Merge branch 'develop' of github.com:HabitRPG/habitrpg into common-convert

Conflicts: bower.json public/manifest.json src/controllers/auth.js
2025-12-14 21:27:23 +01:00 · 2015-02-05 11:20:40 -06:00
parent 28b9ad11cb 3897266ba6
commit dca2f13dda
12 changed files with 397 additions and 36 deletions
--- a/.jshintrc
+++ b/.jshintrc
@@ -8,5 +8,5 @@

 	"asi": true,
 	"boss": true,
-	"newcap": false,
+	"newcap": false
 }
--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -110,7 +110,7 @@ module.exports = function(grunt) {

  //Load build files from public/manifest.json
  grunt.registerTask('loadManifestFiles', 'Load all build files from public/manifest.json', function(){
-    var files = grunt.file.readJSON('./public/manifest.json');
+    var files = grunt.file.readJSON('./website/public/manifest.json');
    var uglify = {};
    var cssmin = {};

@@ -130,6 +130,8 @@ module.exports = function(grunt) {
      });

    });
+    console.log(uglify);
+    console.log(cssmin);

    grunt.config.set('uglify.build.files', uglify);
    grunt.config.set('uglify.build.options', {compress: false});
@@ -142,6 +144,7 @@ module.exports = function(grunt) {
  // Register tasks.
  grunt.registerTask('build:prod', ['loadManifestFiles', 'clean:build', 'uglify', 'stylus', 'cssmin', 'copy:build', 'hashres']);
  grunt.registerTask('build:dev', ['stylus']);
+  grunt.registerTask('test', ['loadManifestFiles', 'uglify', 'cssmin']);

  grunt.registerTask('run:dev', [ 'build:dev', 'concurrent' ]);

--- a/bower.json
+++ b/bower.json
@@ -26,7 +26,7 @@
    "angular-loading-bar": "~0.6.0",
    "bootstrap": "~3.1.0",
    "bootstrap-growl": "git://github.com/ifightcrime/bootstrap-growl.git#master",
-    "bootstrap-tour": "~0.8.1",
+    "bootstrap-tour": "~0.10.1",
    "BrowserQuest": "git://github.com/browserquest/BrowserQuest.git",
    "github-buttons": "git://github.com/mdo/github-buttons.git",
    "marked": "~0.2.9",
--- a/gulpfile.js
+++ b/gulpfile.js
@@ -21,6 +21,7 @@ var gulp        = require('gulp'),
    pkg         = require('./package');

 var paths = {
+  build: "./website/build",
  stylus: {
     src: {
       app: './website/public/css/index.styl',
@@ -165,6 +166,7 @@ gulp.task('sprite', function(cb) {
          STEP++;
          console.log("Finished spritesmith" + key + ".png");
          if(STEP >= COUNT) {
+            console.log(paths.sprites.cssminSrc);
            gulp.src(paths.sprites.cssminSrc)
              .pipe(concat('habitrpg-shared.css'))
              .pipe(cssmin())
@@ -185,6 +187,45 @@ gulp.task('browserify', function() {
    .pipe(gulp.dest(paths.common.dest))
 })

