@gov-cy/govcy-express-services 1.0.0-alpha.9 → 1.1.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gov-cy/govcy-express-services",
-  "version": "1.0.0-alpha.9",
+  "version": "1.1.0",
   "description": "An Express-based system that dynamically renders services using @gov-cy/govcy-frontend-renderer and posts data to a submission API.",
   "author": "DMRID - DSF Team",
   "license": "MIT",
@@ -44,11 +44,15 @@
     "test:integration": "mocha --recursive tests/integration/**/*.test.mjs",
     "test:package": "mocha --recursive tests/package/**/*.test.mjs",
     "test:functional": "mocha --timeout 30000 --recursive tests/functional/**/*.test.mjs",
-    "test:watch": "mocha --watch --timeout 60000 tests/**/*.test.mjs"
+    "test:watch": "mocha --watch --timeout 60000 tests/**/*.test.mjs",
+    "coverage": "c8 --reporter=html --reporter=text --reporter=lcov --reporter=json-summary npm test",
+    "coverage:copy": "node -e \"try{require('fs').copyFileSync('coverage/coverage-summary.json','./coverage-summary.json')}catch(e){process.exit(0)}\"",
+    "coverage:report": "c8 report",
+    "coverage:badge": "coverage-badges --output ./coverage-badges.svg && npm run coverage:copy"
   },
   "dependencies": {
     "@gov-cy/dsf-email-templates": "^2.1.0",
-    "@gov-cy/govcy-frontend-renderer": "^1.20.0",
+    "@gov-cy/govcy-frontend-renderer": "^1.24.0",
     "axios": "^1.9.0",
     "cookie-parser": "^1.4.7",
     "dotenv": "^16.3.1",
@@ -60,8 +64,10 @@
     "puppeteer": "^24.6.0"
   },
   "devDependencies": {
+    "c8": "^10.1.3",
     "chai": "^5.2.0",
     "chai-http": "^5.1.1",
+    "coverage-badges-cli": "^2.2.0",
     "mocha": "^11.1.0",
     "mochawesome": "^7.1.3",
     "nodemon": "^3.0.2",

package/src/auth/cyLoginAuth.mjs

@@ -2,7 +2,7 @@ import * as client from 'openid-client';
 import { getEnvVariable } from '../utils/govcyEnvVariables.mjs';
 import { logger } from "../utils/govcyLogger.mjs";
 
-
+/* c8 ignore start */
 // OpenID Configuration
 const issuerUrl = getEnvVariable('CYLOGIN_ISSUER_URL');
 const clientId = getEnvVariable('CYLOGIN_CLIENT_ID');
@@ -131,3 +131,4 @@ export function getLogoutUrl(id_token_hint = '') {
 
 // Export config if needed elsewhere
 export { config };
+/* c8 ignore end */

package/src/index.mjs

@@ -24,8 +24,9 @@ import { govcyManifestHandler } from './middleware/govcyManifestHandler.mjs';
 import { govcyRoutePageHandler } from './middleware/govcyRoutePageHandler.mjs';
 import { govcyServiceEligibilityHandler } from './middleware/govcyServiceEligibilityHandler.mjs';
 import { govcyLoadSubmissionData } from './middleware/govcyLoadSubmissionData.mjs';
-import { govcyUploadMiddleware } from './middleware/govcyUpload.mjs';
-import { govcyDeleteFilePageHandler, govcyDeleteFilePostHandler } from './middleware/govcyDeleteFileHandler.mjs';
+import { govcyFileUpload } from './middleware/govcyFileUpload.mjs';
+import { govcyFileDeletePageHandler, govcyFileDeletePostHandler } from './middleware/govcyFileDeleteHandler.mjs';
+import { govcyFileViewHandler } from './middleware/govcyFileViewHandler.mjs';
 import { isProdOrStaging , getEnvVariable, whatsIsMyEnvironment } from './utils/govcyEnvVariables.mjs';
 import { logger } from "./utils/govcyLogger.mjs";
 
