Removed X-Forwarded header handling from the application code and
documented how to setup the servlet container and reverse proxy to
handle those.

The link property of Facebook Oauth profiles no longer has a consistent
value across logins and will be completly removed in future versions of
Facebook's Graph API.

We generate a link in the old format from the id for backwards
compatibility.

The public CORS config was always overriden by the more generic config.
Credentials are no longer allowed to be sent with default CORS config.

Setting 'security.cors.origins' did not have any effect since the the
configuration was overriden by the default path settings.

This fixes a regression caused by a change in CouchDB4J 0.8 introduced
in commit 1eaebde0. CouchDB4J 0.8+
always defaults to `reduce=false` as long as grouping is not enabled.

Always set `creationTime` on session creation. Sessions with invalid
timestamps might otherwise be deleted by the scheduled cleanup.

Fixes a regression introduced with commit
dd749370.

Refs arsnova#85
Refs !16

Fixes a regression introduced with commit
d74ef999.

Refs arsnova#85
Refs !25

Fixes a regression introduced with commit
7207bad9.

Fixes arsnova#84

Since we do not use a SecurityFilter, the previously visited page is not
saved in the session.

This improves/fixes compatibility with third-party OAuth APIs.

Consistently prioritize the `api.path` setting before falling back to
`servletContext.getContextPath()`.

Daniel Gerhardt authored 7 years ago and Daniel Gerhardt committed 7 years ago

This should massively reduce the time needed for session creation.
Additionally, the `Transactional` annotation has been removed because
it did not have any effect in this case.

Log level for DB logging was overriden by the fallbacki value in some
cases.

Add messages to exceptions and slightly refactor exception handling.

Exceptions are now always passed to the logger. The logger decides based
on configuration whether and how they are logged. Logging messages were
adjusted for consistency.

Execption messages in API responses is disabled by default because they
can contain sensitive data. The config property
`api.expose-exception-messages` has been added and is described in the
developer documentation.

Error responses now expose exception details.

Exeption handling was broken by
56fe085e (GH-27).

Readd an empty constructor for deserialization with Jackson. It was
accidentally removed a part of a code clean up in commit
685695a6.