bf146c2 Merge pull request #43 from klrmn/master
cbc4fe0 fix getters

git-subtree-dir: automation-tests/browserid
git-subtree-split: bf146c230b5ea96590c25f8d55c16c57c8240744

4c10bb2 Merge pull request #42 from zacc/add_is_this_your_computer
a490f28 Add methods and test for 'is this your computer'

git-subtree-dir: automation-tests/browserid
git-subtree-split: 4c10bb2b2c46b6b56d224f52945b55c4e1c256f1

avoid running tests that require --email

Bug #2307: don't expire existing sessions when adding a secondary address

If a persona.org account is initially created with a "primary"
address (meaning an address served by a participating IdP, so
persona.org is given an assertion from that IdP as proof of ownership),
the new account will not have a password associated with it. If you then
add a "secondary" address (meaning an address *not* served by a
participating IdP, requiring an email challenge to prove ownership), you
will have to set up a password when you add the secondary. The
establishment of this password should *not* invalidate any sessions that
were set up earlier.

In Bug #2307, this manifested as the first browser (in which the
add-secondary-email operation was started, so it had the old session and
was waiting for the operation to complete, polling
/wsapi/email_addition_status all the while) receiving a "400
Unauthorized" error when the email challenge link was opened in a second
browser (which thus got a new session).

The test for this effect lives in tests/primary-then-secondary-test.js,
which need the same 2-second delay as password-update-test.js (to make
sure that the modified lastPasswordReset time was actually different
than the previous value, so the session really would be expired).

avoiding them in two ways,
* -m travis
* skip if mozwebqa.email == None

also, longer timeouts

Removing DEPLOYMENT.md per lloyd

Personaorg tests

Issue 2254 runpy enhancements

* Use termsOfService over tosURL and privacyPolicy over privacyURL
* Check for renamed/deprecated tosURL and privacyURL.
* Check for deprecated requiredEmail.
* Check for renamed loggedInUser/loggedInEmail

Fix users who enter wrong email address, cancel, enter correct email address then forgot password.

Conflicts:
	.gitignore
	ChangeLog
	lib/email.js
	package.json
	scripts/browserid.spec

* Add the notion of momentos to the state machine so that back properly works.

* Use termsOfService over tosURL and privacyPolicy over privacyURL
* Check for renamed/deprecated tosURL and privacyURL.
* Check for deprecated requiredEmail.
* Check for renamed loggedInUser/loggedInEmail

Deprecate silent option + ensure the callback is only called once for navigator.id.get with the silent: true option.

move hash update later in authenticate_user call, as session cookie must be updated for bcrypt hash update to succeed.

Since MySQL TIMESTAMP is quantized to whole seconds, also change tests
to add a 2s stall before changing the password, to make sure
lastPasswordReset gets a new value.

This honors the preceding comment about not gratuitously expiring
innocent sessions. Somehow this clause got lost as I was
merging/rebasing this function.

Specifically this should reduce the work needed by the
'authenticate_user' call by one DB read.

All wsapi operations now require the database (to update+check the
superSessionToken), so some tests that previously expected operations to
succeed without a database now expect them to fail (generally 503).

wsapi_client.js was changed to pass HTTP errors during
/wsapi/session_context back to the caller, so their response code can be
checked, rather than throwing an error (and preventing any other
assertions from being made).