test harness now tries to shut down gracefully.  this allows cleanup to occur (i.e. of database when running in a test mode)

move secrets.js up to the libs/ dir.  it's useful that all code that uses random strings routes through the same abstraction so that we can later improve a single function.  a central location makes this (more) obvious.

move /csrf to /wsapi/csrf.  add /wsapi path to cookies, as all other requests should have aggressive cache headers.  Only create a csrf token when the client asks for it.  issue #173

add logging to CSRF token generation, and rather than throwing an exception when a mismatch is detected, log an error and return a bad request to the client (seems like a better fit than 'not authorized'). issue #173

remove dead code.  we moved from cookie-sessions to connect-cookie-sessions.  we shouldn't have references to the former, and the latter does not throw exceptions when invalid cookies are encountered, so we don't need exception handling there.

find instances of console.log() and send them to the logger instead, when running under dev harness also route to console.  issue #169

rather than imposing restrictions on structure of logged objects we should make all required fields proper parameters that are obvious upon inspection of the signature of the log function. issue #168

switched to connect-cookie-session which looks a lot better, will probably require people logging back in, can't do anything about that.

rework deployment configuration (using less of the express mechanism) so that configuration options are available at all levels

rework deployment configuration (using less of the express mechanism) so that configuration options are available at all levels

add an explicit db.open() call which will provide the hook for passing configuration information into the db layer