update log levels

2026-05-26 18:49:56 +00:00 · 2026-05-26 18:23:16 +02:00
10 changed files with 105 additions and 133 deletions
--- a/management/internals/controllers/network_map/update_channel/updatechannel.go
+++ b/management/internals/controllers/network_map/update_channel/updatechannel.go
@@ -51,7 +51,7 @@ func (p *PeersUpdateManager) SendUpdate(ctx context.Context, peerID string, upda
 		found = true
 		select {
 		case channel <- update:
-			log.WithContext(ctx).Debugf("update was sent to channel for peer %s", peerID)
+			log.WithContext(ctx).Tracef("update was sent to channel for peer %s", peerID)
 		default:
 			dropped = true
 			log.WithContext(ctx).Warnf("channel for peer %s is %d full or closed", peerID, len(channel))
--- a/management/internals/server/boot.go
+++ b/management/internals/server/boot.go
@@ -120,7 +120,7 @@ func (s *BaseServer) EventStore() activity.Store {

 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.Router(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.Metrics(), s.PermissionsManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.InstanceManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.AuthMiddleware())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.Router(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.PermissionsManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter(), s.IsValidChildAccount)
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -153,20 +153,6 @@ func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {
 	})
 }

-func (s *BaseServer) AuthMiddleware() mux.MiddlewareFunc {
-	return Create(s, func() mux.MiddlewareFunc {
-		m := middleware.NewAuthMiddleware(
-			s.AuthManager(),
-			s.AccountManager().GetAccountIDFromUserAuth,
-			s.AccountManager().SyncUserJWTGroups,
-			s.AccountManager().GetUserFromUserAuth,
-			s.RateLimiter(),
-			s.Metrics().GetMeter(),
-		)
-		return m.Handler
-	})
-}
-
 func (s *BaseServer) GRPCServer() *grpc.Server {
 	return Create(s, func() *grpc.Server {
 		trustedPeers := s.Config.ReverseProxy.TrustedPeers
--- a/management/internals/server/modules.go
+++ b/management/internals/server/modules.go
@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/instance"
 	"github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
@@ -152,16 +151,6 @@ func (s *BaseServer) IdpManager() idp.Manager {
 	})
 }

-func (s *BaseServer) InstanceManager() instance.Manager {
-	return Create(s, func() instance.Manager {
-		m, err := instance.NewManager(context.Background(), s.Store(), s.IdpManager())
-		if err != nil {
-			log.Fatalf("failed to create instance manager: %v", err)
-		}
-		return m
-	})
-}
-
 // OAuthConfigProvider is only relevant when we have an embedded IdP service. Otherwise must be nil
 func (s *BaseServer) OAuthConfigProvider() idp.OAuthConfigProvider {
 	if s.Config.EmbeddedIdP == nil || !s.Config.EmbeddedIdP.Enabled {
@@ -240,3 +229,6 @@ func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
 	})
 }

+func (s *BaseServer) IsValidChildAccount(_ context.Context, _, _, _ string) bool {
+	return false
+}
--- a/management/internals/shared/grpc/server.go
+++ b/management/internals/shared/grpc/server.go
@@ -437,7 +437,7 @@ func (s *Server) handleUpdates(ctx context.Context, accountID string, peerKey wg
 				return nil
 			}

-			log.WithContext(ctx).Debugf("received an update for peer %s", peerKey.String())
+			log.WithContext(ctx).Tracef("received an update for peer %s", peerKey.String())
 			if debouncer.ProcessUpdate(update) {
 				// Send immediately (first update or after quiet period)
 				if err := s.sendUpdate(ctx, accountID, peerKey, peer, update, srv, streamStartTime); err != nil {
@@ -492,7 +492,7 @@ func (s *Server) sendUpdate(ctx context.Context, accountID string, peerKey wgtyp
 		s.cancelPeerRoutines(ctx, accountID, peer, streamStartTime)
 		return status.Errorf(codes.Internal, "failed sending update message")
 	}
-	log.WithContext(ctx).Debugf("sent an update to peer %s", peerKey.String())
+	log.WithContext(ctx).Tracef("sent an update to peer %s", peerKey.String())
 	return nil
 }

