[android] add SSHClient gomobile binding for in-app terminal

Exposes SSHClient + SSHTerminalListener to the Android app. Connect()
auto-detects the server type via banner inspection and selects the auth
path: NetBird-SSH with JWT triggers the device-code OAuth flow via the
existing URLOpener; NetBird-SSH without JWT uses the NetBird private
key; regular SSH falls back to NetBird key then optional password. The
client dials through the running tunnel using a plain net.Dialer and
relies on the gomobile-bound listener for streaming PTY output back to
Java for rendering in an xterm.js WebView.

client/android/ssh_client.go

@@ -0,0 +1,434 @@
+//go:build android
+
+package android
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	gossh "golang.org/x/crypto/ssh"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/auth"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/ssh/detection"
+)
+
+const (
+	sshDialTimeout      = 30 * time.Second
+	sshDetectionTimeout = 5 * time.Second
+)
+
+// SSHTerminalListener receives SSH session events. It is implemented in Java.
+//
+// All callbacks are invoked from goroutines and may run concurrently with each
+// other; the implementation must be safe to call from any thread.
+type SSHTerminalListener interface {
+	OnConnected()
+	OnData(data []byte)
+	OnClose(reason string)
+	OnError(message string)
+}
+
+// SSHClient is a NetBird-aware SSH client exposed to Java via gomobile.
+//
+// It dials through the running NetBird tunnel and runs a standard SSH session
+// on top with PTY enabled. Host-key verification uses the NetBird-provided
+// peer SSH host keys, identical to the desktop client.
+type SSHClient struct {
+	nb        *Client
+	mu        sync.Mutex
+	listener  SSHTerminalListener
+	urlOpener URLOpener
+
+	sshClient *gossh.Client
+	session   *gossh.Session
+	stdin     io.WriteCloser
+	closed    bool
+}
+
+// NewSSHClient creates a new SSH client bound to the running NetBird Client.
+func NewSSHClient(c *Client) *SSHClient {
+	return &SSHClient{nb: c}
+}
+
+// SetListener registers the Java listener. Must be called before Connect to
+// receive any events.
+func (s *SSHClient) SetListener(l SSHTerminalListener) {
+	s.mu.Lock()
+	s.listener = l
+	s.mu.Unlock()
+}
+
+// SetURLOpener registers the Java URL opener used to display the device-code
+// authorization page in a Custom Tabs window when the target peer requires
+// JWT authentication. Must be set before Connect to be effective.
+func (s *SSHClient) SetURLOpener(opener URLOpener) {
+	s.mu.Lock()
+	s.urlOpener = opener
+	s.mu.Unlock()
+}
+
+// Connect dials the SSH server through the NetBird tunnel and performs the
+// SSH handshake. It auto-detects the server type via SSH banner inspection
+// and selects the appropriate authentication path:
+//
+//   - NetBird-SSH server requiring JWT: launches the OAuth 2.0 device-code
+//     flow, opens the verification URL through the registered URLOpener, and
+//     uses the resulting token as the SSH password. Host-key verification
+//     uses the NetBird peer registry.
+//   - NetBird-SSH server without JWT: authenticates with the NetBird SSH
+//     private key. Host-key verification uses the NetBird peer registry.
+//   - Regular SSH server (e.g. OpenSSH): authenticates with the NetBird key
+//     first (so a user-installed NetBird public key works), then falls back
+//     to the supplied password if non-empty. Host-key verification is
+//     disabled (TOFU pending).
+//
+// The password parameter is only consulted for regular SSH servers.
+func (s *SSHClient) Connect(host string, port int, user, password string) error {
+	cfg, _, cc := s.nb.stateSnapshot()
+	if cc == nil {
+		return errors.New("netbird client not running")
+	}
+	if cfg == nil {
+		return errors.New("netbird config not loaded")
+	}
+	engine := cc.Engine()
+	if engine == nil {
+		return errors.New("netbird engine not available")
+	}
+
+	serverType := detectServerType(host, port)
+	log.Infof("SSH server type for %s:%d: %s", host, port, serverType)
+
+	authMethods, hostKeyCallback, err := s.buildAuth(cfg, engine, serverType, password)
+	if err != nil {
+		return err
+	}
+
+	clientConfig := &gossh.ClientConfig{
+		User:            user,
+		Auth:            authMethods,
+		HostKeyCallback: hostKeyCallback,
+		Timeout:         sshDialTimeout,
+	}
+	return s.dialAndHandshake(host, port, clientConfig)
+}
+
+// StartSession requests a PTY and starts an interactive shell. Output from
+// the session is forwarded to the listener via OnData.
+func (s *SSHClient) StartSession(cols, rows int) error {
+	log.Debugf("SSH: starting session %dx%d", cols, rows)
+	s.mu.Lock()
+	sshClient := s.sshClient
+	s.mu.Unlock()
+
+	if sshClient == nil {
+		return errors.New("ssh client not connected")
+	}
+
+	session, err := sshClient.NewSession()
+	if err != nil {
+		return fmt.Errorf("new session: %w", err)
+	}
+
+	modes := gossh.TerminalModes{
+		gossh.ECHO:          1,
+		gossh.TTY_OP_ISPEED: 14400,
+		gossh.TTY_OP_OSPEED: 14400,
+		gossh.VINTR:         3,
+		gossh.VQUIT:         28,
+		gossh.VERASE:        127,
+	}
+	if err := session.RequestPty("xterm-256color", rows, cols, modes); err != nil {
+		closeQuiet(session, "session after pty error")
+		return fmt.Errorf("request pty: %w", err)
+	}
+
+	stdin, err := session.StdinPipe()
+	if err != nil {
+		closeQuiet(session, "session after stdin error")
+		return fmt.Errorf("stdin pipe: %w", err)
+	}
+	stdout, err := session.StdoutPipe()
+	if err != nil {
+		closeQuiet(session, "session after stdout error")
+		return fmt.Errorf("stdout pipe: %w", err)
+	}
+	stderr, err := session.StderrPipe()
+	if err != nil {
+		closeQuiet(session, "session after stderr error")
+		return fmt.Errorf("stderr pipe: %w", err)
+	}
+
+	if err := session.Shell(); err != nil {
+		closeQuiet(session, "session after shell error")
+		return fmt.Errorf("start shell: %w", err)
+	}
+
+	s.mu.Lock()
+	s.session = session
+	s.stdin = stdin
+	s.mu.Unlock()
+
+	go s.readLoop(stdout, "stdout")
+	go s.readLoop(stderr, "stderr")
+	log.Debug("SSH: session started, shell running")
+	return nil
+}
+
+// Write sends data to the SSH session stdin.
+func (s *SSHClient) Write(data []byte) error {
+	s.mu.Lock()
+	stdin := s.stdin
+	s.mu.Unlock()
+	if stdin == nil {
+		return errors.New("ssh session not started")
+	}
+	if _, err := stdin.Write(data); err != nil {
+		return fmt.Errorf("write stdin: %w", err)
+	}
+	return nil
+}
+
+// Resize updates the PTY window size.
+func (s *SSHClient) Resize(cols, rows int) error {
+	s.mu.Lock()
+	session := s.session
+	s.mu.Unlock()
+	if session == nil {
+		return errors.New("ssh session not started")
+	}
+	return session.WindowChange(rows, cols)
+}
+
+// Close terminates the SSH session and underlying connection. Safe to call
+// multiple times.
+func (s *SSHClient) Close() error {
+	s.mu.Lock()
+	sshClient := s.sshClient
+	session := s.session
+	stdin := s.stdin
+	s.sshClient = nil
+	s.session = nil
+	s.stdin = nil
+	s.mu.Unlock()
+
+	if stdin != nil {
+		if err := stdin.Close(); err != nil {
+			log.Debugf("ssh: stdin close: %v", err)
+		}
+	}
+	if session != nil {
+		if err := session.Close(); err != nil && !errors.Is(err, io.EOF) {
+			log.Debugf("ssh: session close: %v", err)
+		}
+	}
+	var firstErr error
+	if sshClient != nil {
+		if err := sshClient.Close(); err != nil {
+			firstErr = err
+		}
+	}
+	s.notifyClose("closed by client")
+	return firstErr
+}
+
+func (s *SSHClient) buildAuth(cfg *profilemanager.Config, engine *internal.Engine,
+	serverType detection.ServerType, password string) ([]gossh.AuthMethod, gossh.HostKeyCallback, error) {
+
+	switch serverType {
+	case detection.ServerTypeNetBirdJWT:
+		token, err := s.requestJWTToken(cfg)
+		if err != nil {
+			return nil, nil, fmt.Errorf("jwt: %w", err)
+		}
+		auths := []gossh.AuthMethod{gossh.Password(token)}
+		return auths, nbssh.CreateHostKeyCallback(&engineHostKeyVerifier{engine: engine}), nil
+
+	case detection.ServerTypeNetBirdNoJWT:
+		if cfg.SSHKey == "" {
+			return nil, nil, errors.New("no NetBird SSH key available")
+		}
+		signer, err := gossh.ParsePrivateKey([]byte(cfg.SSHKey))
+		if err != nil {
+			return nil, nil, fmt.Errorf("parse netbird ssh key: %w", err)
+		}
+		auths := []gossh.AuthMethod{gossh.PublicKeys(signer)}
+		return auths, nbssh.CreateHostKeyCallback(&engineHostKeyVerifier{engine: engine}), nil
+
+	default: // regular SSH
+		var auths []gossh.AuthMethod
+		if cfg.SSHKey != "" {
+			if signer, err := gossh.ParsePrivateKey([]byte(cfg.SSHKey)); err == nil {
+				auths = append(auths, gossh.PublicKeys(signer))
+			} else {
+				log.Debugf("ssh: parse netbird key for regular auth: %v", err)
+			}
+		}
+		if password != "" {
+			pw := password
+			auths = append(auths, gossh.Password(pw))
+			auths = append(auths, gossh.KeyboardInteractive(func(_, _ string, questions []string, _ []bool) ([]string, error) {
+				answers := make([]string, len(questions))
+				for i := range questions {
+					answers[i] = pw
+				}
+				return answers, nil
+			}))
+		}
+		if len(auths) == 0 {
+			return nil, nil, errors.New("no auth method available: provide a password or configure NetBird SSH key")
+		}
+		return auths, gossh.InsecureIgnoreHostKey(), nil // nolint:gosec // TOFU not yet implemented
+	}
+}
+
+func (s *SSHClient) requestJWTToken(cfg *profilemanager.Config) (string, error) {
+	s.mu.Lock()
+	urlOpener := s.urlOpener
+	s.mu.Unlock()
+	if urlOpener == nil {
+		return "", errors.New("URL opener not configured for JWT auth")
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	defer cancel()
+
+	flow, err := auth.NewOAuthFlow(ctx, cfg, false, true, profilemanager.GetLoginHint())
+	if err != nil {
+		return "", fmt.Errorf("create oauth flow: %w", err)
+	}
+
+	flowInfo, err := flow.RequestAuthInfo(ctx)
+	if err != nil {
+		return "", fmt.Errorf("request auth info: %w", err)
+	}
+
+	go urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)
+
+	tokenInfo, err := flow.WaitToken(ctx, flowInfo)
+	if err != nil {
+		return "", fmt.Errorf("wait for token: %w", err)
+	}
+
+	token := tokenInfo.GetTokenToUse()
+	if token == "" {
+		return "", errors.New("empty token returned by IdP")
+	}
+	return token, nil
+}
+
+func (s *SSHClient) dialAndHandshake(host string, port int, clientConfig *gossh.ClientConfig) error {
+	addr := net.JoinHostPort(host, strconv.Itoa(port))
+	log.Infof("SSH: connecting to %s as %s", addr, clientConfig.User)
+
+	ctx, cancel := context.WithTimeout(context.Background(), sshDialTimeout)
+	defer cancel()
+
+	var dialer net.Dialer
+	conn, err := dialer.DialContext(ctx, "tcp", addr)
+	if err != nil {
+		return fmt.Errorf("dial %s: %w", addr, err)
+	}
+
+	sshConn, chans, reqs, err := gossh.NewClientConn(conn, addr, clientConfig)
+	if err != nil {
+		if cerr := conn.Close(); cerr != nil {
+			log.Debugf("ssh: close after handshake error: %v", cerr)
+		}
+		return fmt.Errorf("ssh handshake: %w", err)
+	}
+
+	s.mu.Lock()
+	s.sshClient = gossh.NewClient(sshConn, chans, reqs)
+	listener := s.listener
+	s.mu.Unlock()
+
+	log.Infof("SSH: connected to %s", addr)
+	if listener != nil {
+		listener.OnConnected()
+	}
+	return nil
+}
+
+func (s *SSHClient) readLoop(r io.Reader, name string) {
+	buf := make([]byte, 4096)
+	for {
+		n, err := r.Read(buf)
+		if n > 0 {
+			s.mu.Lock()
+			listener := s.listener
+			s.mu.Unlock()
+			if listener != nil {
+				chunk := make([]byte, n)
+				copy(chunk, buf[:n])
+				listener.OnData(chunk)
+			}
+		}
+		if err != nil {
+			if !errors.Is(err, io.EOF) {
+				log.Debugf("ssh %s read: %v", name, err)
+			}
+			s.notifyClose(err.Error())
+			return
+		}
+	}
+}
+
+func (s *SSHClient) notifyClose(reason string) {
+	s.mu.Lock()
+	if s.closed {
+		s.mu.Unlock()
+		return
+	}
+	s.closed = true
+	listener := s.listener
+	s.mu.Unlock()
+	if listener != nil {
+		listener.OnClose(reason)
+	}
+}
+
+// engineHostKeyVerifier adapts *internal.Engine to nbssh.HostKeyVerifier.
+type engineHostKeyVerifier struct {
+	engine *internal.Engine
+}
+
+func (v *engineHostKeyVerifier) VerifySSHHostKey(peerAddress string, presented []byte) error {
+	storedKey, found := v.engine.GetPeerSSHKey(peerAddress)
+	if !found {
+		return nbssh.ErrPeerNotFound
+	}
+	return nbssh.VerifyHostKey(storedKey, presented, peerAddress)
+}
+
+func closeQuiet(c io.Closer, label string) {
+	if c == nil {
+		return
+	}
+	if err := c.Close(); err != nil && !errors.Is(err, io.EOF) {
+		log.Debugf("ssh: close %s: %v", label, err)
+	}
+}
+
+func detectServerType(host string, port int) detection.ServerType {
+	ctx, cancel := context.WithTimeout(context.Background(), sshDetectionTimeout)
+	defer cancel()
+
+	dialer := &net.Dialer{}
+	serverType, err := detection.DetectSSHServerType(ctx, dialer, host, port)
+	if err != nil {
+		log.Debugf("ssh: server detection for %s:%d failed: %v (assuming regular SSH)", host, port, err)
+		return detection.ServerTypeRegular
+	}
+	return serverType
+}

client/cmd/testutil_test.go

@@ -13,8 +13,6 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
@@ -31,6 +29,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -98,7 +97,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	t.Cleanup(ctrl.Finish)
 
