4.0.0

@domenic released this 14 Apr 05:08
· 10 commits to master since this release

Added scope support. The majority of this work was done by @sybeck2k in #15 and #17. The resulting API, consisting primarily of a new grantScopes hook, is documented in the README. Additionally, there is now a res.sendUnauthorized() call you can use to send an error to the client when it tries to access things outside its scope. For more details on this, check out the cc-with-scopes example.

Changed the signature of all the hooks. All hooks now take arguments in the form (credentials, req, cb), or (token, req, cb) for authenticateToken. The contents of credentials depend on the flow being used and the stage of authentication and/or authorization the token request is in. The req object contains the client request, as requested in #18. The end result is to allow more flexible authentication or authorization processes, e.g. based on GeoIP or based on a combination of client and resource owner credentials. See individual hook documentation for more details.

The authenticateToken hook no longer automatically sets clientId or username properties. You no longer need to call back with the client ID or username; instead simply call back with true, and set any such properties yourself. This allows more flexibility in the names chosen (see e.g. #13), and allows setting any additional relevant properties—such as scopes, for example.
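An added sketch of what the last two changes mean for upgrading code; it is not taken from the project's README or its cc-with-scopes example. The token store, the `scopesGranted` property name and the `requireScope` wrapper are hypothetical, and the callback is assumed to follow the Node `cb(error, result)` convention.

```javascript
// Constructed sample token store; a real deployment would query its own storage.
const issuedTokens = new Map([
  ['tok-read-constructed', { clientId: 'reporting-client', scopes: ['read'], expiresAt: Infinity }],
  ['tok-old-constructed', { clientId: 'legacy-client', scopes: ['read', 'write'], expiresAt: 0 }],
]);

// authenticateToken with the 4.0.0 argument order (token, req, cb).
// Assumption: cb follows the Node convention cb(error, result).
function authenticateToken(token, req, cb) {
  const record = issuedTokens.get(token);
  if (!record || record.expiresAt <= Date.now()) {
    // Unknown or expired token: leave req untouched and report failure.
    return cb(null, false);
  }
  // Since 4.0.0 the library sets nothing automatically, so a handler that
  // reads req.clientId would see undefined unless the hook assigns it here.
  req.clientId = record.clientId;
  // Property name chosen for this example; copy the array so handlers
  // cannot mutate the stored grant.
  req.scopesGranted = record.scopes.slice();
  return cb(null, true);
}

// Hypothetical route wrapper: fail closed when the required scope is missing,
// using the res.sendUnauthorized() call added in this release.
function requireScope(scope, handler) {
  return function (req, res, next) {
    const granted = Array.isArray(req.scopesGranted) ? req.scopesGranted : [];
    if (!granted.includes(scope)) {
      return res.sendUnauthorized();
    }
    return handler(req, res, next);
  };
}
```

Treating a missing `scopesGranted` as an empty list keeps a route protected even if a hook forgets to set the property after the upgrade.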