Adds `Accounts.validateLoginAttempt`, `Accounts.onLogin`, and
`Accounts.onLoginFailure`.
The process for logging in a user is consolidated in accounts-base,
which is now the only package which directly accesses login tokens in
the database.
All login methods now go through `Accounts._loginMethod`, which
ensures that exceptions are captured and login hooks are called in all
cases.
The callback hook implementation code from livedata is extracted into
an internal `callback-hook` package, where it can be used by accounts.
* Adding "foo.com" to your CSP via browser-policy now adds both
"http://foo.com" and "https://foo.com". This smooths over the fact
that some browsers interpret "foo.com" as "http://foo.com" and some
interpret it as http AND https.
* Trim trailing slashes from origins. Firefox does not allow content
from foo.com if you add "foo.com/" to your CSP.
Specifically, in all Underscore "collection" functions which treat their
arguments polymorphically as either "object-like" or "array-like", don't
treat arguments with `x.constructor === Object` as arrays (except for
the 'arguments' object).
Fixes#594. Fixes#1737.
This implies it is not allowed in `observe` either, or in cursors
returned from publish functions, or in cursors used in {{#each}}
Why? observeChanges and DDP publication use the ID as part of the
callback/message, and eliding it completely breaks them. Meteor UI uses
the ID with {{#each}} to properly move nodes around instead of
re-rendering. We could try to allow it for `observe` outside of
{{#each}}, but it would feel somewhat inconsistent.
"templating - template arg" fails before and after this merge
Conflicts:
packages/handlebars/.npm/package/npm-shrinkwrap.json
packages/handlebars/package.js
(semi-updating handlebars to shrink package size, vs deleting)
packages/minifiers/package.js
(two different new tests)
packages/minimongo/minimongo.js
(observe moved to a new file)