@@ -137,7 +138,7 @@ export default function initializeGovCyExpressService(){
     requireAuth, // UNCOMMENT 
     naturalPersonPolicy, // UNCOMMENT 
     govcyServiceEligibilityHandler(true), // UNCOMMENT 
-    govcyUploadMiddleware);
+    govcyFileUpload);
   
   // 🏠 -- ROUTE: Handle route with only siteId (/:siteId or /:siteId/)
   app.get('/:siteId', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true),govcyLoadSubmissionData(),govcyPageHandler(), renderGovcyPage());
@@ -151,14 +152,17 @@ export default function initializeGovCyExpressService(){
   // ✅ -- ROUTE: Add Success Page Route (BEFORE the dynamic route)
   app.get('/:siteId/success',serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcySuccessPageHandler(), renderGovcyPage());
   
+  // 👀🗃️ -- ROUTE: View file (BEFORE the dynamic route)
+  app.get('/:siteId/:pageUrl/view-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyFileViewHandler());
+
   // ❌🗃️ -- ROUTE: Delete file (BEFORE the dynamic route)
-  app.get('/:siteId/:pageUrl/:elementName/delete-file', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyDeleteFilePageHandler(), renderGovcyPage());
+  app.get('/:siteId/:pageUrl/delete-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyLoadSubmissionData(), govcyFileDeletePageHandler(), renderGovcyPage());
   
   // 📝 -- ROUTE: Dynamic route to render pages based on siteId and pageUrl, using govcyPageHandler middleware
   app.get('/:siteId/:pageUrl', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyLoadSubmissionData(), govcyPageHandler(), renderGovcyPage());
   
   // ❌🗃️📥 -- ROUTE: Handle POST requests for delete file
-  app.post('/:siteId/:pageUrl/:elementName/delete-file', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyDeleteFilePostHandler());
+  app.post('/:siteId/:pageUrl/delete-file/:elementName', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(true), govcyFileDeletePostHandler());
   
   // 📥 -- ROUTE: Handle POST requests for review page. The `submit` action
   app.post('/:siteId/review', serviceConfigDataMiddleware, requireAuth, naturalPersonPolicy, govcyServiceEligibilityHandler(), govcyReviewPostHandler());

package/src/middleware/cyLoginAuth.mjs

@@ -10,6 +10,7 @@ import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
 import { errorResponse } from "../utils/govcyApiResponse.mjs"; 
 import { isApiRequest } from '../utils/govcyApiDetection.mjs';
 
+/* c8 ignore start */
 /**
  * Middleware to check if the user is authenticated. If not, redirect to the login page.
  * 
@@ -136,4 +137,5 @@ export function handleLogout() {
             res.redirect(logoutUrl);
         });
     };
-}
+}
+/* c8 ignore end */

