
Fix path traversal vulnerability

Open rcowsill opened this issue 3 years ago • 0 comments

The first commit moves the tutorial routes out of routes/index.js and into a separate router. This is to avoid cluttering the top-level route setup with the tutorial routing code. The tutorial is effectively a microsite alongside the main application, so it seems reasonable to split it out like this.

The second commit replaces the /tutorial/:page route with individual routes for each page.

Currently the set of allowed pages is just listed explicitly. I considered generating the page list from the filesystem or using HenrikJoreteg/semi-static, but that would require moving the templates around to avoid serving the layout template.

Fixes #232

rcowsill, Mar 14 '21 14:03
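The change described above, replacing a `/tutorial/:page` parameter with one fixed route per page, sketched as an added example that is not code from this pull request or from NodeGoat. The views directory, the page names, the position of the layout template and every function name are assumptions made for illustration.

```javascript
// Added illustration: a request-derived template name versus an explicit page list.
const path = require("path");

const VIEWS_DIR = "/app/views"; // assumed views root
const TUTORIAL_DIR = path.posix.join(VIEWS_DIR, "tutorial");

// "Before" shape: the :page parameter is used directly as the template name.
function resolveDynamic(pageParam) {
  return path.posix.join(TUTORIAL_DIR, pageParam + ".html");
}

// "After" shape: one fixed route per allowed page; nothing is built from the request.
const ALLOWED_PAGES = ["intro", "injection", "broken-auth"]; // constructed list
function buildTutorialRoutes(pages) {
  const routes = new Map();
  for (const page of pages) {
    routes.set("/tutorial/" + page, path.posix.join(TUTORIAL_DIR, page + ".html"));
  }
  return routes;
}

const tutorialRoutes = buildTutorialRoutes(ALLOWED_PAGES);

// Exact match on the registered URL only; anything else is a 404 (null here).
function resolveExplicit(urlPath) {
  return tutorialRoutes.has(urlPath) ? tutorialRoutes.get(urlPath) : null;
}

// True when a resolved template path is still below the tutorial directory.
function isInsideTutorialDir(templatePath) {
  const rel = path.posix.relative(TUTORIAL_DIR, templatePath);
  return rel !== "" && !rel.startsWith("..") && !path.posix.isAbsolute(rel);
}

// Compare both resolvers for a list of requested page names.
function audit(pageParams) {
  return pageParams.map((p) => ({
    param: p,
    dynamic: resolveDynamic(p),
    dynamicStaysInTutorial: isInsideTutorialDir(resolveDynamic(p)),
    explicit: resolveExplicit("/tutorial/" + p),
  }));
}

// Constructed inputs: a listed page, the layout template, and a parent-directory name.
console.table(audit(["intro", "layout", "../layout"]));
```

A containment check such as `isInsideTutorialDir` alone would still let the `layout` name through, which is why the explicit list is the stronger control here.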