Implement API authentication using JSON Web Tokens

[amcgee]

Also, fix some latent bugs in rendering and update the UI to reflect the authentication changes. Currently, anonymous users will always see an empty map since I've only implemented resource-level permissions.

There are currently two hard-coded users - user and admin. Both have the password 'password'.

As far as implementation: Sending a POST request to /api/login with the username (eventually email) and password will cause the server to sign a permissions object and return the signed token (JWT). This token can then be used to authenticate any API request without the need for persistent server-side session state. The tokens expire after one hour.

Next steps:

• Wire-up the 'users' resource so we can dynamically add and remove users
• Support fine-grained permissions, such as : Allow this user to edit the monitor groups resource only if they are an admin in the same account that owns the monitor.
• (maybe) Support a server-side 'logout' function. This will require that the server keep state, however - short-lived session tokens are likely sufficient.
• Support some form of re-authentication to get a new session token when the one we have will soon expire.
• Implement an API exploration page since we can no longer navigate API resources easily in a browser (the Authority: Bearer <token> header is required)

[amcgee]

NB: The initial page load requirements are getting a bit excessive and can sometimes time-out. We should investigate compiling javascript resources server-side and caching them client-side sooner than later.

Also, we should definitely move to using the minified backbone and underscore (or lodash? My personal preference) libraries.

[amcgee]

Some implementation details for the record:

• Password hash/salting is done using PKDF2 (unfortunately using SHA-1 currently since that's the only hashing algorithm node's crypto PKDF2 implementation supports). It will eventually use a random salt, currently since the passwords are pre-generated the salt is static.
• There is a pre-generated JWT secret hard-coded currently, it will eventually be collected from the server environment for production data security.