- Aug 10, 2012
Brian Warner authored
This honors the preceding comment about not gratuitously expiring innocent sessions. Somehow this clause got lost as I was merging/rebasing this function.
-
Brian Warner authored
Specifically this should reduce the work needed by the 'authenticate_user' call by one DB read.
-
Brian Warner authored
-
Brian Warner authored
With this change, existing session cookies are invalidated when the user changes their password. This will also support a "log me out of everywhere" button, which merely needs to update the superSessionToken as if the password was changed. This adds .superSessionToken to all sessions in wsapi.authenticateSession, and checks it against the database row during a new checkExpiredSession() call (run for all /wsapi requests, both GETs and POSTs). All database methods which create an account or modify the password were changed to also set .superSessionToken (to the current time). updatePassword() added an 'invalidateSessions' argument so passwords can be rehashed (when the bcrypt work factor changes) *without* invalidating sessions. Finally, the database added a new method named superSessionToken() to retrieve the current value, for comparison in checkExpiredSession(). wsapi/update_password.js is changed to add a call to authenticateSession after changing the password, to update the cookie with the new .superSessionToken. This ensures that the user's new session works on the next call after update_password. Database rows that don't have a superSessionToken (created before the code was upgraded to include this change) will not enforce session-checking, so user sessions will not be spontaneously expired when the server is upgraded past this revision.
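The scheme this commit message describes, as an added illustration rather than code from the BrowserID/Persona repository: an in-memory stand-in for the database, the `superSessionToken()` read, `updatePassword()` with its `invalidateSessions` argument, the per-request `checkExpiredSession()` check, and the legacy-row exemption. The Map store, the `logOutEverywhere` helper and the explicit timestamps passed in place of the current time are assumptions made for the example.

```javascript
// Added illustration of the superSessionToken session-invalidation scheme.
// Not Persona code: the store and helper names are constructed for this example.

// Constructed in-memory "database": userId -> row.
// Row 1 predates the scheme, so it has no superSessionToken (legacy row).
const db = new Map([
  [1, { email: 'legacy@example.com', passwordHash: 'h-legacy' }],
  [2, { email: 'alice@example.com', passwordHash: 'h-alice', superSessionToken: 1000 }],
]);

// Database read used for comparison; undefined on legacy rows.
function superSessionToken(userId) {
  const row = db.get(userId);
  if (!row) throw new Error('no such user');
  return row.superSessionToken;
}

// invalidateSessions=false lets a bcrypt rehash keep existing sessions alive;
// true (a real password change) rotates the token, expiring every session.
// `now` stands in for Date.now() so the example is deterministic (assumption).
function updatePassword(userId, newHash, invalidateSessions, now) {
  const row = db.get(userId);
  if (!row) throw new Error('no such user');
  row.passwordHash = newHash;
  if (invalidateSessions) row.superSessionToken = now;
}

// At authentication time the session snapshots the row's current token.
function authenticateSession(userId) {
  return { userId, superSessionToken: superSessionToken(userId) };
}

// Run on every /wsapi request. A session whose token no longer matches the
// row is expired. Legacy rows (no token) do not enforce, so upgrading the
// server does not log everyone out.
function checkExpiredSession(session) {
  const current = superSessionToken(session.userId);
  if (current === undefined) return false;
  return session.superSessionToken !== current;
}

// "Log me out of everywhere": rotate the token without touching the password.
function logOutEverywhere(userId, now) {
  const row = db.get(userId);
  if (!row) throw new Error('no such user');
  row.superSessionToken = now;
}

module.exports = { superSessionToken, updatePassword, authenticateSession, checkExpiredSession, logOutEverywhere };
```

Note that once a legacy row receives a token (its first password change after the upgrade), sessions issued before that change carry no token and therefore fail the comparison, which is the intended behaviour: from that point on the row enforces session checking.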
-
Brian Warner authored
This includes an error-handling argument to the callback.
-
Brian Warner authored
-
Brian Warner authored
-
- Jul 13, 2012
Lloyd Hilaiel authored
-
- Jul 11, 2012
Lloyd Hilaiel authored
-
Zachary Carter authored
perform rigorous validation on all API parameters, cleanup redundancy in sanitize.js and validate.js - issue #1526 Signed-off-by: Lloyd Hilaiel <lloyd@hilaiel.com>
-
- Jun 28, 2012
Zachary Carter authored
-
- Jun 27, 2012
Zachary Carter authored
-
Zachary Carter authored
The `static` process has been added to handle cacheable resources and views, so code relevant to serving those resources has been removed from `browserid`. The `router` heartbeat now depends on both `browserid` and `static` processes being ok. `router` now forwards wsapi writes to `dbwriter`, reads to `browserid`, and errors on unknown or internal wsapi requests. The wsapi setup for `browserid` no longer handles forwards, though some wsapi operations may trigger a forward to `dbwriter`.
-
- Jun 13, 2012
Lloyd Hilaiel authored
Change browserid.org urls to persona.org, introduce static.login.persona.org for all static resources.
-
- Jun 04, 2012
Zachary Carter authored
Fix globals in wsapi.js that seemed to be created unintentionally and fix the modules that depended on implicit globals
-
- May 30, 2012
Lloyd Hilaiel authored
-
- May 22, 2012
Zachary Carter authored
-
Zachary Carter authored
-
- May 18, 2012
Zachary Carter authored
-
- May 04, 2012
Lloyd Hilaiel authored
update the http_forward module to allow global request timeouts to be set, use this to implement a 15s upper bound on requests for declaration of support in development. This should fix unit tests
-
- Mar 23, 2012
Lloyd Hilaiel authored
add a ping wsapi that's registered on all daemons and does a light weight test of database health - closes #1324
-
- Mar 14, 2012
Lloyd Hilaiel authored
at authentication time, if the user has not confirmed ownership of a computer, set a shorter auth period.
-
- Mar 13, 2012
Austin King authored
Adding disable_locale_check flag to skip warnings for en-US without gettext files. Fixes Issue#1055
-
- Feb 27, 2012
Lloyd Hilaiel authored
* all database functions return an err as the first param which is non-null for failure.
* all wsapis handle database errors and return service unavailable to client.
* stalled-mysql-test implements unit tests to verify proper failure behavior of all wsapis.
* configuration parameter added to define max allowed time per query
-
- Feb 10, 2012
Lloyd Hilaiel authored
vary session cookie name by public_url when public_url is not browserid.org - this addresses issues which affect testing with IE when cookies are set for both diresworb.org and dev.diresworb.org. closes #296.
-
Lloyd Hilaiel authored
don't require the user to sign in with a password as a side effect of using a primary email address. closes #1049
-
- Feb 09, 2012
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
update wsapi to return a body of 'Bad Request: no cookie' when a CSRF check fails because no cookie was sent from the client - issue #835, issue #1056
-
- Jan 30, 2012
Lloyd Hilaiel authored
-
- Jan 25, 2012
Lloyd Hilaiel authored
fix dbwriter crash on stage_email call. move 'langContext' generation into a central location. closes #936
-
- Jan 17, 2012
Lloyd Hilaiel authored
-
- Jan 13, 2012
Austin King authored
-
- Jan 09, 2012
Lloyd Hilaiel authored
-
- Jan 05, 2012
Ben Adida authored
updated to new version of client-sessions, renamed, and re-added connect-cookie-session for example primary
-
- Jan 04, 2012
Lloyd Hilaiel authored
update all WSAPIs now that userid rather than email is stored in session after auth. all tests pass on JSON database driver
-
- Jan 03, 2012
Ben Adida authored
changed session over to benadida's node-cookie-session with encryption and signing of the cookie, closes #416, closes #832
-
Lloyd Hilaiel authored
perform password length checking everywhere a password is updated. complete_user_creation now requires a 'pass' arg when the acct has no password (only primary accts)
-
- Dec 21, 2011
Lloyd Hilaiel authored
WSAPI CHANGES: implement auth_with_assertion wsapi. this requires creation of a new create_account_with_assertion api on the dbwriter that cannot be externally invoked (though it still re-verifies assertions). New mechanism added to wsapi.js to support this type of function (internal only wsapis)
-
- Dec 15, 2011
Lloyd Hilaiel authored
-
- Dec 14, 2011
Lloyd Hilaiel authored
-