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
-	peersmanager := peers.NewManager(store)
+	peersmanager := peers.NewManager(store, permissionsManagerMock)
 	settingsManagerMock := settings.NewMockManager(ctrl)
 
 	jobManager := job.NewJobManager(nil, store, peersmanager)

client/firewall/firewalld/firewalld.go

@@ -1,11 +0,0 @@
-// Package firewalld integrates with the firewalld daemon so NetBird can place
-// its wg interface into firewalld's "trusted" zone. This is required because
-// firewalld's nftables chains are created with NFT_CHAIN_OWNER on recent
-// versions, which returns EPERM to any other process that tries to insert
-// rules into them. The workaround mirrors what Tailscale does: let firewalld
-// itself add the accept rules to its own chains by trusting the interface.
-package firewalld
-
-// TrustedZone is the firewalld zone name used for interfaces whose traffic
-// should bypass firewalld filtering.
-const TrustedZone = "trusted"

client/firewall/firewalld/firewalld_linux.go

@@ -1,260 +0,0 @@
-//go:build linux
-
-package firewalld
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os/exec"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/godbus/dbus/v5"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	dbusDest      = "org.fedoraproject.FirewallD1"
-	dbusPath      = "/org/fedoraproject/FirewallD1"
-	dbusRootIface = "org.fedoraproject.FirewallD1"
-	dbusZoneIface = "org.fedoraproject.FirewallD1.zone"
-
-	errZoneAlreadySet = "ZONE_ALREADY_SET"
-	errAlreadyEnabled = "ALREADY_ENABLED"
-	errUnknownIface   = "UNKNOWN_INTERFACE"
-	errNotEnabled     = "NOT_ENABLED"
-
-	// callTimeout bounds each individual DBus or firewall-cmd invocation.
-	// A fresh context is created for each call so a slow DBus probe can't
-	// exhaust the deadline before the firewall-cmd fallback gets to run.
-	callTimeout = 3 * time.Second
-)
-
-var (
-	errDBusUnavailable = errors.New("firewalld dbus unavailable")
-
-	// trustLogOnce ensures the "added to trusted zone" message is logged at
-	// Info level only for the first successful add per process; repeat adds
-	// from other init paths are quieter.
-	trustLogOnce sync.Once
-
-	parentCtxMu sync.RWMutex
-	parentCtx   context.Context = context.Background()
-)
-
-// SetParentContext installs a parent context whose cancellation aborts any
-// in-flight TrustInterface call. It does not affect UntrustInterface, which
-// always uses a fresh Background-rooted timeout so cleanup can still run
-// during engine shutdown when the engine context is already cancelled.
-func SetParentContext(ctx context.Context) {
-	parentCtxMu.Lock()
-	parentCtx = ctx
-	parentCtxMu.Unlock()
-}
-
-func getParentContext() context.Context {
-	parentCtxMu.RLock()
-	defer parentCtxMu.RUnlock()
-	return parentCtx
-}
-
-// TrustInterface places iface into firewalld's trusted zone if firewalld is
-// running. It is idempotent and best-effort: errors are returned so callers
-// can log, but a non-running firewalld is not an error. Only the first
-// successful call per process logs at Info. Respects the parent context set
-// via SetParentContext so startup-time cancellation unblocks it.
-func TrustInterface(iface string) error {
-	parent := getParentContext()
-	if !isRunning(parent) {
-		return nil
-	}
-	if err := addTrusted(parent, iface); err != nil {
-		return fmt.Errorf("add %s to firewalld trusted zone: %w", iface, err)
-	}
-	trustLogOnce.Do(func() {
-		log.Infof("added %s to firewalld trusted zone", iface)
-	})
-	log.Debugf("firewalld: ensured %s is in trusted zone", iface)
-	return nil
-}
-
-// UntrustInterface removes iface from firewalld's trusted zone if firewalld
-// is running. Idempotent. Uses a Background-rooted timeout so it still runs
-// during shutdown after the engine context has been cancelled.
-func UntrustInterface(iface string) error {
-	if !isRunning(context.Background()) {
-		return nil
-	}
-	if err := removeTrusted(context.Background(), iface); err != nil {
-		return fmt.Errorf("remove %s from firewalld trusted zone: %w", iface, err)
-	}
-	return nil
-}
-
-func newCallContext(parent context.Context) (context.Context, context.CancelFunc) {
-	return context.WithTimeout(parent, callTimeout)
-}
-
-func isRunning(parent context.Context) bool {
-	ctx, cancel := newCallContext(parent)
-	ok, err := isRunningDBus(ctx)
-	cancel()
-	if err == nil {
-		return ok
-	}
-	if errors.Is(err, errDBusUnavailable) || errors.Is(err, context.DeadlineExceeded) {
-		ctx, cancel = newCallContext(parent)
-		defer cancel()
-		return isRunningCLI(ctx)
-	}
-	return false
-}
-
-func addTrusted(parent context.Context, iface string) error {
-	ctx, cancel := newCallContext(parent)
-	err := addDBus(ctx, iface)
-	cancel()
-	if err == nil {
-		return nil
-	}
-	if !errors.Is(err, errDBusUnavailable) {
-		log.Debugf("firewalld: dbus add failed, falling back to firewall-cmd: %v", err)
-	}
-	ctx, cancel = newCallContext(parent)
-	defer cancel()
-	return addCLI(ctx, iface)
-}
-
-func removeTrusted(parent context.Context, iface string) error {
-	ctx, cancel := newCallContext(parent)
-	err := removeDBus(ctx, iface)
-	cancel()
-	if err == nil {
-		return nil
-	}
-	if !errors.Is(err, errDBusUnavailable) {
-		log.Debugf("firewalld: dbus remove failed, falling back to firewall-cmd: %v", err)
-	}
-	ctx, cancel = newCallContext(parent)
-	defer cancel()
-	return removeCLI(ctx, iface)
-}
-
-func isRunningDBus(ctx context.Context) (bool, error) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return false, fmt.Errorf("%w: %v", errDBusUnavailable, err)
-	}
-	obj := conn.Object(dbusDest, dbusPath)
-
-	var zone string
-	if err := obj.CallWithContext(ctx, dbusRootIface+".getDefaultZone", 0).Store(&zone); err != nil {
-		return false, fmt.Errorf("firewalld getDefaultZone: %w", err)
-	}
-	return true, nil
-}
-
-func isRunningCLI(ctx context.Context) bool {
-	if _, err := exec.LookPath("firewall-cmd"); err != nil {
-		return false
-	}
-	return exec.CommandContext(ctx, "firewall-cmd", "--state").Run() == nil
-}
-
-func addDBus(ctx context.Context, iface string) error {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return fmt.Errorf("%w: %v", errDBusUnavailable, err)
-	}
-	obj := conn.Object(dbusDest, dbusPath)
-
-	call := obj.CallWithContext(ctx, dbusZoneIface+".addInterface", 0, TrustedZone, iface)
-	if call.Err == nil {
-		return nil
-	}
-
-	if dbusErrContains(call.Err, errAlreadyEnabled) {
-		return nil
-	}
-
-	if dbusErrContains(call.Err, errZoneAlreadySet) {
-		move := obj.CallWithContext(ctx, dbusZoneIface+".changeZoneOfInterface", 0, TrustedZone, iface)
-		if move.Err != nil {
-			return fmt.Errorf("firewalld changeZoneOfInterface: %w", move.Err)
-		}
-		return nil
-	}
-
-	return fmt.Errorf("firewalld addInterface: %w", call.Err)
-}
-
-func removeDBus(ctx context.Context, iface string) error {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return fmt.Errorf("%w: %v", errDBusUnavailable, err)
-	}
-	obj := conn.Object(dbusDest, dbusPath)
-
-	call := obj.CallWithContext(ctx, dbusZoneIface+".removeInterface", 0, TrustedZone, iface)
-	if call.Err == nil {
-		return nil
-	}
-
-	if dbusErrContains(call.Err, errUnknownIface) || dbusErrContains(call.Err, errNotEnabled) {
-		return nil
-	}
-
-	return fmt.Errorf("firewalld removeInterface: %w", call.Err)
-}
-
-func addCLI(ctx context.Context, iface string) error {
-	if _, err := exec.LookPath("firewall-cmd"); err != nil {
-		return fmt.Errorf("firewall-cmd not available: %w", err)
-	}
-
-	// --change-interface (no --permanent) binds the interface for the
-	// current runtime only; we do not want membership to persist across
-	// reboots because netbird re-asserts it on every startup.
-	out, err := exec.CommandContext(ctx,
-		"firewall-cmd", "--zone="+TrustedZone, "--change-interface="+iface,
-	).CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("firewall-cmd change-interface: %w: %s", err, strings.TrimSpace(string(out)))
-	}
-	return nil
-}
-
-func removeCLI(ctx context.Context, iface string) error {
-	if _, err := exec.LookPath("firewall-cmd"); err != nil {
-		return fmt.Errorf("firewall-cmd not available: %w", err)
-	}
-
-	out, err := exec.CommandContext(ctx,
-		"firewall-cmd", "--zone="+TrustedZone, "--remove-interface="+iface,
-	).CombinedOutput()
-	if err != nil {
-		msg := strings.TrimSpace(string(out))
-		if strings.Contains(msg, errUnknownIface) || strings.Contains(msg, errNotEnabled) {
-			return nil
-		}
-		return fmt.Errorf("firewall-cmd remove-interface: %w: %s", err, msg)
-	}
-	return nil
-}
-
-func dbusErrContains(err error, code string) bool {
-	if err == nil {
-		return false
-	}
-	var de dbus.Error
-	if errors.As(err, &de) {
-		for _, b := range de.Body {
-			if s, ok := b.(string); ok && strings.Contains(s, code) {
-				return true
-			}
-		}
-	}
-	return strings.Contains(err.Error(), code)
-}

client/firewall/firewalld/firewalld_linux_test.go

@@ -1,49 +0,0 @@
-//go:build linux
-
-package firewalld
-
-import (
-	"errors"
-	"testing"
-
-	"github.com/godbus/dbus/v5"
-)
-
-func TestDBusErrContains(t *testing.T) {
-	tests := []struct {
-		name string
-		err  error
-		code string
-		want bool
-	}{
-		{"nil error", nil, errZoneAlreadySet, false},
-		{"plain error match", errors.New("ZONE_ALREADY_SET: wt0"), errZoneAlreadySet, true},
-		{"plain error miss", errors.New("something else"), errZoneAlreadySet, false},
-		{
-			"dbus.Error body match",
-			dbus.Error{Name: "org.fedoraproject.FirewallD1.Exception", Body: []any{"ZONE_ALREADY_SET: wt0"}},
-			errZoneAlreadySet,
-			true,
-		},
-		{
-			"dbus.Error body miss",
-			dbus.Error{Name: "org.fedoraproject.FirewallD1.Exception", Body: []any{"INVALID_INTERFACE"}},
-			errAlreadyEnabled,
-			false,
-		},
-		{
-			"dbus.Error non-string body falls back to Error()",
-			dbus.Error{Name: "x", Body: []any{123}},
-			"x",
-			true,
-		},
-	}
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			got := dbusErrContains(tc.err, tc.code)
-			if got != tc.want {
-				t.Fatalf("dbusErrContains(%v, %q) = %v; want %v", tc.err, tc.code, got, tc.want)
-			}
-		})
-	}
-}

client/firewall/firewalld/firewalld_other.go

@@ -1,25 +0,0 @@
-//go:build !linux
-
-package firewalld
-
-import "context"
-
-// SetParentContext is a no-op on non-Linux platforms because firewalld only
-// runs on Linux.
-func SetParentContext(context.Context) {
-	// intentionally empty: firewalld is a Linux-only daemon
-}
-
-// TrustInterface is a no-op on non-Linux platforms because firewalld only
-// runs on Linux.
-func TrustInterface(string) error {
-	// intentionally empty: firewalld is a Linux-only daemon
-	return nil
-}
-
-// UntrustInterface is a no-op on non-Linux platforms because firewalld only
-// runs on Linux.
-func UntrustInterface(string) error {
-	// intentionally empty: firewalld is a Linux-only daemon
-	return nil
-}

client/firewall/iptables/manager_linux.go

@@ -12,7 +12,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -87,12 +86,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}
 