--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -8,6 +8,7 @@ import (

 	"github.com/gorilla/mux"
 	"github.com/rs/cors"
+	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"

@@ -19,6 +20,7 @@ import (
 	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service/manager"

 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
+	idpmanager "github.com/netbirdio/netbird/management/server/idp"

 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
@@ -32,6 +34,7 @@ import (

 	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"

+	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	nbgroups "github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/http/handlers/accounts"
@@ -46,6 +49,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/handlers/routes"
 	"github.com/netbirdio/netbird/management/server/http/handlers/setup_keys"
 	"github.com/netbirdio/netbird/management/server/http/handlers/users"
+	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
 	nbinstance "github.com/netbirdio/netbird/management/server/instance"
 	nbnetworks "github.com/netbirdio/netbird/management/server/networks"
@@ -55,7 +59,7 @@ import (
 )

 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, appMetrics telemetry.AppMetrics, permissionsManager permissions.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, instanceManager nbinstance.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, authMiddleware mux.MiddlewareFunc) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, permissionsManager permissions.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter, isValidChildAccount middleware.IsValidChildAccountFunc) (http.Handler, error) {

 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -76,11 +80,32 @@ func NewAPIHandler(ctx context.Context, router *mux.Router, accountManager accou
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}

+	if rateLimiter == nil {
+		log.Warn("NewAPIHandler: nil rate limiter, rate limiting disabled")
+		rateLimiter = middleware.NewAPIRateLimiter(nil)
+		rateLimiter.SetEnabled(false)
+	}
+
+	authMiddleware := middleware.NewAuthMiddleware(
+		authManager,
+		accountManager.GetAccountIDFromUserAuth,
+		accountManager.SyncUserJWTGroups,
+		accountManager.GetUserFromUserAuth,
+		rateLimiter,
+		appMetrics.GetMeter(),
+		isValidChildAccount,
+	)
+
 	corsMiddleware := cors.AllowAll()

 	metricsMiddleware := appMetrics.HTTPMiddleware()

-	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware)
+	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler)
+
+	instanceManager, err := nbinstance.NewManager(ctx, accountManager.GetStore(), idpManager)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create instance manager: %w", err)
+	}

 	accounts.AddEndpoints(accountManager, settingsManager, router)
 	peers.AddEndpoints(accountManager, router, networkMapController, permissionsManager)
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -8,7 +8,6 @@ import (
 	"strings"
 	"time"

-	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"

@@ -26,8 +25,7 @@ type SyncUserJWTGroupsFunc func(ctx context.Context, userAuth auth.UserAuth) err

 type GetUserFromUserAuthFunc func(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)

-// jwtTokenCtxKey carries the parsed JWT token.
-type jwtTokenCtxKey struct{}
+type IsValidChildAccountFunc func(ctx context.Context, userID, accountID, childAccountID string) bool

 // AuthMiddleware middleware to verify personal access tokens (PAT) and JWT tokens
 type AuthMiddleware struct {
@@ -37,6 +35,7 @@ type AuthMiddleware struct {
 	syncUserJWTGroups   SyncUserJWTGroupsFunc
 	rateLimiter         *APIRateLimiter
 	patUsageTracker     *PATUsageTracker
+	isValidChildAccount IsValidChildAccountFunc
 }

 // NewAuthMiddleware instance constructor
@@ -47,6 +46,7 @@ func NewAuthMiddleware(
 	getUserFromUserAuth GetUserFromUserAuthFunc,
 	rateLimiter *APIRateLimiter,
 	meter metric.Meter,
+	isValidChildAccount IsValidChildAccountFunc,
 ) *AuthMiddleware {
 	var patUsageTracker *PATUsageTracker
 	if meter != nil {
@@ -64,18 +64,12 @@ func NewAuthMiddleware(
 		getUserFromUserAuth: getUserFromUserAuth,
 		rateLimiter:         rateLimiter,
 		patUsageTracker:     patUsageTracker,
+		isValidChildAccount: isValidChildAccount,
 	}
 }

