    Remove auth => session dependency · 444482ec
    Robert Knight authored
    Simplify the "auth" service and remove the dependency on the
    "session" service. This will make it possible to introduce a "store" =>
    "session" dependency in future in order to support fetching the user's
    profile from the access token-authenticated /api/profile endpoint
    instead of the cookie-authenticated /app endpoint.
    
    The 'auth' service depended on 'session' for three things:
    
     - Being able to call `session.load()` in order to retrieve a CSRF
       token. This token is not needed for the `GET /api/token` endpoint
       following https://github.com/hypothesis/h/pull/4322
    
     - Calling `session.logout()`. This is fixed by removing the
       `auth.logout()` endpoint and changing the caller to call
       `session.logout()` directly instead. `session.logout()` in turn
       calls `auth.clearCache()` to clear cached API tokens.
    
     - Determining the current user ID in order to invalidate
       the cached token when that changes. The logic to clear the
       cache has instead been moved to the session service.
    
    This commit also adds additional tests for session logout.
session.js 5.63 KB