-	// Trust after all fatal init steps so a later failure doesn't leave the
-	// interface in firewalld's trusted zone without a corresponding Close.
-	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
-		log.Warnf("failed to trust interface in firewalld: %v", err)
-	}
-
 	// persist early to ensure cleanup of chains
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
@@ -198,12 +191,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 		merr = multierror.Append(merr, fmt.Errorf("reset router: %w", err))
 	}
 
-	// Appending to merr intentionally blocks DeleteState below so ShutdownState
-	// stays persisted and the crash-recovery path retries firewalld cleanup.
-	if err := firewalld.UntrustInterface(m.wgIface.Name()); err != nil {
-		merr = multierror.Append(merr, err)
-	}
-
 	// attempt to delete state only if all other operations succeeded
 	if merr == nil {
 		if err := stateManager.DeleteState(&ShutdownState{}); err != nil {
@@ -230,11 +217,6 @@ func (m *Manager) AllowNetbird() error {
 	if err != nil {
 		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
-
-	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
-		log.Warnf("failed to trust interface in firewalld: %v", err)
-	}
-
 	return nil
 }
 

client/firewall/nftables/manager_linux.go

@@ -14,7 +14,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 
-	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -218,10 +217,6 @@ func (m *Manager) AllowNetbird() error {
 		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
 
-	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
-		log.Warnf("failed to trust interface in firewalld: %v", err)
-	}
-
 	return nil
 }
 

client/firewall/nftables/router_linux.go

@@ -19,7 +19,6 @@ import (
 	"golang.org/x/sys/unix"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
@@ -41,8 +40,6 @@ const (
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"
 
-	firewalldTableName = "firewalld"
-
 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
 	userDataAcceptInputRule      = "inputaccept"
@@ -136,10 +133,6 @@ func (r *router) Reset() error {
 		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
 	}
 
-	if err := firewalld.UntrustInterface(r.wgIface.Name()); err != nil {
-		merr = multierror.Append(merr, err)
-	}
-
 	if err := r.removeNatPreroutingRules(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove filter prerouting rules: %w", err))
 	}
@@ -287,10 +280,6 @@ func (r *router) createContainers() error {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}
 
-	if err := firewalld.TrustInterface(r.wgIface.Name()); err != nil {
-		log.Warnf("failed to trust interface in firewalld: %v", err)
-	}
-
 	if err := r.refreshRulesMap(); err != nil {
 		log.Errorf("failed to refresh rules: %s", err)
 	}
@@ -1330,13 +1319,6 @@ func (r *router) isExternalChain(chain *nftables.Chain) bool {
 		return false
 	}
 
-	// Skip firewalld-owned chains. Firewalld creates its chains with the
-	// NFT_CHAIN_OWNER flag, so inserting rules into them returns EPERM.
-	// We delegate acceptance to firewalld by trusting the interface instead.
-	if chain.Table.Name == firewalldTableName {
-		return false
-	}
-
 	// Skip all iptables-managed tables in the ip family
 	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
 		return false

client/firewall/uspfilter/allow_netbird.go

@@ -3,9 +3,6 @@
 package uspfilter
 
 import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
@@ -19,9 +16,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
 	}
-	if err := firewalld.UntrustInterface(m.wgIface.Name()); err != nil {
-		log.Warnf("failed to untrust interface in firewalld: %v", err)
-	}
 	return nil
 }
 
@@ -30,8 +24,5 @@ func (m *Manager) AllowNetbird() error {
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.AllowNetbird()
 	}
-	if err := firewalld.TrustInterface(m.wgIface.Name()); err != nil {
-		log.Warnf("failed to trust interface in firewalld: %v", err)
-	}
 	return nil
 }

client/firewall/uspfilter/common/iface.go

@@ -9,7 +9,6 @@ import (
 
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
-	Name() string
 	SetFilter(device.PacketFilter) error
 	Address() wgaddr.Address
 	GetWGDevice() *wgdevice.Device

client/firewall/uspfilter/filter_test.go

@@ -31,20 +31,12 @@ var logger = log.NewFromLogrus(logrus.StandardLogger())
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
 
 type IFaceMock struct {
-	NameFunc        func() string
 	SetFilterFunc   func(device.PacketFilter) error
 	AddressFunc     func() wgaddr.Address
 	GetWGDeviceFunc func() *wgdevice.Device
 	GetDeviceFunc   func() *device.FilteredDevice
 }
 
-func (i *IFaceMock) Name() string {
-	if i.NameFunc == nil {
-		return "wgtest"
-	}
-	return i.NameFunc()
-}
-
 func (i *IFaceMock) GetWGDevice() *wgdevice.Device {
 	if i.GetWGDeviceFunc == nil {
 		return nil

client/iface/bind/ice_bind_test.go

@@ -239,12 +239,8 @@ func TestICEBind_HandlesConcurrentMixedTraffic(t *testing.T) {
 		ipv6Count++
 	}
 
-	// Allow some UDP packet loss under load (e.g. FreeBSD/QEMU runners). The
-	// routing-correctness checks above are the real assertions; the counts
-	// are a sanity bound to catch a totally silent path.
-	minDelivered := packetsPerFamily * 80 / 100
-	assert.GreaterOrEqual(t, ipv4Count, minDelivered, "IPv4 delivery below threshold")
-	assert.GreaterOrEqual(t, ipv6Count, minDelivered, "IPv6 delivery below threshold")
+	assert.Equal(t, packetsPerFamily, ipv4Count)
+	assert.Equal(t, packetsPerFamily, ipv6Count)
 }
 
 func TestICEBind_DetectsAddressFamilyFromConnection(t *testing.T) {

client/internal/debug/upload_test.go

@@ -3,12 +3,10 @@ package debug
 import (
 	"context"
 	"errors"
-	"net"
 	"net/http"
 	"os"
 	"path/filepath"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/require"
 
@@ -21,10 +19,8 @@ func TestUpload(t *testing.T) {
 		t.Skip("Skipping upload test on docker ci")
 	}
 	testDir := t.TempDir()
-	addr := reserveLoopbackPort(t)
-	testURL := "http://" + addr
+	testURL := "http://localhost:8080"
 	t.Setenv("SERVER_URL", testURL)
-	t.Setenv("SERVER_ADDRESS", addr)
 	t.Setenv("STORE_DIR", testDir)
 	srv := server.NewServer()
 	go func() {
@@ -37,7 +33,6 @@ func TestUpload(t *testing.T) {
 			t.Errorf("Failed to stop server: %v", err)
 		}
 	})
-	waitForServer(t, addr)
 
 	file := filepath.Join(t.TempDir(), "tmpfile")
 	fileContent := []byte("test file content")
@@ -52,30 +47,3 @@ func TestUpload(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, fileContent, createdFileContent)
 }
-
-// reserveLoopbackPort binds an ephemeral port on loopback to learn a free
-// address, then releases it so the server under test can rebind. The close/
-// rebind window is racy in theory; on loopback with a kernel-assigned port
-// it's essentially never contended in practice.
-func reserveLoopbackPort(t *testing.T) string {
-	t.Helper()
-	l, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-	addr := l.Addr().String()
-	require.NoError(t, l.Close())
-	return addr
-}
-
-func waitForServer(t *testing.T, addr string) {
-	t.Helper()
-	deadline := time.Now().Add(5 * time.Second)
-	for time.Now().Before(deadline) {
-		c, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
-		if err == nil {
-			_ = c.Close()
-			return
-		}
-		time.Sleep(20 * time.Millisecond)
-	}
-	t.Fatalf("server did not start listening on %s in time", addr)
-}

client/internal/dns/file_parser_unix.go

@@ -13,7 +13,6 @@ import (
 
 const (
 	defaultResolvConfPath = "/etc/resolv.conf"
-	nsswitchConfPath      = "/etc/nsswitch.conf"
 )
 
 type resolvConf struct {

client/internal/dns/handler_chain.go

@@ -1,10 +1,7 @@
 package dns
 
 import (
-	"context"
 	"fmt"
-	"math"
-	"net"
 	"slices"
 	"strconv"
 	"strings"
@@ -195,12 +192,6 @@ func (c *HandlerChain) logHandlers() {
 }
 
 func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	c.dispatch(w, r, math.MaxInt)
-}
-
-// dispatch routes a DNS request through the chain, skipping handlers with
-// priority > maxPriority. Shared by ServeDNS and ResolveInternal.
-func (c *HandlerChain) dispatch(w dns.ResponseWriter, r *dns.Msg, maxPriority int) {
 	if len(r.Question) == 0 {
 		return
 	}
@@ -225,9 +216,6 @@ func (c *HandlerChain) dispatch(w dns.ResponseWriter, r *dns.Msg, maxPriority in
 
 	// Try handlers in priority order
 	for _, entry := range handlers {
-		if entry.Priority > maxPriority {
-			continue
-		}
 		if !c.isHandlerMatch(qname, entry) {
 			continue
 		}
@@ -285,55 +273,6 @@ func (c *HandlerChain) logResponse(logger *log.Entry, cw *ResponseWriterChain, q
 		cw.response.Len(), meta, time.Since(startTime))
 }
 
-// ResolveInternal runs an in-process DNS query against the chain, skipping any
-// handler with priority > maxPriority. Used by internal callers (e.g. the mgmt
-// cache refresher) that must bypass themselves to avoid loops. Honors ctx
-// cancellation; on ctx.Done the dispatch goroutine is left to drain on its own
-// (bounded by the invoked handler's internal timeout).
-func (c *HandlerChain) ResolveInternal(ctx context.Context, r *dns.Msg, maxPriority int) (*dns.Msg, error) {
-	if len(r.Question) == 0 {
-		return nil, fmt.Errorf("empty question")
-	}
-
-	base := &internalResponseWriter{}
-	done := make(chan struct{})
-	go func() {
-		c.dispatch(base, r, maxPriority)
-		close(done)
-	}()
-
-	select {
-	case <-done:
-	case <-ctx.Done():
-		// Prefer a completed response if dispatch finished concurrently with cancellation.
-		select {
-		case <-done:
-		default:
-			return nil, fmt.Errorf("resolve %s: %w", strings.ToLower(r.Question[0].Name), ctx.Err())
-		}
-	}
-
-	if base.response == nil || base.response.Rcode == dns.RcodeRefused {
-		return nil, fmt.Errorf("no handler resolved %s at priority ≤ %d",
-			strings.ToLower(r.Question[0].Name), maxPriority)
-	}
-	return base.response, nil
-}
-
-// HasRootHandlerAtOrBelow reports whether any "." handler is registered at
-// priority ≤ maxPriority.
-func (c *HandlerChain) HasRootHandlerAtOrBelow(maxPriority int) bool {
-	c.mu.RLock()
-	defer c.mu.RUnlock()
-
-	for _, h := range c.handlers {
-		if h.Pattern == "." && h.Priority <= maxPriority {
-			return true
-		}
-	}
-	return false
-}
-
 func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 	switch {
 	case entry.Pattern == ".":
@@ -352,36 +291,3 @@ func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
 		}
 	}
 }
-
-// internalResponseWriter captures a dns.Msg for in-process chain queries.
-type internalResponseWriter struct {
-	response *dns.Msg
-}
-
-func (w *internalResponseWriter) WriteMsg(m *dns.Msg) error { w.response = m; return nil }
-func (w *internalResponseWriter) LocalAddr() net.Addr       { return nil }
-func (w *internalResponseWriter) RemoteAddr() net.Addr      { return nil }
-
-// Write unpacks raw DNS bytes so handlers that call Write instead of WriteMsg
-// still surface their answer to ResolveInternal.
-func (w *internalResponseWriter) Write(p []byte) (int, error) {
-	msg := new(dns.Msg)
-	if err := msg.Unpack(p); err != nil {
-		return 0, err
-	}
-	w.response = msg
-	return len(p), nil
-}
-
-func (w *internalResponseWriter) Close() error      { return nil }
-func (w *internalResponseWriter) TsigStatus() error { return nil }
-
-// TsigTimersOnly is part of dns.ResponseWriter.
-func (w *internalResponseWriter) TsigTimersOnly(bool) {
-	// no-op: in-process queries carry no TSIG state.
-}
-
-// Hijack is part of dns.ResponseWriter.
-func (w *internalResponseWriter) Hijack() {
-	// no-op: in-process queries have no underlying connection to hand off.
-}

client/internal/dns/handler_chain_test.go

@@ -1,15 +1,11 @@
 package dns_test
 
 import (
-	"context"
-	"net"
 	"testing"
-	"time"
 
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/require"
 
