opengovsg / formsg Goto Github PK

Problem: Prevent loss of Storage mode response data due to form admins losing secret keys. Loss of keys is expected especially over time with the form changing hands. However loss of response data undermines public confidence in the government, and could have individually significant consequences for form respondents (e.g. financial aid application).

Technical design

Design document here

Agency central key in the hands of CIO/CISO. Each new form key will be encrypted by agency’s public key and stored in agencyKey table for CIO retrieval with his private key. If agency private key is lost, have to manually contact each form owner to get private keys to re-encrypt with new agency key.

To be implemented after React rewrite

Email mode "Emails where responses will be sent" field

• When only 1 recipient email is entered, amend the toaster to turn blue instead and display "Recommended: at least 2 recipients to prevent response loss from bounced emails"

• 'Read about email reliability' link --> 'Guarding against bounces' with link https://guide.form.gov.sg/AdvancedGuide.html#how-do-i-ensure-my-form-responses-will-not-bounce

• Alert msg when there is no recipient email entered: amend the ! to be consistent with the ! icon in other toaster messages ignoring

Settings page

• Change the toaster under 'authentication' to say 'Deactivate your form to change authentication method'

Create form modal

• Create form modal > Email mode red alert-content. amend copy slightly to "...Not recommended usually, especially for high volume forms...

Activation Email mode only

• Success toaster below Activate button saying "Form activated! For high-traffic forms, AutoArchive your mailbox to prevent lost responses." Duration is preferably until user navigates away from page, but if difficult 10s is fine.

Why
Various finance related applications require verified income from MyInfo. These are likely Decimal fields.

To do

See Epic for list of Income fields and names

https://www.ndi-api.gov.sg/library/myinfo/implementation-myinfo-data

Blockers: approval

Steps to reproduce:

1. Go to any form (or this test form created for this issue https://form.gov.sg/5ebe2d79b561af00110ea58b)

2. Look at the tab title: Should be "(debug) Test form" or whatever the form title is.
   

3. Refresh the form

4. Form title changes to generic "FormSG"
   

Expected behaviour:
The title displayed in the tab should remain as the form title regardless of refresh

Speculation:
This is probably due to the redirect from the non hashbanged url https://form.gov.sg/5ebe2d79b561af00110ea58b to the hashbanged version https://form.gov.sg/#!/5ebe2d79b561af00110ea58b

Related to UI fix #124

'Save your Secret Key' modal:

Save your Secret Key

Refer to zeplin https://app.zeplin.io/project/5b29ffde48eaaf6318d01b05/screen/5f2df833d0299b1c22acd717

@mantariksh don't implement the button dropdown yet, lets just do a simple link on the word 'Email' in the info box and leave the download and copy buttons unchanged. this is because i'm not confident that having Email in the dropdown options is sufficiently prominent, but we dont have a designer this week. if needed we can update the UI later.

Email prefill

Subject: Secret Key to 'Form Title' has been shared with you
To: all collaborator emails

Dear collaborator,

I am sharing my form's secret key with you for safekeeping and backup. This is an important key that is needed to access all form responses.

Form name: 'Form Title'
Form link: form.gov.sg/2098590248
Secret key: secretkey.

All you need to do is keep this email as a record, and please do not share this key with anyone else.

Thank you for helping to safekeep my form!

Other requirements

add event so we know when link/button is clicked, and tracker so we know when emails are opened

The UI today isn't able to display network logs from webhook requests, hampering integration and debugging for downstream systems.

We should have a webhooks dashboard that allows users to examine the network response for each webhook submission.

what is needed
alert
logs for debugging
how to recover

Encapsulate the internal model representation of multiple columns into a single value exposed by ng-model by using ngModelController.

FKA https://github.com/datagovsg/formsg/issues/1943

So that respondents will not have to repeatedly verify their email if their job is to complete many form submissions at one go - repeated data submission by authorised persons only e.g.

