ER: Audit of custom site Wins form and feasibility of using Google Analytics Tags with it

[JessicaLucindaCheng]

TLDL stands for Task List Dev Leads.

Emergent Requirement - Problem

Issue Description
This could be written as two or more issues that are part of an epic:

1. (Size: 3pt) Review/Audit and document the custom site form: https://www.hackforla.org/share-your-wins/. Also, determine the feasibility of using the custom form, including answering the following questions:

• Can the custom site form be made secure and not share secrets? If it is not possible with the custom site form, is it possible to make a new site form that is secure and does not share secrets?
• What is the feasibility of a site form? Consider how we would keep it up to date every time something new is added to Google Forms. How hard would it be to maintain a custom form compared to using the current Google form?
• How would we integrate the custom form to work with the current wins form spreadsheet and its Apps Scripts?
• Are there any additional benefits to using a custom site form over a Google form? What are the pros and cons of using a custom site form versus just using the existing Google Forms? Pros and cons should consider users of the form (people who use the formers) and maintainers (PMs for approving submissions and updating the form and developers for Apps Script maintenance).

2. (Size: 2pt) If the custom site form (or a new site form) is determined to be feasible and secure, then test adding Google Analytics tags on separate pages. This is to figure out if Google Analytics has a way to determine what wins form page people are stopping on and not completing their wins submission.

Who was involved

• @JessicaLucindaCheng
• @SAUMILDHANKAR

What happens if this is not addressed

We continue using the current Google Form for wins submissions.

Resources

• Related to ER from TLDL: Think about converting Wins Google Form to a custom form #4387
• https://www.hackforla.org/share-your-wins/
• Change Wins form to our internal "Share Your Wins" form #2246
• Adjust and standardize "Share Your Wins" form page #2021

Recommended Action Items

• Search and check
  • If an open issue exists that addresses this ER
  • If a closed issue exists that has already addressed this ER
• If an open issue doesn't exist and this ER wasn't already fixed by a closed issue, make a new issue
• Discuss with the team
• Let a Team Lead know

Potential solutions [draft]

[JessicaLucindaCheng]

From Dev/PM meeting on 2023-April-03, Bonnie suggested Rosyln (or another dev lead) connect with Cynthia Kiser to discuss why a custom HTML form is not able to be made secure and not share secrets. Then, document what is discussed in the meeting so we know the reason.

Background info: Cynthia tried making a custom site form in our Jekyll site before to try to be able to update project information but there were reasons why it couldn't be done securely and not share secrets. However, we never documented the reasons why it couldn't be done securely and not share secrets.

[JessicaLucindaCheng]

• Also, Bonnie left this comment: ER from TLDL: Think about converting Wins Google Form to a custom form #4387 (comment). This should be taken into consideration as to what issues will come out of this ER in terms of exploring the feasibility of a custom form.

@JessicaLucindaCheng See what my thoughts are re the various ways this issue could go.

1. embedding the Google form, so it appears on the page (sure we could do that). I think we already have tried the code, there may have been a reason why we stopped.
2. Making it an actual form on Jekyll. This will be a feature of the VRMS site in the future (when people become inactive it will ask them if they got jobs, etc.) and the current form works fine.
3. If there was a way to populate a form with the projects automatically, from our repo, so we didn't have to keep updating it, that would be worth looking into.

[roslynwythe]

Availability: Mon, Wed, Fri 10 -4 pm
ETA: 4/20

[roslynwythe]

@JessicaLucindaCheng Should we consider hosting the custom form on a cloud IaaS or PaaS service? The wins form is used so infrequently, perhaps we could find a free plan or one that charged strictly by usage which would be a negligible cost.

[JessicaLucindaCheng]

@roslynwythe

@JessicaLucindaCheng Should we consider hosting the custom form on a cloud IaaS or PaaS service? The wins form is used so infrequently, perhaps we could find a free plan or one that charged strictly by usage which would be a negligible cost.

I don't know. You'll have to ask Bonnie about if that is something we should think about doing.

[JessicaLucindaCheng]

@roslynwythe

@JessicaLucindaCheng Should we consider hosting the custom form on a cloud IaaS or PaaS service? The wins form is used so infrequently, perhaps we could find a free plan or one that charged strictly by usage which would be a negligible cost.

I don't know. You'll have to ask Bonnie about if that is something we should think about doing.

After thinking about it for a few days, I just had some additional thoughts on this.

• I updated number 1 in the ER above with more questions and details.
• As part of the feasibility issue, perhaps researching the feasibility of hosting the custom form on a cloud IaaS or PaaS service could be part of the feasibility research, which can include pros, cons, how difficult is it to maintain, cost, etc. This way we can present the info/propose it to Bonnie.
• Anything that is charged strictly by usage could be abused and somebody can use a bot or manually make lots of submissions, which could make the cost a lot. So, my concerns/questions are:
  • How would we prevent that from happening?
  • What safeguards would we have to put in place?
• In addition, if we were to host a custom form on a cloud IaaS and PaaS service, how much work would it take to maintain it compared to the Google Form we are currently using? Also, how easy would it be to change or update something in the form, such as adding a question by a PM or a non-developer?
• Also, is it worth it? To help answer this, the feasibility issue to research custom form would be informative. Also, we need to keep in mind Bonnie's comment about a Wins custom site forms in ER from TLDL: Think about converting Wins Google Form to a custom form #4387 (comment):

@JessicaLucindaCheng See what my thoughts are re the various ways this issue could go.