+gulp.task('build', function() {
+  var files = require('./website/public/manifest');
+  var uglifySrc = {};
+  var cssminSrc = {};
+
+  _.each(files, function(val, key){
+
+    var js = uglifySrc[key + '.js'] = [];
+
+    _.each(files[key]['js'], function(val){
+      js.push('./website/public/' + val);
+    });
+
+    var css = cssminSrc[key + '.css'] = [];
+
+    _.each(files[key]['css'], function(val){
+      var path = (val == 'app.css' || val == 'static.css') ?  paths.build : './website/public/';
+      css.push(path + val)
+    });
+
+  });
+
+  // Concat CSS
+  _.each(cssminSrc, function(val, key) {
+    gulp.src(val)
+      .pipe(concat(key))
+      .pipe(cssmin())
+      .pipe(gulp.dest(paths.build))
+  });
+
+  // Uglify JS
+  _.each(uglifySrc, function(val, key) {
+    gulp.src(val)
+      .pipe(concat(key))
+      .pipe(uglify())
+      .pipe(gulp.dest(paths.build))
+  });
+});
+
 gulp.task('watch', ['stylus', 'browserify'], function() {
  gulp.watch(paths.stylus.watch, ['stylus']);
  gulp.watch(paths.common.watch, ['browserify']);
--- a/src/controllers/auth.js
+++ b/src/controllers/auth.js
@@ -0,0 +1,307 @@
+var _ = require('lodash');
+var validator = require('validator');
+var passport = require('passport');
+var shared = require('habitrpg-shared');
+var async = require('async');
+var utils = require('../utils');
+var nconf = require('nconf');
+var request = require('request');
+var User = require('../models/user').model;
+var ga = require('./../utils').ga;
+var i18n = require('./../i18n');
+
+var isProd = nconf.get('NODE_ENV') === 'production';
+
+var api = module.exports;
+
+var NO_TOKEN_OR_UID = { err: "You must include a token and uid (user id) in your request"};
+var NO_USER_FOUND = {err: "No user found."};
+var NO_SESSION_FOUND = { err: "You must be logged in." };
+var accountSuspended = function(uuid){
+  return {
+    err: 'Account has been suspended, please contact leslie@habitrpg.com with your UUID ('+uuid+') for assistance.',
+    code: 'ACCOUNT_SUSPENDED'
+  };
+}
+// Allow case-insensitive regex searching for Mongo queries. See http://stackoverflow.com/a/3561711/362790
+var RegexEscape = function(s){
+  return new RegExp('^' + s.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') + '$', 'i');
+}
+
+api.auth = function(req, res, next) {
+  var uid = req.headers['x-api-user'];
+  var token = req.headers['x-api-key'];
+  if (!(uid && token)) return res.json(401, NO_TOKEN_OR_UID);
+  User.findOne({_id: uid,apiToken: token}, function(err, user) {
+    if (err) return next(err);
+    if (_.isEmpty(user)) return res.json(401, NO_USER_FOUND);
+    if (user.auth.blocked) return res.json(401, accountSuspended(user._id));
+
+    res.locals.wasModified = req.query._v ? +user._v !== +req.query._v : true;
+    res.locals.user = user;
+    req.session.userId = user._id;
+    return next();
+  });
+};
+
+api.authWithSession = function(req, res, next) { //[todo] there is probably a more elegant way of doing this...
+  if (!(req.session && req.session.userId))
+    return res.json(401, NO_SESSION_FOUND);
+  User.findOne({_id: req.session.userId}, function(err, user) {
+    if (err) return next(err);
+    if (_.isEmpty(user)) return res.json(401, NO_USER_FOUND);
+    res.locals.user = user;
+    next();
+  });
+};
+
+api.authWithUrl = function(req, res, next) {
+  User.findOne({_id:req.query._id, apiToken:req.query.apiToken}, function(err,user){
+    if (err) return next(err);
+    if (_.isEmpty(user)) return res.json(401, NO_USER_FOUND);
+    res.locals.user = user;
+    next();
+  })
+}
+
+api.registerUser = function(req, res, next) {
+  async.auto({
+    validate: function(cb) {
+      if (!(req.body.username && req.body.password && req.body.email))
+        return cb({code:401, err: ":username, :email, :password, :confirmPassword required"});
+      if (req.body.password !== req.body.confirmPassword)
+        return cb({code:401, err: ":password and :confirmPassword don't match"});
+      if (!validator.isEmail(req.body.email))
+        return cb({code:401, err: ":email invalid"});
+      cb();
+    },
+    findEmail: function(cb) {
+      User.findOne({'auth.local.email': RegexEscape(req.body.email)}, {_id:1}, cb);
+    },
+    findUname: function(cb) {
+      User.findOne({'auth.local.username': RegexEscape(req.body.username)}, {_id:1}, cb);
+    },
+    findFacebook: function(cb){
+      User.findOne({_id: req.headers['x-api-user'], apiToken: req.headers['x-api-key']}, {auth:1}, cb);
+    },
+    register: ['validate', 'findEmail', 'findUname', 'findFacebook', function(cb, data) {
+      if (data.findEmail) return cb({code:401, err:"Email already taken"});
+      if (data.findUname) return cb({code:401, err:"Username already taken"});
+      var salt = utils.makeSalt();