• referral forms
• logging of assets
• test result reporting

maybe:

• include session id when creating transaction object, look up before creating new transaction
• if transaction exists, prefill verified email field(s) and indicate verified
• refresh to clear fields or detect field edits to reset fields in transaction object
• on Thank You page, also show ~ "If you are done submitting forms, please close your browser tab to end this session securely"
• transaction has 4h expiry currently, ideally OTP verification has closer to 1h expiry similar to SPCP

optionally:

• allow user to check Remember me for next submission on frontend, which is by default unchecked
• if Remember me is checked in submission, session Id is saved to transaction obj. if it is not checked, session id is updated to null.
• Remember me is also checked by default on the next submission

Follow up from https://github.com/datagovsg/formsg/pull/2433

• form_field.isFutureOnly key was retained in release https://github.com/datagovsg/formsg/pull/2429 for backward compatibility
• to remove form_field.isFutureOnly after 31 Aug 2020

What the admin sees:
confirmation message: "This will transfer all the forms you own to 'email address'. You will be removed as a collaborator and lose access to the forms you previously owned.

What should happen:

• For all forms on which admin is Owner, replace ownership with new admin
• Not touching editor and read-only roles for now
• Log all replacements

See Epic for list of fields and names

FKA https://github.com/datagovsg/formsg/issues/2104

Babel should be transpiling code to be ES5 / IE11-compatible. Currently IE11 is specified as a target browser in .babelrc file, yet Object.values was not transpiled.

Additionally - check if polyfills from polyfills.js are being added by babel e.g. whatwg-fetch

@mantariksh said: I investigated this for a while today but didn't get very far. Tried using the useBuiltIns option for Babel but it didn't help. I'm pretty sure the polyfills are being imported though, both from inspection of bundle.js and the fact that downloading storage mode attachments works in IE11 (hence fetch is definitely working). I'm setting this aside for now to work on other things.

Give users the ability to remove themselves from collaborator lists of forms

Currently only the form owner can remove a collaborator; this is slightly more inconvenient during events such as handing over administration of a form than if collaborators had the ability to remove themselves.

Proposed solution to add a bin next to own name for Editors and Read-only to remove oneself.

Confirmation modal: "You will be removed as a collaborator and will lose access to this form. You cannot undo this." buttons: "Remove me" and "Cancel"

Table style fields on Email mode often need to be split to column after data collation into an Excel sheet. However we use a comma delimiter that makes this difficult. Excel 365 splits to column whether or not the comma delimiter is followed by a space.

Storage mode uses ; delimiter:

To discuss: backwards compatibility

Fka https://github.com/datagovsg/formsg/issues/2500

Top requested feature from form respondents (est. 10%).

A few ideas for save draft:

1. Encrypt data and store it in a new collection, with private key in form link, e.g. form.gov.sg/<form_id>/<draft_id>

2. Download a file with draft response data in it and upload again to restore (does not touch server, key concern is feasibility & UX on mobile devices)

3. Save it to local storage (non-ideal, but simple to implement)

Prior discussion at https://github.com/datagovsg/formsg/issues/2063

Fka https://github.com/datagovsg/formsg/issues/2365

Discussion https://docs.google.com/document/d/1ccgdAHuyiJqyE_Ivrw_89bmowSIFrkx7wFHSoIAcvIg/edit#heading=h.b964ml7wikjb

Migrate the field validators in src/app/utils/field-validation to TypeScript.

As these validators affect email submissions directly, take care to keep existing logic and unit tests intact - and expand on them if necessary.

GET requests should not be state changing as per the REST specifications. Also, twitter.

@liangyuanruo modify as appropriate for open sourcing

Context: https://docs.google.com/document/d/1ccgdAHuyiJqyE_Ivrw_89bmowSIFrkx7wFHSoIAcvIg/edit#heading=h.uiemkcyycfco

1. change 'NRIC' field to say 'NRIC/FIN'

2. IE11 storage mode Save your Secret Key modal download buttons are misaligned in desktop view

This will help ensure that functionality introduced also works in staging-alt

Mongoose models with methods:

• form.server.model (@karrui)
• sms_count.server.model (already done)
• verification.server.model (@mantariksh)

Whilst refactoring, more instance/static methods may start to be inlined in the schema from the controllers/services, and this issue should be updated to include those models.

