element: "warning",
+                params: {
+                    text: govcyResources.staticResources.text.deleteSameFileWarning,
+                }
+            };
+
+            const showSameFileWarning = dataLayer.isFileUsedInSiteInputDataAgain(
+                req.session,
+                siteId,
+                elementData 
+            );
+
+            // Construct page title
+            const pageRadios = {
+                element: "radios",
+                params: {
+                    id: "deleteFile",
+                    name: "deleteFile",
+                    legend: pageTitle,
+                    isPageHeading: true,
+                    classes: "govcy-mb-6",// only include the warning block when the file is referenced >1 times
+                    elements: showSameFileWarning ? [warningSameFile] : [],
+                    items: [
+                        {
+                            value: "yes",
+                            text: govcyResources.staticResources.text.deleteYesOption
+                        },
+                        {
+                            value: "no",
+                            text: govcyResources.staticResources.text.deleteNoOption
+                        }
+                    ]
+
+                }
+            };
+            //-------------
+
+            // Construct submit button
+            const formElement = {
+                element: "form",
+                params: {
+                    action: govcyResources.constructPageUrl(siteId, `${pageUrl}/delete-file/${elementName}`, (req.query.route === "review" ? "review" : "")),
+                    method: "POST",
+                    elements: [
+                        pageRadios,
+                        {
+                            element: "button",
+                            params: {
+                                type: "submit",
+                                text: govcyResources.staticResources.text.continue
+                            }
+                        },
+                        govcyResources.csrfTokenInput(req.csrfToken())
+                    ]
+                }
+            };
+
+            // --------- Handle Validation Errors ---------
+            // Check if validation errors exist in the request
+            const validationErrors = [];
+            let mainElements = [];
+            if (req?.query?.hasError) {
+                validationErrors.push({
+                    link: '#deleteFile-option-1',
+                    text: govcyResources.staticResources.text.deleteFileValidationError
+                });
+                mainElements.push(govcyResources.errorSummary(validationErrors));
+                formElement.params.elements[0].params.error = govcyResources.staticResources.text.deleteFileValidationError;
+            }
+            //--------- End Handle Validation Errors ---------
+
+            // Add elements to the main section, the H1, summary list, the submit button and the JS
+            mainElements.push(formElement);
+            // Append generated summary list to the page template
+            pageTemplate.sections.push({ name: "main", elements: mainElements });
+
+            //if user is logged in add he user bane section in the page template
+            if (dataLayer.getUser(req.session)) {
+                pageTemplate.sections.push(govcyResources.userNameSection(dataLayer.getUser(req.session).name)); // Add user name section
+            }
+
+            //prepare pageData
+            pageData.site = serviceCopy.site;
+            pageData.pageData.title = pageTitle;
+
+            // Attach processed page data to the request
+            req.processedPage = {
+                pageData: pageData,
+                pageTemplate: pageTemplate
+            };
+            logger.debug("Processed delete file page data:", req.processedPage);
+            next();
+        } catch (error) {
+            return next(error); // Pass error to govcyHttpErrorHandler
+        }
+    };
+}
+
+
+/**
+ * Middleware to handle delete file post form processing
+ * This middleware processes the post, validates the form and handles the file data layer
+ */
+export function govcyFileDeletePostHandler() {
+    return async (req, res, next) => {
+        try {
+            // Extract siteId and pageUrl from request
+            let { siteId, pageUrl, elementName } = req.params;
+
+            // get service data
+            let serviceCopy = req.serviceData;
+
+            // 🔍 Find the page by pageUrl
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // Deep copy pageTemplate to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // Check if the page has conditions and apply logic
+            const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            if (conditionResult.result === false) {
+                logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+                return res.redirect(govcyResources.constructPageUrl(siteId, conditionResult.redirect));
+            }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
+            // the page base return url
+            const pageBaseReturnUrl = `http://localhost:3000/${siteId}/${pageUrl}`;
+
+            //check if input `deleteFile` has a value
+            if (!req?.body?.deleteFile ||
+                (req.body.deleteFile !== "yes" && req.body.deleteFile !== "no")) {
+                logger.debug("⛔️ No deleteFile value provided on POST — skipping form save and redirecting:", req.body);
+                //construct the page url with error 
+                let myUrl = new URL(pageBaseReturnUrl + `/delete-file/${elementName}`);
+                //check if the route is review
+                if (req.query.route === "review") {
+                    myUrl.searchParams.set("route", "review");
+                }
+                //set the error flag
+                myUrl.searchParams.set("hasError", "1");
+
+                //redirect to the same page with error summary (relative path)
+                return res.redirect(govcyResources.constructErrorSummaryUrl(myUrl.pathname + myUrl.search));
+            }
+
+            //if no validation errors
+            if (req.body.deleteFile === "yes") {
+                // Try to delete the file via the delete API. 
