Form builder configuration
- Last Modified:
- 10 Dec 2018
- User Level:
Forms are stored on a dedicated form bank server, which your TERMINALFOUR installation connects to using authentication. Form submissions are all handled through the same form bank server. TERMINALFOUR has a number of form bank servers located around the world and you need to connect to the form bank for your country. The Form Builder FAQ page has further details on the server architecture and security.
Form bank connection
To configure the Form Builder, go to System administration > System settings > Form builder
Displays the status; Connected or Disconnected.
Form bank URL
Enter the URL for the form bank server, as provided to you by TERMINALFOUR and click the Authenticate button
Once you have authenticated your form bank connection, all forms will be saved to your form bank. The public form is pulled from form bank and all data submitted by a form is sent to the form bank.
Introduced in 8.2.10. Display a Google reCAPTCHA on forms.
|Enable reCAPTCHA||Slide to enable|
|Site key||Sets the Google reCAPTCHA site key|
|Secret key||Sets the Google reCAPTCHA secret key|
|Enforcement||Check to show reCAPTCHA on all forms. If unchecked it will only be shown on forms where it has been explicitly set|
Display of reCAPTCHA on forms
1. reCAPTCHA is disabled
The reCAPTCHA button is not visible.
2. reCAPTCHA is enabled and not enforced
The reCAPTCHA button is visible under advanced inputs when selecting fields.
The reCAPTCHA field can be added to the form, once only.
The reCAPTCHA field, if added will be positioned before the submit /reset buttons and it is not possible to move it.
It is possible to delete the reCAPTCHA field.
3. reCAPTCHA is enabled and enforced
The reCAPTCHA field is positioned before the submit /reset buttons and it is not possible to move it.
It is not possible to delete the reCAPTCHA field.
The reCAPTCHA button is visible under advanced inputs, but is not clickable.
4. After switching off enforcement
Forms that had a reCAPTCHA explicitly added before enforcement was enabled will still have a reCAPTCHA field.
Forms that had a reCAPTCHA because enforcement was enabled will not have a reCAPTCHA field.
How many reCAPTCHA key pairs can be added?
One reCAPTCHA key pair can be added.
How can I add more than one domain?
Multiple domains can be added to one site key in Google. Please include the domain of the Form bank URL when configuring the Google reCAPTCHA.
Which users can configure the reCAPTCHA?
Administrator users can configure the reCAPTCHA at System administration > System settings > Form builder.
Can a reCAPTCHA be shared?
Sharing is not required as only one reCAPTCHA is configured per installation.
Can the Google site type be specified?
The site type reCAPTCHA v2 is used. The following Site types are not supported: Invisible reCAPTCHA, reCAPTCHA Android, reCAPTCHA V1 - Unsupported.
How is the widget rendered?
The widget is explicitly rendered.
Do I need to specify the language code?
There is no need to set the language code as Google will set the language based on the user's browser.
How do I ensure reCAPTCHA is set on all forms?
Administrator users can configure "enforcement" so that the reCAPTCHA will show on all forms. This is configured at System administration > System settings > Form builder.
Where on the form will the reCAPTCHA be displayed?
It will be displayed before the Submit button in all cases. It is not possible to reorder the position of the reCAPTCHA.
How is the reCAPTCHA response processed?
The response is verified via an API request to https://www.google.com/recaptcha/api/siteverify.
What logic is applied to the "hostname" data in the API response?
The logic is based on the "success" property in the API response.
- If the "success" response is true, the response token is set as a value in the submission so it can be submitted.
- If the "success" response is false, the user is brought the the failure error message / page specified for the form. No response token is sent so the submission is not submitted. The API request error code can be seen in the POST request, via the developer console.
Security and Authentication
When you connect to the form bank server, TERMINALFOUR creates a key pair. The private key is saved locally in a password protected Java key store. The public key is sent to the form bank server.
Connection to the form bank from the public is via HTTPS (SSL) only, this avoids fallback, removing the possibility of "man in the middle (MitM)" attacks on the public forms.
Form submissions are saved with 2 phase encryption using RSA and AES, this means that the submitted forms can only be unlocked using the private key.
Our Form Builder FAQ page has further details on the server architecture and security.
To prevent against spam, a Cross-Site Request Forgery (CSRF) token is used to guarantee one time form submissions. When the form is requested, the browser is given a token. The form can only be submitted once with the token and before the token expires.
After linking to the form bank server, TERMINALFOUR will automatically create a scheduled task to download form submissions into your instance of TERMINALFOUR.
For versions prior to 8.1.6, the scheduled task will need to be created manually in the Task scheduler.