package/src/middleware/govcyFileDeleteHandler.mjs

@@ -0,0 +1,320 @@
+import * as govcyResources from "../resources/govcyResources.mjs";
+import * as dataLayer from "../utils/govcyDataLayer.mjs";
+import { logger } from "../utils/govcyLogger.mjs";
+import { pageContainsFileInput } from "../utils/govcyHandleFiles.mjs";
+import { whatsIsMyEnvironment, getEnvVariable, getEnvVariableBool } from '../utils/govcyEnvVariables.mjs';
+import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { getPageConfigData } from "../utils/govcyLoadConfigData.mjs";
+import { evaluatePageConditions } from "../utils/govcyExpressions.mjs";
+import { govcyApiRequest } from "../utils/govcyApiRequest.mjs";
+import { URL } from "url";
+
+
+/**
+ * Middleware to handle the delete file page.
+ * This middleware processes the delete file page, populates the question, and shows validation errors.
+ */
+export function govcyFileDeletePageHandler() {
+    return (req, res, next) => {
+        try {
+            const { siteId, pageUrl, elementName } = req.params;
+
+            // Create a deep copy of the service to avoid modifying the original
+            let serviceCopy = req.serviceData;
+
+            // ⤵️ Find the current page based on the URL
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // deep copy the page template to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // ✅ Skip this POST handler if the page's conditions evaluate to true (redirect away)
+            const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            if (conditionResult.result === false) {
+                logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+                return res.redirect(govcyResources.constructPageUrl(siteId, conditionResult.redirect));
+            }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+
+            // Validate if the file input has a label
+            if (!fileInputElement?.params?.label) {
+                return handleMiddlewareError(`File input [${elementName}] does not have a label`, 404, next);
+            }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
+            // Deep copy page title (so we don’t mutate template)
+            const pageTitle = JSON.parse(JSON.stringify(govcyResources.staticResources.text.deleteFileTitle));
+
+            // Replace label placeholders on page title
+            for (const lang of Object.keys(pageTitle)) {
+                const labelForLang = fileInputElement.params.label[lang] || fileInputElement.params.label.el || "";
+                pageTitle[lang] = pageTitle[lang].replace("{{file}}", labelForLang);
+            }
+
+
+            // Deep copy renderer pageData from
+            let pageData = JSON.parse(JSON.stringify(govcyResources.staticResources.rendererPageData));
+
+            // Handle isTesting 
+            pageData.site.isTesting = (whatsIsMyEnvironment() === "staging");
+
+            // Base page template structure
+            let pageTemplate = {
+                sections: [
+                    {
+                        name: "beforeMain",
+                        elements: [govcyResources.staticResources.elements.backLink]
+                    }
+                ]
+            };
+
+            //contruct the warning if the file was uploaded more than once
+            const warningSameFile = {
+                element: "warning",
+                params: {
+                    text: govcyResources.staticResources.text.deleteSameFileWarning,
+                }
+            };
+
+            const showSameFileWarning = dataLayer.isFileUsedInSiteInputDataAgain(
+                req.session,
+                siteId,
+                elementData 
+            );
+
+            // Construct page title
+            const pageRadios = {
+                element: "radios",
+                params: {
+                    id: "deleteFile",
+                    name: "deleteFile",
+                    legend: pageTitle,
+                    isPageHeading: true,
+                    classes: "govcy-mb-6",// only include the warning block when the file is referenced >1 times
+                    elements: showSameFileWarning ? [warningSameFile] : [],
+                    items: [
+                        {
+                            value: "yes",
+                            text: govcyResources.staticResources.text.deleteYesOption
+                        },
+                        {
+                            value: "no",
+                            text: govcyResources.staticResources.text.deleteNoOption
+                        }
+                    ]
+
+                }
+            };
+            //-------------
+
+            // Construct submit button
+            const formElement = {
+                element: "form",
+                params: {
+                    action: govcyResources.constructPageUrl(siteId, `${pageUrl}/delete-file/${elementName}`, (req.query.route === "review" ? "review" : "")),
+                    method: "POST",
+                    elements: [
+                        pageRadios,
+                        {
+                            element: "button",
+                            params: {
+                                type: "submit",
+                                text: govcyResources.staticResources.text.continue
+                            }
+                        },
+                        govcyResources.csrfTokenInput(req.csrfToken())
+                    ]
+                }
+            };
+
+            // --------- Handle Validation Errors ---------
+            // Check if validation errors exist in the request
+            const validationErrors = [];
+            let mainElements = [];
+            if (req?.query?.hasError) {
+                validationErrors.push({
+                    link: '#deleteFile-option-1',
+                    text: govcyResources.staticResources.text.deleteFileValidationError
+                });
+                mainElements.push(govcyResources.errorSummary(validationErrors));
+                formElement.params.elements[0].params.error = govcyResources.staticResources.text.deleteFileValidationError;
+            }
+            //--------- End Handle Validation Errors ---------
+
+            // Add elements to the main section, the H1, summary list, the submit button and the JS
+            mainElements.push(formElement);
+            // Append generated summary list to the page template
+            pageTemplate.sections.push({ name: "main", elements: mainElements });
+
+            //if user is logged in add he user bane section in the page template
+            if (dataLayer.getUser(req.session)) {
