* The CSS styles were leaking information about tunnels, even for
things like the login page, which can be sent to anyone.
* Tokens could be created for any user by any user.
Not sure the feature is boring enough to keep. There are some tricky
things that still need to be solved like figuring out how to let
tunnels share the same public key, since the OpenSSH server seems to
only pick up the first instance of each key in the authorized_keys
file.
Also, what happens if someone wants to use their normal SSH key for
the server for a boringproxy tunnel. I could easily introduce a bug
that would lock someone out of their server in certain corner cases.
I think adding the ability to download the private key for each tunnel
will handle most cases for now.
Just needed to add an option to allow external connections to the
ports from the server, then set the proper values in the
authorized_keys file and on the client.
Allows tunnels to specify what address the client with connect to
for upstream connections.
Also changed the tunnel-adder UI.
Also fixed a bug where invalid domains would crash. Needed to
properly return an error dialog.
Debugging notes:
* The act of refreshing a page can delete tunnels created by other UI
sessions, I think because it has local CSS checkbox state.
* Happens on firefox desktop and mobile. Here's how to reproduce:
1. Load the UI in Chrome and FF.
2. Delete the last tunnel from FF.
3. Add it back in Chrome.
4. Refresh FF. The tunnel will be silently deleted.
* I'm pretty sure this is bugged behavior in FF, because the checkboxes have
completely unique ids, but it's treating them like the same checkbox.
* Setting autocomplete='off' on the input elements seems to fix the problem.
Not sure if it will work correctly in all browsers.
