Don't delete cached OAuth access token

Add examples in docs for sidebar trigger and annotation count display.

When using OAuth (the host page provides an embedded grant token) don't
call auth.clearCache() on session update. The authorized user never
changes when using OAuth with a grant token embedded in the page, and
the oauth-auth service's clearCache() is a no-op anyway, so there is no
point in calling clearCache() here.

This fixes an issue that, when the client is embedded on a partner site
using third-party auth:

1. The client reads grant token that the client embeds in their page
   from the page
2. The oauth-auth service sends a grant token request, receives back an
   access token which it caches
3. session.js calls oauth-auth's clearCache(), which deletes the access
   token
4. The next time the access token is needed the oauth-auth sends a
   second grant token request, with the same grant token, and gets a
   second access token

So two grant token requests are sent, when only one was needed, because
the cached access token is deleted unnecessarily.

The fix is to make clearCache() in oauth-auth a no-op for now. For now
it never makes sense for oauth-auth to clear its cached access token.
OAuth is currently only used when the client is embedded in partner
sites and the grant token is embedded in the page by the client. Since
the grant token never changes, there's never any reason to clear the
access token and request a new one using the same grant token again (you
would just be requesting a new access token for the same user account).

Set initial annotation counts to 0 because annotation counters are not…

Remove unused SESSION_CHANGED event

Set initial annotation counts to 0 because annotation counters are not updated if a page has no annotations.

Minify production build and fix prod build in non-ES6 browsers

Ensure that NODE_ENV is set to 'production' when building the client for
release and thereby ensure that the JS and CSS is minified.

We are not currently transpiling client code using Babel, so this
doesn't work with our minifier or older browsers.

This event was fired by the `session` service but not listen for by any
other module.

Use new profile update endpoint for dismissing sidebar tutorial

Explicitly update vinyl-fs's graceful-fs dependency to v3.0.11.

graceful-fs v3.0.8 had a dependency on an internal Node module which no
longer exists in Node v7.

See https://github.com/gulpjs/gulp/issues/1843

Make `store.profile` an object containing `read` in preperation for the
upcoming changes where we will use the update profile endpoint for
updating a user's preferences.

Adding client metric tracking for interactions with annotations

In preparation for adding a profile update endpoint, the name of the
route for fetching the profile was renamed to 'profile.read'.

See https://github.com/hypothesis/h/commit/a3d45a4a4abb5b7b6f899eade5186820340a545c

Verify userid after connecting to WebSocket

Listen for the 'whoyouare' reply to the 'whoami' request sent after the
WebSocket connects and log a warning if the userid does not match the
logged-in user for any reason.

Show annotation counts on page.

Show annotation count on the page, so that users don't have to open to sidebar to know how many annotations are in the page.

Fixes: https://github.com/hypothesis/product-backlog/issues/129

Use access token to authenticate WebSocket connections

* master:
  Remove auth => session dependency

Exchange access token and fetch profile via API when a grant token is provided

 * Clarify that the service list augments rather than replaces the
   default list which consists of the public Hypothesis service.

 * Document the keys of objects in the _services_ array

Send a "whoami" request [1] after connecting to query the authenticated
user ID for the WS connection.

This makes it easy to check that authentication for the WS worked as
expected by inspecting the frames of the connection in the devtools.

[1] http://h.readthedocs.io/en/latest/realtime/#whoami

Supply the access token to the WebSocket via a query param.

This method is used to send the token because the WebSocket constructor
does not allow setting custom headers. See
https://github.com/hypothesis/product-backlog/issues/154 for context.

An alternative that was tried initially was embedding a username and
password in the URL via `wss://user:password@host/` syntax but that
turned out not to be supported by IE/Edge and required the server to fail
the initial request with a 401 response.

Fixes hypothesis/product-backlog#126

* master:

Remove auth => session dependency

 * Start the clock just _before_ the access token exchange
   occurs, otherwise the client will incorrectly add the delay between
   the server sending the token and the client receiving it to the
   expiry timestamp.

 * Use performance.now() instead of Date.now() so that expiry checks
   are not affected by system clock changes.

   performance.now() is supported on IE >= 10 and all modern browsers.