Remove cookie auth related code

Update docstrings in response to CR feedback. In particular, document
parameter and return types more clearly.

This is now obsolete since login always happens in a popup window.

Add missing page index bounds check

Strip unknown query params when generating Internet Archive embed URLs

Add OAuth client registration steps to developer docs

These tests previously existed for the cookie-based auth but needed to
be re-implemented following the switch-over to OAuth.

These dependencies are no longer used following the removal of the
legacy cookie auth and JWT-based API tokens.

After OAuth tokens are changed by another tab, a `session.load()` call
is needed to actually fetch an updated profile.

The `store.profile.read` operation which fetches the profile is done in
a loop until it succeeds, on the basis that network requests may fail if
connectivity is intermittent. The `update` step should always succeed
however, so move it out of the loop.

This token is not fetched from the service or sent to any requests to
the service when using OAuth.

This was only used when using cookie-based authentication

This commit removes several tests that are still relevant for OAuth,
such as caching of profile data. These will be re-implemented in a
subsequent commit.

Remove the runtime switching between cookie and OAuth authentication.

As long as we are using Yarn as the official way to manage exact
versions of the client, ignore npm v5+ lockfiles in the source tree.

The client uses Yarn rather than `npm` for package management. Having
the npm v5 lockfile present creates opportunities for the npm and Yarn
lockfiles to disagree on which versions of packages to install.

This happened with 'babelify' (v6.x in the npm lockfile, v7.x in Yarn).

When anchoring an annotation with a position and a quote selector, if
the position selector fails, then PDF anchoring searches page contents
starting with those pages nearest the position.

If the position selector's `start` offset was greater than the length of
the PDF's text, `prioritizePages` would try to fetch the text of page
indexes beyond the valid range, causing PDF.js to throw an exception and
quote anchoring to fail.

Fix this by adding a missing bounds check.

This is a partial fix for #558. It fixes anchoring of one of two test
annotations on that page. The other fails due to differences in the
extracted text between the HTML and PDF versions of the article.

Internet Archive details pages may include params in the query string
as well as "start" and "end" params in the path. In that case invalid
URLs were being generated.

Use a more robust approach to generating embed URLs and add some missing
test cases. Any unrecognized query params are ignored when generating
the embed URLs.

Add comments to clarify several issues raised during PR #554.

Also add a missing test case and a small cleanup for the function.

The conversion of start time and end time path params into query string
params is still not particularly robust but it is good enough for us to
do some initial testing in production.

embed internet archive videos

Send search URIs to other frames by postMessage()

Add support for receiving postMessage() requests from other windows or
frames and responding by sending the list of search URIs that the client
is using for the current document to search the Hypothesis API for
annotations.

This can be used by our LTI app to get the search URIs when the student
submits an assignment. The app needs the search URIs to later search the
API for the student's annotations.

Make re-fetching of annotations when the logged-in user ID changes work with OAuth