Fetching the API route directory is currently the responsibility of the
API client ("store") service. The "store" service makes authenticated
API calls and therefore depends on the "auth" service.

This means that we cannot use the API route directory or the page links
returned from `/api/links` in the auth service itself, as this would
introduce a circular dependency.

Factoring out the responsibility for fetching the `/api` and
`/api/links` endpoints into a separate service which does not use
authentication provides a way to resolve this problem.

It also makes testing some aspects of handling these endpoints, such as
caching and auto-retry if the HTTP request fails, a little easier.

Deprecate openLoginForm setting and make a no-op when using OAuth

Reload tokens and profile when stored tokens are changed by another client instance

Remove logic to refresh access token before it expires.

When using OAuth clicking "Log In" triggers a pop-up window which
requires user interaction in most browsers. Therefore the
"openLoginForm" option cannot be respected when using OAuth and would be
annoying anyway.

Fixes #515

Auth codes can only be used once, so clear the code just before
performing token exchange to ensure that it is not reused later.

With this change, logins are automatically synced across different tabs
in the same browser session.

Listen for "storage" events that are emitted when another client
refreshes access/refresh tokens and reload them when that occurs.

Refresh tokens now have a much longer lifetime [1] than access tokens,
therefore it is no longer necessary to refresh them before the access
token expires.

Instead the token is refreshed on-demand when an API request is made if
the access token has expired at that point.

[1] https://github.com/hypothesis/h/pull/4623

Implement logout when using OAuth

Use the service's OAuth token revocation endpoint [1] to revoke access
and refresh tokens when the user logs out.

[1] https://github.com/hypothesis/h/pull/4620

When using cookie-based auth, login / logout happens via HTTP requests
made by the "session" service and the auth service has to be explicitly
notified afterwards via `auth.clearCache()`.

When using OAuth-based auth on the other hand, login / logout happens
through the auth service itself, so there is no need to ask the auth
service to clear cached credentials afterwards.

Implement logging out in the OAuth authorization service when using a
first-party account.

This currently just causes any credentials cached in memory or local
storage to be forgotten and the user's profile to be reloaded. Once a
token revocation endpoint is available, the "Log out" button could also
trigger that as well.

Use correct request params when exchanging auth code for tokens

HTML5 Audio elements

Made changes suggested in code review:
https://github.com/hypothesis/client/pull/508#pullrequestreview-53812970
.

Tiny fix to the test to account for URLs that may have had uppercase
letters (the audio embed converts to lowercase to account for links to
.MP3 files rather than .mp3)

Fixed tests for audio elements.

Some API URLs are created by resolving relative URLs against the API
root. For this to work properly, the root URL has to include a trailing
slash.

The omission of this in the documentation caused confusion for eLife
devs.

The two most recent client releases failed to publish automatically
because the latest tags had not been fetched prior to running
`git describe` to check whether the git ref was a tag.

I'm not sure exactly what changed and why this used to work before,
but add an explicit `git fetch --tags` step.

eg. See https://jenkins.hypothes.is/job/client/job/master/483/

Remove the view switcher component

Since the h service now supports authorization codes rather than faking
them with JWT grant tokens, use the appropriate request parameters in
the call to exchange the auth code for tokens.

Remove the (feature-flagged) view switcher component.

We missed the chance to strike while the iron was hot on this one -
neither Dawa or I have time anymore to work on further design
iterations. I don't want to have dead code living behind a feature flag
so I'm removing it. The code will still be in git if we ever want to
revive it. Perhaps these tabs can be re-designed as part of a larger
re-design of the sidebar in the future.

I'll leave the GitHub issue about the usability issues with the existing
selection tabs open: https://github.com/hypothesis/product-backlog/issues/327

For the record the main remaining issues with this were:

1. An undesirable visual popping happens when the view switcher loads on
pages that have a lot of annotations. This also happens with the
existing selection tabs but is arguably more visible with the view
switcher.

2. When there are only two tabs (no orphans) the visual design of the
tabs doesn't make it as immediately obvious which is the currently
selected tab. The other tab may be mistaken for the selected one.

The TODO list was here:

https://github.com/hypothesis/product-backlog/issues/327#issuecomment-311073581

The pull requests for this view switcher were:

https://github.com/hypothesis/client/pull/429
https://github.com/hypothesis/client/pull/481
https://github.com/hypothesis/client/pull/482
https://github.com/hypothesis/product-backlog/issues/327

Adding ADR for ePub support

Adding onLayoutChange documentation

More cleaning up of the media-embedder tests

Cleaned up media-embedder tests

Added media-embedder tests for .mp3, .ogg, .wav files