Previously https://github.com/datagovsg/formsg/issues/2529

All builds are failing with the following error:

CredentialsError: Missing credentials in config, if using

We need to configure Localstack such that it works without us having to expose our AWS secrets to all branches.

This issue would cover files/folders in src/app/utils, except field-validation.

During the migration, also consider whether it makes sense for some of these utility functions to be refactored into instance or static methods in the mongoose schema e.g. getQuestionFromField in question.js.

• attachment (@mantariksh)
• autoreply-pdf (@karrui done in MailService refactor)
• constants (@karrui)
• custom-errors (@arshadali172 )
• date (@arshadali172 )
• encryption (@mantariksh)
• permission-levels (@arshadali172 )
• question (@karrui)
• render-promise (@mantariksh)
• request (@karrui)
• response (@karrui)
• sns (@mantariksh) (done with Bounce collection)
• beta-permissions (@karrui)

Bigger folders

• field-validation in #7

Fka https://github.com/datagovsg/formsg/issues/2536

Background

Checkbox is the next most popular limited-choice field after those supported by logic - at 6.8% of all occurrences it is about as popular as Yes/No. The checkbox field serves unique use cases where admins want respondents to be able to select up to n choices, instead of just one choice.

Currently it is not feasible to set a logic condition for a respondent's choices having included a particular value.

• the logic-based workaround is very unwieldy, you would have to ask about each choice as its own individual question, at the expense of respondent UX
• more likely you would just do away with logic, and just issue a text-based prompt to respondents to answer a further question if it is applicable to them, especially if you have lots of checkbox options

Discuss

'includes' enum for checkbox fieldType

Review if calendar usability is fine on mobile. If ok, can close

#2078 is done, but mobile view might not be as optimised. Understand mobile design is here (https://zpl.io/blYnMXD), but it seems a bit squeezy for fat fingers, especially on an iphone 7 screen.

Circles are cut off, might want to fix this first (update from @jonathangohjy that circles are no longer cut off)

problem

today, the admin needs to collect some info in the attachments but does not know how many actual attachments the respondent has to submit.
e.g. Submit screenshots of your error. Its one error, but could be 1, 2, 3, 4 screenshots.

despite this, only one attachment can be uploaded per field.

this means that if respondent has multiple attachments (pictures for example), they will need to zip them up before uploading. this is too difficult on mobile, and mobile is 75% of respondents.

constraints

• Emails have limit of 7mb attachments over entire form, Storage mode has limit of 20mb attachments.
• mobile (75%) respondents would probably not be able to zip

research @wing-yiu

• forms with multiple attachment fields that are sprinkled throughout the form, not clustered together
• forms with attachment fields hidden by logic

what we want

for the respondent

• upload as many attachments as needed, but keep within the size limit
• be informed at point of upload if the size limit has been reached, so they dont fill in other fields before submission fails

for the admin

• be able to communicate that they want different kinds of attachments, subject to logic if necessary

possible design

• multiple uploads enabled for attachment field
• continue to have multiple attachment fields anyway, to support logic, communication of different types of attachments, and form admin flexibility
• each attachment field when clicked will show progress toward the size limit, similar to our design for attachment field config today

These would be the services located in src/app/services, please tag yourselves next to the service if you're working on it.

• form (@karrui)
• mail (@karrui)
• sms (already done)
• verification (@mantariksh)
• webhooks (@arshadali172)
• myinfo (@mantariksh)

Web hooks today has a high chance of failure, e.g. if receiving server does not return success. Improve web hook's reliability through a few possible ways:

1. Retry on failure, thus maintaining a queue
2. Report on UI which entries failed, so users can download the delta and manually recover

To be clear, this should be an external queue such as SQS, not an in-memory queue.

