SCHEMA CHANGES! update the mysql driver to support the new database apis motivated by issue #388 (identify user by userid rather than email)

update all WSAPIs now that userid rather than email is stored in session after auth.  all tests pass on JSON database driver

update all database apis on the JSON side to interact in terms of user ids as the primary identifier rather than an email address.  first step toward migrating to userid in sessions instead of email addresses to solve issue #388 (and others like it) and pave the way for primaries

changed session over to benadida's node-cookie-session with encryption and signing of the cookie, closes #416, closes #832

perform password length checking everywhere a password is updated.  complete_user_creation now requires a 'pass' arg when the acct has no password (only primary accts)

email_for_token now returns whether the user must set a password to finish adding an email to their browserid account.  also write (failing) tests for imminent changes to complete_email_addition api.  also refactor db layer, adding haveVerificationToken to move code off of emailForVerificationToken that only cares about whether a verification token exists or not.  whew.

implement a 'maximum request time' for bcrypt work.  server now fails more gracefully under backbreaking load, returning 503s to clients of the authenticate_user api.  update loadgen to be less dramatic about, but still display, 503 errors.  first part of issue #787 - a partial fix for #785 in dere too

* All unit tests pass again.
* Renaming primary_user_verified to primary_user_ready
* Adding a random_seed to the context info to fix the unit tests and the adding of the seed.
* Renamed all ejs templates to match their URL.
* Each page unit test writes the ejs template that it needs to the DOM.

* Use WinChan to open a new window to the primary.
* Add the idp_auth_complete page for the IdP to redirect back to.
* When the window closes, re-try to authenticate the user with the primary.
* Add a helper to show an error message.
* Add a WinChan mock.
* Update unit tests to handle the "need to authenticate with IdP" scenario.
* Update compression scripts for WinChan to be included on the main site.

move 'primary.js' - abstraction for interacting with primaries - down to lib/, now it's used by different processes

WSAPI CHANGES: implement auth_with_assertion wsapi.  this requires creation of a new create_account_with_assertion api on the dbwriter than cannot be externally invoked (though it still re-verifies assertions).  New mechanism added to wsapi.js to support this type of function (internal only wsapis)

implement support for verifying assertions issued by primaries for the purpose of logging into browserid

SCHEMA CHANGE: password is now nullable in schema.  also, add .createUserWithPrimaryEmail and .emailType to db abstractoin

API CHANGES: stub a new auth_with_assertion api for authenticating to browserid with assertions generated from primary issued certs, and implement a failing unit test.  now lets make it pass

SCHEMA CHANGE: add a bit to the email table describing whether emails are primary or secondary, update list_emails wsapi to return this, augment unit tests

changed generate to use nodejs crypto, added weakgenerate, added async support for generate, and added tests

implement a more generic mechanism to enable local testing and development of primary support - allow SHIMMED_PRIMARIES to be provided which stuffs a auth url, provisioning url, and public key in our cache

implement 'address_info' wsapi that returns information about an email's current status.  who vouches for it, and if it's a secondary, is the email address known

implement a more generic mechanism to enable local testing and development of primary support - allow SHIMMED_PRIMARIES to be provided which stuffs a auth url, provisioning url, and public key in our cache

implement 'address_info' wsapi that returns information about an email's current status.  who vouches for it, and if it's a secondary, is the email address known

implement graceful shutdown of bcrypt compute processes.  fix bcrypt.get_rounds (was throwing an exception)