Fix two recent regressions with authentication. The first is the lack
of form error reporting. The second is the issue that ongoing highlight
mode switches and edits don't proceed after login.

- Unify all the interceptors related to sessioning. The interceptor for
  flash messages, csrf, and extracting the model from the session view
  responses is now all in session.coffee. This is better because it
  means other requests that don't return data in the same format aren't
  processed by these interceptors. It also makes it clearer which data
  the interceptors are processing; the CSRF interceptor may have been
  broken because the flash interceptor was discarding the data outside
  the model object.
- The CSRF interceptor was also not returning a rejected promise on
  errors. This mistake caused the errors not to be propagated to the
  Auth form controller. Fix #1266.
- The interaction between the Auth controller, session model changes,
  and scope resets is improved. The timeouts on the auth sheet are
  fixed so that they don't lose the ongoing mode switches and edits
  when the sheet is closed. Fix #1214.