All wsapi operations now require the database (to update+check the
superSessionToken), so some tests that previously expected operations to
succeed without a database now expect them to fail (generally 503).

wsapi_client.js was changed to pass HTTP errors during
/wsapi/session_context back to the caller, so their response code can be
checked, rather than throwing an error (and preventing any other
assertions from being made).

API changes for public terminals/shared computers, and update all tests
to post data using JSON rather than form encoding, as the front end now does.

implement and test the prolong_session wsapi - which extends the duration of an existing session from the ephemeral duration (an hour) to full authentication session length (2 weeks) - doesn not change the start time of the session, so is a noop when invoked multiple times.  to be added to frontend code once user acknoledges ownership of device.

update wsapi_client to return errors in the standard node convention.  update all clients.  fix several areas in loadgen where we were not properly handling errors.  improve informational output of loadgen failures.  closes #838 - helps with issue #784 - closes #785

(loadgen) when generating assertions, calculate current server time in the same manner that the webclient does - namely add a delta from session creation time to now to server time - issue #504

implement throttling on outbound emails: don't send emails to the same address more than once per minute - issue #430

server side changes for issue #329 - /csrf call is now /session_context and returns current server time - to be used to allow clients with broken clocks to generate valid assertions

move wsapi_client.js to libs/ where it can be shared by other code needing a programmatic client to the browserid WSAPI

add a 'fake verification' mechanism that can be enabled for testing via an environment variable, and will return secrets via the wsapi.  add plenty of checks to ensure this never makes it into production.

sketch a general WSAPI client library with support for multiple simultaneous connections, port include_only onto it

added CSRF protection and started moving actions that need it to POST, which automatically inherits CSRF protection. Not complete yet