close #650

more issue #598 - add test and fix for other places where exceptions leak out of JWCrypto and cause 500 errors rather than 200 failure responses.

create a test which reveals that the verifier considers assertions that have expired to still be valid (with expiry upto two minutes in the past)

tests to reproduce and fixes for wildy invalid assertions posted to the verifier.  closes #598 and closes #605

certs issued by anyone other than the verifier should fail until primary support is implemented.  closes #645

add a (failing) verifier test of an assertion signed by a cert issued by someone other than the trusted domain.

better input validation on audience.  accept even more forms of input (domain:port) and do the best we can to validate.  closes #642

the verifier is more helpful if you leave off content-type headers, also did you know we support application/json?  closes #643

add tests to verify that we allow verification request parameters to ride in the path, or in the content body.  wierd, but it's our contract, let's test it!  Also, add test of misset content-type

implement basic verifier unit tests.  These will prevent regression on issue #467, and can grow to address issue #598

(loadgen) when generating assertions, calculate current server time in the same manner that the webclient does - namely add a delta from session creation time to now to server time - issue #504

(loadgen) add -u option that allows one to specify a numeric range which will make load testing with a large database possible - issue #504

on a hard connection error during http forwarding, don't end the client reqeust, instead let the client formulate the error code and message

(loadgen) rename prepare.js to common.js as it holds common processes used by multiple different activities - issue #504

auto-fix PATH for uglifyjs, and exit on errors

* Use [].slice instead of [].splice
* Set a charset in the sample RP.

workaround bug in node 0.4.x - res.getHeader() throws an exception when invoked after a response is set, even though you're not mutating the response.  instead use the _headers map.

find uglifycss using : because node_modules/.bin is prepended to the path we don't need to express paths - this allows you to invoke scripts/compress.sh from any directory

* Adding javascript-extensions to the tests so that PhantomJS can run.
* Adding a test runner for PhantomJS to run the unit tests.

issue #635

* Removing StealJS from the build system, compressing the files manually.
* Removing the stealjs dependency from the unit tests.
* Removing funcunit, dialog/scripts, steal, jsmvc
* Updating the unit tests to use the current version of QUnit.
* Updated a lot of test to asyncTest and removed the stop().

issue #634

close #625

rework the authenticate_user api - now it is read only (will run on webheads) and will call over to dbwriter if and when bcrypt password update is in play.  This shifts the majority of authentication compute cost over to webheads from secure webheads - closes #560

* Remove the state machine from the dialog module.
* Add unit tests for the state machine.
* The state machine has the ability to cancel any stage and go to the previous stage.
* All cancel_* messages are now "cancel_stage" for uniformity.
* Update all unit tests to create then start their modules.