Kicking off work on revamping the heatmap a little bit. This change
removes the comment tab. Clearly, something needs to be done to restore
discoverability to comments, but there seemed to be some consensus that
the comment tab was not comprehensible enough.

Additionally, I got pretty sick of the tabs bouncing around. I removed
the transitions, slimmed the tabs down a litle bit, and remade them in
pure CSS. The pure CSS has the advantage of avoiding extra network
requests to fetch the tab SVGs. Also, the SVGs contained some padding
and borders that is easier to account for if its all in the CSS.

My last commit here (https://github.com/hypothesis/h/commit/5f56d8ad0424f11e52736fd9a1f9b8c30ab0f6a1)
has broken this function for or operators, because it forgets to apply the rule.format() call
to the search terms

I.e the user field uses this to transform the username to the full user format (acct:username@domain)
And because of this the user streams were broken.

Fix #1391

There seems to be some combination of conditions which cause Firefox
to infinite loop on the $location service's watchers. Bisecting pointed
to the commit where I removed this. For now, let's slap this bandaid
on. The proper fix probably has to do with making the parameters we
pass to the iframe in its src actually do something (like validating
the origin of frames that connect to the sidebar) and then clearing the
parameters from the URL so they don't cause a reload after the initial
redirection to /viewer.

It's never called except within the AppController.

Another step toward #1207

It slows things down, especially on mobile devices and on the stream
where many annotations are loaded at once, and it doesn't add much
as it is.

Close #1119

I find the tab blinking to be too subtle to be meaningful and not
a worthy enough feature to justify more jQuery UI use or storing
an additional property on the annotation (see #1207).

If we want a feature like this we'll have to come back and revisit
it with a more critical eye.

Reply email notifications

This part of the code survived the refactoring.
In the past it has received the values in a comma separated string,
now it receives them as a list.

Also, the operator for tag search is 'and' not 'or'

If new annotation data arrives via websocket, the applyUpdates()
function processes it and injects the new annotation data into our
client-side annotation-db.

Some annotations (depending on the viewstate) are put immediately into the viewer
by adding them to the $rootScope.annotations

However, in the case of the stream page reply annotations can arrive without
their parent annotation, and because that they didn't get inserted into
the rootScope and thus never displayed

This commit fixes that, by letting these annotations inserted into
the rootScope.annotations for document viewstate (which the stream uses)

Search ui tweaks

Fix server errors in login form
Fix #1375

In the formValidate directive, previously the error would only be reset
once the form was resubmitted, this caused confusing behaviour.

Fixes #1375.

This seems to be the correct way to interact with Angular views.

This reverts commit 783d4eaee408662c620ad33b5519c3022f7a7774.

Fix the accidental introduction of a discrepancy between the auth
sheet appearance and the other card appearances. This change also
slightly narrows the stream but it comes out looking solid so here's
hoping nobody minds.

Refactoring identity and auth

Introduce a new module on the frontend called `h.identity` which
abstracts the interaction between the main application and the
authentication system using the `navigator.id` API introduced by
Mozilla as part of Persona / BrowserID. In our case, the we submit
the authentication assertion as a query parameter in our token
URL. This is designed to flexibly accommodate different auth needs
by intepreting the assertion differently and using a different
identity module to return whatever type of grant is needed depending
on the authentication mechanisms in place on the back end.

On the back end:

- Introduce a dependency on a brand new library, pyramid-oauthlib, to
  make this code cleaner and more modular.
- Simplify our session by removing multiple signin code that was not
  ever fully realized; personas are no longer explicitly maintained in
  the session by application code.
- The Pyramid SessionAuthenticationPolicy is put into place as part of
  h.auth.local. A SessionGrant is configured as the default grant type
  for integration via pyramid-oauthlib. This is what interprets the
  assertion sent in our token request. For other use cases, this might
  be a real BrowserID assertion or a session or refresh token of some
  other kind. This assertion is just the CSRF token our forms have been
  returning already.
- `h#includeme` and `h#create_app` got some superficial simplification.
- `h.api#authorize` handler for annotator-store authorizations now uses
  `request.effective_principals` instead of the session, so it doesn't
  care how the user is authenticated
  - Headers are now passed through on `Store` sub-requests so that both
  the annotator auth token and the session work for store authorizations
  which gets us close to cookie-less API auth!
  - `Consumer` class is moved into `h.auth.local`, removing the SQL
  requirement for core `h` and replacing it with just the requirement to
  register an `IConsumer` implementer.

On the front end:

- Break hypothesis.js into hypothesis.js and hypothesis-auth.js
- Move session and auth modules into this auth package
- Clean up the module dependency imports
- Add an identity module to the auth package with `navigator.id` API
- Significantly refactor `AppController`
  - Use the `identity.watch()` API to listen to login/logout from the
  active identity module
  - Clean up the login/logout state management a bit
    - Resolve a promise when the API service discovery happens
    - Stop using 'session', which becomes a detail of hypothesis-auth
  - Put much less on the scope from the controller
    - `scope.initUpdater` -> `initUpdater`
    - `scope.reloadAnnotations` -> `initStore`
    - `scope.session` -> replaced by `id`
    - Sorts and views are set in the markup
    - `AuthController` no longers needs to know about `model`, `sheet`,
    `sorts` or `views`
  - Isolate the form models
    - The auth directive now creates an isolate scope so that we're not
    leaking the form models all over the place
    - Stop using the inherited `$scope.model` means prevents submitting
    `persona` as a form parameter by accident
- blocks.pt#auth-tabs becomes auth.html
  - Easy to override with `config.override_asset()` in Pyramid
  - Keeps the forms inside the isolate scope of the auth directive
- The content of the sheet moves inside blocks.pt#auth
  - Nothing outside this knows or cares anymore that the sheet has tabs
  - Places where we want to request login use `identity.request()`
  rather than having to get at the root scope. The `authorize` event
  that this broadcasts is an internal detail of the auth pacakage.

Site report potpourri

I missed this in b67b2964b7a1fd1271be650ea02cf967fd0e17a3

Clean up scrolling and infinite stream

Simplify our efforts around scrolling and fix the scrollbars on the
stream.

- Scrollbar had crept inside the content on a previous change such
  that scroll bars for the stream were not all the way to the edge
  of the screen. Refactoring the duties of #wrapper and .content.
- Drop the mousewheel trapping. I tried and looked and researched
  and we can't do this reliably on touch or anything else. It didn't
  seem necessary or worth the dependency on jquery.mousewheel or
  even obviously a good experience. Not worth the code.
- Fix infinite scroll to use its directive element rather than the
  $window, make its code less jquery, and give it a buffer to smooth
  the experience a bit more.

Fix #1360

This change pulls the nested-reset mixin into the annotator-frame class
and then increases the specificity of the rest of the styles underneath
the frame by giving them descendent selectors of the annotator-frame.

Additionally, to avoid interfering with site styles, our stylesheet of
resets (reset.scss) is no longer included in common.scss, but imported
directly under the annotator-frame class.

Fix #1366

Close #934
Close #1031

Fix #1370

Add directive for providing saving updates to buttons 

Using transclusion allows for the directive to be set on an element
with non-trivial content and have that content nested inside the
status-button wrapper spans, but pre-bound to its lexical markup
scope.

Not sure we'll need it here, but I also wanted to see how one might
approximate 'replace' now that it's deprecated. The answer is by
not replacing but just adding the template you want after the passed
placeholder comment node.