+                pageTemplate.sections.push(govcyResources.userNameSection(dataLayer.getUser(req.session).name)); // Add user name section
+            }
+
+            //prepare pageData
+            pageData.site = serviceCopy.site;
+            pageData.pageData.title = pageTitle;
+
+            // Attach processed page data to the request
+            req.processedPage = {
+                pageData: pageData,
+                pageTemplate: pageTemplate
+            };
+            logger.debug("Processed delete file page data:", req.processedPage);
+            next();
+        } catch (error) {
+            return next(error); // Pass error to govcyHttpErrorHandler
+        }
+    };
+}
+
+
+/**
+ * Middleware to handle delete file post form processing
+ * This middleware processes the post, validates the form and handles the file data layer
+ */
+export function govcyFileDeletePostHandler() {
+    return async (req, res, next) => {
+        try {
+            // Extract siteId and pageUrl from request
+            let { siteId, pageUrl, elementName } = req.params;
+
+            // get service data
+            let serviceCopy = req.serviceData;
+
+            // 🔍 Find the page by pageUrl
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // Deep copy pageTemplate to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // Check if the page has conditions and apply logic
+            const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            if (conditionResult.result === false) {
+                logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+                return res.redirect(govcyResources.constructPageUrl(siteId, conditionResult.redirect));
+            }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
+            // the page base return url
+            const pageBaseReturnUrl = `http://localhost:3000/${siteId}/${pageUrl}`;
+
+            //check if input `deleteFile` has a value
+            if (!req?.body?.deleteFile ||
+                (req.body.deleteFile !== "yes" && req.body.deleteFile !== "no")) {
+                logger.debug("⛔️ No deleteFile value provided on POST — skipping form save and redirecting:", req.body);
+                //construct the page url with error 
+                let myUrl = new URL(pageBaseReturnUrl + `/delete-file/${elementName}`);
+                //check if the route is review
+                if (req.query.route === "review") {
+                    myUrl.searchParams.set("route", "review");
+                }
+                //set the error flag
+                myUrl.searchParams.set("hasError", "1");
+
+                //redirect to the same page with error summary (relative path)
+                return res.redirect(govcyResources.constructErrorSummaryUrl(myUrl.pathname + myUrl.search));
+            }
+
+            //if no validation errors
+            if (req.body.deleteFile === "yes") {
+                // Try to delete the file via the delete API. 
+                // If it fails, log the error but continue to remove the file from the session
+                try {
+                    // Get the delete file configuration
+                    const deleteCfg = serviceCopy?.site?.fileDeleteAPIEndpoint;
+                    // Check if download file configuration is available
+                    if (!deleteCfg?.url || !deleteCfg?.clientKey || !deleteCfg?.serviceId) {
+                        return handleMiddlewareError(`File delete APU configuration not found`, 404, next);
+                    }
+
+                    // Environment vars
+                    const allowSelfSignedCerts = getEnvVariableBool("ALLOW_SELF_SIGNED_CERTIFICATES", false);
+                    let url = getEnvVariable(deleteCfg.url || "", false);
+                    const clientKey = getEnvVariable(deleteCfg.clientKey || "", false);
+                    const serviceId = getEnvVariable(deleteCfg.serviceId || "", false);
+                    const dsfGtwKey = getEnvVariable(deleteCfg?.dsfgtwApiKey || "", "");
+                    const method = (deleteCfg?.method || "GET").toLowerCase();
+
+                    // Check if the upload API is configured correctly
+                    if (!url || !clientKey) {
+                        return handleMiddlewareError(`Missing environment variables for upload`, 404, next);
+                    }
+
+                    // Construct the URL with tag being the elementName
+                    url += `/${encodeURIComponent(elementData.fileId)}/${encodeURIComponent(elementData.sha256)}`;
+
+                    // Get the user
+                    const user = dataLayer.getUser(req.session);
+                    // Perform the delete request
+                    const response = await govcyApiRequest(
+                        method,
+                        url,
+                        {},
+                        true,
+                        user,
+                        {
+                            accept: "text/plain",
+                            "client-key": clientKey,
+                            "service-id": serviceId,
+                            ...(dsfGtwKey !== "" && { "dsfgtw-api-key": dsfGtwKey })
+                        },
+                        3,
+                        allowSelfSignedCerts
+                    );
+
+                    // If not succeeded, handle error
+                    if (!response?.Succeeded) {
+                        logger.error("fileDeleteAPIEndpoint returned succeeded false");
+                    }
+
+                } catch (error) {
+                    logger.error(`fileDeleteAPIEndpoint Call failed: ${error.message}`);
+                }
+                // if succeeded all good
+                // dataLayer.storePageDataElement(req.session, siteId, pageUrl, elementName, "");
+                dataLayer.removeAllFilesFromSite(req.session, siteId, { fileId: elementData.fileId, sha256: elementData.sha256 });
+                logger.info(`File deleted by user`, { siteId, pageUrl, elementName });
+            }
+            // construct the page url
+            let myUrl = new URL(pageBaseReturnUrl);
+            //check if the route is review
+            if (req.query.route === "review") {
+                myUrl.searchParams.set("route", "review");
+            }
+
+            // redirect to the page (relative path)
+            res.redirect(myUrl.pathname + myUrl.search);
+        } catch (error) {
+            logger.error("Error in govcyFileDeletePostHandler middleware:", error.message);
+            return next(error);  // Pass error to govcyHttpErrorHandler
+        }
+    };
+}