-// Handler composes the full authentication chain by wrapping the given
-// handler with ValidationHandler followed by AccountAccessHandler.
+// Handler method of the middleware which authenticates a user either by JWT claims or by PAT
 func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
-	return m.ValidationHandler(m.AccountAccessHandler(h))
-}
-
-// ValidationHandler authenticates the caller via JWT or PAT and stores the
-// resulting UserAuth in the request context. It performs no account-level work.
-func (m *AuthMiddleware) ValidationHandler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if bypass.ShouldBypass(r.URL.Path, h, w, r) {
 			return
@@ -92,14 +86,14 @@ func (m *AuthMiddleware) ValidationHandler(h http.Handler) http.Handler {

 		switch authType {
 		case "bearer":
-			if err := m.validateJWT(r, authHeader); err != nil {
+			if err := m.checkJWTFromRequest(r, authHeader); err != nil {
 				log.WithContext(r.Context()).Errorf("Error when validating JWT: %s", err.Error())
 				util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "token invalid"), w)
 				return
 			}
 			h.ServeHTTP(w, r)
 		case "token":
-			if err := m.validatePAT(r, authHeader); err != nil {
+			if err := m.checkPATFromRequest(r, authHeader); err != nil {
 				log.WithContext(r.Context()).Debugf("Error when validating PAT: %s", err.Error())
 				// Check if it's a status error, otherwise default to Unauthorized
 				if _, ok := status.FromError(err); !ok {
@@ -116,55 +110,66 @@ func (m *AuthMiddleware) ValidationHandler(h http.Handler) http.Handler {
 	})
 }

-// AccountAccessHandler runs post-validation access checks for JWT-authenticated
-// requests. PAT requests pass through unchanged.
-func (m *AuthMiddleware) AccountAccessHandler(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if bypass.ShouldBypass(r.URL.Path, h, w, r) {
-			return
-		}
-
-		userAuth, err := nbcontext.GetUserAuthFromRequest(r)
-		if err != nil {
-			util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "no valid authentication provided"), w)
-			return
-		}
-
-		if userAuth.IsPAT {
-			h.ServeHTTP(w, r)
-			return
-		}
-
-		validatedToken, _ := r.Context().Value(jwtTokenCtxKey{}).(*jwt.Token)
-
-		if err := m.applyAccountAccess(r, userAuth, validatedToken); err != nil {
-			log.WithContext(r.Context()).Errorf("Error applying JWT account access: %s", err.Error())
-			util.WriteError(r.Context(), status.Errorf(status.Unauthorized, "token invalid"), w)
-			return
-		}
-
-		h.ServeHTTP(w, r)
-	})
-}
-
-func (m *AuthMiddleware) validateJWT(r *http.Request, authHeaderParts []string) error {
+// CheckJWTFromRequest checks if the JWT is valid
+func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []string) error {
 	token, err := getTokenFromJWTRequest(authHeaderParts)
+
+	// If an error occurs, call the error handler and return an error
 	if err != nil {
 		return fmt.Errorf("error extracting token: %w", err)
 	}

-	userAuth, validatedToken, err := m.authManager.ValidateAndParseToken(r.Context(), token)
+	ctx := r.Context()
+
+	userAuth, validatedToken, err := m.authManager.ValidateAndParseToken(ctx, token)
 	if err != nil {
 		return err
 	}

