added conformance tests.

tests should now pass
updated to jwcrypto that has proper callback delay guarantees and removed unnecessary setTimeouts

Updated all calls to jwcrypto to use the more intuitive API. Fixed a front-end test that was failing due to true asynchronicity of jwcrypto.

* Update the "stage_user" and "stage_email" to take a password where appropriate.
* Remove pass from calls to "complete_user_creation" and "complete_email_addition"
* Update database drivers to set the account password where appropriate.
* Update unit tests.

fixed check for site parameter, it should be an origin not a domain, and fixed all tests accordingly. Was careful not to screw up the verifier tests that are testing for old parameters to the verifier.

fix unit tests - autenticate_user and cert_key now require a boolean 'ephemeral' value which will affect duration of authentication and certificate validity respectively.

fix unit tests failing under travis-ci: for verifier tests, use impossible domain names for bogus resources that are never supposed to exist. closes #1197

update wsapi_client to return errors in the standard node convention.  update all clients.  fix several areas in loadgen where we were not properly handling errors.  improve informational output of loadgen failures.  closes #838 - helps with issue #784 - closes #785

updated crazy verifier test to chop off last 2 chars from assertion rather than 1, due to base64 resilience that is not worth testing. Fixes #833

update verifier tests to use a real domain that doesn't have primary support for one of the negative tests.  network timeouts make tests run painfully slow.

more issue #598 - add test and fix for other places where exceptions leak out of JWCrypto and cause 500 errors rather than 200 failure responses.

create a test which reveals that the verifier considers assertions that have expired to still be valid (with expiry upto two minutes in the past)

tests to reproduce and fixes for wildy invalid assertions posted to the verifier.  closes #598 and closes #605

add a (failing) verifier test of an assertion signed by a cert issued by someone other than the trusted domain.

better input validation on audience.  accept even more forms of input (domain:port) and do the best we can to validate.  closes #642

the verifier is more helpful if you leave off content-type headers, also did you know we support application/json?  closes #643

add tests to verify that we allow verification request parameters to ride in the path, or in the content body.  wierd, but it's our contract, let's test it!  Also, add test of misset content-type

implement basic verifier unit tests.  These will prevent regression on issue #467, and can grow to address issue #598

rework the authenticate_user api - now it is read only (will run on webheads) and will call over to dbwriter if and when bcrypt password update is in play.  This shifts the majority of authentication compute cost over to webheads from secure webheads - closes #560

fix race condition between token request and waiting for token, was causing test hangs.  closes #530

fix race condition between token request and waiting for token, was causing test hangs.  closes #530

server side changes for issue #329 - /csrf call is now /session_context and returns current server time - to be used to allow clients with broken clocks to generate valid assertions

WSAPI CHANGES in preparation for new UX flows, specifically where you provide a password AFTER verifying emails.

  * stage_user no longer takes a password
  * after calling stage_user, you can poll status with user_creation_status
  * instead of 'prove_email_ownership', you call 'complete_user_creation' and provide a password
  * add_email is now 'stage_email'
  * after calling stage_email, you can poll status with email_addition_status
  * instead of 'prove_email_ownership', you call 'complete_email_addition' and provide a password
  * stage_* and complete_* calls are POST
  * *_status calls succeed continuously (not only once)

For tests, instrument `email.js` so that one may register an interceptor
function which will be invoked rather than attempting to send email.

closes #88.