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
@@ -1046,163 +1042,3 @@ func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
 		})
 	}
 }
-
-// answeringHandler writes a fixed A record to ack the query. Used to verify
-// which handler ResolveInternal dispatches to.
-type answeringHandler struct {
-	name string
-	ip   string
-}
-
-func (h *answeringHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	resp := &dns.Msg{}
-	resp.SetReply(r)
-	resp.Answer = []dns.RR{&dns.A{
-		Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-		A:   net.ParseIP(h.ip).To4(),
-	}}
-	_ = w.WriteMsg(resp)
-}
-
-func (h *answeringHandler) String() string { return h.name }
-
-func TestHandlerChain_ResolveInternal_SkipsAboveMaxPriority(t *testing.T) {
-	chain := nbdns.NewHandlerChain()
-
-	high := &answeringHandler{name: "high", ip: "10.0.0.1"}
-	low := &answeringHandler{name: "low", ip: "10.0.0.2"}
-
-	chain.AddHandler("example.com.", high, nbdns.PriorityMgmtCache)
-	chain.AddHandler("example.com.", low, nbdns.PriorityUpstream)
-
-	r := new(dns.Msg)
-	r.SetQuestion("example.com.", dns.TypeA)
-
-	resp, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
-	assert.NoError(t, err)
-	assert.NotNil(t, resp)
-	assert.Equal(t, 1, len(resp.Answer))
-	a, ok := resp.Answer[0].(*dns.A)
-	assert.True(t, ok)
-	assert.Equal(t, "10.0.0.2", a.A.String(), "should skip mgmtCache handler and resolve via upstream")
-}
-
-func TestHandlerChain_ResolveInternal_ErrorWhenNoMatch(t *testing.T) {
-	chain := nbdns.NewHandlerChain()
-	high := &answeringHandler{name: "high", ip: "10.0.0.1"}
-	chain.AddHandler("example.com.", high, nbdns.PriorityMgmtCache)
-
-	r := new(dns.Msg)
-	r.SetQuestion("example.com.", dns.TypeA)
-
-	_, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
-	assert.Error(t, err, "no handler at or below maxPriority should error")
-}
-
-// rawWriteHandler packs a response and calls ResponseWriter.Write directly
-// (instead of WriteMsg), exercising the internalResponseWriter.Write path.
-type rawWriteHandler struct {
-	ip string
-}
-
-func (h *rawWriteHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	resp := &dns.Msg{}
-	resp.SetReply(r)
-	resp.Answer = []dns.RR{&dns.A{
-		Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-		A:   net.ParseIP(h.ip).To4(),
-	}}
-	packed, err := resp.Pack()
-	if err != nil {
-		return
-	}
-	_, _ = w.Write(packed)
-}
-
-func TestHandlerChain_ResolveInternal_CapturesRawWrite(t *testing.T) {
-	chain := nbdns.NewHandlerChain()
-	chain.AddHandler("example.com.", &rawWriteHandler{ip: "10.0.0.3"}, nbdns.PriorityUpstream)
-
-	r := new(dns.Msg)
-	r.SetQuestion("example.com.", dns.TypeA)
-
-	resp, err := chain.ResolveInternal(context.Background(), r, nbdns.PriorityUpstream)
-	assert.NoError(t, err)
-	require.NotNil(t, resp)
-	require.Len(t, resp.Answer, 1)
-	a, ok := resp.Answer[0].(*dns.A)
-	require.True(t, ok)
-	assert.Equal(t, "10.0.0.3", a.A.String(), "handlers calling Write(packed) must still surface their answer")
-}
-
-func TestHandlerChain_ResolveInternal_EmptyQuestion(t *testing.T) {
-	chain := nbdns.NewHandlerChain()
-	_, err := chain.ResolveInternal(context.Background(), new(dns.Msg), nbdns.PriorityUpstream)
-	assert.Error(t, err)
-}
-
-// hangingHandler blocks indefinitely until closed, simulating a wedged upstream.
-type hangingHandler struct {
-	block chan struct{}
-}
-
-func (h *hangingHandler) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	<-h.block
-	resp := &dns.Msg{}
-	resp.SetReply(r)
-	_ = w.WriteMsg(resp)
-}
-
-func (h *hangingHandler) String() string { return "hangingHandler" }
-
-func TestHandlerChain_ResolveInternal_HonorsContextTimeout(t *testing.T) {
-	chain := nbdns.NewHandlerChain()
-	h := &hangingHandler{block: make(chan struct{})}
-	defer close(h.block)
-
-	chain.AddHandler("example.com.", h, nbdns.PriorityUpstream)
-
-	r := new(dns.Msg)
-	r.SetQuestion("example.com.", dns.TypeA)
-
-	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
-	defer cancel()
-
-	start := time.Now()
-	_, err := chain.ResolveInternal(ctx, r, nbdns.PriorityUpstream)
-	elapsed := time.Since(start)
-
-	assert.Error(t, err)
-	assert.ErrorIs(t, err, context.DeadlineExceeded)
-	assert.Less(t, elapsed, 500*time.Millisecond, "ResolveInternal must return shortly after ctx deadline")
-}
-
-func TestHandlerChain_HasRootHandlerAtOrBelow(t *testing.T) {
-	chain := nbdns.NewHandlerChain()
-	h := &answeringHandler{name: "h", ip: "10.0.0.1"}
-
-	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "empty chain")
-
-	chain.AddHandler("example.com.", h, nbdns.PriorityUpstream)
-	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "non-root handler does not count")
-
-	chain.AddHandler(".", h, nbdns.PriorityMgmtCache)
-	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root handler above threshold excluded")
-
-	chain.AddHandler(".", h, nbdns.PriorityDefault)
-	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root handler at PriorityDefault included")
-
-	chain.RemoveHandler(".", nbdns.PriorityDefault)
-	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream))
-
-	// Primary nsgroup case: root handler lands at PriorityUpstream.
-	chain.AddHandler(".", h, nbdns.PriorityUpstream)
-	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root at PriorityUpstream included")
-	chain.RemoveHandler(".", nbdns.PriorityUpstream)
-
-	// Fallback case: original /etc/resolv.conf entries land at PriorityFallback.
-	chain.AddHandler(".", h, nbdns.PriorityFallback)
-	assert.True(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream), "root at PriorityFallback included")
-	chain.RemoveHandler(".", nbdns.PriorityFallback)
-	assert.False(t, chain.HasRootHandlerAtOrBelow(nbdns.PriorityUpstream))
-}

client/internal/dns/host_unix.go

@@ -46,12 +46,12 @@ type restoreHostManager interface {
 }
 
 func newHostManager(wgInterface string) (hostManager, error) {
-	osManager, reason, err := getOSDNSManagerType()
+	osManager, err := getOSDNSManagerType()
 	if err != nil {
 		return nil, fmt.Errorf("get os dns manager type: %w", err)
 	}
 
-	log.Infof("System DNS manager discovered: %s (%s)", osManager, reason)
+	log.Infof("System DNS manager discovered: %s", osManager)
 	mgr, err := newHostManagerFromType(wgInterface, osManager)
 	// need to explicitly return nil mgr on error to avoid returning a non-nil interface containing a nil value
 	if err != nil {
@@ -74,49 +74,17 @@ func newHostManagerFromType(wgInterface string, osManager osManagerType) (restor
 	}
 }
 
-func getOSDNSManagerType() (osManagerType, string, error) {
-	resolved := isSystemdResolvedRunning()
-	nss := isLibnssResolveUsed()
-	stub := checkStub()
-
-	// Prefer systemd-resolved whenever it owns libc resolution, regardless of
-	// who wrote /etc/resolv.conf. File-mode rewrites do not affect lookups
-	// that go through nss-resolve, and in foreign mode they can loop back
-	// through resolved as an upstream.
-	if resolved && (nss || stub) {
-		return systemdManager, fmt.Sprintf("systemd-resolved active (nss-resolve=%t, stub=%t)", nss, stub), nil
-	}
-
-	mgr, reason, rejected, err := scanResolvConfHeader()
-	if err != nil {
-		return 0, "", err
-	}
-	if reason != "" {
-		return mgr, reason, nil
-	}
-
-	fallback := fmt.Sprintf("no manager matched (resolved=%t, nss-resolve=%t, stub=%t)", resolved, nss, stub)
-	if len(rejected) > 0 {
-		fallback += "; rejected: " + strings.Join(rejected, ", ")
-	}
-	return fileManager, fallback, nil
-}
-
-// scanResolvConfHeader walks /etc/resolv.conf header comments and returns the
-// matching manager. If reason is empty the caller should pick file mode and
-// use rejected for diagnostics.
-func scanResolvConfHeader() (osManagerType, string, []string, error) {
+func getOSDNSManagerType() (osManagerType, error) {
 	file, err := os.Open(defaultResolvConfPath)
 	if err != nil {
-		return 0, "", nil, fmt.Errorf("unable to open %s for checking owner, got error: %w", defaultResolvConfPath, err)
+		return 0, fmt.Errorf("unable to open %s for checking owner, got error: %w", defaultResolvConfPath, err)
 	}
 	defer func() {
-		if cerr := file.Close(); cerr != nil {
-			log.Errorf("close file %s: %s", defaultResolvConfPath, cerr)
+		if err := file.Close(); err != nil {
+			log.Errorf("close file %s: %s", defaultResolvConfPath, err)
 		}
 	}()
 
-	var rejected []string
 	scanner := bufio.NewScanner(file)
 	for scanner.Scan() {
 		text := scanner.Text()
@@ -124,48 +92,41 @@ func scanResolvConfHeader() (osManagerType, string, []string, error) {
 			continue
 		}
 		if text[0] != '#' {
-			break
+			return fileManager, nil
 		}
-		if mgr, reason, rej := matchResolvConfHeader(text); reason != "" {
-			return mgr, reason, nil, nil
-		} else if rej != "" {
-			rejected = append(rejected, rej)
+		if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
+			return netbirdManager, nil
+		}
+		if strings.Contains(text, "NetworkManager") && isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
+			return networkManager, nil
+		}
+		if strings.Contains(text, "systemd-resolved") && isSystemdResolvedRunning() {
+			if checkStub() {
+				return systemdManager, nil
+			} else {
+				return fileManager, nil
+			}
+		}
+		if strings.Contains(text, "resolvconf") {
+			if isSystemdResolveConfMode() {
+				return systemdManager, nil
+			}
+
+			return resolvConfManager, nil
 		}
 	}
 	if err := scanner.Err(); err != nil && err != io.EOF {
-		return 0, "", nil, fmt.Errorf("scan: %w", err)
+		return 0, fmt.Errorf("scan: %w", err)
 	}
-	return 0, "", rejected, nil
+
+	return fileManager, nil
 }
 
-// matchResolvConfHeader inspects a single comment line. Returns either a
-// definitive (manager, reason) or a non-empty rejected diagnostic.
-func matchResolvConfHeader(text string) (osManagerType, string, string) {
-	if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
-		return netbirdManager, "netbird-managed resolv.conf header detected", ""
-	}
-	if strings.Contains(text, "NetworkManager") {
-		if isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
-			return networkManager, "NetworkManager header + supported version on dbus", ""
-		}
-		return 0, "", "NetworkManager header (no dbus or unsupported version)"
-	}
-	if strings.Contains(text, "resolvconf") {
-		if isSystemdResolveConfMode() {
-			return systemdManager, "resolvconf header in systemd-resolved compatibility mode", ""
-		}
-		return resolvConfManager, "resolvconf header detected", ""
-	}
-	return 0, "", ""
-}
-
-// checkStub reports whether systemd-resolved's stub (127.0.0.53) is listed
-// in /etc/resolv.conf. On parse failure we assume it is, to avoid dropping
-// into file mode while resolved is active.
+// checkStub checks if the stub resolver is disabled in systemd-resolved. If it is disabled, we fall back to file manager.
 func checkStub() bool {
 	rConf, err := parseDefaultResolvConf()
 	if err != nil {
-		log.Warnf("failed to parse resolv conf, assuming stub is active: %s", err)
+		log.Warnf("failed to parse resolv conf: %s", err)
 		return true
 	}
 