1. embedding the Google form, so it appears on the page (sure we could do that). I think we already have tried the code, there may have been a reason why we stopped.
2. Making it an actual form on Jekyll. This will be a feature of the VRMS site in the future (when people become inactive it will ask them if they got jobs, etc.) and the current form works fine.
3. If there was a way to populate a form with the projects automatically, from our repo, so we didn't have to keep updating it, that would be worth looking into.

[roslynwythe]

@JessicaLucindaCheng thank you for your comments.
Progress:

• Issue Review/Audit Custom WINS form #4556 has been written. It is still a bit wordy and I do have questions (below).
• I believe I've located the Google Sheet and code used for accepting the GET request from JavaScript and storing the submitted data from the custom form. It is WinsFormSheetTest and is owned by Akib Rhast and I have only view rights, so I don't think I can examine project properties or grant permissions. I contacted Akib on Slack and asked if he would be willing to transfer ownership to HfLA website Admin, just like the Wins-form (Response) Sheet. Also, I'm not 100% comfortable publicly listing the URL of sensitive Google Apps Script, just because they may provide useful info for hackers; please advise is that safe?

Questions:

• Should the result of Review/Audit Custom WINS form #4556 be a DR or simply comments in the issue (or in this ER) ?
• Would size 3 pt be Complexity Large or Extra Large?
• I don't understand this comment and I'm not sure if it represents an alternative or just the current implementation:
  Making it an actual form on Jekyll. This will be a feature of the VRMS site in the future (when people become inactive it will ask them if they got jobs, etc.) and the current form works fine.

Availability:
2 hrs per day except Saturday

ETA: 5/3

[JessicaLucindaCheng]

@roslynwythe

• I believe I've located the Google Sheet and code used for accepting the GET request from JavaScript and storing the submitted data from the custom form. It is WinsFormSheetTest and is owned by Akib Rhast and I have only view rights, so I don't think I can examine project properties or grant permissions. I contacted Akib on Slack and asked if he would be willing to transfer ownership to HfLA website Admin, just like the Wins-form (Response) Sheet. Also, I'm not 100% comfortable publicly listing the URL of sensitive Google Apps Script, just because they may provide useful info for hackers; please advise is that safe?

Ans: Will it be in the HfLA website Admin Google Drive? If yes and since you are not comfortable listing the link, you could provide instructions for a dev lead (Merge Team and Technical Leads) on how they can give a developer access.

Questions:

• Should the result of Review/Audit Custom WINS form #4556 be a DR or simply comments in the issue (or in this ER)?

Ans: We definitely should put it somewhere in the wiki so we can refer to it later. I'm thinking either

1. In a decision record, we can add a Research section on the bottom with all the research. Thus, the decision and the research are all on the same wiki page. This may require

• the developer to write up the research,
• then discuss it with PM(s) and dev leads together,
• then once the PM(s) and dev leads make a decision, the developer writes up the decision section of the Decision Record

OR

2. The research could go into the wiki as its own page. Then, once PM(s) and dev lead(s) together make a decision on it, a decision record can be made for the final decision and a link back to the wiki page and the issue.

• Would size 3 pt be Complexity Large or Extra Large?

Ans:

• I would put Extra Large.
• Also, I just put size: 3pt as a suggestion. If you feel it's some other pt value, you can use that instead.
• In addition, if you feel the issue can be broken down into smaller issues (like Medium or Large complexity issues), feel free to do that as well. I made a suggestion here: Review/Audit Custom WINS form #4556 (comment)

• I don't understand this comment and I'm not sure if it represents an alternative or just the current implementation:
  Making it an actual form on Jekyll. This will be a feature of the VRMS site in the future (when people become inactive it will ask them if they got jobs, etc.) and the current form works fine.

Ans: I think she means the current implementation, which sounds like it may not be worth it unless "there was a way to populate a form with the projects automatically, from our repo, so we didn't have to keep updating it, that would be worth looking into."

[roslynwythe]

Progress

• Initially Review/Audit Custom WINS form #4556 was written as a Large or Extra Large Issue that encompassed all aspects of the Review (functional, design, security) as well as providing a strategy for integration of the Google Sheet WinsFormSheetTest with Wins-form (Response) and outlining strategy for enhancing the form to dynamically generate the list of project options.
• Later it was decided to split off analysis of the security concerns into issue Security Audit of WINS form on static site #4588. The security concern is that secrets are exposed when the form makes the HTTP request to the WinsFormSheetTest (which is deployed as a web app i.e, an HTTP endpoint) which stores the submitted form data.

[roslynwythe]

Progress:

• The result of Security Audit of WINS form on static site #4588 is a DR in Decision Records on Solutions Not Implemented. The draft can be found in Security Audit of WINS form on static site #4588 (comment)
• Since the form is not secure, no further issues will be created. This issue and the related epic WINS form analysis #4577 will be closed as not planned.