FIX

in User#authenticate:
* make search by username case sensitive as in prod there already are
  usernames diffing only in case
* use guard clause instead of nesting

app/models/user.rb

@@ -449,38 +449,38 @@ class User < ActiveRecord::Base
   end
 
   def self.authenticate(login)
-    if (user = where("LOWER(username) = LOWER(?)", login[:username]).first)
+    user = where('username = ?', login[:username]).first
-      begin
+    return nil unless user
-        case user.password_hash
+
-        when User::PASSWORD_SCRYPT
+    begin
-          # FIXME: If exception occurs here, user cannot log in
+      case user.password_hash
-          pass = SCrypt::Password.new(user.password)
+      when User::PASSWORD_SCRYPT
-          return user if pass == login[:password]
+        # FIXME: If exception occurs here, user cannot log in
-        when User::PASSWORD_MD5_SCRYPT
+        pass = SCrypt::Password.new(user.password)
-          pass = SCrypt::Password.new(user.password)
+        return user if pass == login[:password]
-          # Match to Scrypt(Md5(password))
+      when User::PASSWORD_MD5_SCRYPT
-          if pass == Digest::MD5.hexdigest(login[:password])
+        pass = SCrypt::Password.new(user.password)
-            user.raw_password = login[:password]
+        # Match to Scrypt(Md5(password))
-            user.update_password
+        if pass == Digest::MD5.hexdigest(login[:password])
-            user.save!
+          user.raw_password = login[:password]
-            return user
+          user.update_password
-          end
+          user.save!
-        # when User::PASSWORD_MD5
+          return user
-        else
+        end
-          if user.password == Digest::MD5.hexdigest(login[:password])
+      # when User::PASSWORD_MD5
-            user.raw_password = login[:password]
+      else
-            user.update_password
+        if user.password == Digest::MD5.hexdigest(login[:password])
-            user.save!
+          user.raw_password = login[:password]
-            return user
+          user.update_password
-          end
+          user.save!
+          return user
         end
-      # TODO: controller needs to handle this
-      #rescue Exception => ex
-      #  user.errors.add(:password, "%s (%s)" % [I18n.t(:password_corrupt), ex.class.to_s])
-      #  return nil
       end
+    # TODO: controller needs to handle this
+    #rescue Exception => ex
+    #  user.errors.add(:password, "%s (%s)" % [I18n.t(:password_corrupt), ex.class.to_s])
+    #  return nil
     end
-    return nil
   end
 
   def self.get(id)