@@ -178,36 +139,3 @@ func checkStub() bool {
 
 	return false
 }
-
-// isLibnssResolveUsed reports whether nss-resolve is listed before dns on
-// the hosts: line of /etc/nsswitch.conf. When it is, libc lookups are
-// delegated to systemd-resolved regardless of /etc/resolv.conf.
-func isLibnssResolveUsed() bool {
-	bs, err := os.ReadFile(nsswitchConfPath)
-	if err != nil {
-		log.Debugf("read %s: %v", nsswitchConfPath, err)
-		return false
-	}
-	return parseNsswitchResolveAhead(bs)
-}
-
-func parseNsswitchResolveAhead(data []byte) bool {
-	for _, line := range strings.Split(string(data), "\n") {
-		if i := strings.IndexByte(line, '#'); i >= 0 {
-			line = line[:i]
-		}
-		fields := strings.Fields(line)
-		if len(fields) < 2 || fields[0] != "hosts:" {
-			continue
-		}
-		for _, module := range fields[1:] {
-			switch module {
-			case "dns":
-				return false
-			case "resolve":
-				return true
-			}
-		}
-	}
-	return false
-}

client/internal/dns/host_unix_test.go

@@ -1,76 +0,0 @@
-//go:build (linux && !android) || freebsd
-
-package dns
-
-import "testing"
-
-func TestParseNsswitchResolveAhead(t *testing.T) {
-	tests := []struct {
-		name string
-		in   string
-		want bool
-	}{
-		{
-			name: "resolve before dns with action token",
-			in:   "hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n",
-			want: true,
-		},
-		{
-			name: "dns before resolve",
-			in:   "hosts: files mdns4_minimal [NOTFOUND=return] dns resolve\n",
-			want: false,
-		},
-		{
-			name: "debian default with only dns",
-			in:   "hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines\n",
-			want: false,
-		},
-		{
-			name: "neither resolve nor dns",
-			in:   "hosts: files myhostname\n",
-			want: false,
-		},
-		{
-			name: "no hosts line",
-			in:   "passwd: files systemd\ngroup: files systemd\n",
-			want: false,
-		},
-		{
-			name: "empty",
-			in:   "",
-			want: false,
-		},
-		{
-			name: "comments and blank lines ignored",
-			in:   "# comment\n\n# another\nhosts: resolve dns\n",
-			want: true,
-		},
-		{
-			name: "trailing inline comment",
-			in:   "hosts: resolve [!UNAVAIL=return] dns # fallback\n",
-			want: true,
-		},
-		{
-			name: "hosts token must be the first field",
-			in:   "  hosts: resolve dns\n",
-			want: true,
-		},
-		{
-			name: "other db line mentioning resolve is ignored",
-			in:   "networks: resolve\nhosts: dns\n",
-			want: false,
-		},
-		{
-			name: "only resolve, no dns",
-			in:   "hosts: files resolve\n",
-			want: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := parseNsswitchResolveAhead([]byte(tt.in)); got != tt.want {
-				t.Errorf("parseNsswitchResolveAhead() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

client/internal/dns/mgmt/mgmt.go

@@ -2,83 +2,40 @@ package mgmt
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"net/url"
-	"os"
-	"slices"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/sync/singleflight"
 
 	dnsconfig "github.com/netbirdio/netbird/client/internal/dns/config"
-	"github.com/netbirdio/netbird/client/internal/dns/resutil"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
-const (
-	dnsTimeout     = 5 * time.Second
-	defaultTTL     = 300 * time.Second
-	refreshBackoff = 30 * time.Second
+const dnsTimeout = 5 * time.Second
 
-	// envMgmtCacheTTL overrides defaultTTL for integration/dev testing.
-	envMgmtCacheTTL = "NB_MGMT_CACHE_TTL"
-)
-
-// ChainResolver lets the cache refresh stale entries through the DNS handler
-// chain instead of net.DefaultResolver, avoiding loopback when NetBird is the
-// system resolver.
-type ChainResolver interface {
-	ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriority int) (*dns.Msg, error)
-	HasRootHandlerAtOrBelow(maxPriority int) bool
-}
-
-// cachedRecord holds DNS records plus timestamps used for TTL refresh.
-// records and cachedAt are set at construction and treated as immutable;
-// lastFailedRefresh and consecFailures are mutable and must be accessed under
-// Resolver.mutex.
-type cachedRecord struct {
-	records           []dns.RR
-	cachedAt          time.Time
-	lastFailedRefresh time.Time
-	consecFailures    int
-}
-
-// Resolver caches critical NetBird infrastructure domains.
-// records, refreshing, mgmtDomain and serverDomains are all guarded by mutex.
+// Resolver caches critical NetBird infrastructure domains
 type Resolver struct {
-	records       map[dns.Question]*cachedRecord
+	records       map[dns.Question][]dns.RR
 	mgmtDomain    *domain.Domain
 	serverDomains *dnsconfig.ServerDomains
 	mutex         sync.RWMutex
+}
 
-	chain            ChainResolver
-	chainMaxPriority int
-	refreshGroup     singleflight.Group
-
-	// refreshing tracks questions whose refresh is running via the OS
-	// fallback path. A ServeDNS hit for a question in this map indicates
-	// the OS resolver routed the recursive query back to us (loop). Only
-	// the OS path arms this so chain-path refreshes don't produce false
-	// positives. The atomic bool is CAS-flipped once per refresh to
-	// throttle the warning log.
-	refreshing map[dns.Question]*atomic.Bool
-
-	cacheTTL time.Duration
+type ipsResponse struct {
+	ips []netip.Addr
+	err error
 }
 
 // NewResolver creates a new management domains cache resolver.
 func NewResolver() *Resolver {
 	return &Resolver{
-		records:    make(map[dns.Question]*cachedRecord),
-		refreshing: make(map[dns.Question]*atomic.Bool),
-		cacheTTL:   resolveCacheTTL(),
+		records: make(map[dns.Question][]dns.RR),
 	}
 }
 
@@ -87,19 +44,7 @@ func (m *Resolver) String() string {
 	return "MgmtCacheResolver"
 }
 
-// SetChainResolver wires the handler chain used to refresh stale cache entries.
-// maxPriority caps which handlers may answer refresh queries (typically
-// PriorityUpstream, so upstream/default/fallback handlers are consulted and
-// mgmt/route/local handlers are skipped).
-func (m *Resolver) SetChainResolver(chain ChainResolver, maxPriority int) {
-	m.mutex.Lock()
-	m.chain = chain
-	m.chainMaxPriority = maxPriority
-	m.mutex.Unlock()
-}
-
-// ServeDNS serves cached A/AAAA records. Stale entries are returned
-// immediately and refreshed asynchronously (stale-while-revalidate).
+// ServeDNS implements dns.Handler interface.
 func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	if len(r.Question) == 0 {
 		m.continueToNext(w, r)
@@ -115,14 +60,7 @@ func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 
 	m.mutex.RLock()
-	cached, found := m.records[question]
-	inflight := m.refreshing[question]
-	var shouldRefresh bool
-	if found {
-		stale := time.Since(cached.cachedAt) > m.cacheTTL
-		inBackoff := !cached.lastFailedRefresh.IsZero() && time.Since(cached.lastFailedRefresh) < refreshBackoff
-		shouldRefresh = stale && !inBackoff
-	}
+	records, found := m.records[question]
 	m.mutex.RUnlock()
 
 	if !found {
@@ -130,23 +68,12 @@ func (m *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 
-	if inflight != nil && inflight.CompareAndSwap(false, true) {
-		log.Warnf("mgmt cache: possible resolver loop for domain=%s: served stale while an OS-fallback refresh was inflight (if NetBird is the system resolver, the OS-path predicate is wrong)",
-			question.Name)
-	}
-
-	// Skip scheduling a refresh goroutine if one is already inflight for
-	// this question; singleflight would dedup anyway but skipping avoids
-	// a parked goroutine per stale hit under bursty load.
-	if shouldRefresh && inflight == nil {
-		m.scheduleRefresh(question, cached)
-	}
-
 	resp := &dns.Msg{}
 	resp.SetReply(r)
 	resp.Authoritative = false
 	resp.RecursionAvailable = true
-	resp.Answer = cloneRecordsWithTTL(cached.records, m.responseTTL(cached.cachedAt))
+
+	resp.Answer = append(resp.Answer, records...)
 
 	log.Debugf("serving %d cached records for domain=%s", len(resp.Answer), question.Name)
 
@@ -171,260 +98,101 @@ func (m *Resolver) continueToNext(w dns.ResponseWriter, r *dns.Msg) {
 	}
 }
 
-// AddDomain resolves a domain and stores its A/AAAA records in the cache.
-// A family that resolves NODATA (nil err, zero records) evicts any stale
-// entry for that qtype.
+// AddDomain manually adds a domain to cache by resolving it.
 func (m *Resolver) AddDomain(ctx context.Context, d domain.Domain) error {
 	dnsName := strings.ToLower(dns.Fqdn(d.PunycodeString()))
 
 	ctx, cancel := context.WithTimeout(ctx, dnsTimeout)
 	defer cancel()
 
-	aRecords, aaaaRecords, errA, errAAAA := m.lookupBoth(ctx, d, dnsName)
-
-	if errA != nil && errAAAA != nil {
-		return fmt.Errorf("resolve %s: %w", d.SafeString(), errors.Join(errA, errAAAA))
+	ips, err := lookupIPWithExtraTimeout(ctx, d)
+	if err != nil {
+		return err
 	}
 
-	if len(aRecords) == 0 && len(aaaaRecords) == 0 {
-		if err := errors.Join(errA, errAAAA); err != nil {
-			return fmt.Errorf("resolve %s: no A/AAAA records: %w", d.SafeString(), err)
+	var aRecords, aaaaRecords []dns.RR
+	for _, ip := range ips {
+		if ip.Is4() {
+			rr := &dns.A{
+				Hdr: dns.RR_Header{
+					Name:   dnsName,
+					Rrtype: dns.TypeA,
+					Class:  dns.ClassINET,
+					Ttl:    300,
+				},
+				A: ip.AsSlice(),
+			}
+			aRecords = append(aRecords, rr)
+		} else if ip.Is6() {
+			rr := &dns.AAAA{
+				Hdr: dns.RR_Header{
+					Name:   dnsName,
+					Rrtype: dns.TypeAAAA,
+					Class:  dns.ClassINET,
+					Ttl:    300,
+				},
+				AAAA: ip.AsSlice(),
+			}
+			aaaaRecords = append(aaaaRecords, rr)
 		}
-		return fmt.Errorf("resolve %s: no A/AAAA records", d.SafeString())
 	}
 
-	now := time.Now()
 	m.mutex.Lock()
-	defer m.mutex.Unlock()
 
-	m.applyFamilyRecords(dnsName, dns.TypeA, aRecords, errA, now)
-	m.applyFamilyRecords(dnsName, dns.TypeAAAA, aaaaRecords, errAAAA, now)
+	if len(aRecords) > 0 {
+		aQuestion := dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}
+		m.records[aQuestion] = aRecords
+	}
 
-	log.Debugf("added/updated domain=%s with %d A records and %d AAAA records",
+	if len(aaaaRecords) > 0 {
+		aaaaQuestion := dns.Question{
+			Name:   dnsName,
+			Qtype:  dns.TypeAAAA,
+			Qclass: dns.ClassINET,
+		}
+		m.records[aaaaQuestion] = aaaaRecords
+	}
+
+	m.mutex.Unlock()
+
+	log.Debugf("added domain=%s with %d A records and %d AAAA records",
 		d.SafeString(), len(aRecords), len(aaaaRecords))
 
 	return nil
 }
 
-// applyFamilyRecords writes records, evicts on NODATA, leaves the cache
-// untouched on error. Caller holds m.mutex.
-func (m *Resolver) applyFamilyRecords(dnsName string, qtype uint16, records []dns.RR, err error, now time.Time) {
-	q := dns.Question{Name: dnsName, Qtype: qtype, Qclass: dns.ClassINET}
-	switch {
-	case len(records) > 0:
-		m.records[q] = &cachedRecord{records: records, cachedAt: now}
-	case err == nil:
-		delete(m.records, q)
-	}
-}
+func lookupIPWithExtraTimeout(ctx context.Context, d domain.Domain) ([]netip.Addr, error) {
+	log.Infof("looking up IP for mgmt domain=%s", d.SafeString())
+	defer log.Infof("done looking up IP for mgmt domain=%s", d.SafeString())
+	resultChan := make(chan *ipsResponse, 1)
 
-// scheduleRefresh kicks off an async refresh. DoChan spawns one goroutine per
-// unique in-flight key; bursty stale hits share its channel. expected is the
-// cachedRecord pointer observed by the caller; the refresh only mutates the
-// cache if that pointer is still the one stored, so a stale in-flight refresh
-// can't clobber a newer entry written by AddDomain or a competing refresh.
-func (m *Resolver) scheduleRefresh(question dns.Question, expected *cachedRecord) {
-	key := question.Name + "|" + dns.TypeToString[question.Qtype]
-	_ = m.refreshGroup.DoChan(key, func() (any, error) {
-		return nil, m.refreshQuestion(question, expected)
-	})
-}
-
-// refreshQuestion replaces the cached records on success, or marks the entry
-// failed (arming the backoff) on failure. While this runs, ServeDNS can detect
-// a resolver loop by spotting a query for this same question arriving on us.
-// expected pins the cache entry observed at schedule time; mutations only apply
-// if m.records[question] still points at it.
-func (m *Resolver) refreshQuestion(question dns.Question, expected *cachedRecord) error {
-	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
-	defer cancel()
-
-	d, err := domain.FromString(strings.TrimSuffix(question.Name, "."))
-	if err != nil {
-		m.markRefreshFailed(question, expected)
-		return fmt.Errorf("parse domain: %w", err)
-	}
-
-	records, err := m.lookupRecords(ctx, d, question)
-	if err != nil {
-		fails := m.markRefreshFailed(question, expected)
-		logf := log.Warnf
-		if fails == 0 || fails > 1 {
-			logf = log.Debugf
+	go func() {
+		ips, err := net.DefaultResolver.LookupNetIP(ctx, "ip", d.PunycodeString())
+		resultChan <- &ipsResponse{
+			err: err,
+			ips: ips,
 		}
-		logf("refresh mgmt cache domain=%s type=%s: %v (consecutive failures=%d)",
-			d.SafeString(), dns.TypeToString[question.Qtype], err, fails)
-		return err
+	}()
+
+	var resp *ipsResponse
+
+	select {
+	case <-time.After(dnsTimeout + time.Millisecond*500):
+		log.Warnf("timed out waiting for IP for mgmt domain=%s", d.SafeString())
+		return nil, fmt.Errorf("timed out waiting for ips to be available for domain %s", d.SafeString())
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	case resp = <-resultChan:
 	}
 
