Depends u-wave/core#187

• Now supports using HttpOnly cookies (not accessible with client js = more secure)
• Use passport for authentication; means we can add different authentication methods more easily. Do GET /auth/strategies to list available methods
• Add Google social signin (configure using config.auth.google)
• One-time-use random authentication tokens for the socket, instead of sending the JWT. Do GET /auth/socket to get a socket token; one is also included in GET /now for convenience. In the future this will allow to associate sockets with (WIP) u-wave-core sessions.
• Add logout endpoint; necessary for HttpOnly cookies sessions. It can also be used by non-cookie users for fast-track signout (instantly removes their authed websocket connection instead of first turning it into a LostConnection)
• Transform WebSocket connections back to GuestConnections when the user signs out; clients no longer need to reconnect manually to sign out of the socket.

Need to add ability to match social logins with existing accounts. A single user can already have multiple Authentications so it should not be very difficult; maybe, if req.user is already available when you social-login, we add the authentication to the existing user.