Commit e401d41d authored by Randall Leeds

Fight the proliferation of csrf nonsense

I had tried to remove it, thinking the `csrf` one wasn't used because
`identity` used `csrf_token` but unfortunately the `session` module
still used `csrf` and deleted it from the model during the response
transform. Instead, let the `csrf` value stick to the model to be
available on session object and mark the `csrf_token` value as the
deprecated one in the backend. Support for that will drop further in
the future.
parent 6ef9d992
......@@ -27,7 +27,7 @@ identityFactory = [
if loggedInUser is null
if persona
loggedInUser = persona
onlogin?(session.csrf_token)
onlogin?(session.csrf)
else
onmatch?()
else if loggedInUser
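Review bot: `onlogin?(session.csrf)` in the `if persona` branch passes whatever is on the session object straight to the login callback, with no check that a `csrf` field is actually present. The commit message says `csrf_token` is still supported in the backend for now, so a session that lacks `csrf` would hand `undefined` to `onlogin` without any signal. Consider guarding the value here, or at least logging when it is missing, so a lost token is noticed at login.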
......@@ -36,14 +36,14 @@ identityFactory = [
onmatch?()
else
loggedInUser = persona
onlogin?(session.csrf_token)
onlogin?(session.csrf)
else
loggedInUser = null
onlogout?()
else
if persona
loggedInUser = persona
onlogin?(session.csrf_token)
onlogin?(session.csrf)
else
loggedInUser = null
onlogout?()
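Review bot: style point on the two `onlogin?(session.csrf)` calls in this hunk (the `else` branch after `onmatch?()` and the last `if persona` branch): together with the call in the previous hunk, the same expression is now written three times. Reading the token once into a local, or through one small accessor, would leave a single place to touch when support for `csrf_token` is dropped.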
......
......@@ -81,7 +81,6 @@ class SessionProvider
# Capture the cross site request forgery token without cookies.
# If cookies are blocked this is our only way to get it.
csrfToken = model.csrf
delete model.csrf
# Return the model
model
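Review bot: missing documentation around `csrfToken = model.csrf`: with `delete model.csrf` no longer in the transform, the token stays on the `model` that is returned, but the comment above still only describes capturing it. Add a line saying that `model.csrf` is deliberately left in place for the session object, and confirm that the returned model is not logged or sent back wholesale in later request bodies, since it now carries the token.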
......