+	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
+		if m.isValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+			userAuth.AccountId = impersonate[0]
+			userAuth.IsChild = true
+		}
+	}
+
+	// Email is now extracted in ToUserAuth (from claims or userinfo endpoint)
+	// Available as userAuth.Email
+
+	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
+	accountId, _, err := m.ensureAccount(ctx, userAuth)
+	if err != nil {
+		return err
+	}
+
+	if userAuth.AccountId != accountId {
+		log.WithContext(ctx).Tracef("Auth middleware sets accountId from ensure, before %s, now %s", userAuth.AccountId, accountId)
+		userAuth.AccountId = accountId
+	}
+
+	userAuth, err = m.authManager.EnsureUserAccessByJWTGroups(ctx, userAuth, validatedToken)
+	if err != nil {
+		return err
+	}
+
+	err = m.syncUserJWTGroups(ctx, userAuth)
+	if err != nil {
+		log.WithContext(ctx).Errorf("HTTP server failed to sync user JWT groups: %s", err)
+	}
+
+	_, err = m.getUserFromUserAuth(ctx, userAuth)
+	if err != nil {
+		log.WithContext(ctx).Errorf("HTTP server failed to update user from user auth: %s", err)
+		return err
+	}
+
 	// propagates ctx change to upstream middleware
 	*r = *nbcontext.SetUserAuthInRequest(r, userAuth)
-	*r = *r.WithContext(context.WithValue(r.Context(), jwtTokenCtxKey{}, validatedToken))
 	return nil
 }

-func (m *AuthMiddleware) validatePAT(r *http.Request, authHeaderParts []string) error {
+// CheckPATFromRequest checks if the PAT is valid
+func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []string) error {
 	token, err := getTokenFromPATRequest(authHeaderParts)
 	if err != nil {
 		return fmt.Errorf("error extracting token: %w", err)
@@ -187,7 +192,8 @@ func (m *AuthMiddleware) validatePAT(r *http.Request, authHeaderParts []string)
 		return fmt.Errorf("token expired")
 	}

-	if err := m.authManager.MarkPATUsed(ctx, pat.ID); err != nil {
+	err = m.authManager.MarkPATUsed(ctx, pat.ID)
+	if err != nil {
 		return err
 	}

@@ -199,40 +205,11 @@ func (m *AuthMiddleware) validatePAT(r *http.Request, authHeaderParts []string)
 		IsPAT:          true,
 	}

-	// propagates ctx change to upstream middleware
-	*r = *nbcontext.SetUserAuthInRequest(r, userAuth)
-	return nil
-}
-
-// applyAccountAccess executes account-level checks for an authenticated JWT
-// user: ensures the account exists, verifies access via JWT groups, syncs
-// groups, and fetches the user record.
-func (m *AuthMiddleware) applyAccountAccess(r *http.Request, userAuth auth.UserAuth, validatedToken *jwt.Token) error {
-	ctx := r.Context()
-
-	// we need to call this method because if user is new, we will automatically add it to existing or create a new account
-	accountId, _, err := m.ensureAccount(ctx, userAuth)
-	if err != nil {
-		return err
-	}
-
-	if userAuth.AccountId != accountId {
-		log.WithContext(ctx).Tracef("Auth middleware sets accountId from ensure, before %s, now %s", userAuth.AccountId, accountId)
-		userAuth.AccountId = accountId
-	}
-
-	userAuth, err = m.authManager.EnsureUserAccessByJWTGroups(ctx, userAuth, validatedToken)
-	if err != nil {
-		return err
-	}
-
-	if err := m.syncUserJWTGroups(ctx, userAuth); err != nil {
-		log.WithContext(ctx).Errorf("HTTP server failed to sync user JWT groups: %s", err)
-	}
-
-	if _, err := m.getUserFromUserAuth(ctx, userAuth); err != nil {
-		log.WithContext(ctx).Errorf("HTTP server failed to update user from user auth: %s", err)
-		return err
+	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
+		if m.isValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
+			userAuth.AccountId = impersonate[0]
+			userAuth.IsChild = true
+		}
 	}

