- Aug 19, 2011
-
Shane Tomlinson authored
-
Lloyd Hilaiel authored
move secrets.js up to the libs/ dir. it's useful that all code that uses random strings routes through the same abstraction so that we can later improve a single function. a central location makes this (more) obvious.
-
Lloyd Hilaiel authored
add a 'fake verification' mechanism that can be enabled for testing via an environment variable, and will return secrets via the wsapi. add plenty of checks to ensure this never makes it into production.
-
- Aug 18, 2011
-
Lloyd Hilaiel authored
lazy fetch csrf tokens in dialog immediately before a post request which requires them. fixes csrf race condition in beta and dev
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Shane Tomlinson authored
-
Shane Tomlinson authored
The request was assuming XML, which caused jQuery to blow its top since the response was not valid XML. If we set the response to HTML, we can set the CSRF token directly from the response, without using response.body. issue #177
-
Shane Tomlinson authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
fix manage page, now we explicitly call /wsapi/csrf so that the page itself can be cached. issue #74
-
Lloyd Hilaiel authored
move /csrf to /wsapi/csrf. add /wsapi path to cookies, as all other requests should have aggressive cache headers. Only create a csrf token when the client asks for it. issue #173
-
Lloyd Hilaiel authored
add logging to CSRF token generation, and rather than throwing an exception when a mismatch is detected, log an error and return a bad request to the client (seems like a better fit than 'not authorized'). issue #173
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
remove dead code. we moved from cookie-sessions to connect-cookie-sessions. we shouldn't have references to the former, and the latter does not throw exceptions when invalid cookies are encountered, so we don't need exception handling there.
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
- Aug 17, 2011
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
logging setup is moved into app.js for the browserid server (now common between test and prod envs). remove it from the run.js harness
-
Lloyd Hilaiel authored
find instances of console.log() and send them to the logger instead, when running under dev harness also route to console. issue #169
-
Lloyd Hilaiel authored
rather than imposing restrictions on structure of logged objects we should make all required fields proper parameters that are obvious upon inspection of the signature of the log function. issue #168
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
test fix - always stop the database. This prevents tests from hanging when you manually target mysql for all tests
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
- Aug 16, 2011
-
Lloyd Hilaiel authored
improve CTA for users new to browserid. closes #150 (maybe others won't agree with my solution. let's try)
-
Lloyd Hilaiel authored
For tests, instrument `email.js` so that one may register an interceptor function which will be invoked rather than attempting to send email. closes #88.
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
add a type tag to a logging statement so this important log message doesn't raise a runtime error rather than making it to disk. related to issue #168
-
Lloyd Hilaiel authored
-
- Aug 15, 2011
-
Lloyd Hilaiel authored
-
Lloyd Hilaiel authored
-