If, for whatever reason, the request to fetch features data fails,
simply retry a little later (with a randomised exponential backoff).
This commit uses the [retry module](https://www.npmjs.com/package/retry)
to provide the backoff logic.

N.B. If we fail 10 times (over a period spanning between ~15 and ~30
minutes, using the defaults from the retry module) then we will simply
stop looking for new features data. There's no point burning client CPU
forever in the hope that the server reappears.

Fixes #2547.

UI tweaks for the group creation form

 * Increase the spacing between the label and the group name

 * Disable focus outline for the group name field, since
   the input has no border

 * Disable autocomplete for the group name field, since
   we are prompting for a _new_ name

Convert Chrome extension to Browserify + CommonJS modules

Push notifications of group membership changes

Server-rendered accounts forms

See linked description in GitHub issue.

It is a bit silly that we are running the Chrome extension tests
exclusively in PhantomJS rather than Chrome, but for the moment,
get the existing tests to run using the same getOwnPropertyNames()
shim that is used for the main client app tests.

It is likely that we will want to handle these events differently in
future, so split them into two separate tests.

 * Remove the logic from app-controller.coffee to focus the Public group
   on logout. This is no longer needed as the 'groups' service automatically
   updates the focused group if the previously focused group is removed.

 * Only emit the SESSION_CHANGED event on updates to the session state,
   not the initial app load, since initialization of the view is deferred
   until the session has already been loaded.

   Since the SESSION_CHANGED handler currently reloads the whole view,
   this avoids reloading the view twice on startup.

   Refactoring handling of SESSION_CHANGED to only update the relevant
   app state is left for a future refactoring.

T-105

 * Sort injected parameter names alphabetically for Angular
   services

 * Use imperative names for group events published on the 'user'
   NSQ topic

 * Avoid unnecessary dance with functools.partial() in streamer.py
   to pass the reader's topic to the message handler

This adds a new class of push notification, 'session-change'
which is broadcast to logged-in clients when changes to the user's
state, including the list of groups that they are a member of,
changes.

When the user creates or joins a group, a notification is
added to the event queue with an associated user ID
which is then broadcast via the web socket.

On the client side, the streamer service listens for the new
class of notification and triggers an update of the session
state in response.

When the user leaves a group, this may trigger an implicit change
of focus if the user was a member of the group.

T-105

Remove the 'notification' feature flag

This is deployed and toggled on everywhere, so we can simplify our code
by removing this feature flag.

Let the annotation post button resize to fit its content

Remove the 'streamer' feature flag

Remove the fixed width from the annotation post button
and let the dropdown menu's width adjust to fit its
content rather than being the same width as the button.

To avoid the menu disappearing into the left edge of
the sidebar, the menu has been re-aligned so that
it is centered underneath the button's dropdown arrow.

 * Simplify the styling used to hide the dropdown menu
   to use just the visibility property instead of
   setting pointer events to none, applying a rotation transform
   _and_ setting opacity to 0.

   I'm unclear why the combination of a transform, pointer events
   and opacity was used originally but the dropdown menus
   continue to work with the simplified styling.

T-112

Rather than flashing a message to check the user's email, display a
persistent message on the reset password form if the code has not been
prefilled.

This commit removes all of the client-side code for handling the
following forms:

- registration
- forgot password
- reset password

The login form remains, as it is of course very convenient to be able to
log into Hypothesis from the sidebar.

The code that depended on this scope variable was moved into the
ThreadController in 0e2bd59. It is no longer referenced anywhere.

https://github.com/hypothesis/h/pull/2451#discussion_r41639447

Visually truncate long bodies and quotes

Enable privacy dropdown even when saving an annotation is disabled

Introduces auto-truncation of long bodies and quotes which expand when
you click on a "More" link.

Feature flagged as 'truncate_annotations'.

 * Remove the 'line-height' property from .dropdown-menu-btn that,
   combined with default top/bottom padding for <button> elements
   was causing the button label to be vertically off-center in
   the 'Post to' button.

 * Remove duplication between .primary-action-btn and .dropdown-menu-btn

 * Use $color- variables for palette consistency in .dropdown-menu-btn

T-125

 * Implement design change to allow a user to change the privacy
   setting for an annotation even if the annotation cannot
   yet be published because no tags or text have been entered.

 * Disable the hover state for the main section of the button
   when it is disabled.

T-125

Server-rendered login form

Replace %20 with space when displaying filenames etc

Remove special-handling of pre-groups annotations

T88 - Add ability to leave groups

Add a new cancel/leave icon next to private groups
in the groups list and invoke groups.leave() when clicked.

Leaving a group invokes the as-yet-unimplemented
'POST /groups/<id>/leave' endpoint on the server.

T-88

Inline the H icon font

Fix race for session data on startup

The previous fix to use an absolute URL to the icon
font did not work in the Chrome extension because
the base path for assets was different.

The proper solution here will involve refactoring
the CSS build pipeline and possibly automatically
inlining font URLs in the process. I did not just
add a preprocessor to inline all URLs because
that would also have affected fonts in katex.min.css
and added significantly to the size of the CSS bundle.

This commit reverts back to the previous solution of
inlining just the icon font.

See #2571

Several parts of the application require access to the session data
fetched from the server when rendering. On first page load we don't have
this data (something we can fix in the future by inlining the data with
the viewer HTML) and this resulted in a race between the session data
load triggered by `checkAuthentication` (in config/identity.js) and the
query sent to the server by `WidgetController`, which needs to know the
current focused group id.

Fix this by ensuring that the first load of session data is complete
before switching views -- achieved by adding an item to the list of
dependencies passed to `$routeProvider`.

This works, but results in multiple requests for session data in quick
succession, because `checkAuthentication` runs while the view is
loading. To resolve this problem, we add a straightforward TTL check to
the `session.load()` method, and only make a new request if the data is
more than 5m old.

Session data will be overwritten as normal whenever session mutating
methods (`session.login()`, `session.logout()`) etc. are called.

Fixes #2590.

Pulling the server-side template and rendering it with swig is bound to
break if we change the way the form is rendered on the server-side (as I
am in the process of doing).

So, convert this from a sort-of-integrated test to a unit test.

Extract the WebSocket client into its own module and add tests

In preparation for adding additional push notification types,
separate out the client into its own module and add tests.

T-105

Do not show vendored PDF.js in language stats