Remove csurf

New views will be using the REST api not session, so this won't apply

src/routes/test/clients-test.js

@@ -356,14 +356,6 @@ describe('Clients', function () {
         resetToken: hat(256)
     };
 
-    // make csrf always succeed for testing
-    oauth2.csrf = function () {
-        return function (req, res, next) {
-            req.csrfToken = function () { return hat(256); };
-            next();
-        };
-    };
-
     function setup2(done) {
         async.series([
             setup,

src/routes/test/oauth2-test.js

@@ -204,14 +204,6 @@ describe('OAuth2', function () {
             scope: accesscontrol.SCOPE_PROFILE
         };
 
-        // make csrf always succeed for testing
-        oauth2.csrf = function () {
-            return function (req, res, next) {
-                req.csrfToken = function () { return hat(256); };
-                next();
-            };
-        };
-
         function setup(done) {
             async.series([
                 server.start,
@@ -1298,14 +1290,6 @@ describe('Password', function () {
         source: ''
     };
 
-    // make csrf always succeed for testing
-    oauth2.csrf = function () {
-        return function (req, res, next) {
-            req.csrfToken = function () { return hat(256); };
-            next();
-        };
-    };
-
     function setup(done) {
         async.series([
             server.start,