+                // If it fails, log the error but continue to remove the file from the session
+                try {
+                    // Get the delete file configuration
+                    const deleteCfg = serviceCopy?.site?.fileDeleteAPIEndpoint;
+                    // Check if download file configuration is available
+                    if (!deleteCfg?.url || !deleteCfg?.clientKey || !deleteCfg?.serviceId) {
+                        return handleMiddlewareError(`File delete APU configuration not found`, 404, next);
+                    }
+
+                    // Environment vars
+                    const allowSelfSignedCerts = getEnvVariableBool("ALLOW_SELF_SIGNED_CERTIFICATES", false);
+                    let url = getEnvVariable(deleteCfg.url || "", false);
+                    const clientKey = getEnvVariable(deleteCfg.clientKey || "", false);
+                    const serviceId = getEnvVariable(deleteCfg.serviceId || "", false);
+                    const dsfGtwKey = getEnvVariable(deleteCfg?.dsfgtwApiKey || "", "");
+                    const method = (deleteCfg?.method || "GET").toLowerCase();
+
+                    // Check if the upload API is configured correctly
+                    if (!url || !clientKey) {
+                        return handleMiddlewareError(`Missing environment variables for upload`, 404, next);
+                    }
+
+                    // Construct the URL with tag being the elementName
+                    url += `/${encodeURIComponent(elementData.fileId)}/${encodeURIComponent(elementData.sha256)}`;
+
+                    // Get the user
+                    const user = dataLayer.getUser(req.session);
+                    // Perform the delete request
+                    const response = await govcyApiRequest(
+                        method,
+                        url,
+                        {},
+                        true,
+                        user,
+                        {
+                            accept: "text/plain",
+                            "client-key": clientKey,
+                            "service-id": serviceId,
+                            ...(dsfGtwKey !== "" && { "dsfgtw-api-key": dsfGtwKey })
+                        },
+                        3,
+                        allowSelfSignedCerts
+                    );
+
+                    // If not succeeded, handle error
+                    if (!response?.Succeeded) {
+                        logger.error("fileDeleteAPIEndpoint returned succeeded false");
+                    }
+
+                } catch (error) {
+                    logger.error(`fileDeleteAPIEndpoint Call failed: ${error.message}`);
+                }
+                // if succeeded all good
+                // dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+                dataLayer.removeAllFilesFromSite(req.session, siteId, { fileId: elementData.fileId, sha256: elementData.sha256 });
+                logger.info(`File deleted by user`, { siteId, pageUrl, elementName });
+            }
+            // construct the page url
+            let myUrl = new URL(pageBaseReturnUrl);
+            //check if the route is review
+            if (req.query.route === "review") {
+                myUrl.searchParams.set("route", "review");
+            }
+
+            // redirect to the page (relative path)
+            res.redirect(myUrl.pathname + myUrl.search);
+        } catch (error) {
+            logger.error("Error in govcyFileDeletePostHandler middleware:", error.message);
+            return next(error);  // Pass error to govcyHttpErrorHandler
+        }
+    };
+}

package/src/middleware/govcyFileUpload.mjs

@@ -0,0 +1,36 @@
+import multer from 'multer';
+import { logger } from '../utils/govcyLogger.mjs';
+import { successResponse, errorResponse } from '../utils/govcyApiResponse.mjs';
+import { ALLOWED_MULTER_FILE_SIZE_MB } from "../utils/govcyConstants.mjs";
+import { handleFileUpload } from "../utils/govcyHandleFiles.mjs";
+
+// Configure multer to store the file in memory (not disk) and limit the size to 10MB
+const upload = multer({
+    storage: multer.memoryStorage(),
+    limits: { fileSize: ALLOWED_MULTER_FILE_SIZE_MB * 1024 * 1024 } // 10MB
+});
+
+
+
+
+export const govcyFileUpload = [
+    upload.single('file'), // multer parses the uploaded file and stores it in req.file
+
+    async function govcyUploadHandler(req, res) {
+        const result = await handleFileUpload({
+            service: req.serviceData,
+            store: req.session,
+            siteId: req.params.siteId,
+            pageUrl: req.params.pageUrl,
+            elementName: req.body?.elementName,
+            file: req.file
+        });
+
+        if (result.status !== 200) {
+            logger.error("Upload failed", result);
+            return res.status(result.status).json(errorResponse(result.dataStatus, result.errorMessage || 'File upload failed'));
+        }
+
+        return res.json(successResponse(result.data));
+    }
+];