JavaScriptPlugins
diff --git a/‎.eslintignore‎
Lines changed: 0 additions & 1 deletion b/‎.eslintignore‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎History.md‎
Lines changed: 20 additions & 0 deletions b/‎History.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎docs/client/full-api/api/accounts.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/client/full-api/api/accounts.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/client/full-api/api/passwords.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/client/full-api/api/passwords.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/client/full-api/concepts.html‎
Lines changed: 3 additions & 1 deletion b/‎docs/client/full-api/concepts.html‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎meteor‎
Lines changed: 1 addition & 1 deletion b/‎meteor‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/accounts-base/accounts_server.js‎
Lines changed: 3 additions & 8 deletions b/‎packages/accounts-base/accounts_server.js‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎packages/accounts-password/password_client.js‎
Lines changed: 7 additions & 2 deletions b/‎packages/accounts-password/password_client.js‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎packages/accounts-password/password_server.js‎
Lines changed: 124 additions & 24 deletions b/‎packages/accounts-password/password_server.js‎
Lines changed: 124 additions & 24 deletions
@@ -71,7 +71,6 @@ tools/safe-pathwatcher.js
 tools/selftest.js
 tools/service-connection.js
 tools/shell-client.js
-tools/source-map-retriever-stack.js
 tools/stats.js
 tools/test-utils.js
 tools/tropohouse.js
 
@@ -10,6 +10,24 @@
   JSON too.  #4595
 
 
+### Meteor Accounts
+
+* `loginWithPassword` now matches username or email in a case insensitive manner. If there are multiple users with a username or email only differing in case, a case sensitive match is required. #550
+* `loginWithGithub` now requests `user:email` scope by default, and attempts to fetch the user's emails. If no public email has been set, we use the primary email instead. We also store the complete list of emails. #4545
+
+
+### DDP
+
+* `sub.ready()` should return true inside that subscription's `onReady`
+  callback.  #4614
+
+### Livequery
+
+* Improved server performance by reducing overhead of processing oplog after
+  database writes. Improvements are most noticeable in case when a method is
+  doing a lot of writes on collections with plenty of active observers.  #4694
+
+
 ## in progress: v.1.1.1
 
 ### Blaze
@@ -185,6 +203,8 @@
 
 ### Other bug fixes and improvements
 
+* The `spiderable` package now reports the URL it's trying to fetch on failure.
+
 * Upgraded dependencies:
 
   - uglify-js: 2.4.20 (from 2.4.17)
 
@@ -134,6 +134,8 @@ will be logged out.
 
 {{> autoApiBox "Meteor.loginWithPassword"}}
 
+If there are multiple users with a username or email only differing in case, a case sensitive match is required. Although `createUser` won't let you create users with ambiguous usernames or emails, this could happen with existing databases or if you modify the users collection directly.
+
 This function is provided by the `accounts-password` package. See the
 [Passwords](#accounts_passwords) section below.
 
 
@@ -26,7 +26,7 @@ id.
 
 On the client, you must pass `password` and at least one of `username` or
 `email` &mdash; enough information for the user to be able to log in again
-later. On the server, you do not need to specify `password`, but the user will
+later. If there are existing users with a username or email only differing in case, `createUser` will fail. On the server, you do not need to specify `password`, but the user will
 not be able to log in until it has a password (eg, set with
 [`Accounts.setPassword`](#accounts_setpassword)).
 
 
@@ -752,7 +752,9 @@ <h2 id="usingpackages">Using packages</h2>
 app, `meteor list` and `meteor add` also search the `packages` directory at the
 top of your app. You can also use the `packages` directory to break your app
 into subpackages for your convenience, or to test packages that you might want
-to publish. See [Writing Packages](#writingpackages).
+to publish. See [Writing Packages](#writingpackages). If you wish to add
+packages outside of your app's folder structure, set the environment variable
+`PACKAGE_DIRS` to a colon-delimited list of paths.
 
