Review/Audit Custom WINS form

[roslynwythe]

Overview

The website development team needs to perform a functional review/audit of the custom WINS html form and a list of pros/cons for the adoption of the new form, in order to inform the decision about whether to proceed with integration of the form into the website.

Details

• The motivation for exploring the use of the custom HTML form include:
  • Integration with the HfLA website
  • Control over form functionality such as URL validation (see ER ER from TLDL: Feasibility of validating fields on Wins Form #4185)
  • Option of developing code to dynamically generate the list of projects options in the form.
• Concerns related to the adoption of the custom HTML form include
  • Security issues related to storing submission data in the wins-form (Response) Sheet (see Security Audit of WINS form on static site #4588)
  • Most updates to the form will require skill using HTML and possibly JavaScript.
• The form https://github.com/hackforla/website/blob/gh-pages/pages/wins/wins-share-form.html was developed as a result of Create a wins form. #1060 (PR Wins works #1132). The form can be viewed and tested at https://hackforla.org/share-your-wins. The form was developed using the method outlined in articles in the Resources section. JavaScript within the form performs an AJAX request to send submitted data to the Google Sheet WinsFormSheetTest for further processing.

Action Items

• Read the WINS Admin Guide to understand the flow of WINS data.
• Audit user input validation on the form and note (? or fix) any problems.
• Compare the form questions and form field names to the live WINS form and note (? or fix) any discrepancies.
• Test the form and determine why form data is not successfully stored in the Google Sheet.
• Outline a plan for integrating the functionality in WinsFormSheetTest with Wins-form (Response) Sheet which is used to reformat the data submissions, create GitHub review issues and post json data to the Hfla repository.
• If the only secure method of hosting is on a separate Cloud-based server, answer the following questions:
  • What are the challenges for hosting and maintaining a form on a separate Cloud-based server? What skills would be required to make updates and how does the maintenance effort compare to the current Google form ? Would it be possible to develop code to dynamically populate the project list within the WINS form? If so, what is the best strategy for implementing that feature?
• As an alternative to integrating the new custom form, investigate the possibility of embedding the current Google form into the Hfla template. Refer to ER: Feasibility of and how to have all forms within an iframe #4542
• Summarize the pros and cons of adopting a custom html form in place of the current Google form.

Resources/Instructions

• WINS Admin Guide
• This issue is a result of ER: Audit of custom site Wins form and feasibility of using Google Analytics Tags with it #4390 and WINS form analysis #4577
• [WinsFormSheetTest] ??? Is this the correct Sheet? Is it safe to publish the URL?? The owner is Akib and I don't have access rights.
• custom WINS html form
• WINS page live | GitHub
• current WINS form (Google)
• How to Submit an HTML Form to Google Sheets…without Google Forms
• more current - Submit an HTML form to Google Sheets on GitHub
• From SheetMonkey - How to submit a simple HTML form to a Google Sheet using only HTML and JavaScript

[JessicaLucindaCheng]

@roslynwythe Just a suggestion for breaking down the issue. You don't have to do this if you think the issue is fine as it is.

Issue 1

Action Items

• Audit/Review the form
  • Have the various design and UX concerns raised previously been addressed?
  • Does the form submit form data to WinsFormSheetTest without sharing secrets or increased risk of malicious submissions? Is it "safe" to expose the AJAX endpoint connected to the Google Sheet? Is the Google API Key at risk?
  • Would it be possible to develop code to dynamically populate the project list within the custom WINS form?
• If the custom HTML form can be deployed securely, outline requirements for integrating the functionality in WinsFormSheetTest with Wins-form (Response) Sheet which is used to process the data submissions and create GitHub review issues and post json data to the Hfla repository
• Summarize the pros and cons of adopting a custom html form in place of the current Google form.

Issue 2

Dependency

• If Issue 1's research results in a pure HTML/JavaScript solution as not secure

Action Items

• Read the research done as part of issue 1
• Since a pure HTML/JavaScript solution is not secure, determine the feasibility of hosting the form on a Cloud-based IaaS or PaaS service such as Heroku or AWS, or a dedicated service such as SheetMonkey
  • Can we ensure that little or no cost is incurred, either from legitimate or illegitimate usage.
  • What are the challenges for maintaining a form on a host? What skills would be required to make updates and how does the maintenance effort compare to the current Google form? Would it be possible to develop code to dynamically populate the project list within the WINS form?
• If the custom HTML form can be deployed securely, outline requirements for integrating the functionality in WinsFormSheetTest with Wins-form (Response) Sheet which is used to process the data submissions and create GitHub review issues and post json data to the Hfla repository
• Summarize the pros and cons of adopting a custom html form in place of the current Google form.

Issue 3

Notes: I think looking into embedding the current Google Form would just be using an iFrame. So, I think that could just be part of the issue that results from this ER: #4542.

Action Items

• As an alternative to integrating the new custom form, investigate the possibility of embedding the current Google form into the Hfla template.

[roslynwythe]

• @JessicaLucindaCheng I agree 100% and I was thinking of a similar breakdown. I'll work on creating the additional issue right away. Thank you for mentioning ER: Feasibility of and how to have all forms within an iframe #4542 - I was not aware of that!!

[JessicaLucindaCheng]

@roslynwythe Since there will be multiple issues from the ER, you may want to make an epic out of the ER with these issues as part of it.

[roslynwythe]

Progress:

• The result of Security Audit of WINS form on static site #4588 is a DR in Decision Records on Solutions Not Implemented. The draft can be found in Security Audit of WINS form on static site #4588 (comment)
• Since the form is not secure, no further issues will be created. This issue and the related epic WINS form analysis #4577 will be closed as not planned.