-	// NOERROR/NODATA: family gone upstream, evict so we stop serving stale.
-	if len(records) == 0 {
-		m.mutex.Lock()
-		if m.records[question] == expected {
-			delete(m.records, question)
-			m.mutex.Unlock()
-			log.Infof("removed mgmt cache domain=%s type=%s: no records returned",
-				d.SafeString(), dns.TypeToString[question.Qtype])
-			return nil
-		}
-		m.mutex.Unlock()
-		log.Debugf("skipping refresh evict for domain=%s type=%s: entry changed during refresh",
-			d.SafeString(), dns.TypeToString[question.Qtype])
-		return nil
+	if resp.err != nil {
+		return nil, fmt.Errorf("resolve domain %s: %w", d.SafeString(), resp.err)
 	}
-
-	now := time.Now()
-	m.mutex.Lock()
-	if m.records[question] != expected {
-		m.mutex.Unlock()
-		log.Debugf("skipping refresh write for domain=%s type=%s: entry changed during refresh",
-			d.SafeString(), dns.TypeToString[question.Qtype])
-		return nil
-	}
-	m.records[question] = &cachedRecord{records: records, cachedAt: now}
-	m.mutex.Unlock()
-
-	log.Infof("refreshed mgmt cache domain=%s type=%s",
-		d.SafeString(), dns.TypeToString[question.Qtype])
-	return nil
-}
-
-func (m *Resolver) markRefreshing(question dns.Question) {
-	m.mutex.Lock()
-	m.refreshing[question] = &atomic.Bool{}
-	m.mutex.Unlock()
-}
-
-func (m *Resolver) clearRefreshing(question dns.Question) {
-	m.mutex.Lock()
-	delete(m.refreshing, question)
-	m.mutex.Unlock()
-}
-
-// markRefreshFailed arms the backoff and returns the new consecutive-failure
-// count so callers can downgrade subsequent failure logs to debug.
-func (m *Resolver) markRefreshFailed(question dns.Question, expected *cachedRecord) int {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-	c, ok := m.records[question]
-	if !ok || c != expected {
-		return 0
-	}
-	c.lastFailedRefresh = time.Now()
-	c.consecFailures++
-	return c.consecFailures
-}
-
-// lookupBoth resolves A and AAAA via chain or OS. Per-family errors let
-// callers tell records, NODATA (nil err, no records), and failure apart.
-func (m *Resolver) lookupBoth(ctx context.Context, d domain.Domain, dnsName string) (aRecords, aaaaRecords []dns.RR, errA, errAAAA error) {
-	m.mutex.RLock()
-	chain := m.chain
-	maxPriority := m.chainMaxPriority
-	m.mutex.RUnlock()
-
-	if chain != nil && chain.HasRootHandlerAtOrBelow(maxPriority) {
-		aRecords, errA = m.lookupViaChain(ctx, chain, maxPriority, dnsName, dns.TypeA)
-		aaaaRecords, errAAAA = m.lookupViaChain(ctx, chain, maxPriority, dnsName, dns.TypeAAAA)
-		return
-	}
-
-	// TODO: drop once every supported OS registers a fallback resolver. Safe
-	// today: no root handler at priority ≤ PriorityUpstream means NetBird is
-	// not the system resolver, so net.DefaultResolver will not loop back.
-	aRecords, errA = m.osLookup(ctx, d, dnsName, dns.TypeA)
-	aaaaRecords, errAAAA = m.osLookup(ctx, d, dnsName, dns.TypeAAAA)
-	return
-}
-
-// lookupRecords resolves a single record type via chain or OS. The OS branch
-// arms the loop detector for the duration of its call so that ServeDNS can
-// spot the OS resolver routing the recursive query back to us.
-func (m *Resolver) lookupRecords(ctx context.Context, d domain.Domain, q dns.Question) ([]dns.RR, error) {
-	m.mutex.RLock()
-	chain := m.chain
-	maxPriority := m.chainMaxPriority
-	m.mutex.RUnlock()
-
-	if chain != nil && chain.HasRootHandlerAtOrBelow(maxPriority) {
-		return m.lookupViaChain(ctx, chain, maxPriority, q.Name, q.Qtype)
-	}
-
-	// TODO: drop once every supported OS registers a fallback resolver.
-	m.markRefreshing(q)
-	defer m.clearRefreshing(q)
-
-	return m.osLookup(ctx, d, q.Name, q.Qtype)
-}
-
-// lookupViaChain resolves via the handler chain and rewrites each RR to use
-// dnsName as owner and m.cacheTTL as TTL, so CNAME-backed domains don't cache
-// target-owned records or upstream TTLs. NODATA returns (nil, nil).
-func (m *Resolver) lookupViaChain(ctx context.Context, chain ChainResolver, maxPriority int, dnsName string, qtype uint16) ([]dns.RR, error) {
-	msg := &dns.Msg{}
-	msg.SetQuestion(dnsName, qtype)
-	msg.RecursionDesired = true
-
-	resp, err := chain.ResolveInternal(ctx, msg, maxPriority)
-	if err != nil {
-		return nil, fmt.Errorf("chain resolve: %w", err)
-	}
-	if resp == nil {
-		return nil, fmt.Errorf("chain resolve returned nil response")
-	}
-	if resp.Rcode != dns.RcodeSuccess {
-		return nil, fmt.Errorf("chain resolve rcode=%s", dns.RcodeToString[resp.Rcode])
-	}
-
-	ttl := uint32(m.cacheTTL.Seconds())
-	owners := cnameOwners(dnsName, resp.Answer)
-	var filtered []dns.RR
-	for _, rr := range resp.Answer {
-		h := rr.Header()
-		if h.Class != dns.ClassINET || h.Rrtype != qtype {
-			continue
-		}
-		if !owners[strings.ToLower(dns.Fqdn(h.Name))] {
-			continue
-		}
-		if cp := cloneIPRecord(rr, dnsName, ttl); cp != nil {
-			filtered = append(filtered, cp)
-		}
-	}
-	return filtered, nil
-}
-
-// osLookup resolves a single family via net.DefaultResolver using resutil,
-// which disambiguates NODATA from NXDOMAIN and Unmaps v4-mapped-v6. NODATA
-// returns (nil, nil).
-func (m *Resolver) osLookup(ctx context.Context, d domain.Domain, dnsName string, qtype uint16) ([]dns.RR, error) {
-	network := resutil.NetworkForQtype(qtype)
-	if network == "" {
-		return nil, fmt.Errorf("unsupported qtype %s", dns.TypeToString[qtype])
-	}
-
-	log.Infof("looking up IP for mgmt domain=%s type=%s", d.SafeString(), dns.TypeToString[qtype])
-	defer log.Infof("done looking up IP for mgmt domain=%s type=%s", d.SafeString(), dns.TypeToString[qtype])
-
-	result := resutil.LookupIP(ctx, net.DefaultResolver, network, d.PunycodeString(), qtype)
-	if result.Rcode == dns.RcodeSuccess {
-		return resutil.IPsToRRs(dnsName, result.IPs, uint32(m.cacheTTL.Seconds())), nil
-	}
-
-	if result.Err != nil {
-		return nil, fmt.Errorf("resolve %s type=%s: %w", d.SafeString(), dns.TypeToString[qtype], result.Err)
-	}
-	return nil, fmt.Errorf("resolve %s type=%s: rcode=%s", d.SafeString(), dns.TypeToString[qtype], dns.RcodeToString[result.Rcode])
-}
-
-// responseTTL returns the remaining cache lifetime in seconds (rounded up),
-// so downstream resolvers don't cache an answer for longer than we will.
-func (m *Resolver) responseTTL(cachedAt time.Time) uint32 {
-	remaining := m.cacheTTL - time.Since(cachedAt)
-	if remaining <= 0 {
-		return 0
-	}
-	return uint32((remaining + time.Second - 1) / time.Second)
+	return resp.ips, nil
 }
 
 // PopulateFromConfig extracts and caches domains from the client configuration.
@@ -456,12 +224,19 @@ func (m *Resolver) RemoveDomain(d domain.Domain) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	qA := dns.Question{Name: dnsName, Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	qAAAA := dns.Question{Name: dnsName, Qtype: dns.TypeAAAA, Qclass: dns.ClassINET}
-	delete(m.records, qA)
-	delete(m.records, qAAAA)
-	delete(m.refreshing, qA)
-	delete(m.refreshing, qAAAA)
+	aQuestion := dns.Question{
+		Name:   dnsName,
+		Qtype:  dns.TypeA,
+		Qclass: dns.ClassINET,
+	}
+	delete(m.records, aQuestion)
+
+	aaaaQuestion := dns.Question{
+		Name:   dnsName,
+		Qtype:  dns.TypeAAAA,
+		Qclass: dns.ClassINET,
+	}
+	delete(m.records, aaaaQuestion)
 
 	log.Debugf("removed domain=%s from cache", d.SafeString())
 	return nil
@@ -619,73 +394,3 @@ func (m *Resolver) extractDomainsFromServerDomains(serverDomains dnsconfig.Serve
 
 	return domains
 }
-
-// cloneIPRecord returns a deep copy of rr retargeted to owner with ttl. Non
-// A/AAAA records return nil.
-func cloneIPRecord(rr dns.RR, owner string, ttl uint32) dns.RR {
-	switch r := rr.(type) {
-	case *dns.A:
-		cp := *r
-		cp.Hdr.Name = owner
-		cp.Hdr.Ttl = ttl
-		cp.A = slices.Clone(r.A)
-		return &cp
-	case *dns.AAAA:
-		cp := *r
-		cp.Hdr.Name = owner
-		cp.Hdr.Ttl = ttl
-		cp.AAAA = slices.Clone(r.AAAA)
-		return &cp
-	}
-	return nil
-}
-
-// cloneRecordsWithTTL clones A/AAAA records preserving their owner and
-// stamping ttl so the response shares no memory with the cached slice.
-func cloneRecordsWithTTL(records []dns.RR, ttl uint32) []dns.RR {
-	out := make([]dns.RR, 0, len(records))
-	for _, rr := range records {
-		if cp := cloneIPRecord(rr, rr.Header().Name, ttl); cp != nil {
-			out = append(out, cp)
-		}
-	}
-	return out
-}
-
-// cnameOwners returns dnsName plus every target reachable by following CNAMEs
-// in answer, iterating until fixed point so out-of-order chains resolve.
-func cnameOwners(dnsName string, answer []dns.RR) map[string]bool {
-	owners := map[string]bool{dnsName: true}
-	for {
-		added := false
-		for _, rr := range answer {
-			cname, ok := rr.(*dns.CNAME)
-			if !ok {
-				continue
-			}
-			name := strings.ToLower(dns.Fqdn(cname.Hdr.Name))
-			if !owners[name] {
-				continue
-			}
-			target := strings.ToLower(dns.Fqdn(cname.Target))
-			if !owners[target] {
-				owners[target] = true
-				added = true
-			}
-		}
-		if !added {
-			return owners
-		}
-	}
-}
-
-// resolveCacheTTL reads the cache TTL override env var; invalid or empty
-// values fall back to defaultTTL. Called once per Resolver from NewResolver.
-func resolveCacheTTL() time.Duration {
-	if v := os.Getenv(envMgmtCacheTTL); v != "" {
-		if d, err := time.ParseDuration(v); err == nil && d > 0 {
-			return d
-		}
-	}
-	return defaultTTL
-}