+      var newUser = {
+        auth: {
+          local: {
+            username: req.body.username,
+            email: req.body.email,
+            salt: salt,
+            hashed_password: utils.encryptPassword(req.body.password, salt)
+          },
+          timestamps: {created: +new Date(), loggedIn: +new Date()}
+        }
+      };
+      // existing user, allow them to add local authentication
+      if (data.findFacebook) {
+        data.findFacebook.auth.local = newUser.auth.local;
+        data.findFacebook.save(cb);
+      // new user, register them
+      } else {
+        newUser.preferences = newUser.preferences || {};
+        newUser.preferences.language = req.language; // User language detected from browser, not saved
+        var user = new User(newUser);
+        utils.txnEmail(user, 'welcome');
+        ga.event('register', 'Local').send();
+        user.save(cb);
+      }
+    }]
+  }, function(err, data) {
+    if (err) return err.code ? res.json(err.code, err) : next(err);
+    res.json(200, data.register[0]);
+  });
+};
+
+/*
+ Register new user with uname / password
+ */
+
+
+api.loginLocal = function(req, res, next) {
+  var username = req.body.username;
+  var password = req.body.password;
+  if (!(username && password)) return res.json(401, {err:'Missing :username or :password in request body, please provide both'});
+  var login = validator.isEmail(username) ? {'auth.local.email':username} : {'auth.local.username':username};
+  User.findOne(login, {auth:1}, function(err, user){
+    if (err) return next(err);
+    if (!user) return res.json(401, {err:"Username or password incorrect. Click 'Forgot Password' for help with either. (Note: usernames are case-sensitive)"});
+    if (user.auth.blocked) return res.json(401, accountSuspended(user._id));
+    // We needed the whole user object first so we can get his salt to encrypt password comparison
+    User.findOne(
+      {$and: [login, {'auth.local.hashed_password': utils.encryptPassword(password, user.auth.local.salt)}]}
+    , {_id:1, apiToken:1}
+    , function(err, user){
+      if (err) return next(err);
+      if (!user) return res.json(401,{err:"Username or password incorrect. Click 'Forgot Password' for help with either. (Note: usernames are case-sensitive)"});
+      res.json({id: user._id,token: user.apiToken});
+      password = null;
+    });
+  });
+};
+
+/*
+ POST /user/auth/social
+ */
+api.loginSocial = function(req, res, next) {
+  var access_token = req.body.authResponse.access_token,
+    network = req.body.network;
+  if (network!=='facebook')
+    return res.json(401, {err:"Only Facebook supported currently."});
+  async.auto({
+    profile: function (cb) {
+      passport._strategies[network].userProfile(access_token, cb);
+    },
+    user: ['profile', function (cb, results) {
+      var q = {};
+      q['auth.' + network + '.id'] = results.profile.id;
+      User.findOne(q, {_id: 1, apiToken: 1, auth: 1}, cb);
+    }],
+    register: ['profile', 'user', function (cb, results) {
+      if (results.user) return cb(null, results.user);
+      // Create new user
+      var prof = results.profile;
+      var user = {
+        preferences: {
+          language: req.language // User language detected from browser, not saved
+        },
+        auth: {
+          timestamps: {created: +new Date(), loggedIn: +new Date()}
+        }
+      };
+      user.auth[network] = prof;
+      user = new User(user);
+      user.save(cb);
+
+      utils.txnEmail(user, 'welcome');
+      ga.event('register', network).send();
+    }]
+  }, function(err, results){
+    if (err) return res.json(401, {err: err.toString ? err.toString() : err});
+    var acct = results.register[0] ? results.register[0] : results.register;
+    if (acct.auth.blocked) return res.json(401, accountSuspended(acct._id));
+    return res.json(200, {id:acct._id, token:acct.apiToken});
+  })
+};
+
+/**
+ * DELETE /user/auth/social
+ */
+api.deleteSocial = function(req,res,next){
+  if (!res.locals.user.auth.local.username)
+    return res.json(401, {err:"Account lacks another authentication method, can't detach Facebook"});
+  //FIXME for some reason, the following gives https://gist.github.com/lefnire/f93eb306069b9089d123
+  //res.locals.user.auth.facebook = null;
+  //res.locals.user.auth.save(function(err, saved){
+  User.update({_id:res.locals.user._id}, {$unset:{'auth.facebook':1}}, function(err){
+    if (err) return next(err);
+    res.send(200);
+  })
+}
+
+api.resetPassword = function(req, res, next){
+  var email = req.body.email,
+    salt = utils.makeSalt(),
+    newPassword =  utils.makeSalt(), // use a salt as the new password too (they'll change it later)
+    hashed_password = utils.encryptPassword(newPassword, salt);