package/src/middleware/{govcyUpload.mjs → govcyFileUpload.mjs}

@@ -13,7 +13,7 @@ const upload = multer({
 
 
 
-export const govcyUploadMiddleware = [
+export const govcyFileUpload = [
     upload.single('file'), // multer parses the uploaded file and stores it in req.file
 
     async function govcyUploadHandler(req, res) {

package/src/middleware/govcyFileViewHandler.mjs

@@ -0,0 +1,161 @@
+import { getPageConfigData } from "../utils/govcyLoadConfigData.mjs";
+import { evaluatePageConditions } from "../utils/govcyExpressions.mjs";
+import { getEnvVariable, getEnvVariableBool } from "../utils/govcyEnvVariables.mjs";
+import { ALLOWED_FILE_MIME_TYPES } from "../utils/govcyConstants.mjs";
+import { govcyApiRequest } from "../utils/govcyApiRequest.mjs";
+import * as dataLayer from "../utils/govcyDataLayer.mjs";
+import { logger } from '../utils/govcyLogger.mjs';
+import { handleMiddlewareError } from "../utils/govcyUtils.mjs";
+import { isMagicByteValid, pageContainsFileInput } from "../utils/govcyHandleFiles.mjs";
+
+export function govcyFileViewHandler() {
+    return async (req, res, next) => {
+        try {
+            const { siteId, pageUrl, elementName } = req.params;
+
+            // Create a deep copy of the service to avoid modifying the original
+            let serviceCopy = req.serviceData;
+
+            // Get the download file configuration
+            const downloadCfg = serviceCopy?.site?.fileDownloadAPIEndpoint;
+            // Check if download file configuration is available
+            if (!downloadCfg?.url || !downloadCfg?.clientKey || !downloadCfg?.serviceId) {
+                return handleMiddlewareError(`File download APU configuration not found`, 404, next);
+            }
+
+            // Environment vars
+            const allowSelfSignedCerts = getEnvVariableBool("ALLOW_SELF_SIGNED_CERTIFICATES", false);
+            let url = getEnvVariable(downloadCfg.url || "", false);
+            const clientKey = getEnvVariable(downloadCfg.clientKey || "", false);
+            const serviceId = getEnvVariable(downloadCfg.serviceId || "", false);
+            const dsfGtwKey = getEnvVariable(downloadCfg?.dsfgtwApiKey || "", "");
+            const method = (downloadCfg?.method || "GET").toLowerCase();
+
+            // Check if the upload API is configured correctly
+            if (!url || !clientKey) {
+                return handleMiddlewareError(`Missing environment variables for upload`, 404, next);
+            }
+
+
+            // ⤵️ Find the current page based on the URL
+            const page = getPageConfigData(serviceCopy, pageUrl);
+
+            // deep copy the page template to avoid modifying the original
+            const pageTemplateCopy = JSON.parse(JSON.stringify(page.pageTemplate));
+
+            // ----- Conditional logic comes here
+            // ✅ Skip this POST handler if the page's conditions evaluate to true (redirect away)
+            // const conditionResult = evaluatePageConditions(page, req.session, siteId, req);
+            // if (conditionResult.result === false) {
+            //     logger.debug("⛔️ Page condition evaluated to true on POST — skipping form save and redirecting:", conditionResult);
+            //     return handleMiddlewareError(`Page condition evaluated to true on POST — skipping form save and redirecting`, 404, next);
+            // }
+
+            // Validate the field: Only allow delete if the page contains a fileInput with the given name
+            const fileInputElement = pageContainsFileInput(pageTemplateCopy, elementName);
+            if (!fileInputElement) {
+                return handleMiddlewareError(`File input [${elementName}] not allowed on this page`, 404, next);
+            }
+
+            //check the reference number
+            const referenceNo = dataLayer.getSiteLoadDataReferenceNumber(req.session, siteId);
+            if (!referenceNo) {
+                return handleMiddlewareError(`Missing submission reference number`, 404, next);
+            }
+
+            //get element data 
+            const elementData = dataLayer.getFormDataValue(req.session, siteId, pageUrl, elementName)