client/internal/dns/mgmt/mgmt_refresh_test.go

@@ -1,408 +0,0 @@
-package mgmt
-
-import (
-	"context"
-	"errors"
-	"net"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-type fakeChain struct {
-	mu       sync.Mutex
-	calls    map[string]int
-	answers  map[string][]dns.RR
-	err      error
-	hasRoot  bool
-	onLookup func()
-}
-
-func newFakeChain() *fakeChain {
-	return &fakeChain{
-		calls:   map[string]int{},
-		answers: map[string][]dns.RR{},
-		hasRoot: true,
-	}
-}
-
-func (f *fakeChain) HasRootHandlerAtOrBelow(maxPriority int) bool {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	return f.hasRoot
-}
-
-func (f *fakeChain) ResolveInternal(ctx context.Context, msg *dns.Msg, maxPriority int) (*dns.Msg, error) {
-	f.mu.Lock()
-	q := msg.Question[0]
-	key := q.Name + "|" + dns.TypeToString[q.Qtype]
-	f.calls[key]++
-	answers := f.answers[key]
-	err := f.err
-	onLookup := f.onLookup
-	f.mu.Unlock()
-
-	if onLookup != nil {
-		onLookup()
-	}
-	if err != nil {
-		return nil, err
-	}
-	resp := &dns.Msg{}
-	resp.SetReply(msg)
-	resp.Answer = answers
-	return resp, nil
-}
-
-func (f *fakeChain) setAnswer(name string, qtype uint16, ip string) {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	key := name + "|" + dns.TypeToString[qtype]
-	hdr := dns.RR_Header{Name: name, Rrtype: qtype, Class: dns.ClassINET, Ttl: 60}
-	switch qtype {
-	case dns.TypeA:
-		f.answers[key] = []dns.RR{&dns.A{Hdr: hdr, A: net.ParseIP(ip).To4()}}
-	case dns.TypeAAAA:
-		f.answers[key] = []dns.RR{&dns.AAAA{Hdr: hdr, AAAA: net.ParseIP(ip).To16()}}
-	}
-}
-
-func (f *fakeChain) callCount(name string, qtype uint16) int {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	return f.calls[name+"|"+dns.TypeToString[qtype]]
-}
-
-// waitFor polls the predicate until it returns true or the deadline passes.
-func waitFor(t *testing.T, d time.Duration, fn func() bool) {
-	t.Helper()
-	deadline := time.Now().Add(d)
-	for time.Now().Before(deadline) {
-		if fn() {
-			return
-		}
-		time.Sleep(5 * time.Millisecond)
-	}
-	t.Fatalf("condition not met within %s", d)
-}
-
-func queryA(t *testing.T, r *Resolver, name string) *dns.Msg {
-	t.Helper()
-	msg := new(dns.Msg)
-	msg.SetQuestion(name, dns.TypeA)
-	w := &test.MockResponseWriter{}
-	r.ServeDNS(w, msg)
-	return w.GetLastResponse()
-}
-
-func firstA(t *testing.T, resp *dns.Msg) string {
-	t.Helper()
-	require.NotNil(t, resp)
-	require.Greater(t, len(resp.Answer), 0, "expected at least one answer")
-	a, ok := resp.Answer[0].(*dns.A)
-	require.True(t, ok, "expected A record")
-	return a.A.String()
-}
-
-func TestResolver_CacheTTLGatesRefresh(t *testing.T) {
-	// Same cached entry age, different cacheTTL values: the shorter TTL must
-	// trigger a background refresh, the longer one must not. Proves that the
-	// per-Resolver cacheTTL field actually drives the stale decision.
-	cachedAt := time.Now().Add(-100 * time.Millisecond)
-
-	newRec := func() *cachedRecord {
-		return &cachedRecord{
-			records: []dns.RR{&dns.A{
-				Hdr: dns.RR_Header{Name: "mgmt.example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-				A:   net.ParseIP("10.0.0.1").To4(),
-			}},
-			cachedAt: cachedAt,
-		}
-	}
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-
-	t.Run("short TTL treats entry as stale and refreshes", func(t *testing.T) {
-		r := NewResolver()
-		r.cacheTTL = 10 * time.Millisecond
-		chain := newFakeChain()
-		chain.setAnswer(q.Name, dns.TypeA, "10.0.0.2")
-		r.SetChainResolver(chain, 50)
-		r.records[q] = newRec()
-
-		resp := queryA(t, r, q.Name)
-		assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must be served while refresh runs")
-
-		waitFor(t, time.Second, func() bool {
-			return chain.callCount(q.Name, dns.TypeA) >= 1
-		})
-	})
-
-	t.Run("long TTL keeps entry fresh and skips refresh", func(t *testing.T) {
-		r := NewResolver()
-		r.cacheTTL = time.Hour
-		chain := newFakeChain()
-		chain.setAnswer(q.Name, dns.TypeA, "10.0.0.2")
-		r.SetChainResolver(chain, 50)
-		r.records[q] = newRec()
-
-		resp := queryA(t, r, q.Name)
-		assert.Equal(t, "10.0.0.1", firstA(t, resp))
-
-		time.Sleep(50 * time.Millisecond)
-		assert.Equal(t, 0, chain.callCount(q.Name, dns.TypeA), "fresh entry must not trigger refresh")
-	})
-}
-
-func TestResolver_ServeFresh_NoRefresh(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
-	r.SetChainResolver(chain, 50)
-
-	r.records[dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: "mgmt.example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now(), // fresh
-	}
-
-	resp := queryA(t, r, "mgmt.example.com.")
-	assert.Equal(t, "10.0.0.1", firstA(t, resp))
-
-	time.Sleep(20 * time.Millisecond)
-	assert.Equal(t, 0, chain.callCount("mgmt.example.com.", dns.TypeA), "fresh entry must not trigger refresh")
-}
-
-func TestResolver_StaleTriggersAsyncRefresh(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
-	r.SetChainResolver(chain, 50)
-
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	r.records[q] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now().Add(-2 * defaultTTL), // stale
-	}
-
-	// First query: serves stale immediately.
-	resp := queryA(t, r, "mgmt.example.com.")
-	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must be served while refresh runs")
-
-	waitFor(t, time.Second, func() bool {
-		return chain.callCount("mgmt.example.com.", dns.TypeA) >= 1
-	})
-
-	// Next query should now return the refreshed IP.
-	waitFor(t, time.Second, func() bool {
-		resp := queryA(t, r, "mgmt.example.com.")
-		return resp != nil && len(resp.Answer) > 0 && firstA(t, resp) == "10.0.0.2"
-	})
-}
-
-func TestResolver_ConcurrentStaleHitsCollapseRefresh(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
-
-	var inflight atomic.Int32
-	var maxInflight atomic.Int32
-	chain.onLookup = func() {
-		cur := inflight.Add(1)
-		defer inflight.Add(-1)
-		for {
-			prev := maxInflight.Load()
-			if cur <= prev || maxInflight.CompareAndSwap(prev, cur) {
-				break
-			}
-		}
-		time.Sleep(50 * time.Millisecond) // hold inflight long enough to collide
-	}
-
-	r.SetChainResolver(chain, 50)
-
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	r.records[q] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now().Add(-2 * defaultTTL),
-	}
-
-	var wg sync.WaitGroup
-	for i := 0; i < 50; i++ {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			queryA(t, r, "mgmt.example.com.")
-		}()
-	}
-	wg.Wait()
-
-	waitFor(t, 2*time.Second, func() bool {
-		return inflight.Load() == 0
-	})
-
-	calls := chain.callCount("mgmt.example.com.", dns.TypeA)
-	assert.LessOrEqual(t, calls, 2, "singleflight must collapse concurrent refreshes (got %d)", calls)
-	assert.Equal(t, int32(1), maxInflight.Load(), "only one refresh should run concurrently")
-}
-
-func TestResolver_RefreshFailureArmsBackoff(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.err = errors.New("boom")
-	r.SetChainResolver(chain, 50)
-
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	r.records[q] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now().Add(-2 * defaultTTL),
-	}
-
-	// First stale hit triggers a refresh attempt that fails.
-	resp := queryA(t, r, "mgmt.example.com.")
-	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry served while refresh fails")
-
-	waitFor(t, time.Second, func() bool {
-		return chain.callCount("mgmt.example.com.", dns.TypeA) == 1
-	})
-	waitFor(t, time.Second, func() bool {
-		r.mutex.RLock()
-		defer r.mutex.RUnlock()
-		c, ok := r.records[q]
-		return ok && !c.lastFailedRefresh.IsZero()
-	})
-
-	// Subsequent stale hits within backoff window should not schedule more refreshes.
-	for i := 0; i < 10; i++ {
-		queryA(t, r, "mgmt.example.com.")
-	}
-	time.Sleep(50 * time.Millisecond)
-	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeA), "backoff must suppress further refreshes")
-}
-
-func TestResolver_NoRootHandler_SkipsChain(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.hasRoot = false
-	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
-	r.SetChainResolver(chain, 50)
-
-	// With hasRoot=false the chain must not be consulted. Use a short
-	// deadline so the OS fallback returns quickly without waiting on a
-	// real network call in CI.
-	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
-	defer cancel()
-	_, _, _, _ = r.lookupBoth(ctx, domain.Domain("mgmt.example.com"), "mgmt.example.com.")
-
-	assert.Equal(t, 0, chain.callCount("mgmt.example.com.", dns.TypeA),
-		"chain must not be used when no root handler is registered at the bound priority")
-}
-
-func TestResolver_ServeDuringRefreshSetsLoopFlag(t *testing.T) {
-	// ServeDNS being invoked for a question while a refresh for that question
-	// is inflight indicates a resolver loop (OS resolver sent the recursive
-	// query back to us). The inflightRefresh.loopLoggedOnce flag must be set.
-	r := NewResolver()
-
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	r.records[q] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now(),
-	}
-
-	// Simulate an inflight refresh.
-	r.markRefreshing(q)
-	defer r.clearRefreshing(q)
-
-	resp := queryA(t, r, "mgmt.example.com.")
-	assert.Equal(t, "10.0.0.1", firstA(t, resp), "stale entry must still be served to avoid breaking external queries")
-
-	r.mutex.RLock()
-	inflight := r.refreshing[q]
-	r.mutex.RUnlock()
-	require.NotNil(t, inflight)
-	assert.True(t, inflight.Load(), "loop flag must be set once a ServeDNS during refresh was observed")
-}
-
-func TestResolver_LoopFlagOnlyTrippedOncePerRefresh(t *testing.T) {
-	r := NewResolver()
-
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	r.records[q] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now(),
-	}
-
-	r.markRefreshing(q)
-	defer r.clearRefreshing(q)
-
-	// Multiple ServeDNS calls during the same refresh must not re-set the flag
-	// (CompareAndSwap from false -> true returns true only on the first call).
-	for range 5 {
-		queryA(t, r, "mgmt.example.com.")
-	}
-
-	r.mutex.RLock()
-	inflight := r.refreshing[q]
-	r.mutex.RUnlock()
-	assert.True(t, inflight.Load())
-}
-
-func TestResolver_NoLoopFlagWhenNotRefreshing(t *testing.T) {
-	r := NewResolver()
-
-	q := dns.Question{Name: "mgmt.example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET}
-	r.records[q] = &cachedRecord{
-		records: []dns.RR{&dns.A{
-			Hdr: dns.RR_Header{Name: q.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1").To4(),
-		}},
-		cachedAt: time.Now(),
-	}
-
-	queryA(t, r, "mgmt.example.com.")
-
-	r.mutex.RLock()
-	_, ok := r.refreshing[q]
-	r.mutex.RUnlock()
-	assert.False(t, ok, "no refresh inflight means no loop tracking")
-}
-
-func TestResolver_AddDomain_UsesChainWhenRootRegistered(t *testing.T) {
-	r := NewResolver()
-	chain := newFakeChain()
-	chain.setAnswer("mgmt.example.com.", dns.TypeA, "10.0.0.2")
-	chain.setAnswer("mgmt.example.com.", dns.TypeAAAA, "fd00::2")
-	r.SetChainResolver(chain, 50)
-
-	require.NoError(t, r.AddDomain(context.Background(), domain.Domain("mgmt.example.com")))
-
-	resp := queryA(t, r, "mgmt.example.com.")
-	assert.Equal(t, "10.0.0.2", firstA(t, resp))
-	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeA))
-	assert.Equal(t, 1, chain.callCount("mgmt.example.com.", dns.TypeAAAA))
-}

client/internal/dns/mgmt/mgmt_test.go

@@ -6,7 +6,6 @@ import (
 	"net/url"
 	"strings"
 	"testing"
-	"time"
 
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
@@ -24,60 +23,6 @@ func TestResolver_NewResolver(t *testing.T) {
 	assert.False(t, resolver.MatchSubdomains())
 }
 
-func TestResolveCacheTTL(t *testing.T) {
-	tests := []struct {
-		name  string
-		value string
-		want  time.Duration
-	}{
-		{"unset falls back to default", "", defaultTTL},
-		{"valid duration", "45s", 45 * time.Second},
-		{"valid minutes", "2m", 2 * time.Minute},
-		{"malformed falls back to default", "not-a-duration", defaultTTL},
-		{"zero falls back to default", "0s", defaultTTL},
-		{"negative falls back to default", "-5s", defaultTTL},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(envMgmtCacheTTL, tc.value)
-			got := resolveCacheTTL()
-			assert.Equal(t, tc.want, got, "parsed TTL should match")
-		})
-	}
-}
-
-func TestNewResolver_CacheTTLFromEnv(t *testing.T) {
-	t.Setenv(envMgmtCacheTTL, "7s")
-	r := NewResolver()
-	assert.Equal(t, 7*time.Second, r.cacheTTL, "NewResolver should evaluate cacheTTL once from env")
-}
-
-func TestResolver_ResponseTTL(t *testing.T) {
-	now := time.Now()
-	tests := []struct {
-		name     string
-		cacheTTL time.Duration
-		cachedAt time.Time
-		wantMin  uint32
-		wantMax  uint32
-	}{
-		{"fresh entry returns full TTL", 60 * time.Second, now, 59, 60},
-		{"half-aged entry returns half TTL", 60 * time.Second, now.Add(-30 * time.Second), 29, 31},
-		{"expired entry returns zero", 60 * time.Second, now.Add(-61 * time.Second), 0, 0},
-		{"exactly expired returns zero", 10 * time.Second, now.Add(-10 * time.Second), 0, 0},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			r := &Resolver{cacheTTL: tc.cacheTTL}
-			got := r.responseTTL(tc.cachedAt)
-			assert.GreaterOrEqual(t, got, tc.wantMin, "remaining TTL should be >= wantMin")
-			assert.LessOrEqual(t, got, tc.wantMax, "remaining TTL should be <= wantMax")
-		})
-	}
-}
-
 func TestResolver_ExtractDomainFromURL(t *testing.T) {
 	tests := []struct {
 		name        string

client/internal/dns/server.go

@@ -212,7 +212,6 @@ func newDefaultServer(
 	ctx, stop := context.WithCancel(ctx)
 
 	mgmtCacheResolver := mgmt.NewResolver()
-	mgmtCacheResolver.SetChainResolver(handlerChain, PriorityUpstream)
 
 	defaultServer := &DefaultServer{
 		ctx:               ctx,

client/internal/engine.go

@@ -26,7 +26,6 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -571,7 +570,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.connMgr.Start(e.ctx)
 
 	e.srWatcher = guard.NewSRWatcher(e.signal, e.relayManager, e.mobileDep.IFaceDiscover, iceCfg)
-	e.srWatcher.Start(peer.IsForceRelayed())
+	e.srWatcher.Start()
 