+
+  User.findOne({'auth.local.email': RegexEscape(email)}, function(err, user){
+    if (err) return next(err);
+    if (!user) return res.send(500, {err:"Couldn't find a user registered for email " + email});
+    user.auth.local.salt = salt;
+    user.auth.local.hashed_password = hashed_password;
+    utils.txnEmail(user, 'reset-password', [
+      {name: "NEW_PASSWORD", content: newPassword},
+      {name: "USERNAME", content: user.auth.local.username}
+    ]);
+    user.save(function(err){
+      if(err) return next(err);
+      res.send('New password sent to '+ email);
+      email = salt = newPassword = hashed_password = null;
+    });
+  });
+};
+
+var invalidPassword = function(user, password){
+  var hashed_password = utils.encryptPassword(password, user.auth.local.salt);
+  if (hashed_password !== user.auth.local.hashed_password)
+    return {code:401, err:"Incorrect password"};
+  return false;
+}
+
+api.changeUsername = function(req, res, next) {
+  async.waterfall([
+    function(cb){
+      User.findOne({'auth.local.username': RegexEscape(req.body.username)}, {auth:1}, cb);
+    },
+    function(found, cb){
+      if (found) return cb({code:401, err: "Username already taken"});
+      if (invalidPassword(res.locals.user, req.body.password)) return cb(invalidPassword(res.locals.user, req.body.password));
+      res.locals.user.auth.local.username = req.body.username;
+      res.locals.user.save(cb);
+    }
+  ], function(err){
+    if (err) return err.code ? res.json(err.code, err) : next(err);
+    res.send(200);
+  })
+}
+
+api.changeEmail = function(req, res, next){
+  async.waterfall([
+    function(cb){
+      User.findOne({'auth.local.email': RegexEscape(req.body.email)}, {auth:1}, cb);
+    },
+    function(found, cb){
+      if(found) return cb({code:401, err: "Email already taken"});
+      if (invalidPassword(res.locals.user, req.body.password)) return cb(invalidPassword(res.locals.user, req.body.password));
+      res.locals.user.auth.local.email = req.body.email;
+      res.locals.user.save(cb);
+    }
+  ], function(err){
+    if (err) return err.code ? res.json(err.code,err) : next(err);
+    res.send(200);
+  })
+}
+
+api.changePassword = function(req, res, next) {
+  var user = res.locals.user,
+    oldPassword = req.body.oldPassword,
+    newPassword = req.body.newPassword,
+    confirmNewPassword = req.body.confirmNewPassword;
+
+  if (newPassword != confirmNewPassword)
+    return res.json(401, {err: "Password & Confirm don't match"});
+
+  var salt = user.auth.local.salt,
+    hashed_old_password = utils.encryptPassword(oldPassword, salt),
+    hashed_new_password = utils.encryptPassword(newPassword, salt);
+
+  if (hashed_old_password !== user.auth.local.hashed_password)
+    return res.json(401, {err:"Old password doesn't match"});
+
+  user.auth.local.hashed_password = hashed_new_password;
+  user.save(function(err, saved){
+    if (err) next(err);
+    res.send(200);
+  })
+}
+
+/*
+ Registers a new user. Only accepting username/password registrations, no Facebook
+ */
+
+api.setupPassport = function(router) {
+
+  router.get('/logout', i18n.getUserLanguage, function(req, res) {
+    req.logout();
+    delete req.session.userId;
+    res.redirect('/');
+  })
+
+};
--- a/website/public/js/controllers/groupsCtrl.js
+++ b/website/public/js/controllers/groupsCtrl.js
@@ -111,7 +111,7 @@ habitrpg.controller("GroupsCtrl", ['$scope', '$rootScope', 'Shared', 'Groups', '
  .controller("MemberModalCtrl", ['$scope', '$rootScope', 'Members', 'Shared', '$http', 'Notification', 'Groups',
    function($scope, $rootScope, Members, Shared, $http, Notification, Groups) {
      $scope.timestamp = function(timestamp){
-        return moment(timestamp).format('MM/DD/YYYY');
+        return moment(timestamp).format($rootScope.User.user.preferences.dateFormat.toUpperCase());
      }
      // We watch Members.selectedMember because it's asynchronously set, so would be a hassle to handle updates here
      $scope.$watch( function() { return Members.selectedMember; }, function (member) {
--- a/website/public/js/controllers/rootCtrl.js
+++ b/website/public/js/controllers/rootCtrl.js
@@ -166,7 +166,7 @@ habitrpg.controller("RootCtrl", ['$scope', '$rootScope', '$location', 'User', '$
      }
      matrix = [[env.t('date'), env.t('score')]];
      _.each(history, function(obj) {
-        matrix.push([moment(obj.date).format('MM/DD/YY'), obj.value]);
+        matrix.push([moment(obj.date).format(User.user.preferences.dateFormat.toUpperCase().replace('YYYY','YY') ), obj.value]);
      });
      data = google.visualization.arrayToDataTable(matrix);
      options = {
--- a/website/public/js/services/guideServices.js
+++ b/website/public/js/services/guideServices.js
@@ -5,8 +5,8 @@
 */