 	// propagates ctx change to upstream middleware
--- a/management/server/http/middleware/auth_middleware_test.go
+++ b/management/server/http/middleware/auth_middleware_test.go
@@ -211,6 +211,7 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 		},
 		disabledLimiter,
 		nil,
+		func(_ context.Context, _, _, _ string) bool { return false },
 	)

 	handlerToTest := authMiddleware.Handler(nextHandler)
@@ -270,6 +271,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -322,6 +324,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -365,6 +368,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -409,6 +413,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -473,6 +478,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -532,6 +538,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -587,6 +594,7 @@ func TestAuthMiddleware_RateLimiting(t *testing.T) {
 			},
 			NewAPIRateLimiter(rateLimitConfig),
 			nil,
+			func(_ context.Context, _, _, _ string) bool { return false },
 		)

 		handler := authMiddleware.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -687,6 +695,7 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		},
 		disabledLimiter,
 		nil,
+		func(_ context.Context, _, _, _ string) bool { return false },
 	)

 	for _, tc := range tt {
--- a/management/server/http/testing/testing_tools/channel/channel.go
+++ b/management/server/http/testing/testing_tools/channel/channel.go
@@ -40,7 +40,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/groups"
 	http2 "github.com/netbirdio/netbird/management/server/http"
-	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools"
 	"github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
@@ -137,12 +136,8 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	rateLimiter := middleware.NewAPIRateLimiter(nil)
-	rateLimiter.SetEnabled(false)
-	authMiddleware := middleware.NewAuthMiddleware(authManagerMock, am.GetAccountIDFromUserAuth, am.SyncUserJWTGroups, am.GetUserFromUserAuth, rateLimiter, metrics.GetMeter())
-
 	apiRouter := mux.NewRouter().PathPrefix("/api").Subrouter()
-	apiHandler, err := http2.NewAPIHandler(context.Background(), apiRouter, am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, metrics, permissionsManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, authMiddleware.Handler)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), apiRouter, am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, permissionsManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
@@ -271,12 +266,8 @@ func BuildApiBlackBoxWithDBStateAndPeerChannel(t testing_tools.TB, sqlFile strin
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)

-	rateLimiter := middleware.NewAPIRateLimiter(nil)
-	rateLimiter.SetEnabled(false)
-	authMiddleware := middleware.NewAuthMiddleware(authManagerMock, am.GetAccountIDFromUserAuth, am.SyncUserJWTGroups, am.GetUserFromUserAuth, rateLimiter, metrics.GetMeter())
-
 	apiRouter := mux.NewRouter().PathPrefix("/api").Subrouter()
-	apiHandler, err := http2.NewAPIHandler(context.Background(), apiRouter, am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, metrics, permissionsManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, authMiddleware.Handler)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), apiRouter, am, networksManager, resourcesManager, routersManager, groupsManager, geoMock, authManagerMock, metrics, permissionsManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, serviceManager, nil, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}
--- a/management/server/posture/nb_version.go
+++ b/management/server/posture/nb_version.go
@@ -6,7 +6,6 @@ import (
 	"strings"

 	"github.com/hashicorp/go-version"
-	log "github.com/sirupsen/logrus"

 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )
@@ -33,9 +32,6 @@ func (n *NBVersionCheck) Check(ctx context.Context, peer nbpeer.Peer) (bool, err
 		return true, nil
 	}

-	log.WithContext(ctx).Debugf("peer %s NB version %s is older than minimum allowed version %s",
-		peer.ID, peer.Meta.WtVersion, n.MinVersion)
-
 	return false, nil
 }

--- a/management/server/posture/os_version.go
+++ b/management/server/posture/os_version.go
@@ -100,8 +100,6 @@ func checkMinVersion(ctx context.Context, peerGoOS, peerVersion string, check *M
 		return true, nil
 	}

-	log.WithContext(ctx).Debugf("peer %s OS version %s is older than minimum allowed version %s", peerGoOS, peerVersion, check.MinVersion)
-
 	return false, nil
 }

@@ -125,7 +123,5 @@ func checkMinKernelVersion(ctx context.Context, peerGoOS, peerVersion string, ch
 		return true, nil
 	}

-	log.WithContext(ctx).Debugf("peer %s kernel version %s is older than minimum allowed version %s", peerGoOS, peerVersion, check.MinKernelVersion)
-
 	return false, nil
 }