Share a group

Group pages show a "Login to join group" link (opens in a new tab) if
you're not logged in.
If you're logged in they show a "Click to join group" button, posts to
new join() callable that adds the user to the group.
If you're already a member they show a "Share this link to invite people" link.

The groups dropdown list has new share icon links to the group's page,
for each group.

This ensures that after logging in the token getter resolves
properly.

The auth dialog waits for the background authentication check to fail,
but it shouldn't replace that promise with its own. It is perfectly
fine for the application to proceed while the user is entering
credentials.

In particular, this makes sure that a search without any authorization
can be performed even when the firstrun flag causes the login dialog
to show.

It turns out IE10 doesn't have the URL constructor and somehow I
misinterpreted the MDN docs.

The bind polyfill still isn't needed, except by PhantomJS.

It also seems silly not to just include wgxpath without npm. Save
the browserify-ing step.

https://github.com/substack/insert-module-globals/pull/46

Function.prototype.bind is supported in every browser for a long time.
It's only needed because, oddly, PhantomJS 1.8 doesn't support it.

The window.URL constructor is supported in IE10+ and every other major
browser for a while now. It's also not supported in PhantomJS 1.8,
though. The application currently doesn't work on IE < 10 anyway so
let's just remove this for now.

This should make sure that baseURI works completely even in IE.

I had started to implement the JWT Authorization Grant here but
forgot to back out those changes before I committed to just refactoring
the existing method. This was premature and also plain wrong in the
sense that the parameters were not being passed ('params' is the key
for sending GET parameters, not 'data' -- 'data' would be a separate
argument for POST).

Switch out jschannel for frame-rpc

Simplify handling of admin permissions

Refactor auth in the client

Start to take better control over the authentication and authorization
systems of the front end.

- Remove dependency on Annotator Auth plugin. With this change,
  Annotator is completely gone from the Angular application.

- Use angular-jwt and its http interceptor to ensure that auth tokens
  are up-to-date and auth token requests block store requests.

- With the interceptor in place, it's no longer necessary to resolve
  auth before the ng-view controllers.

- Use the session directly for getting the current user. This is in
  line with what is likely to happen for groups, too, soon.

The frame-rpc module is a proper CommonJS module and it's footprint
is really tiny. Its protocol is simpler. It doesn't handle connection
and buffering, but with our onConnect callback we don't need buffering.
The connection handshake that jschannel did was so trivial it's been
re-implemented here (each side tries to connect to the other once).

We have to handle timeouts ourselves, but that's all hidden in the
bridge code. In exchange, we get a simpler API, we get rid of the
call/notify distinction in favor of just passing a callback or not
and we avoid the excess overhead of the recursion guard in the
serialization code that was giving us false positive issues with
the document title.

This is one step toward removing all the browserify-shim requiring
libraries from the injected bundle, which will eventually fix #2397.

Remove vendored assets: install from NPM

Replaces our vendored dependencies with dependencies on packages
installed from NPM. This makes it substantially easier to find out
what versions of 3rd-party packages are installed, and substantially
easier to upgrade them as and when necessary.

Libraries have been installed pinned at the version available on NPM
nearest that installed in the repository. This means:

- angular remains v1.2.28
- angular-animate was upgraded from v1.2.25 -> v1.2.28
- angular-resource was upgraded from v1.2.25 -> v1.2.28
- angular-route was upgraded from v1.2.25 -> v1.2.28
- angulartics remains v0.17.2
- bootstrap remains v3.3.5
- jquery remains v1.11.1
- jstimezonedetect remains v1.0.5
- moment remains v2.5.0
- moment-timezone remains v0.0.1
- ng-tags-input remains v2.2.0

Unfortunately, the following modules don't appear to be available on NPM
and so remain in the repository:

- angular-bootstrap
- angular-sanitize
- angular-toastr (at a version early enough)

Enable users to create groups

This commit adds a list of groups to the "topbar" when the groups
feature flag is enabled.

Limit what admins can do

Use browserify-ngannotate to provide injection annotations

Only update stream filter when we have >0 URIs

Rather than trying to keep injection annotations up-to-date manually, we
can use the computer to do it for us.

[browserify-ngannotate][1] is a browserify transform plugin that uses
[ng-annotate][2] to automatically generate injection annotations for the
Angular injector.

[1]: https://github.com/omsmith/browserify-ngannotate
[2]: https://github.com/olov/ng-annotate

The backend code in `h.streamer` assumes that the arguments to "one_of"
are either a non-empty list or a single value. Passing an empty list
causes the generation of a bogus query.

So, don't update the stream filter until we have at least one URI to
stream from.

Fixes #2257.

Update to the latest packaging changes of the anchoring helper modules
that now specify a browser field and browserify transforms in their
package.json files. This bypasses the UMD wrapper of these modules,
saving bytes and avoiding the need to wrap them with browserify-shim.

Even when used as a CommonJS module, angular installs itself globally.
Rather than fight this in our tests, just leverage it. The mocks module
also installs itself under angular.mock. Therefore, none of the require
statements for angular or angular-mocks are necessary.

It turns out we don't need Sinon-Chai because we only use the assert
interface. According to the Sinon-Chai docs:

    For assert interface there is no need for this library.

Instead, we just install the assertions into the assert object.

There's no reason to have these methods have a different name in the
guest as the host. The implementation should be opaque.

Reload annotations on auth change

Just because the user has permission to read an annotation does not
imply that it should still be visible under the current search after
the authentication change. An example of this is when a NIPSA flagged
user logs out but has public annotations visible.

Two front-end fixes