always run our little node HTTP proxy locally to constantly test HTTP proxy support which we'll have in production - issue #904

add outbound HTTP proxy support to browserid - requires a proxy that can forward http to https traffic - closes #904

simplify previous commit - .well-known/browserid really doesn't need a template and must be sent with application/json content-type - issue #865

return an error to the client when we cannot contact the keysigner.  (was just leaving the connection to hang...)

update wsapi_client to return errors in the standard node convention.  update all clients.  fix several areas in loadgen where we were not properly handling errors.  improve informational output of loadgen failures.  closes #838 - helps with issue #784 - closes #785

explicitly call .removeAllListeners() during http forwarding to eliminate memory leak.  closes #839 (with extreme prejudice)

explicitly call .removeAllListeners() during http forwarding to eliminate memory leak.  closes #839 (with extreme prejudice)

document in code where two level auth affect apis, specifically where you'll need to be password authenticated, vs. where assertion auth (with a primary address) is sufficient

(loadgen) fix bug that would leave virtual users with incorrect cookies in their device contexts after a password reset (still authenticated as th old user that they split from) issue #785

(loadgen) tons of fixes to handle request failures without mucking up the local user database - issue #838, issue #785, issue #787, issue #784

staging a new acct on a session logs you out.  clear the auth'd bit on the session when this happens to prevent errors that occur when the loadgen client thinks it's authed, but the server knows its not.  issue #785

gracefully handle excessive load - all cases where bcrypt will take to long return 503, loadgen special cases 503 errors for better output.  closes #787

updated to new version of client-sessions, renamed, and re-added connect-cookie-session for example primary

SCHEMA CHANGES! update the mysql driver to support the new database apis motivated by issue #388 (identify user by userid rather than email)

update all WSAPIs now that userid rather than email is stored in session after auth.  all tests pass on JSON database driver

update all database apis on the JSON side to interact in terms of user ids as the primary identifier rather than an email address.  first step toward migrating to userid in sessions instead of email addresses to solve issue #388 (and others like it) and pave the way for primaries

changed session over to benadida's node-cookie-session with encryption and signing of the cookie, closes #416, closes #832

perform password length checking everywhere a password is updated.  complete_user_creation now requires a 'pass' arg when the acct has no password (only primary accts)

email_for_token now returns whether the user must set a password to finish adding an email to their browserid account.  also write (failing) tests for imminent changes to complete_email_addition api.  also refactor db layer, adding haveVerificationToken to move code off of emailForVerificationToken that only cares about whether a verification token exists or not.  whew.

implement a 'maximum request time' for bcrypt work.  server now fails more gracefully under backbreaking load, returning 503s to clients of the authenticate_user api.  update loadgen to be less dramatic about, but still display, 503 errors.  first part of issue #787 - a partial fix for #785 in dere too

* All unit tests pass again.
* Renaming primary_user_verified to primary_user_ready
* Adding a random_seed to the context info to fix the unit tests and the adding of the seed.
* Renamed all ejs templates to match their URL.
* Each page unit test writes the ejs template that it needs to the DOM.

* Use WinChan to open a new window to the primary.
* Add the idp_auth_complete page for the IdP to redirect back to.
* When the window closes, re-try to authenticate the user with the primary.
* Add a helper to show an error message.
* Add a WinChan mock.
* Update unit tests to handle the "need to authenticate with IdP" scenario.
* Update compression scripts for WinChan to be included on the main site.

move 'primary.js' - abstraction for interacting with primaries - down to lib/, now it's used by different processes

WSAPI CHANGES: implement auth_with_assertion wsapi.  this requires creation of a new create_account_with_assertion api on the dbwriter than cannot be externally invoked (though it still re-verifies assertions).  New mechanism added to wsapi.js to support this type of function (internal only wsapis)

implement support for verifying assertions issued by primaries for the purpose of logging into browserid

SCHEMA CHANGE: password is now nullable in schema.  also, add .createUserWithPrimaryEmail and .emailType to db abstractoin

API CHANGES: stub a new auth_with_assertion api for authenticating to browserid with assertions generated from primary issued certs, and implement a failing unit test.  now lets make it pass