If the user is not authenticated to the "password" level when they go to change their password, use the old password to authenticate them, then change their password.

* Only check the user's authentication status with the primary once, unless there is a reason otherwise.
* Only provision the user if there is not already a cert for the email address.
* Only get the address info for an address if we have not before.

* Cleaning up required_email a TON.
* Collapsing cases so there aren't so many nesting levels.
* Adding documentation to understand the pain that is primary authentication.
* Removing license info from the tooltip - it was causing an exception when inserting into the DOM.

simplify previous commit - .well-known/browserid really doesn't need a template and must be sent with application/json content-type - issue #865

return an error to the client when we cannot contact the keysigner.  (was just leaving the connection to hang...)

update wsapi_client to return errors in the standard node convention.  update all clients.  fix several areas in loadgen where we were not properly handling errors.  improve informational output of loadgen failures.  closes #838 - helps with issue #784 - closes #785

close #699.

* Took some code from the signup page.
* Moved the "open primary auth" window to page_helpers.
* cleanup of authenticate.js and page.js.
* convert signin to be based on a Module.

* If the user is not authenticated to "password" authentication when they select a secondary email, make them sign in.
* Updaate required_email to do its own check for the user's authentication status.
* Update the unit tests to make sure we are all kosher.

explicitly call .removeAllListeners() during http forwarding to eliminate memory leak.  closes #839 (with extreme prejudice)

explicitly call .removeAllListeners() during http forwarding to eliminate memory leak.  closes #839 (with extreme prejudice)

* Update network/user to handle two level auth.
* Update tests that check authentication status to check for correct status.
* State machine checks for the correct authentication level for an email address.

document in code where two level auth affect apis, specifically where you'll need to be password authenticated, vs. where assertion auth (with a primary address) is sufficient

* When authenticating, since we no longer generate/sync keypairs, do the sync.
* Collapse cases in required_email so things are easier.
* Remove the doSyncAndPickEmail action, no longer needed.
* Update the state machine to assume that once a user authenticates, their emails are synced.

* To user, add canSetPassword, hasSecondaries.
* Add unit tests for these functions as well as setPassword.

updated crazy verifier test to chop off last 2 chars from assertion rather than 1, due to base64 resilience that is not worth testing. Fixes #833

(loadgen) fix bug that would leave virtual users with incorrect cookies in their device contexts after a password reset (still authenticated as th old user that they split from) issue #785

(loadgen) tons of fixes to handle request failures without mucking up the local user database - issue #838, issue #785, issue #787, issue #784

staging a new acct on a session logs you out.  clear the auth'd bit on the session when this happens to prevent errors that occur when the loadgen client thinks it's authed, but the server knows its not.  issue #785