Only allow users to configure login services that are actually part of the app.

(Well, and services with names like "registerLoginHandler", but whatever.)

This prevents this attack:
  - Alice launches site with Facebook login
  - Mallory sends configureLoginService method to configure the Twitter service
  - Alice runs "meteor add accounts-twitter" and is impressed that Twitter integration
    Just Works with no configuration
  - Now the app is using Mallory's credentials

packages/accounts-base/accounts_server.js

@@ -260,10 +260,14 @@
   // to this collection are also allowed in insecure mode.
   Meteor.methods({
     "configureLoginService": function(options) {
-      if (!Accounts.configuration.findOne({service: options.service}))
-        Accounts.configuration.insert(options);
-      else
+      // Don't let random users configure a service we haven't added yet (so
+      // that when we do later add it, it's set up with their configuration
+      // instead of ours).
+      if (!Accounts[options.service])
+        throw new Meteor.Error(403, "Service unknown");
+      if (Accounts.configuration.findOne({service: options.service}))
         throw new Meteor.Error(403, "Service " + options.service + " already configured");
+      Accounts.configuration.insert(options);
     }
   });
 

packages/accounts-ui-unstyled/login_buttons_dialogs.js

@@ -170,7 +170,7 @@
         // Configure this login service
         Meteor.call("configureLoginService", configuration, function (error, result) {
           if (error)
-            Meteor._debug("Error configurating login service " + serviceName, error);
+            Meteor._debug("Error configuring login service " + serviceName, error);
           else
             loginButtonsSession.set('configureLoginServiceDialogVisible', false);
         });