This becomes necessary as a result of the change introduced by
mozilla/pdf.js@b1c4b85d4fb7faba2b454d02d279644244bf282b

This method has existed for a long time so hopefully this won't
cause breakage for anyone on a slightly older FF.

It is included just fine by the require statements.

Nothing has relied upon this since the Store plugin was replaced
with an angular service.

This change requires us to introduce proxyquire for stubbing modules
that have a single function as their default export, such as the
scroll-into-view module.

The scroll-into-view library has no dependency on jQuery, is a proper
CommonJS module (no need for browserify-shim), handles nesting better,
and scrolls elements into the middle of the screen.

Overal, a better experience as a developer and a user.

We work on IE10+ but not IE9. Other major browsers all support it
for a while.

URI normalisation

Share a group

Group pages show a "Login to join group" link (opens in a new tab) if
you're not logged in.
If you're logged in they show a "Click to join group" button, posts to
new join() callable that adds the user to the group.
If you're already a member they show a "Share this link to invite people" link.

The groups dropdown list has new share icon links to the group's page,
for each group.

This ensures that after logging in the token getter resolves
properly.

The auth dialog waits for the background authentication check to fail,
but it shouldn't replace that promise with its own. It is perfectly
fine for the application to proceed while the user is entering
credentials.

In particular, this makes sure that a search without any authorization
can be performed even when the firstrun flag causes the login dialog
to show.

It turns out IE10 doesn't have the URL constructor and somehow I
misinterpreted the MDN docs.

The bind polyfill still isn't needed, except by PhantomJS.

It also seems silly not to just include wgxpath without npm. Save
the browserify-ing step.

https://github.com/substack/insert-module-globals/pull/46

Function.prototype.bind is supported in every browser for a long time.
It's only needed because, oddly, PhantomJS 1.8 doesn't support it.

The window.URL constructor is supported in IE10+ and every other major
browser for a while now. It's also not supported in PhantomJS 1.8,
though. The application currently doesn't work on IE < 10 anyway so
let's just remove this for now.

This should make sure that baseURI works completely even in IE.

I had started to implement the JWT Authorization Grant here but
forgot to back out those changes before I committed to just refactoring
the existing method. This was premature and also plain wrong in the
sense that the parameters were not being passed ('params' is the key
for sending GET parameters, not 'data' -- 'data' would be a separate
argument for POST).

Switch out jschannel for frame-rpc

Simplify handling of admin permissions

Refactor auth in the client

Start to take better control over the authentication and authorization
systems of the front end.

- Remove dependency on Annotator Auth plugin. With this change,
  Annotator is completely gone from the Angular application.

- Use angular-jwt and its http interceptor to ensure that auth tokens
  are up-to-date and auth token requests block store requests.

- With the interceptor in place, it's no longer necessary to resolve
  auth before the ng-view controllers.

- Use the session directly for getting the current user. This is in
  line with what is likely to happen for groups, too, soon.

The frame-rpc module is a proper CommonJS module and it's footprint
is really tiny. Its protocol is simpler. It doesn't handle connection
and buffering, but with our onConnect callback we don't need buffering.
The connection handshake that jschannel did was so trivial it's been
re-implemented here (each side tries to connect to the other once).

We have to handle timeouts ourselves, but that's all hidden in the
bridge code. In exchange, we get a simpler API, we get rid of the
call/notify distinction in favor of just passing a callback or not
and we avoid the excess overhead of the recursion guard in the
serialization code that was giving us false positive issues with
the document title.

This is one step toward removing all the browserify-shim requiring
libraries from the injected bundle, which will eventually fix #2397.

Remove vendored assets: install from NPM

Replaces our vendored dependencies with dependencies on packages
installed from NPM. This makes it substantially easier to find out
what versions of 3rd-party packages are installed, and substantially
easier to upgrade them as and when necessary.

Libraries have been installed pinned at the version available on NPM
nearest that installed in the repository. This means:

- angular remains v1.2.28
- angular-animate was upgraded from v1.2.25 -> v1.2.28
- angular-resource was upgraded from v1.2.25 -> v1.2.28
- angular-route was upgraded from v1.2.25 -> v1.2.28
- angulartics remains v0.17.2
- bootstrap remains v3.3.5
- jquery remains v1.11.1
- jstimezonedetect remains v1.0.5
- moment remains v2.5.0
- moment-timezone remains v0.0.1
- ng-tags-input remains v2.2.0

Unfortunately, the following modules don't appear to be available on NPM
and so remain in the repository:

- angular-bootstrap
- angular-sanitize
- angular-toastr (at a version early enough)

Enable users to create groups

This commit adds a list of groups to the "topbar" when the groups
feature flag is enabled.

Limit what admins can do

Use browserify-ngannotate to provide injection annotations

Only update stream filter when we have >0 URIs

Rather than trying to keep injection annotations up-to-date manually, we
can use the computer to do it for us.

[browserify-ngannotate][1] is a browserify transform plugin that uses
[ng-annotate][2] to automatically generate injection annotations for the
Angular injector.

[1]: https://github.com/omsmith/browserify-ngannotate
[2]: https://github.com/olov/ng-annotate

The backend code in `h.streamer` assumes that the arguments to "one_of"
are either a non-empty list or a single value. Passing an empty list
causes the generation of a bogus query.

So, don't update the stream filter until we have at least one URI to
stream from.

Fixes #2257.