Explicitly update vinyl-fs's graceful-fs dependency to v3.0.11.

graceful-fs v3.0.8 had a dependency on an internal Node module which no
longer exists in Node v7.

See https://github.com/gulpjs/gulp/issues/1843

Adding client metric tracking for interactions with annotations

In preparation for adding a profile update endpoint, the name of the
route for fetching the profile was renamed to 'profile.read'.

See https://github.com/hypothesis/h/commit/a3d45a4a4abb5b7b6f899eade5186820340a545c

Verify userid after connecting to WebSocket

Listen for the 'whoyouare' reply to the 'whoami' request sent after the
WebSocket connects and log a warning if the userid does not match the
logged-in user for any reason.

Show annotation counts on page.

Show annotation count on the page, so that users don't have to open to sidebar to know how many annotations are in the page.

Fixes: https://github.com/hypothesis/product-backlog/issues/129

Use access token to authenticate WebSocket connections

* master:
  Remove auth => session dependency

Exchange access token and fetch profile via API when a grant token is provided

 * Clarify that the service list augments rather than replaces the
   default list which consists of the public Hypothesis service.

 * Document the keys of objects in the _services_ array

Send a "whoami" request [1] after connecting to query the authenticated
user ID for the WS connection.

This makes it easy to check that authentication for the WS worked as
expected by inspecting the frames of the connection in the devtools.

[1] http://h.readthedocs.io/en/latest/realtime/#whoami

Supply the access token to the WebSocket via a query param.

This method is used to send the token because the WebSocket constructor
does not allow setting custom headers. See
https://github.com/hypothesis/product-backlog/issues/154 for context.

An alternative that was tried initially was embedding a username and
password in the URL via `wss://user:password@host/` syntax but that
turned out not to be supported by IE/Edge and required the server to fail
the initial request with a 401 response.

Fixes hypothesis/product-backlog#126

* master:

Remove auth => session dependency

 * Start the clock just _before_ the access token exchange
   occurs, otherwise the client will incorrectly add the delay between
   the server sending the token and the client receiving it to the
   expiry timestamp.

 * Use performance.now() instead of Date.now() so that expiry checks
   are not affected by system clock changes.

   performance.now() is supported on IE >= 10 and all modern browsers.

These tests stub the $http service rather than relying on the mock
$httpBackend from Angular mocks because that makes it easier to work
with native Promises.

When the user is on a page using 3rd party accounts but is not logged
in, they will not have an access token.

In this case, the 'authority' argument provides a way for the service to
determine which authority-specific groups and preferences should be
included in the returned profile.

Document the 'services' config param which the host page may provide to
the client.

Implement access token and profile retrieval for embedders of the client
that provide an OAuth grant token as part of the client's configuration.

For a page embedding Hypothesis configured to use a 3rd-party account,
the start up flow for the client is:

 1. Read service configuration from 'services' array in settings

 2. Exchange grant token from service config for an access token
    using the `POST /api/token` endpoint

 3. Fetch profile data using `GET /api/profile` endpoint

On startup, the app reads the service config and then switches between
either the cookie-based auth implementation or the OAuth-based auth
implementation.

In future, the cookie-based auth implementation will be removed in favor
of OAuth-based auth for first-party accounts as well.

Simplify the "auth" service and remove the dependency on the
"session" service. This will make it possible to introduce a "store" =>
"session" dependency in future in order to support fetching the user's
profile from the access token-authenticated /api/profile endpoint
instead of the cookie-authenticated /app endpoint.

The 'auth' service depended on 'session' for three things:

 - Being able to call `session.load()` in order to retrieve a CSRF
   token. This token is not needed for the `GET /api/token` endpoint
   following https://github.com/hypothesis/h/pull/4322

 - Calling `session.logout()`. This is fixed by removing the
   `auth.logout()` endpoint and changing the caller to call
   `session.logout()` directly instead. `session.logout()` in turn
   calls `auth.clearCache()` to clear cached API tokens.

 - Determining the current user ID in order to invalidate
   the cached token when that changes. The logic to clear the
   cache has instead been moved to the session service.

This commit also adds additional tests for session logout.

Add Firefox to valid keys

Explicitly add Authorization header to API requests

Only import known config params from the host page

Testing code that mixes native promises with $q promises (eg. as
returned by $http methods) is a PITA in tests because in that
environment:

 1. Native promises behave as usual - resolving on the next tick

 2. $q promises do not resolve until a digest is triggered explicitly.

As a result, causing a promise pipeline involving both types of promises
to fully execute is tricky.

Sticking to `$q` promises for the moment means that
`$httpBackend.flush()` will synchronously flush any resolved promises
and HTTP requests.

In future we can replace this crap with plain fetch() as part of
extracting the Hypothesis API client as a separate entity from the
client.

Add analytics tracking

The previous method of importing config params allowed the host page to
override any configuration parameter provided by the service hosting the
client's app.html file, potentially introducing vulnerabilities.

This PR limits the client to importing only config parameters from a
whitelist. This also has the benefit of clearly documenting all the
parameters that can come from the host page in one place in the code.

Add Google Analytics if settings supply it