* Update the "stage_user" and "stage_email" to take a password where appropriate.
* Remove pass from calls to "complete_user_creation" and "complete_email_addition"
* Update database drivers to set the account password where appropriate.
* Update unit tests.

fix backend unit tests that were failing due to increased input parameter checking on site arguments to stage_user

implement and test the prolong_session wsapi - which extends the duration of an existing session from the ephemeral duration (an hour) to full authentication session length (2 weeks) - doesn not change the start time of the session, so is a noop when invoked multiple times.  to be added to frontend code once user acknoledges ownership of device.

fix unit tests - autenticate_user and cert_key now require a boolean 'ephemeral' value which will affect duration of authentication and certificate validity respectively.

update wsapi_client to return errors in the standard node convention.  update all clients.  fix several areas in loadgen where we were not properly handling errors.  improve informational output of loadgen failures.  closes #838 - helps with issue #784 - closes #785

perform password length checking everywhere a password is updated.  complete_user_creation now requires a 'pass' arg when the acct has no password (only primary accts)

rework the authenticate_user api - now it is read only (will run on webheads) and will call over to dbwriter if and when bcrypt password update is in play.  This shifts the majority of authentication compute cost over to webheads from secure webheads - closes #560

implement update_password api - prerequsite for frontend code of issue #114 and for moving the bulk of bcrypt compute work over to webheads which is issue #560

fix race condition between token request and waiting for token, was causing test hangs.  closes #530

fix race condition between token request and waiting for token, was causing test hangs.  closes #530

server side changes for issue #329 - /csrf call is now /session_context and returns current server time - to be used to allow clients with broken clocks to generate valid assertions

WSAPI CHANGES in preparation for new UX flows, specifically where you provide a password AFTER verifying emails.

  * stage_user no longer takes a password
  * after calling stage_user, you can poll status with user_creation_status
  * instead of 'prove_email_ownership', you call 'complete_user_creation' and provide a password
  * add_email is now 'stage_email'
  * after calling stage_email, you can poll status with email_addition_status
  * instead of 'prove_email_ownership', you call 'complete_email_addition' and provide a password
  * stage_* and complete_* calls are POST
  * *_status calls succeed continuously (not only once)

For tests, instrument `email.js` so that one may register an interceptor
function which will be invoked rather than attempting to send email.

closes #88.