 angular.module('habitrpg').factory('Guide',
-['$rootScope', 'User', '$timeout',
-function($rootScope, User, $timeout) {
+['$rootScope', 'User', '$timeout', '$state',
+function($rootScope, User, $timeout, $state) {
  /**
   * Init and show the welcome tour. Note we do it listening to a $rootScope broadcasted 'userLoaded' message,
   * this because we need to determine whether to show the tour *after* the user has been pulled from the server,
@@ -17,7 +17,7 @@ function($rootScope, User, $timeout) {
    if (User.user.flags.showTour === false) return;
    var tourSteps = [
      {
-        element: ".main-herobox",
+        orphan:true,
        title: window.env.t('welcomeHabit'),
        content: window.env.t('welcomeHabitT1') + " <a href='http://www.kickstarter.com/profile/1823740484' target='_blank'>Justin</a>, " + window.env.t('welcomeHabitT2'),
      }, {
@@ -29,11 +29,11 @@ function($rootScope, User, $timeout) {
        title: window.env.t('avatarCustom'),
        content: window.env.t('avatarCustomText'),
      }, {
-        element: "#bars",
+        element: ".hero-stats",
        title: window.env.t('hitPoints'),
        content: window.env.t('hitPointsText'),
      }, {
-        element: "#bars",
+        element: ".hero-stats",
        title: window.env.t('expPoints'),
        content: window.env.t('expPointsText'),
      }, {
@@ -55,7 +55,7 @@ function($rootScope, User, $timeout) {
        element: "ul.todos",
        title: window.env.t('todos'),
        content: window.env.t('tourTodos'),
-        placement: "top"
+        placement: "top",
      }, {
        element: "ul.main-list.rewards",
        title: window.env.t('rewards'),
@@ -67,34 +67,32 @@ function($rootScope, User, $timeout) {
        content: window.env.t('hoverOverText'),
        placement: "right"
      }, {
-        element: "ul.habits li:first-child",
+        orphan:true,
        title: window.env.t('unlockFeatures'),
        content: window.env.t('unlockFeaturesT1') + " <a href='http://habitrpg.wikia.com' target='_blank'>" + window.env.t('habitWiki') + "</a> " + window.env.t('unlockFeaturesT2'),
        placement: "right"
      }
    ];
-    _.each(tourSteps, function(step){
-      if (env.worldDmg.guide) {
-        step.content = "<div><div class='npc_justin_broken float-left'></div>" + step.content + "</div>";
-      } else {
-        step.content = "<div><div class='npc_justin float-left'></div>" + step.content + "</div>";
-      }
-    });
    $('.main-herobox').popover('destroy');
    var tour = new Tour({
-      template: "<div class='popover'>" +
-        "<div class='arrow'></div><h3 class='popover-title'></h3><div class='popover-content'></div>" +
-        "<div class='popover-navigation'><div class='btn-group'>" +
-        "<button class='btn btn-sm btn-default' data-role='prev'>&laquo;</button>" +
-        "<button class='btn btn-sm btn-default' data-role='next'>&raquo;</button>" +
-        "<button class='btn btn-sm btn-default' data-role='pause-resume' data-pause-text='Pause' data-resume-text='Resume'>Pause</button></div>" +
-        "<button class='btn btn-sm btn-default' data-role='end'>" + window.env.t('endTour') + "</button></div></div>",
+      backdrop: true,
+      //orphan: true,
+      //keyboard: false,
+      template: '<div class="popover" role="tooltip"> <div class="arrow"></div> <h3 class="popover-title"></h3> <div class="popover-content"></div> <div class="popover-navigation"> <div class="btn-group"> <button class="btn btn-sm btn-default" data-role="prev">&laquo; Prev</button> <button class="btn btn-sm btn-default" data-role="next">Next &raquo;</button> <button class="btn btn-sm btn-default" data-role="pause-resume" data-pause-text="Pause" data-resume-text="Resume">Pause</button> </div> <button class="btn btn-sm btn-default" data-role="end">' + window.env.t('endTour') + '</button> </div> </div>',
      onEnd: function(){
        User.set({'flags.showTour': false});
      }
    });
-    tourSteps.forEach(function(step) {
-      tour.addStep(_.defaults(step, {html: true}));
+    _.each(tourSteps, function(step) {
+      step.content = "<div><div class='" + (env.worldDmg.guide ? "npc_justin_broken" : "npc_justin") + " float-left'></div>" + step.content + "</div>";
+      step.onShow = function(){
+        // Since all the steps are currently on the tasks page, ensure we go back there for each step in case they
+        // clicked elsewhere during the tour. FIXME: $state.go() returns a promise, necessary for async tour steps;
+        // however, that's not working here - have to use timeout instead :/
+        if (!$state.is('tasks')) return $timeout(function(){$state.go('tasks');}, 0)
+      }
+      step.html = true;
+      tour.addStep(step);
    });
    tour.restart(); // Tour doesn't quite mesh with our handling of flags.showTour, just restart it on page load
    //tour.start(true);
--- a/website/public/manifest.json
+++ b/website/public/manifest.json
@@ -73,6 +73,7 @@
            "bower_components/pnotify/jquery.pnotify.default.css",
            "bower_components/pnotify/jquery.pnotify.default.icons.css",
            "common/sprites/habitrpg-shared.css",
+            "bower_components/bootstrap-tour/build/css/bootstrap-tour.css",
            "fontello/css/fontelico.css"
        ]
    },
--- a/website/src/controllers/auth.js
+++ b/website/src/controllers/auth.js
@@ -23,9 +23,9 @@ var accountSuspended = function(uuid){
    code: 'ACCOUNT_SUSPENDED'
  };
 }
-// escape email for regex, then search case-insensitive. See http://stackoverflow.com/a/3561711/362790
-var mongoEmailRegex = function(email){
-  return new RegExp('^' + email.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') + '$', 'i');
+// Allow case-insensitive regex searching for Mongo queries. See http://stackoverflow.com/a/3561711/362790
+var RegexEscape = function(s){
+  return new RegExp('^' + s.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') + '$', 'i');
 }