+
+            // If the element data is not found, return an error response
+            if (!elementData || !elementData?.sha256 || !elementData?.fileId) {
+                return handleMiddlewareError(`File input [${elementName}] data not found on this page`, 404, next);
+            }
+
+            // Construct the URL with tag being the elementName
+            url += `/${encodeURIComponent(referenceNo)}/${encodeURIComponent(elementData.fileId)}/${encodeURIComponent(elementData.sha256)}`;
+
+            // Get the user
+            const user = dataLayer.getUser(req.session);
+            // Perform the upload request
+            const response = await govcyApiRequest(
+                method,
+                url,
+                {},
+                true,
+                user,
+                {
+                    accept: "text/plain",
+                    "client-key": clientKey,
+                    "service-id": serviceId,
+                    ...(dsfGtwKey !== "" && { "dsfgtw-api-key": dsfGtwKey })
+                },
+                3,
+                allowSelfSignedCerts
+            );
+
+            // If not succeeded, handle error
+            if (!response?.Succeeded) {
+                return handleMiddlewareError(`fileDownloadAPIEndpoint returned succeeded false`, 500, next);
+            }
+
+            // Check if the response contains the expected data
+            if (!response?.Data?.contentType || !response?.Data?.fileName || !response?.Data?.base64) {
+                return handleMiddlewareError(`fileDownloadAPIEndpoint - Missing contentType, fileName or base64 in response data`, 500, next);
+            }
+
+            // Get filename
+            const filename = response?.Data?.fileName || "filename";
+            const fallbackFilename = asciiFallback(filename);
+            const utf8Filename = encodeRFC5987(filename);
+
+            // Decode base64 to binary
+            const fileBuffer = Buffer.from(response.Data.base64, 'base64');
+
+            // file type checks
+            // 1. Check declared mimetype
+            if (!ALLOWED_FILE_MIME_TYPES.includes(response?.Data?.contentType)) {
+                return handleMiddlewareError(`fileDownloadAPIEndpoint - Invalid file type (MIME not allowed)`, 500, next);
+            }
+
+            // 2. Check actual file content (magic bytes) matches claimed MIME type
+            if (!isMagicByteValid(fileBuffer, response?.Data?.contentType)) {
+                return handleMiddlewareError(`fileDownloadAPIEndpoint - Invalid file type (magic byte mismatch)`, 500, next);
+            }
+
+            // Check if Buffer is empty
+            if (!fileBuffer || fileBuffer.length === 0) {
+                return handleMiddlewareError(`fileDownloadAPIEndpoint - File is empty or invalid`, 500, next);
+            }
+            // Send the file to the browser
+            res.type(response?.Data?.contentType);
+            res.setHeader(
+                'Content-Disposition',
+                `inline; filename="${fallbackFilename}"; filename*=UTF-8''${utf8Filename}`
+            );
+            res.send(fileBuffer);
+
+        } catch (error) {
+            logger.error("Error in govcyViewFileHandler middleware:", error.message);
+            return next(error); // Pass the error to the next middleware
+        }
+    };
+}
+
+//------------------------------------------------------------------------------
+// Helper functions
+// rfc5987 encoding for filename*
+function encodeRFC5987(str) {
+    return encodeURIComponent(str)
+        .replace(/['()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase())
+        .replace(/%(7C|60|5E)/g, (m, p) => '%' + p); // | ` ^
+}
+
+// ASCII fallback for old browsers
+function asciiFallback(str) {
+    return str
+        .replace(/[^\x20-\x7E]/g, '')     // strip non-ASCII
+        .replace(/[/\\?%*:|"<>]/g, '-')   // reserved chars
+        .replace(/[\r\n]/g, ' ')          // drop newlines
+        .replace(/"/g, "'")               // no quotes
+        || 'download';
+}

