The "users" entry is now a dictionary mapping user names to
passwords and permissions.  In order to allow for wildcards,
there is a new type of password, the wildcard password, and
an extra array called "fallback-users".

The field "allow-anonymous" no longer exists, this is now
the default behaviour.  The field "allow-subgroups" has been
renamed to "auto-subgroups".

We provide backwards compatibility for group definition files,
but not for the config.json file, where the old "admin" array
is simply ignored.

We'd sometimes return "Internal server error" on authentication
failures.  This should be gone now.

There was a typo that prevented tokens with less than two days
validity.

We now support or reasonable values for proxyURL, such as "http:"
or "/galene".

We broke WHIP when we introduced splitPath.  Thanks to Tim Panton.

We were already ignoring files starting with colon.

Keep a redirect for backwards compatibility.

Use it for parsing special paths instead of ad hoc code.

If the WHIP session is not authenticated, then the only thing
preventing an attacker from DELETEing the session is the session
URL.  Since client ids are known, obfuscate the id before using
it in the session URL.

A token with no "sub" field is now treated just like one with an
empty "sub".  In addition, all times are treated with a slack of 5s.

Also use Duration.Abs.

We used to have unbounded channels embedded within rtpconn
and webClient.  Make the structure explicit and testable.

This may happen if we're running over plain HTTP.
Thanks to kovmir.