Cleanup

README.md

@@ -1,4 +1,4 @@
-# vppn: Virtual Pretty Private Network
+# vppn: Virtual Potentially Private Network
 
 ## TODO
 
@@ -30,7 +30,7 @@ AmbientCapabilities=CAP_NET_BIND_SERVICE
 Type=simple
 User=user
 WorkingDirectory=/home/user/
-ExecStart=/home/user/hub -listen <addr>:https -secure=true -root-dir=/home/user
+ExecStart=/home/user/hub -listen <addr>:https -root-dir=/home/user
 Restart=always
 RestartSec=8
 TimeoutStopSec=24

hub/app.go

@@ -19,14 +19,14 @@ var templateFS embed.FS
 type Config struct {
 	RootDir    string
 	ListenAddr string
-	Secure     bool
+	Insecure   bool
 }
 
 type App struct {
 	api      *api.API
 	mux      *http.ServeMux
 	tmpl     map[string]*template.Template
-	secure bool
+	insecure bool
 }
 
 func NewApp(conf Config) (*App, error) {
@@ -39,7 +39,7 @@ func NewApp(conf Config) (*App, error) {
 		api:      api,
 		mux:      http.NewServeMux(),
 		tmpl:     webutil.ParseTemplateSet(templateFuncs, templateFS),
-		secure: conf.Secure,
+		insecure: conf.Insecure,
 	}
 
 	app.registerRoutes()

hub/cookie.go

@@ -17,8 +17,9 @@ func (a *App) setCookie(w http.ResponseWriter, name, value string) {
 		Name:     name,
 		Value:    value,
 		Path:     "/",
-		Secure:   a.secure,
+		Secure:   !a.insecure,
 		SameSite: http.SameSiteStrictMode,
+		HttpOnly: true,
 		MaxAge:   86400 * 365 * 10,
 	})
 }

hub/main.go

@@ -15,7 +15,7 @@ func Main() {
 	conf := Config{}
 	flag.StringVar(&conf.RootDir, "root-dir", "", "[REQUIRED] Root directory.")
 	flag.StringVar(&conf.ListenAddr, "listen", "", "[REQUIRED] Listen address.")
-	flag.BoolVar(&conf.Secure, "secure", false, "Use secure cookies.")
+	flag.BoolVar(&conf.Insecure, "insecure", false, "Don't use secure cookies.")
 
 	flag.Parse()
 

node/supervisor.go

@@ -107,14 +107,10 @@ type peerStateData struct {
 // ----------------------------------------------------------------------------
 
 func (s *peerStateData) sendControlPacket(pkt interface{ Marshal([]byte) []byte }) {
-	s.limiter.Limit()
+	s._sendControlPacket(pkt, s.staged)
-	_sendControlPacket(pkt, s.staged, s.buf1, s.buf2)
 }
 
-func (s *peerStateData) sendControlPacketTo(
+func (s *peerStateData) sendControlPacketTo(pkt interface{ Marshal([]byte) []byte }, addr netip.AddrPort) {
-	pkt interface{ Marshal([]byte) []byte },
-	addr netip.AddrPort,
-) {
 	if !addr.IsValid() {
 		s.logf("ERROR: Attepted to send packet to invalid address: %v", addr)
 		return
@@ -122,7 +118,14 @@ func (s *peerStateData) sendControlPacketTo(
 	route := s.staged
 	route.Direct = true
 	route.RemoteAddr = addr
-	s.limiter.Limit()
+	s._sendControlPacket(pkt, route)
+}
+
+func (s *peerStateData) _sendControlPacket(pkt interface{ Marshal([]byte) []byte }, route peerRoute) {
+	if err := s.limiter.Limit(); err != nil {
+		s.logf("Not sending control packet: rate limited.") // Shouldn't happen.
+		return
+	}
 	_sendControlPacket(pkt, route, s.buf1, s.buf2)
 }