 {{/markdown}}
 </template>
 
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-BUNDLE_VERSION=0.4.38
+BUNDLE_VERSION=0.5.0
 
 # OS Check. Put here because here is where we download the precompiled
 # bundles that are arch specific.
 
@@ -51,6 +51,8 @@ AccountsServer = function AccountsServer(server) {
   ];
 
   this._deleteSavedTokensForAllUsersOnStartup();
+
+  this._skipCaseInsensitiveChecksForTest = {};
 };
 
 Meteor._inherits(AccountsServer, AccountsCommon);
@@ -1256,21 +1258,14 @@ Ap.validateNewUser = function (func) {
   this._validateNewUserHooks.push(func);
 };
 
-// XXX Find a better place for this utility function
-// Like Perl's quotemeta: quotes all regexp metacharacters. See
-//   https://github.com/substack/quotemeta/blob/master/index.js
-var quotemeta = function (str) {
-    return String(str).replace(/(\W)/g, '\\$1');
-};
-
 // Helper function: returns false if email does not match company domain from
 // the configuration.
 Ap._testEmailDomain = function (email) {
   var domain = this._options.restrictCreationByEmailDomain;
   return !domain ||
     (_.isFunction(domain) && domain(email)) ||
     (_.isString(domain) &&
-      (new RegExp('@' + quotemeta(domain) + '$', 'i')).test(email));
+      (new RegExp('@' + Meteor._escapeRegExp(domain) + '$', 'i')).test(email));
 };
 
 // Validate new user's email or Google/Facebook/GitHub account's email
 
@@ -11,9 +11,14 @@
 /**
  * @summary Log the user in with a password.
  * @locus Client
- * @param {Object | String} user Either a string interpreted as a username or an email; or an object with a single key: `email`, `username` or `id`.
+ * @param {Object | String} user
+ *   Either a string interpreted as a username or an email; or an object with a
+ *   single key: `email`, `username` or `id`. Username or email match in a case
+ *   insensitive manner.
  * @param {String} password The user's password.
- * @param {Function} [callback] Optional callback. Called with no arguments on success, or with a single `Error` argument on failure.
+ * @param {Function} [callback] Optional callback.
+ *   Called with no arguments on success, or with a single `Error` argument
+ *   on failure.
  */
 Meteor.loginWithPassword = function (selector, password, callback) {
   if (typeof selector === 'string')
 
@@ -77,30 +77,93 @@ var checkPassword = Accounts._checkPassword;
 /// LOGIN
 ///
 
-// Users can specify various keys to identify themselves with.
-// @param user {Object} with one of `id`, `username`, or `email`.
-// @returns A selector to pass to mongo to get the user record.
-
-var selectorFromUserQuery = function (user) {
-  if (user.id)
-    return {_id: user.id};
-  else if (user.username)
-    return {username: user.username};
-  else if (user.email)
-    return {"emails.address": user.email};
-  throw new Error("shouldn't happen (validation missed something)");
-};
-
-var findUserFromUserQuery = function (user) {
-  var selector = selectorFromUserQuery(user);
-
-  var user = Meteor.users.findOne(selector);
-  if (!user)
-    throw new Meteor.Error(403, "User not found");
+// Attempts to find a user from a user query.
+// First tries to match username or email case sensitively; if that fails, it
+// tries case insensitively; but if more than one user matches the case
+// insensitive search, it returns null
+// @param query {Object} with one of `id`, `username`, or `email`.
+// @returns A user if found, else null
+var findUserFromQuery = function (query) {
+  var user = null;
+
+  if (query.id) {
+    user = Meteor.users.findOne({ _id: query.id });
+  } else {
+    var fieldName;
+    var fieldValue;
+    if (query.username) {
+      fieldName = 'username';
+      fieldValue = query.username;
+    } else if (query.email) {
+      fieldName = 'emails.address';
+      fieldValue = query.email;
+    } else {
+      throw new Error("shouldn't happen (validation missed something)");
+    }
+    var selector = {};
+    selector[fieldName] = fieldValue;
+    user = Meteor.users.findOne(selector);
+    // If user is not found, try a case insensitive lookup
+    if (!user) {
+      selector = selectorForFastCaseInsensitiveLookup(fieldName, fieldValue);
+      var candidateUsers = Meteor.users.find(selector).fetch();
+      // No match if multiple candidates are found
+      if (candidateUsers.length === 1) {
+        user = candidateUsers[0];
+      } else {
+        console.error('Found multiple users with ' + fieldName + ' = ' + fieldValue + ' only differing in case. Requiring case sensitive login.');
+      }
+    }
+  }
 
   return user;
 };
 
