Account functionality extended, API authentication implemented

- Can now add a second email address to your account and delete one of 
your email addresses
- Reset password now works
- Resetting the password of an account without a password set will set 
one
- Email templates overhauled
- Login tokens limited to close previously devastating ($800 database 
bill) security hole
- Login with REST API now works
- Once logged in, authentication of API calls with token works
- Creatures can now be fetched using the API

app/imports/server/config/SimpleRestConfig.js

@@ -1,8 +1,7 @@
-import { JsonRoutes } from 'meteor/simple:json-routes';
+import { JsonRoutes, RestMiddleware  } from 'meteor/simple:json-routes';
 import { SimpleRest } from 'meteor/simple:rest';
 
 Meteor.startup(() => {
-  //
   // Enable cross origin requests for all endpoints
   JsonRoutes.setResponseHeaders({
     'Cache-Control': 'no-store',
@@ -17,3 +16,18 @@ SimpleRest.configure({
   // No default collection methods get end points
   collections: [],
 });
+
+// All errors are handled as JSON
+JsonRoutes.ErrorMiddleware.use(RestMiddleware.handleErrorAsJson);
+
+// Hack to stop simple:rest adding routes automatically unless their URL
+// has been explicitly set to 'api/...'
+const oldAdd = JsonRoutes.add;
+JsonRoutes.add = function(method, path, handler){
+  if (path.substring(0,4) !== 'api/'){
+    return;
+  }
+  oldAdd(method, path, handler);
+}
+
+import '/imports/server/rest/restLogin.js';