- Aug 10, 2012
Brian Warner authored
Brian Warner authored
With this change, existing session cookies are invalidated when the user changes their password. This will also support a "log me out of everywhere" button, which merely needs to update the superSessionToken as if the password was changed.

This adds .superSessionToken to all sessions in wsapi.authenticateSession, and checks it against the database row during a new checkExpiredSession() call (run for all /wsapi requests, both GETs and POSTs). All database methods which create an account or modify the password were changed to also set .superSessionToken (to the current time). updatePassword() added an 'invalidateSessions' argument so passwords can be rehashed (when the bcrypt work factor changes) *without* invalidating sessions. Finally, the database added a new method named superSessionToken() to retrieve the current value, for comparison in checkExpiredSession().

wsapi/update_password.js is changed to add a call to authenticateSession after changing the password, to update the cookie with the new .superSessionToken. This ensures that the user's new session works on the next call after update_password.

Database rows that don't have a superSessionToken (created before the code was upgraded to include this change) will not enforce session-checking, so user sessions will not be spontaneously expired when the server is upgraded past this revision.
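The session-invalidation flow the commit message describes, as an added example that is not part of the BrowserID code base. It keeps the function names from the message (authenticateSession, checkExpiredSession, updatePassword, superSessionToken) but runs against a constructed in-memory user table; `db`, `importLegacyRow`, `logoutEverywhere`, `runScenario` and the injectable `now` clock are assumptions made for this illustration, as is rejecting a session whose account row no longer exists.

```javascript
// Added example (not BrowserID's own code): session invalidation keyed on a
// per-user superSessionToken, with an in-memory stand-in for the user table.

// userid -> { passwordHash, superSessionToken }   (constructed in-memory store)
const db = new Map();

// Account creation sets superSessionToken to the current time (clock injectable for tests).
function createUser(userid, passwordHash, now = Date.now()) {
  db.set(userid, { passwordHash, superSessionToken: now });
}

// A row written before the upgrade carries no superSessionToken at all (assumption: null).
function importLegacyRow(userid, passwordHash) {
  db.set(userid, { passwordHash, superSessionToken: null });
}

// Database method used by checkExpiredSession() to read the current value.
function superSessionToken(userid) {
  const row = db.get(userid);
  return row ? row.superSessionToken : undefined;
}

// invalidateSessions === false covers a rehash after a bcrypt work-factor change:
// the stored hash is replaced but existing sessions stay valid.
function updatePassword(userid, newHash, invalidateSessions, now = Date.now()) {
  const row = db.get(userid);
  if (!row) throw new Error('no such user: ' + userid);
  row.passwordHash = newHash;
  if (invalidateSessions) row.superSessionToken = now;
}

// "Log me out of everywhere": bump the token exactly as a password change would.
function logoutEverywhere(userid, now = Date.now()) {
  const row = db.get(userid);
  if (!row) throw new Error('no such user: ' + userid);
  row.superSessionToken = now;
}

// Called on login and again right after update_password, so the cookie carries
// the token the database now holds and the very next request is not rejected.
function authenticateSession(session, userid) {
  session.userid = userid;
  session.superSessionToken = superSessionToken(userid);
}

// Run for every /wsapi request (GET and POST). Returns true when the session
// must be treated as expired.
function checkExpiredSession(session) {
  if (!session.userid) return false;      // nothing to check for anonymous requests
  const current = superSessionToken(session.userid);
  if (current === undefined) return true; // assumption: account row gone, reject
  if (current === null) return false;     // pre-upgrade row: checking not enforced
  return session.superSessionToken !== current;
}

// Walk through the lifecycle with a fixed clock and report each check's verdict.
function runScenario() {
  db.clear();
  const verdicts = [];
  createUser('alice', 'hash-v1', 1000);
  const cookie = {};
  authenticateSession(cookie, 'alice');
  verdicts.push(checkExpiredSession(cookie));               // false: fresh login
  updatePassword('alice', 'hash-v1-rehashed', false, 2000);
  verdicts.push(checkExpiredSession(cookie));               // false: rehash only
  updatePassword('alice', 'hash-v2', true, 3000);
  verdicts.push(checkExpiredSession(cookie));               // true: password changed
  authenticateSession(cookie, 'alice');                     // what update_password.js now does
  verdicts.push(checkExpiredSession(cookie));               // false: cookie refreshed
  logoutEverywhere('alice', 4000);
  verdicts.push(checkExpiredSession(cookie));               // true: logged out everywhere
  importLegacyRow('bob', 'hash-old');
  const legacy = {};
  authenticateSession(legacy, 'bob');
  verdicts.push(checkExpiredSession(legacy));               // false: legacy row not enforced
  return verdicts;
}

console.log(runScenario());
```

Two caveats worth keeping in mind when reading the scheme. Using the current time as the token means two changes inside one clock tick produce an equal token, and a clock stepped backwards can reissue an old one; a random nonce or a monotonic counter avoids both. And because rows without a token are exempt, a stolen session for a pre-upgrade account stays usable until that user next changes their password, which is the first write that stores a token on the row.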
- Jul 10, 2012
Lloyd Hilaiel authored
- Jul 04, 2012
Lloyd Hilaiel authored
Lloyd Hilaiel authored
Lloyd Hilaiel authored
implement complete_reset, stage_reset and refactor database code to support this addition, add tests
- May 02, 2012
Lloyd Hilaiel authored
require authentication on complete_* wsapis to reduce risk now that password is provided before email verification. issue #290 and a pre-requisite for issue #1000
- Feb 27, 2012
Lloyd Hilaiel authored
* all database functions return an err as the first param which is non-null for failure.
* all wsapis handle database errors and return service unavailable to client.
* stalled-mysql-test implements unit tests to verify proper failure behavior of all wsapis.
* configuration parameter added to define max allowed time per query
- Jan 17, 2012
Lloyd Hilaiel authored
- Jan 04, 2012
Lloyd Hilaiel authored
update all database apis on the JSON side to interact in terms of user ids as the primary identifier rather than an email address. first step toward migrating to userid in sessions instead of email addresses to solve issue #388 (and others like it) and pave the way for primaries
- Jan 03, 2012
Lloyd Hilaiel authored
email_for_token now returns whether the user must set a password to finish adding an email to their browserid account. also write (failing) tests for imminent changes to complete_email_addition api. also refactor db layer, adding haveVerificationToken to move code off of emailForVerificationToken that only cares about whether a verification token exists or not. whew.
- Dec 28, 2011
Lloyd Hilaiel authored
- Dec 21, 2011
Lloyd Hilaiel authored
SCHEMA CHANGE: password is now nullable in schema. also, add .createUserWithPrimaryEmail and .emailType to db abstraction
- Dec 15, 2011
Lloyd Hilaiel authored
- Nov 29, 2011
Lloyd Hilaiel authored
remove the deep __heartbeat__ checks performed from browserid (the webhead), while dbwriter should ping the database to ensure health - closes #566
- Nov 23, 2011
Lloyd Hilaiel authored
- Nov 16, 2011
Lloyd Hilaiel authored
move generation of ephemeral database names (used in perf/unit testing) to a higher level and out of core code. also, ephemeral database cleanup is now a responsibility of the harness running the software (test harness, or run_locally.js). This fixes race conditions in unit tests that restart daemons (closes #557) and simplifies running local performance tests (issue #504)
- Nov 15, 2011
Lloyd Hilaiel authored
repairing load_gen - issue #504 - update pathing, alter fake_verification WSAPI to query the database rather than to use email interception (which no longer works)
- Nov 10, 2011
Lloyd Hilaiel authored
reorganize browserid process - break out view serving and wsapi handling. preparation for dbwriter split. issue #460
- Oct 28, 2011
Lloyd Hilaiel authored
implement throttling on outbound emails: don't send emails to the same address more than once per minute - issue #430
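The per-address throttle from the commit message above, as an added example rather than the project's own implementation. The table name `lastSent`, the `pruneThrottleTable` helper, the injectable `now` clock and the case-folding of addresses are all assumptions made for this illustration.

```javascript
// Added example (not BrowserID's own code): outbound e-mail throttle that
// refuses a second message to the same address within one minute.

const MIN_INTERVAL_MS = 60 * 1000; // "no more than once per minute"

// address -> timestamp of the last send we allowed   (constructed in-memory table)
const lastSent = new Map();

// Fold case and surrounding whitespace so "Alice@Example.com " and
// "alice@example.com" share one throttle slot. Assumption: mailbox local parts
// are treated case-insensitively, which is how nearly every provider behaves.
function canonicalAddress(address) {
  return address.trim().toLowerCase();
}

// Returns true and records the send if the address may receive an e-mail now;
// returns false if one was allowed less than MIN_INTERVAL_MS ago.
function shouldSendEmail(address, now = Date.now()) {
  const key = canonicalAddress(address);
  const prev = lastSent.get(key);
  if (prev !== undefined && now - prev < MIN_INTERVAL_MS) return false;
  lastSent.set(key, now);
  return true;
}

// Drop entries older than the window so a flood of distinct addresses cannot
// grow the table without bound. Returns the number of entries removed.
function pruneThrottleTable(now = Date.now()) {
  let removed = 0;
  for (const [key, ts] of lastSent) {
    if (now - ts >= MIN_INTERVAL_MS) {
      lastSent.delete(key);
      removed++;
    }
  }
  return removed;
}

console.log(shouldSendEmail('alice@example.com', 0));        // true
console.log(shouldSendEmail('Alice@Example.com ', 30000));   // false
console.log(shouldSendEmail('alice@example.com', 60000));    // true
```

The pruning step is the part an in-process throttle most often forgets: without it every address ever targeted stays in memory, so the throttle itself becomes something an attacker can grow.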
Lloyd Hilaiel authored
- Oct 11, 2011
Lloyd Hilaiel authored
implement dynamic bcrypt work-factor update so we can scale this up or down as we seek the optimal security/performance balance
- Sep 23, 2011
Ben Adida authored
- Sep 26, 2011
Lloyd Hilaiel authored
- Sep 15, 2011
Lloyd Hilaiel authored
remove obsolete syncEmails functionality from persistence layer, tests, wsapi, and client libraries. with certs the logic is much simpler and more efficient
Lloyd Hilaiel authored
- Sep 08, 2011
Ben Adida authored
- Aug 23, 2011
Lloyd Hilaiel authored
test harness now tries to shut down gracefully. this allows cleanup to occur (i.e. of database when running in a test mode)
- Aug 17, 2011
Lloyd Hilaiel authored
find instances of console.log() and send them to the logger instead; when running under dev harness, also route to console. issue #169
- Aug 09, 2011
Lloyd Hilaiel authored
- Aug 05, 2011
Lloyd Hilaiel authored
Lloyd Hilaiel authored
Lloyd Hilaiel authored
- Jul 22, 2011
Lloyd Hilaiel authored
Lloyd Hilaiel authored
add an explicit db.open() call which will provide the hook for passing configuration information into the db layer
Lloyd Hilaiel authored
- Jul 20, 2011
Lloyd Hilaiel authored
Lloyd Hilaiel authored
basic testing of all db.js apis complete, also completed implementation of identitysync to check installed pubkeys.
Lloyd Hilaiel authored
Lloyd Hilaiel authored