1. Give up war packaging. Let it always be a single executable uber-jar
2. Developers should be able to run the program from IDE as a Main application
3. Put the configuration inside the jar.
4. During development, the flyway can only be run manually; but in testing/production envs, the flyway should be run automatically when the system starts up.

Email verification status

As a user,

1. If I register with email/password, by default my email is not verified
2. If I register with social account, my email is verified

Email verification

As a user, I can verify my email if I registered with email/password.

Typical flow:

I can ask for a verification link to be sent to my email. After clicking it, I will be directed to a web page which tells me that the verification has been done.

Alternative flows:

1. If I registered with social account, request for a verification link will fail
2. If my email has been verified, request for a verification link will fail
3. If my email has been verified, clicking the verification link will "appear" successful
4. If my email has not been verified, and I have asked a verification link before, when I ask for this link again, the former link will be invalid.

Because v <= 2.8 has been deprecated by facebook.

Make the change according to this PR: chenjianjx/srb4jfullsample#3

Missing token/ token invalid / token expired: should use 401 + WWW-Authenticate header , not 400 . And in this case the frontend should do a login.

Insufficient scope: should use 403 + WWW-Authenticate header. In this case the frontend should not do a login

A good discussion can be found here: bshaffer/oauth2-server-php#143

Things that should be changed

• Backend code that write response
• Documentation about frontend code in readme.md

As a developer,

I can choose between two schemes concerning verification status

1. VERIFICATION_REQUIRED: Without email verified, a user can't even login. They may not be able to something else.
2. VERIFICATION_NOT_REQUIRED: Without email verification, the user can still login

To be more specific,

Currently they are returning "long", meaning the generated ID. But that's a mistake. What's really returned is the number of rows that have been inserted. So, it will always return 1.

Find the occurences of JacksonJaxbJsonProvider and replace the registration statement with

register(new JacksonJaxbJsonProvider().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false));

This can happen when a person registers himself with an email and use a social account associated with the same email

The problem was described on googleapis/google-api-java-client#1060

1. Use the class code shown on googleapis/google-api-java-client#1060
2. Add the class as impl.support.social.GoogleCustomTimeoutHttpClient
3. In FoGoogleAuthHelper.java, replace HttpTransport creation code with

HttpTransport googleHttpTransport = new ApacheHttpTransport(GoogleCustomTimeoutHttpClient.newHttpClient());

1. when I'm running a single integration test class, such a database should be created and all DDL should be created
2. when I'm running the suite of all the integration tests with maven, the same should happen and happen only once.

I should be able to do sql migration with a single maven command

1. during development of my artifact, I can run it manually
2. during deployment of my artifact, it is possible to run the migration as part of system start up -- will be done in #3

User Stories

As a staff user

• I will know the username/password from offline
• I can log into the BO site with the combination. But for the first time of log in, I have to change my password
• The BO site is a responsive html5 website, so that I can use it from a mobile device
• I can then view all the FO users in list, with pagination
• I can also view other records if the developer provide them
• I can change my password

As a DevOps

• I can use a maven command to generate a staff user's password and its encrypted version that is going to be stored in DB
• I can then create a staff user with this password by manually running some sql

As a developer

• By default the back office website is disabled.
• I can enable it by changing some configuration
• If I want to completely remove the website, it should be done easily, which means all the code shouldn't scatter

Design and Implementation

Features

• Log In
• Log out
• Change password
• See the list of FO users (password hidden)
• Disable/Enable BO site

The web page framework

• Jersey + some template solution which can do template inclusion
• Jsersey Filter to be used as session filter
• Html5 boilerplate
• No Javascript allowed
• All the nav links are in a common file, where CSS is inlined in this page file
• All the BO jersey resource endpoints are declared in a single Java class
• All the template files are put together in a single dir

Password generation

• A main class can be used for this
• Then a mvn exec plugin can be used to hook it with maven