Blocked by #1210

Fka https://github.com/datagovsg/formsg/issues/2112

Discussion https://docs.google.com/document/d/1ccgdAHuyiJqyE_Ivrw_89bmowSIFrkx7wFHSoIAcvIg/edit#heading=h.uzyh5pif9vqm

Blocked by #19

Why

• V3 has a lot more MyInfo fields
• By July 2020 user-provided fields will no longer be pre-filled (this might affect our code)
• MyInfo claims v3 has better security posture

To do

• Switch to Person API
• Deprecate old MyInfo fields by changing them to regular fields. see epic for list.

Epic here

MyInfo V3 Migration Guide.pdf

prior discussion: https://github.com/datagovsg/formsg/issues/1392

Users occasionally find the site offline, but a refresh always loads FormSG successfully. Our logs also do not seem to pinpoint the cause of failure.

TODO: Take time out to re-examine the logs carefully. One known incident was at 2020-07-01 at 6.38.00 PM and was reported by Talitha.

Currently users of Storage Mode are forced to choose between creating attachment fields and using webhooks. This issue aims to bridge this gap so that there is feature parity between Storage Mode and email mode.

Use cases

• 10k/year feedback channel

Prior discussion here: https://github.com/datagovsg/formsg/issues/2346

To remove href. Copy can simply say "Your form is too large. Reduce the number of fields or options, or contact us via our guide: https://guide.form.gov.sg"

Problem
Currently users have to individually download attachments on the corresponding response view in FormSG. The exported csv shows filename. If users receive a high volume of responses and every one of them has an attachment, individually downloading attachments is going to be a pain in the ass.

How do we make attachment downloads more convenient for users, and best support whatever they need to do with attachments after?

Why users have to download attachments rather than just viewing them

For common use cases like applications, users often need to bring up attachments again or send them to other parties for downstream stages of the process.
e.g. need to bring up CV and personal statement again if applicant is shortlisted through later rounds

Immediate implementation

summary: https://docs.google.com/document/d/1nzUHQDzo4WBA67xdy0a3A3nJLCeKVSzjzPtJebtS9xQ/edit#heading=h.ypu06omk303h

1. Previous discussions were halted because downloading all attachments within x date range in 1 zip file was not technically feasible.

2. Alternative was to have browser download 1 zip file (per response) at a time, but would not be a great UX, as user has to click twice (unzip, then open folder) just to access each response's attachments.

Do we have a better option than option 2?

Screens
https://app.zeplin.io/project/5b29ffde48eaaf6318d01b05/dashboard?seid=5f87c5ed5cf4fc4b800abbde

Longer term

• Look at Zendesk extension
• Explore service worker and saving to disk

Fka https://github.com/datagovsg/formsg/issues/1984 for context

wontfix due to react rewrite? if so can close @liangyuanruo

Why

This is particularly useful for us to quickly alert user if their form is rejecting submissions due to bounced emails. Wouldn't be able to reach out via email since their mailbox is full.

More and more forms that are high stakes will be on FormSG (e.g. P1 registration next week), and for any issues we want to notify users immediately through a call, as users aren't reading emails all the time.

Design

https://app.zeplin.io/project/5b29ffde48eaaf6318d01b05?sid=5f1656f5d426c69dee81504e&sid=5f1656f63e0e752eff76503b&sid=5f1656f5b8fd637ed258ce82&sid=5f1656f5013cfd9cd7b9ec99&sid=5f1656f6fbff438dfe044d4a&sid=5f1656f6b8fd637ed258ce96&sid=5f1656f5013cfd9cd7b9ec6b&ref=slack

Frontend

• use a small modal (background visible) instead of a full-page one like in the mockup
• modal opens on login until user has entered an emergency contact number.
• modal can be closed (X in top right as with our other modals)
• modal copy (take note as different from mockup)
  Emergency mobile number
  We will only contact you in case of urgent issues with your form. You can change this number later in your user settings.

Backend

• Emergency # is a key in user collection

Create a new bounces collection where each document has a 48hr TTL and has the following fields:

• formId: ObjectId
• hasAlarmed: boolean: whether an alarm has been sent
• bounces: Array<{ emailAddress: string, hasBounced: boolean }>: whether an email has bounced.

