update wsapi_client to return errors in the standard node convention.  update all clients.  fix several areas in loadgen where we were not properly handling errors.  improve informational output of loadgen failures.  closes #838 - helps with issue #784 - closes #785

(loadgen) when generating assertions, calculate current server time in the same manner that the webclient does - namely add a delta from session creation time to now to server time - issue #504

implement throttling on outbound emails: don't send emails to the same address more than once per minute - issue #430

server side changes for issue #329 - /csrf call is now /session_context and returns current server time - to be used to allow clients with broken clocks to generate valid assertions

move wsapi_client.js to libs/ where it can be shared by other code needing a programmatic client to the browserid WSAPI

add a 'fake verification' mechanism that can be enabled for testing via an environment variable, and will return secrets via the wsapi.  add plenty of checks to ensure this never makes it into production.

sketch a general WSAPI client library with support for multiple simultaneous connections, port include_only onto it

added CSRF protection and started moving actions that need it to POST, which automatically inherits CSRF protection. Not complete yet