Introduce a new module on the frontend called `h.identity` which
abstracts the interaction between the main application and the
authentication system using the `navigator.id` API introduced by
Mozilla as part of Persona / BrowserID. In our case, the we submit
the authentication assertion as a query parameter in our token
URL. This is designed to flexibly accommodate different auth needs
by intepreting the assertion differently and using a different
identity module to return whatever type of grant is needed depending
on the authentication mechanisms in place on the back end.

On the back end:

- Introduce a dependency on a brand new library, pyramid-oauthlib, to
  make this code cleaner and more modular.
- Simplify our session by removing multiple signin code that was not
  ever fully realized; personas are no longer explicitly maintained in
  the session by application code.
- The Pyramid SessionAuthenticationPolicy is put into place as part of
  h.auth.local. A SessionGrant is configured as the default grant type
  for integration via pyramid-oauthlib. This is what interprets the
  assertion sent in our token request. For other use cases, this might
  be a real BrowserID assertion or a session or refresh token of some
  other kind. This assertion is just the CSRF token our forms have been
  returning already.
- `h#includeme` and `h#create_app` got some superficial simplification.
- `h.api#authorize` handler for annotator-store authorizations now uses
  `request.effective_principals` instead of the session, so it doesn't
  care how the user is authenticated
  - Headers are now passed through on `Store` sub-requests so that both
  the annotator auth token and the session work for store authorizations
  which gets us close to cookie-less API auth!
  - `Consumer` class is moved into `h.auth.local`, removing the SQL
  requirement for core `h` and replacing it with just the requirement to
  register an `IConsumer` implementer.

On the front end:

- Break hypothesis.js into hypothesis.js and hypothesis-auth.js
- Move session and auth modules into this auth package
- Clean up the module dependency imports
- Add an identity module to the auth package with `navigator.id` API
- Significantly refactor `AppController`
  - Use the `identity.watch()` API to listen to login/logout from the
  active identity module
  - Clean up the login/logout state management a bit
    - Resolve a promise when the API service discovery happens
    - Stop using 'session', which becomes a detail of hypothesis-auth
  - Put much less on the scope from the controller
    - `scope.initUpdater` -> `initUpdater`
    - `scope.reloadAnnotations` -> `initStore`
    - `scope.session` -> replaced by `id`
    - Sorts and views are set in the markup
    - `AuthController` no longers needs to know about `model`, `sheet`,
    `sorts` or `views`
  - Isolate the form models
    - The auth directive now creates an isolate scope so that we're not
    leaking the form models all over the place
    - Stop using the inherited `$scope.model` means prevents submitting
    `persona` as a form parameter by accident
- blocks.pt#auth-tabs becomes auth.html
  - Easy to override with `config.override_asset()` in Pyramid
  - Keeps the forms inside the isolate scope of the auth directive
- The content of the sheet moves inside blocks.pt#auth
  - Nothing outside this knows or cares anymore that the sheet has tabs
  - Places where we want to request login use `identity.request()`
  rather than having to get at the root scope. The `authorize` event
  that this broadcasts is an internal detail of the auth pacakage.

I missed this in b67b2964b7a1fd1271be650ea02cf967fd0e17a3

Clean up scrolling and infinite stream

Simplify our efforts around scrolling and fix the scrollbars on the
stream.

- Scrollbar had crept inside the content on a previous change such
  that scroll bars for the stream were not all the way to the edge
  of the screen. Refactoring the duties of #wrapper and .content.
- Drop the mousewheel trapping. I tried and looked and researched
  and we can't do this reliably on touch or anything else. It didn't
  seem necessary or worth the dependency on jquery.mousewheel or
  even obviously a good experience. Not worth the code.
- Fix infinite scroll to use its directive element rather than the
  $window, make its code less jquery, and give it a buffer to smooth
  the experience a bit more.

Fix #1360

Fix #1370

Add directive for providing saving updates to buttons 

Using transclusion allows for the directive to be set on an element
with non-trivial content and have that content nested inside the
status-button wrapper spans, but pre-bound to its lexical markup
scope.

Not sure we'll need it here, but I also wanted to see how one might
approximate 'replace' now that it's deprecated. The answer is by
not replacing but just adding the template you want after the passed
placeholder comment node.

This adds loading/success messages to a button for use with async
actions such as changing account information.

Search callback routing cleanup

The filtered copy list was not assigned back to the variable and
accidently we were comparing the value.length instead of the filter.terms.length
to check whether all tags have matched or not.

Improve usability of sheet tabs

This unifies the stream and page_search query parameter usage. Both now
use the 'q' parameter. Additionally, the search string is passed to
`simpleSearch` directive and the `QueryParser` instead of an object
with a "query" or "q" key.

The clump of conditionals in the route update event handler is removed.
Instead, the viewer and page search redirect to one another and the
stream can be totally ignorant of the involvement of the location.

The views are updated to use ?q= for /u and /t shortcuts.

Remove the drop shadow from the highlight states

Previously the active tab would be red, which could be confused with our
red anchor text and make the other tab look disabled. The new design
makes all text gray but adds an "active" border below the button.

Simplified search

Update from error styles based on feedback

Based on feedback from Dan that the plain red text is hard to
distinguish from hyper-links.

Tweak the HTML and CSS of the new search input.

Besides the line height hack for FF kill the rest of the px related
calculation and do everything in nice, pretty ems.

The trick used here was designed to honor the font setting in a user's
browser by assuming a typical default of 16px and computing the base
font size in ems relative to that.

The problem is that even if everything is sized in ems there are
sometimes aggressive user agent styles that complicate things by
restoring the system font. It turns out it fixes the various things
I've noticed in my FF this way.

This may fix the text issue displayed in FF with custom display
settings.

https://github.com/hypothesis/h/pull/1326#issuecomment-50655944

 * Remove the background color.
 * Borders and icon darken when the input is in focus.
 * Adds the placeholder text back.