- Oct 11, 2011
-
-
Lloyd Hilaiel authored
implement dynamic bcrypt work-factor update so we can scale this up or down as we seek the optimal security/performance balance
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
WSAPI CHANGES: All server responses are now objects, makes some funky browsers happy and prevents certain attacks. closes #217 closes #325
* /wsapi/have_email now returns { email_known: <boolean> }
* /wsapi/stage_user now returns { success: <boolean> }
* /wsapi/user_creation_status now returns { status: <string> }
* /wsapi/complete_user_creation now returns { status: <boolean> }
* /wsapi/stage_email now returns { success: <boolean> }
* /wsapi/email_addition_status now returns { success: <boolean> }
* /wsapi/complete_email_addition now returns { success: <boolean> }
* /wsapi/authenticate_user now returns { success: <boolean> }
* /wsapi/remove_email now returns { success: <boolean> }
* /wsapi/account_cancel now returns { success: <boolean> }
* /wsapi/logout now returns { success: <boolean> }

Finally, introduced middleware to ensure that resp.json() is not called with anything other than an object.
-
Lloyd Hilaiel authored
-
- Oct 03, 2011
-
-
Lloyd Hilaiel authored
issue #329 - fold am_authed call into session_context to minimize network requests. update browserid-network.js abstraction to shield higher level code from these changes (higher level code doesn't know/care whether a network function maps onto zero, one, or more wsapi calls)
-
Lloyd Hilaiel authored
server side changes for issue #329 - /csrf call is now /session_context and returns current server time - to be used to allow clients with broken clocks to generate valid assertions
-
- Sep 30, 2011
-
-
Lloyd Hilaiel authored
SCHEMA CHANGE: add index to emails table. we do a couple queries that look up email by user which are a table scan at the moment. this change fixes. closes #209
-
- Sep 29, 2011
-
-
Lloyd Hilaiel authored
ensure users must authenticate every week (issue #309). Also, move all magic numbers out of implementation and into the configuration abstraction.
-
- Sep 23, 2011
- Sep 26, 2011
-
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
WSAPI CHANGES in preparation for new UX flows, specifically where you provide a password AFTER verifying emails.
* stage_user no longer takes a password
* after calling stage_user, you can poll status with user_creation_status
* instead of 'prove_email_ownership', you call 'complete_user_creation' and provide a password
* add_email is now 'stage_email'
* after calling stage_email, you can poll status with email_addition_status
* instead of 'prove_email_ownership', you call 'complete_email_addition' and provide a password
* stage_* and complete_* calls are POST
* *_status calls succeed continuously (not only once)
-
Lloyd Hilaiel authored
-
- Sep 23, 2011
-
-
Ben Adida authored
-
- Sep 20, 2011
-
-
Ben Adida authored
-
- Sep 15, 2011
-
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
remove obsolete syncEmails functionality from persistence layer, tests, wsapi, and client libraries. with certs the logic is much simpler and more efficient
-
Lloyd Hilaiel authored
purge all notion of 'pubkey' from json persistence layer, drastically simplifying the database structure
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
fix porting bug in mysql driver. For stageEmail, the INSERT query errantly included references to 'pubkey'
-
- Sep 14, 2011
-
-
Lloyd Hilaiel authored
now that jwcrypto is a node module, we shall change the way that we include it (ie jwcrypto/vep rather than by relative path)
-
- Sep 08, 2011
- Sep 07, 2011
- Sep 06, 2011
- Sep 03, 2011
- Aug 31, 2011
-
-
Ben Adida authored
-