review comments

management/internals/modules/reverseproxy/domain/manager/manager_test.go

@@ -62,20 +62,22 @@ func TestGetClusterAllowList_NoBYOP_FallbackToShared(t *testing.T) {
 	assert.Equal(t, []string{"eu.proxy.netbird.io", "us.proxy.netbird.io"}, result)
 }
 
-func TestGetClusterAllowList_BYOPError_FallbackToShared(t *testing.T) {
+func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
 			return nil, errors.New("db error")
 		},
 		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			return []string{"eu.proxy.netbird.io"}, nil
+			t.Fatal("should not call GetActiveClusterAddresses when BYOP lookup fails")
+			return nil, nil
 		},
 	}
 
 	mgr := Manager{proxyManager: pm}
 	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
-	require.NoError(t, err)
-	assert.Equal(t, []string{"eu.proxy.netbird.io"}, result)
+	require.Error(t, err)
+	assert.Nil(t, result)
+	assert.Contains(t, err.Error(), "BYOP cluster addresses")
 }
 
 func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {

management/internals/modules/reverseproxy/proxy/proxy.go

@@ -1,6 +1,11 @@
 package proxy
 
-import "time"
+import (
+	"errors"
+	"time"
+)
+
+var ErrAccountProxyAlreadyExists = errors.New("account already has a registered proxy")
 
 const (
 	StatusConnected    = "connected"

management/internals/modules/reverseproxy/proxytoken/handler.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 type handler struct {
@@ -58,8 +59,14 @@ func (h *handler) createToken(w http.ResponseWriter, r *http.Request) {
 	}
 
 	var expiresIn time.Duration
-	if req.ExpiresIn != nil && *req.ExpiresIn > 0 {
-		expiresIn = time.Duration(*req.ExpiresIn) * time.Second
+	if req.ExpiresIn != nil {
+		if *req.ExpiresIn < 0 {
+			util.WriteErrorResponse("expires_in must be non-negative", http.StatusBadRequest, w)
+			return
+		}
+		if *req.ExpiresIn > 0 {
+			expiresIn = time.Duration(*req.ExpiresIn) * time.Second
+		}
 	}
 
 	accountID := userAuth.AccountId
@@ -134,7 +141,11 @@ func (h *handler) revokeToken(w http.ResponseWriter, r *http.Request) {
 
 	token, err := h.store.GetProxyAccessTokenByID(r.Context(), store.LockingStrengthNone, tokenID)
 	if err != nil {
-		util.WriteErrorResponse("token not found", http.StatusNotFound, w)
+		if s, ok := status.FromError(err); ok && s.ErrorType == status.NotFound {
+			util.WriteErrorResponse("token not found", http.StatusNotFound, w)
+		} else {
+			util.WriteErrorResponse("failed to retrieve token", http.StatusInternalServerError, w)
+		}
 		return
 	}