 api.auth = function(req, res, next) {
@@ -76,10 +76,10 @@ api.registerUser = function(req, res, next) {
      cb();
    },
    findEmail: function(cb) {
-      User.findOne({'auth.local.email': req.body.email}, cb);
+      User.findOne({'auth.local.email': RegexEscape(req.body.email)}, {_id:1}, cb);
    },
    findUname: function(cb) {
-      User.findOne({'auth.local.username': req.body.username}, cb);
+      User.findOne({'auth.local.username': RegexEscape(req.body.username)}, {_id:1}, cb);
    },
    findFacebook: function(cb){
      User.findOne({_id: req.headers['x-api-user'], apiToken: req.headers['x-api-key']}, {auth:1}, cb);
@@ -211,7 +211,7 @@ api.resetPassword = function(req, res, next){
    newPassword =  utils.makeSalt(), // use a salt as the new password too (they'll change it later)
    hashed_password = utils.encryptPassword(newPassword, salt);

-  User.findOne({'auth.local.email':mongoEmailRegex(email)}, function(err, user){
+  User.findOne({'auth.local.email': RegexEscape(email)}, function(err, user){
    if (err) return next(err);
    if (!user) return res.send(500, {err:"Couldn't find a user registered for email " + email});
    user.auth.local.salt = salt;
@@ -238,7 +238,7 @@ var invalidPassword = function(user, password){
 api.changeUsername = function(req, res, next) {
  async.waterfall([
    function(cb){
-      User.findOne({'auth.local.username': req.body.username}, {auth:1}, cb);
+      User.findOne({'auth.local.username': RegexEscape(req.body.username)}, {auth:1}, cb);
    },
    function(found, cb){
      if (found) return cb({code:401, err: "Username already taken"});
@@ -255,7 +255,7 @@ api.changeUsername = function(req, res, next) {
 api.changeEmail = function(req, res, next){
  async.waterfall([
    function(cb){
-      User.findOne({'auth.local.email': mongoEmailRegex(req.body.email)}, {auth:1}, cb);
+      User.findOne({'auth.local.email': RegexEscape(req.body.email)}, {auth:1}, cb);
    },
    function(found, cb){
      if(found) return cb({code:401, err: "Email already taken"});
--- a/website/views/index.jade
+++ b/website/views/index.jade
--- a/website/views/static/layout.jade
+++ b/website/views/static/layout.jade