Knowledge Base

Form builder configuration

Last Modified:
10 Dec 2018
User Level:
Administrator

Description

Forms are stored on a dedicated form bank server, which your TERMINALFOUR installation connects to using authentication. Form submissions are all handled through the same form bank server. TERMINALFOUR has a number of form bank servers located around the world and you need to connect to the form bank for your country. The Form Builder FAQ page has further details on the server architecture and security.

Form bank connection

To configure the Form Builder, go to System administration > System settings > Form builder

Current status

Displays the status; Connected or Disconnected.

Form bank URL

Enter the URL for the form bank server, as provided to you by TERMINALFOUR and click the Authenticate button 

Once you have authenticated your form bank connection, all forms will be saved to your form bank. The public form is pulled from form bank and all data submitted by a form is sent to the form bank.

reCAPTCHA Settings

Introduced in 8.2.10. Display a Google reCAPTCHA on forms.

ItemDescription
Enable reCAPTCHA Slide to enable
Site key Sets the Google reCAPTCHA site key
Secret key  Sets the Google reCAPTCHA secret key
Enforcement Check to show reCAPTCHA on all forms. If unchecked it will only be shown on forms where it has been explicitly set

Display of reCAPTCHA on forms

When creating a new form or editing an existing form, the display of the reCAPTCHA field will change, depending on the settings.

1. reCAPTCHA is disabled

The reCAPTCHA button is not visible.

2. reCAPTCHA is enabled and not enforced

The reCAPTCHA button is visible under advanced inputs when selecting fields.
The reCAPTCHA field can be added to the form, once only.
The reCAPTCHA field, if added will be positioned before the submit /reset buttons and it is not possible to move it.
It is possible to delete the reCAPTCHA field.

3. reCAPTCHA is enabled and enforced

The reCAPTCHA field is positioned before the submit /reset buttons and it is not possible to move it.
It is not possible to delete the reCAPTCHA field.
The reCAPTCHA button is visible under advanced inputs, but is not clickable.

4. After switching off enforcement

Forms that had a reCAPTCHA explicitly added before enforcement was enabled will still have a reCAPTCHA field.
Forms that had a reCAPTCHA because enforcement was enabled will not have a reCAPTCHA field.

reCAPTCHA FAQ

How many reCAPTCHA key pairs can be added?

One reCAPTCHA key pair can be added.

How can I add more than one domain?

Multiple domains can be added to one site key in Google. Please include the domain of the Form bank URL when configuring the Google reCAPTCHA.

Which users can configure the reCAPTCHA?

Administrator users can configure the reCAPTCHA at System administration > System settings > Form builder.

Can a reCAPTCHA be shared?

Sharing is not required as only one reCAPTCHA is configured per installation.

Can the Google site type be specified?

The site type reCAPTCHA v2 is used. The following Site types are not supported: Invisible reCAPTCHA, reCAPTCHA Android, reCAPTCHA V1 - Unsupported.

How is the widget rendered?

The widget is explicitly rendered.

Do I need to specify the language code?

There is no need to set the language code as Google will set the language based on the user's browser.

How do I ensure reCAPTCHA is set on all forms?

Administrator users can configure "enforcement" so that the reCAPTCHA will show on all forms. This is configured at System administration > System settings > Form builder.

Where on the form will the reCAPTCHA be displayed?

It will be displayed before the Submit button in all cases. It is not possible to reorder the position of the reCAPTCHA.

How is the reCAPTCHA response processed?

The response is verified via an API request to https://www.google.com/recaptcha/api/siteverify.

What logic is applied to the "hostname" data in the API response?

The logic is based on the "success" property in the API response.

  1. If the "success" response is true, the response token is set as a value in the submission so it can be submitted.
  2. If the "success" response is false, the user is brought the the failure error message / page specified for the form. No response token is sent so the submission is not submitted. The API request error code can be seen in the POST request, via the developer console.

Security and Authentication

When you connect to the form bank server, TERMINALFOUR creates a key pair. The private key is saved locally in a password protected Java key store. The public key is sent to the form bank server.

Connection to the form bank from the public is via HTTPS (SSL) only, this avoids fallback, removing the possibility of "man in the middle (MitM)" attacks on the public forms.

Form submissions are saved with 2 phase encryption using RSA and AES, this means that the submitted forms can only be unlocked using the private key.

Our Form Builder FAQ page has further details on the server architecture and security.

To prevent against spam, a Cross-Site Request Forgery (CSRF) token is used to guarantee one time form submissions. When the form is requested, the browser is given a token. The form can only be submitted once with the token and before the token expires.

Scheduled Task

After linking to the form bank server, TERMINALFOUR will automatically create a scheduled task to download form submissions into your instance of TERMINALFOUR.

For versions prior to 8.1.6, the scheduled task will need to be created manually in the Task scheduler.