/op USER remove only works until USER reconnects

Describe the bug Using the /op command to remove a user from being op only works until they reconnect again. Un-opping is done by adding an entry with 1ns expiry time, which is rejected by the Set (https://github.com/shazow/ssh-chat/blob/7413539965622ba07e8cd3719fc9d545fb52c5fd/set/set.go#L130 and https://github.com/shazow/ssh-chat/blob/7413539965622ba07e8cd3719fc9d545fb52c5fd/set/set.go#L111) as expired (unless you're really, really fast, which never happened to me). Upon reconnection, the public key is still in the op set, so a removed op regains op status.

Versions

Client version: any
Server version: at least the latest one, probably every one after /op with remove was added in 60701198fccf36167899d756ede9e4d5770e9a9b

To Reproduce Steps to reproduce the behavior:

Start a chat server and connect as op
run: /op (your name) remove
you are no longer op (as seen with /whois and "must be op" for op commands)
disconnect and reconnect
you are op again (as seen with /whois and "must be op" for op commands)

This also works with two ops and one up-opping the other (probably a more typical case), but the above seems to be the simplest.

Expected behavior op2 should not be op after being removed.

Additional context I found this while writing a /whitelist for #270, so I'll just incorporate a fix for this there, if that's ok (doesn't seem extremely urgent to me).

The two possible solutions I can think of are:

Allow expired items to be added. This probably changes less code, but I haven't really checked if something depends on the current error. (Just grep ErrNil, which returned nothing outside of set/set.go)
Add DeWhitelist and DeOp methods to Auth that call Set.Remove. This requires more changes, but seems like The Right Way.

In any case, I'd probably also add some error logging or passing errors up where auth deals with Set.

shazow / ssh-chat

/op USER remove only works until USER reconnects #397