* The CSS styles were leaking information about tunnels, even for
things like the login page, which can be sent to anyone.
* Tokens could be created for any user by any user.
Not sure the feature is boring enough to keep. There are some tricky
things that still need to be solved like figuring out how to let
tunnels share the same public key, since the OpenSSH server seems to
only pick up the first instance of each key in the authorized_keys
file.
Also, what happens if someone wants to use their normal SSH key for
the server for a boringproxy tunnel. I could easily introduce a bug
that would lock someone out of their server in certain corner cases.
I think adding the ability to download the private key for each tunnel
will handle most cases for now.
Allows tunnels to specify what address the client with connect to
for upstream connections.
Also changed the tunnel-adder UI.
Also fixed a bug where invalid domains would crash. Needed to
properly return an error dialog.
Needed to change HTML architecture to inline multiple independent
copies of the menu. There might be a cleaner way to do this, but
it will work for now.
Learned about the :target CSS selector, which can be used to
replace content depending on the current URL hash. This allows
making a sort of single page app without JavaScript.
Currently experimenting with returning all the pages in a single
request, then switching between them with :target. Seems to be
working quite well so far.
API is now the central control point for making authorized
requests. The current architecture is:
* db simply returns all data
* api uses tokens to filter data from db. It includes methods for
returning objects, and HTTP endpoints for return JSON.
* ui calls the api functions to get filtered data.
Also changed order that extractToken looks for tokens. Used to
be cookies then headers then query. Now in reverse, to make it
easier to override, ie for replacing cookies during login.
