Allow reading and modifying description files, in a manner
that aligns with the needs of the API.

The "stats.json" file is moved under "galene-api", where the rest
of the API will live.

The "users" entry is now a dictionary mapping user names to
passwords and permissions.  In order to allow for wildcards,
there is a new type of password, the wildcard password, and
an extra array called "fallback-users".

The field "allow-anonymous" no longer exists, this is now
the default behaviour.  The field "allow-subgroups" has been
renamed to "auto-subgroups".

We provide backwards compatibility for group definition files,
but not for the config.json file, where the old "admin" array
is simply ignored.

We'd sometimes return "Internal server error" on authentication
failures.  This should be gone now.

There was a typo that prevented tokens with less than two days
validity.

We now support or reasonable values for proxyURL, such as "http:"
or "/galene".

We broke WHIP when we introduced splitPath.  Thanks to Tim Panton.

We were already ignoring files starting with colon.

Keep a redirect for backwards compatibility.

Use it for parsing special paths instead of ad hoc code.

If the WHIP session is not authenticated, then the only thing
preventing an attacker from DELETEing the session is the session
URL.  Since client ids are known, obfuscate the id before using
it in the session URL.