added docs for the tunnel client

README.md

@@ -347,9 +347,25 @@ tunnel_server:
     - 'api.tunnel.example.com'
 ```
 
-### tunnel\_client
+### tunnel
 
-TODO
+The tunnel client is meant to be run from behind a firewalls, carrier-grade NAT,
+or otherwise inaccessible devices to allow them to be accessed publicly on the
+internet.
+
+It has no options per se, but is rather a list of tokens that can be used to
+connect to tunnel servers. If the token does not have an `aud` field it must be
+provided in an object with the token provided in the `jwt` field and the tunnel
+server url provided in the `tunnelUrl` field.
+
+Example config:
+
+```yml
+tunnel:
+  - 'some.jwt_encoded.token'
+  - jwt: 'other.jwt_encoded.token'
+    tunnelUrl: 'wss://api.tunnel.example.com/'
+```
 
 ### ddns
 

lib/tunnel-client-manager.js

@@ -102,6 +102,9 @@ module.exports.create = function (deps, config) {
   }
 
   function addToken(data) {
+    if (!data.jwt) {
+      return PromiseA.reject(new Error("missing 'jwt' from tunnel data"));
+    }
     if (!data.tunnelUrl) {
       var decoded;
       try {
@@ -170,11 +173,19 @@ module.exports.create = function (deps, config) {
     return activeTunnels[data.tunnelUrl].clear(data.jwt);
   }
 
-  if (typeof config.tunnel === 'string') {
-    config.tunnel.split(',').forEach(function (jwt) {
-      addToken({ jwt: jwt, owner: 'config' });
-    });
+  var confTokens = config.tunnel;
+  if (typeof confTokens === 'string') {
+    confTokens = confTokens.split(',');
   }
+  confTokens.forEach(function (jwt) {
+    if (typeof jwt === 'object') {
+      jwt.owner = 'config';
+      addToken(jwt);
+    } else {
+      addToken({ jwt: jwt, owner: 'config' });
+    }
+  });
+
   storage.all().then(function (stored) {
     stored.forEach(function (result) {
       addToken(result);