When we receive a bounce notification via webhook notifications, retrieve the document by finding the correct form ID. For each email in the list of bounced emails, set the corresponding hasBounced to true. If all the hasBounced are true and hasAlarmed is false, send an alarm write a log message and set hasAlarmed to true. CloudWatch should monitor the log message and trigger an alert if necessary

If the list of email recipients is different from the bounces array, update the bounces array.

If an email was successfully received, set hasBounced to false for the corresponding email.

README.md and docs/DEPLOYMENT_SETUP.md should be updated with the documentation for the env vars IS_LOGIN_BANNER, SITE_BANNER_CONTENT and ADMIN_BANNER_CONTENT and how they are prioritised with respect to the other banner env vars.

The login flow appears unnecessarily complex today as we need 3 network calls for a 2-step login

1. call to /checkuser to make sure that the email is valid on the "Get Started" page
2. call to /sendotp to request for an OTP, which checks the user's email again
3. call to /verifyotp to login

We could potentially simplify by combining the first two steps into one API call.

Typecasting (such as typing as any, or to an interface) may be inevitable when some dependencies of the file that is being converted to Typescript is not in Typescript yet, and thus may not be emitting the correct types.

This issue is a holder issue to mark those forced typecastings in the application with an issue number so we can delete them in one shot after a majority of the backend has been migrated.

Our approach to end-to-end tests is not proactive, but reactive: we write new tests whenever we encounter a bug which caused a rollback. This helps to ensure old bugs do not pop up again, but does not protect us against future bugs. Instead, we should be actively extending our test coverage to ensure that we test as many features as possible whenever we make code changes.

In my opinion, the biggest gap in our e2e tests is coverage of the form editing dashboard. We have no tests which cover editing of forms via the Build, Logic and Settings tabs. While former 2006 and former 2034 extended the coverage of submissions-related testing, they still rely on modifying the Forms collection directly, instead of manually creating a new form to submit.

I suggest the following roadmap to move forward with this:

• Refactor: create a centralised resource of Selectors for the various buttons and controls in the admin dashboard. Continued reliance on data-test attributes will quickly become unsustainable and hard to debug as we expand the number of form controls we are testing.
• Change the createForm function used in all the submissions tests to manually create the given forms using the admin dashboard, instead of adding them directly to the database.
• Change the addLogic function used in the logic-related submissions tests to manually create the given logic using the Logic tab.
• Unite the admin and submissions fixtures into actual end-to-end tests which manually create forms, activate them and submit them
• Add a test for a form with MyInfo fields
• Add tests for all the controls in the Settings tab, including typing in the various inputs and expecting them to be either reverted or updated upon blur
• #5930
• Add tests for other parts of the app (Share tab, Billing, examples etc). This is a low priority since these other parts seem to be stable.

Formerly https://github.com/datagovsg/formsg/issues/2367

Discuss: https://docs.google.com/document/d/1ccgdAHuyiJqyE_Ivrw_89bmowSIFrkx7wFHSoIAcvIg/edit#heading=h.3yyjhp4t1w9m

To avoid situations where the form is very long, but they only find out at the very end that they need to refresh.

copy "Error: cannot connect to reCAPTCHA. Please check your internet connectivity or try submitting on another device."

Context

https://docs.google.com/document/d/1ccgdAHuyiJqyE_Ivrw_89bmowSIFrkx7wFHSoIAcvIg/edit#heading=h.5e6nn5rywygk

Blockers

Email blast to all SP form admins

Blocked by #28

Aim: make it easier to navigate to individual attachment for download

Feature: searchbar for single submissionId on the responses tab

Zeplin: https://app.zeplin.io/project/5b29ffde48eaaf6318d01b05/screen/5f2b713ca4a638880b1ddcdb

• searchbar placeholder should be Search by reference no.
• also change 'Ref no.' to 'Reference No.'
• note comments on zeplin
• dont include the filter button
• may include the black bar in no-result view pending pearly

can we add a GA event so we know how often submissionIds get searched? @liangyuanruo