+
+// Generates a MongoDB selector that can be used to perform a fast case
+// insensitive lookup for the given fieldName and string. Since MongoDB does
+// not support case insensitive indexes, and case insensitive regex queries
+// are slow, we construct a set of prefix selectors for all permutations of
+// the first 4 characters ourselves. We first attempt to matching against
+// these, and because 'prefix expression' regex queries do use indexes (see
+// http://docs.mongodb.org/v2.6/reference/operator/query/regex/#index-use),
+// this has been found to greatly improve performance (from 1200ms to 5ms in a
+// test with 1.000.000 users).
+var selectorForFastCaseInsensitiveLookup = function (fieldName, string) {
+  // Performance seems to improve up to 4 prefix characters
+  var prefix = string.substring(0, Math.min(string.length, 4));
+  var orClause = _.map(generateCasePermutationsForString(prefix),
+    function (prefixPermutation) {
+      var selector = {};
+      selector[fieldName] =
+        new RegExp('^' + Meteor._escapeRegExp(prefixPermutation));
+      return selector;
+    });
+  var caseInsensitiveClause = {};
+  caseInsensitiveClause[fieldName] =
+    new RegExp('^' + Meteor._escapeRegExp(string) + '$', 'i')
+  return {$and: [{$or: orClause}, caseInsensitiveClause]};
+}
+
+// Generates permutations of all case variations of a given string.
+var generateCasePermutationsForString = function (string) {
+  var permutations = [''];
+  for (var i = 0; i < string.length; i++) {
+    var ch = string.charAt(i);
+    permutations = _.flatten(_.map(permutations, function (prefix) {
+      var lowerCaseChar = ch.toLowerCase();
+      var upperCaseChar = ch.toUpperCase();
+      // Don't add unneccesary permutations when ch is not a letter
+      if (lowerCaseChar === upperCaseChar) {
+        return [prefix + ch];
+      } else {
+        return [prefix + lowerCaseChar, prefix + upperCaseChar];
+      }
+    }));
+  }
+  return permutations;
+}
+
 // XXX maybe this belongs in the check package
 var NonEmptyString = Match.Where(function (x) {
   check(x, String);
@@ -147,7 +210,9 @@ Accounts.registerLoginHandler("password", function (options) {
   });
 
 
-  var user = findUserFromUserQuery(options.user);
+  var user = findUserFromQuery(options.user);
+  if (!user)
+    throw new Meteor.Error(403, "User not found");
 
   if (!user.services || !user.services.password ||
       !(user.services.password.bcrypt || user.services.password.srp))
@@ -211,7 +276,9 @@ Accounts.registerLoginHandler("password", function (options) {
     password: passwordValidator
   });
 
-  var user = findUserFromUserQuery(options.user);
+  var user = findUserFromQuery(options.user);
+  if (!user)
+    throw new Meteor.Error(403, "User not found");
 
   // Check to see if another simultaneous login has already upgraded
   // the user record to bcrypt.
@@ -672,7 +739,7 @@ Meteor.methods({verifyEmail: function (token) {
         {_id: user._id,
          'emails.address': tokenRecord.address},
         {$set: {'emails.$.verified': true},
-         $pull: {'services.email.verificationTokens': {token: token}}});
+         $pull: {'services.email.verificationTokens': {address: tokenRecord.address}}});
 
       return {userId: user._id};
     }
@@ -715,7 +782,40 @@ var createUser = function (options) {
   if (email)
     user.emails = [{address: email, verified: false}];
 
-  return Accounts.insertUserDoc(options, user);
+  // Check if there is no other user with a username or email only differing
+  // in case.
+  var performCaseInsensitiveCheck = function () {
+    // Some tests need the ability to add users with the same case insensitive
+    // username or email, hence the _skipCaseInsensitiveChecksForTest check
+
+    if (username &&
+      !_.has(Accounts._skipCaseInsensitiveChecksForTest, username) &&
+      Meteor.users.find(selectorForFastCaseInsensitiveLookup(
+        "username", username)).count() > 1) {
+          throw new Meteor.Error(403, "Username already exists.");
+    }
+
+    if (email &&
+      !_.has(Accounts._skipCaseInsensitiveChecksForTest, email) &&
+      Meteor.users.find(selectorForFastCaseInsensitiveLookup(
+        "emails.address", email)).count() > 1) {
+        throw new Meteor.Error(403, "Email already exists.");
+    }
+  }
+
+  // Perform a case insensitive check before insert
+  performCaseInsensitiveCheck();
+  var userId = Accounts.insertUserDoc(options, user);
+  // Perform another check after insert, in case a matching user has been
+  // inserted in the meantime
+  try {
+    performCaseInsensitiveCheck();
+  } catch (ex) {
+    // Remove inserted user if the check fails
+    Meteor.users.remove(userId);
+    throw ex;
+  }
+  return userId;
 };
 
 // method for create user. Requests come from the client.