package/src/middleware/govcyPDFRender.mjs

@@ -6,6 +6,7 @@ import { logger } from "../utils/govcyLogger.mjs";
  * Middleware function to render PDFs using the GovCy Frontend Renderer.
  * This function takes the processed page data and template, and generates the final PDF response.
  */
+/* c8 ignore start */
 export function govcyPDFRender() {
     return async (req, res) => {
         try {
@@ -29,4 +30,5 @@ export function govcyPDFRender() {
             res.status(500).send('Unable to generate PDF at this time.');
         }
     };
-}
+}
+/* c8 ignore end */

package/src/middleware/govcyPageHandler.mjs

@@ -53,11 +53,7 @@ export function govcyPageHandler() {
             element.params.method = "POST";
             // ➕ Add CSRF token
             element.params.elements.push(govcyResources.csrfTokenInput(req.csrfToken()));
-            // // ➕ Add siteId and pageUrl to form data
-            // element.params.elements.push(govcyResources.siteAndPageInput(siteId, pageUrl, req.globalLang));
-            // ➕ Add govcyFormsJs script to the form
-            element.params.elements.push(govcyResources.staticResources.elements["govcyFormsJs"]);
-
+            
             // 🔍 Find the first button with `prototypeNavigate`
             const button = element.params.elements.find(subElement =>
               // subElement.element === "button" && subElement.params.prototypeNavigate

package/src/middleware/govcyPageRender.mjs

@@ -1,4 +1,5 @@
 import { govcyFrontendRenderer } from "@gov-cy/govcy-frontend-renderer";
+import * as govcyResources from "../resources/govcyResources.mjs";
 
 /**
  * Middleware function to render pages using the GovCy Frontend Renderer.
@@ -6,8 +7,17 @@ import { govcyFrontendRenderer } from "@gov-cy/govcy-frontend-renderer";
  */
 export function renderGovcyPage() {
     return (req, res) => {
+        const afterBody = {
+            name: "afterBody",
+            elements: [ 
+                govcyResources.staticResources.elements["govcyLoadingOverlay"],
+                govcyResources.staticResources.elements["govcyFormsJs"]
+            ]
+        };
+        // Initialize the renderer
         const renderer = new govcyFrontendRenderer();
         const { processedPage } = req;
+        processedPage.pageTemplate.sections.push(afterBody);
         const html = renderer.renderFromJSON(processedPage.pageTemplate, processedPage.pageData);
         res.send(html);
     };