 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
@@ -605,8 +604,6 @@ func (e *Engine) createFirewall() error {
 		return nil
 	}
 
-	firewalld.SetParentContext(e.ctx)
-
 	var err error
 	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
 	if err != nil {

client/internal/engine_test.go

@@ -25,7 +25,6 @@ import (
 	"google.golang.org/grpc/keepalive"
 
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	"github.com/netbirdio/netbird/management/server/job"
 
 	"github.com/netbirdio/management-integrations/integrations"
@@ -58,6 +57,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -1632,7 +1632,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}
 
 	permissionsManager := permissions.NewManager(store)
-	peersManager := peers.NewManager(store)
+	peersManager := peers.NewManager(store, permissionsManager)
 	jobManager := job.NewJobManager(nil, store, peersManager)
 
 	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)

client/internal/peer/conn.go

@@ -185,20 +185,17 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 
 	conn.workerRelay = NewWorkerRelay(conn.ctx, conn.Log, isController(conn.config), conn.config, conn, conn.relayManager)
 
-	forceRelay := IsForceRelayed()
-	if !forceRelay {
-		relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
-		workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
-		if err != nil {
-			return err
-		}
-		conn.workerICE = workerICE
+	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
+	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
+	if err != nil {
+		return err
 	}
+	conn.workerICE = workerICE
 
 	conn.handshaker = NewHandshaker(conn.Log, conn.config, conn.signaler, conn.workerICE, conn.workerRelay, conn.metricsStages)
 
 	conn.handshaker.AddRelayListener(conn.workerRelay.OnNewOffer)
-	if !forceRelay {
+	if !isForceRelayed() {
 		conn.handshaker.AddICEListener(conn.workerICE.OnNewOffer)
 	}
 
@@ -254,9 +251,7 @@ func (conn *Conn) Close(signalToRemote bool) {
 		conn.wgWatcherCancel()
 	}
 	conn.workerRelay.CloseConn()
-	if conn.workerICE != nil {
-		conn.workerICE.Close()
-	}
+	conn.workerICE.Close()
 
 	if conn.wgProxyRelay != nil {
 		err := conn.wgProxyRelay.CloseConn()
@@ -299,9 +294,7 @@ func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) {
 // OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
 func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
 	conn.dumpState.RemoteCandidate()
-	if conn.workerICE != nil {
-		conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
-	}
+	conn.workerICE.OnRemoteCandidate(candidate, haRoutes)
 }
 
 // SetOnConnected sets a handler function to be triggered by Conn when a new connection to a remote peer established
@@ -719,35 +712,33 @@ func (conn *Conn) evalStatus() ConnStatus {
 	return StatusConnecting
 }
 
-// isConnectedOnAllWay evaluates the overall connection status based on ICE and Relay transports.
-//
-// The result is a tri-state:
-//   - ConnStatusConnected:          all available transports are up
-//   - ConnStatusPartiallyConnected: relay is up but ICE is still pending/reconnecting
-//   - ConnStatusDisconnected:       no working transport
-func (conn *Conn) isConnectedOnAllWay() (status guard.ConnStatus) {
+func (conn *Conn) isConnectedOnAllWay() (connected bool) {
+	// would be better to protect this with a mutex, but it could cause deadlock with Close function
+
 	defer func() {
-		if status == guard.ConnStatusDisconnected {
+		if !connected {
 			conn.logTraceConnState()
 		}
 	}()
 
-	iceWorkerCreated := conn.workerICE != nil
-
-	var iceInProgress bool
-	if iceWorkerCreated {
-		iceInProgress = conn.workerICE.InProgress()
+	// For JS platform: only relay connection is supported
+	if runtime.GOOS == "js" {
+		return conn.statusRelay.Get() == worker.StatusConnected
 	}
 
-	return evalConnStatus(connStatusInputs{
-		forceRelay:          IsForceRelayed(),
-		peerUsesRelay:       conn.workerRelay.IsRelayConnectionSupportedWithPeer(),
-		relayConnected:      conn.statusRelay.Get() == worker.StatusConnected,
-		remoteSupportsICE:   conn.handshaker.RemoteICESupported(),
-		iceWorkerCreated:    iceWorkerCreated,
-		iceStatusConnecting: conn.statusICE.Get() != worker.StatusDisconnected,
-		iceInProgress:       iceInProgress,
-	})
+	// For non-JS platforms: check ICE connection status
+	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
+		return false
+	}
+
+	// If relay is supported with peer, it must also be connected
+	if conn.workerRelay.IsRelayConnectionSupportedWithPeer() {
+		if conn.statusRelay.Get() == worker.StatusDisconnected {
+			return false
+		}
+	}
+
+	return true
 }
 
 func (conn *Conn) enableWgWatcherIfNeeded(enabledTime time.Time) {
@@ -935,43 +926,3 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
-
-func evalConnStatus(in connStatusInputs) guard.ConnStatus {
-	// "Relay up and needed" — the peer uses relay and the transport is connected.
-	relayUsedAndUp := in.peerUsesRelay && in.relayConnected
-
-	// Force-relay mode: ICE never runs. Relay is the only transport and must be up.
-	if in.forceRelay {
-		return boolToConnStatus(relayUsedAndUp)
-	}
-
-	// Remote peer doesn't support ICE, or we haven't created the worker yet:
-	// relay is the only possible transport.
-	if !in.remoteSupportsICE || !in.iceWorkerCreated {
-		return boolToConnStatus(relayUsedAndUp)
-	}
-
-	// ICE counts as "up" when the status is anything other than Disconnected, OR
-	// when a negotiation is currently in progress (so we don't spam offers while one is in flight).
-	iceUp := in.iceStatusConnecting || in.iceInProgress
-
-	// Relay side is acceptable if the peer doesn't rely on relay, or relay is connected.
-	relayOK := !in.peerUsesRelay || in.relayConnected
-
-	switch {
-	case iceUp && relayOK:
-		return guard.ConnStatusConnected
-	case relayUsedAndUp:
-		// Relay is up but ICE is down — partially connected.
-		return guard.ConnStatusPartiallyConnected
-	default:
-		return guard.ConnStatusDisconnected
-	}
-}
-
-func boolToConnStatus(connected bool) guard.ConnStatus {
-	if connected {
-		return guard.ConnStatusConnected
-	}
-	return guard.ConnStatusDisconnected
-}

client/internal/peer/conn_status.go

@@ -13,20 +13,6 @@ const (
 	StatusConnected
 )
 
-// connStatusInputs is the primitive-valued snapshot of the state that drives the
-// tri-state connection classification. Extracted so the decision logic can be unit-tested
-// without constructing full Worker/Handshaker objects.
-type connStatusInputs struct {
-	forceRelay          bool // NB_FORCE_RELAY or JS/WASM
-	peerUsesRelay       bool // remote peer advertises relay support AND local has relay
-	relayConnected      bool // statusRelay reports Connected (independent of whether peer uses relay)
-	remoteSupportsICE   bool // remote peer sent ICE credentials
-	iceWorkerCreated    bool // local WorkerICE exists (false in force-relay mode)
-	iceStatusConnecting bool // statusICE is anything other than Disconnected
-	iceInProgress       bool // a negotiation is currently in flight
-}
-
-
 // ConnStatus describe the status of a peer's connection
 type ConnStatus int32
 

client/internal/peer/conn_status_eval_test.go

@@ -1,201 +0,0 @@
-package peer
-
-import (
-	"testing"
-
-	"github.com/netbirdio/netbird/client/internal/peer/guard"
-)
-
-func TestEvalConnStatus_ForceRelay(t *testing.T) {
-	tests := []struct {
-		name string
-		in   connStatusInputs
-		want guard.ConnStatus
-	}{
-		{
-			name: "force relay, peer uses relay, relay up",
-			in: connStatusInputs{
-				forceRelay:     true,
-				peerUsesRelay:  true,
-				relayConnected: true,
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "force relay, peer uses relay, relay down",
-			in: connStatusInputs{
-				forceRelay:     true,
-				peerUsesRelay:  true,
-				relayConnected: false,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "force relay, peer does NOT use relay - disconnected forever",
-			in: connStatusInputs{
-				forceRelay:     true,
-				peerUsesRelay:  false,
-				relayConnected: true,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			if got := evalConnStatus(tc.in); got != tc.want {
-				t.Fatalf("evalConnStatus = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestEvalConnStatus_ICEUnavailable(t *testing.T) {
-	tests := []struct {
-		name string
-		in   connStatusInputs
-		want guard.ConnStatus
-	}{
-		{
-			name: "remote does not support ICE, peer uses relay, relay up",
-			in: connStatusInputs{
-				peerUsesRelay:     true,
-				relayConnected:    true,
-				remoteSupportsICE: false,
-				iceWorkerCreated:  true,
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "remote does not support ICE, peer uses relay, relay down",
-			in: connStatusInputs{
-				peerUsesRelay:     true,
-				relayConnected:    false,
-				remoteSupportsICE: false,
-				iceWorkerCreated:  true,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "ICE worker not yet created, relay up",
-			in: connStatusInputs{
-				peerUsesRelay:     true,
-				relayConnected:    true,
-				remoteSupportsICE: true,
-				iceWorkerCreated:  false,
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "remote does not support ICE, peer does not use relay",
-			in: connStatusInputs{
-				peerUsesRelay:     false,
-				relayConnected:    false,
-				remoteSupportsICE: false,
-				iceWorkerCreated:  true,
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			if got := evalConnStatus(tc.in); got != tc.want {
-				t.Fatalf("evalConnStatus = %v, want %v", got, tc.want)
-			}
-		})
-	}
-}
-
-func TestEvalConnStatus_FullyAvailable(t *testing.T) {
-	base := connStatusInputs{
-		remoteSupportsICE: true,
-		iceWorkerCreated:  true,
-	}
-
-	tests := []struct {
-		name    string
-		mutator func(*connStatusInputs)
-		want    guard.ConnStatus
-	}{
-		{
-			name: "ICE connected, relay connected, peer uses relay",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = true
-				in.relayConnected = true
-				in.iceStatusConnecting = true
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "ICE connected, peer does NOT use relay",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.relayConnected = false
-				in.iceStatusConnecting = true
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "ICE InProgress only, peer does NOT use relay",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.iceStatusConnecting = false
-				in.iceInProgress = true
-			},
-			want: guard.ConnStatusConnected,
-		},
-		{
-			name: "ICE down, relay up, peer uses relay -> partial",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = true
-				in.relayConnected = true
-				in.iceStatusConnecting = false
-				in.iceInProgress = false
-			},
-			want: guard.ConnStatusPartiallyConnected,
-		},
-		{
-			name: "ICE down, peer does NOT use relay -> disconnected",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.relayConnected = false
-				in.iceStatusConnecting = false
-				in.iceInProgress = false
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "ICE up, peer uses relay but relay down -> partial (relay required, ICE ignored)",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = true
-				in.relayConnected = false
-				in.iceStatusConnecting = true
-			},
-			// relayOK = false (peer uses relay but it's down), iceUp = true
-			// first switch arm fails (relayOK false), relayUsedAndUp = false (relay down),
-			// falls into default: Disconnected.
-			want: guard.ConnStatusDisconnected,
-		},
-		{
-			name: "ICE down, relay up but peer does not use relay -> disconnected",
-			mutator: func(in *connStatusInputs) {
-				in.peerUsesRelay = false
-				in.relayConnected = true // not actually used since peer doesn't rely on it
-				in.iceStatusConnecting = false
-				in.iceInProgress = false
-			},
-			want: guard.ConnStatusDisconnected,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			in := base
-			tc.mutator(&in)
-			if got := evalConnStatus(in); got != tc.want {
-				t.Fatalf("evalConnStatus = %v, want %v (inputs: %+v)", got, tc.want, in)
-			}
-		})
-	}
-}

client/internal/peer/env.go

@@ -10,7 +10,7 @@ const (
 	EnvKeyNBForceRelay = "NB_FORCE_RELAY"
 )
 
-func IsForceRelayed() bool {
+func isForceRelayed() bool {
 	if runtime.GOOS == "js" {
 		return true
 	}

client/internal/peer/guard/guard.go

@@ -8,19 +8,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-// ConnStatus represents the connection state as seen by the guard.
-type ConnStatus int
-
-const (
-	// ConnStatusDisconnected means neither ICE nor Relay is connected.
-	ConnStatusDisconnected ConnStatus = iota
-	// ConnStatusPartiallyConnected means Relay is connected but ICE is not.
-	ConnStatusPartiallyConnected
-	// ConnStatusConnected means all required connections are established.
-	ConnStatusConnected
-)
-
-type connStatusFunc func() ConnStatus
+type isConnectedFunc func() bool
 
 // Guard is responsible for the reconnection logic.
 // It will trigger to send an offer to the peer then has connection issues.
@@ -32,14 +20,14 @@ type connStatusFunc func() ConnStatus
 // - ICE candidate changes
 type Guard struct {
 	log                     *log.Entry
-	isConnectedOnAllWay     connStatusFunc
+	isConnectedOnAllWay     isConnectedFunc
 	timeout                 time.Duration
 	srWatcher               *SRWatcher
 	relayedConnDisconnected chan struct{}
 	iCEConnDisconnected     chan struct{}
 }
 
-func NewGuard(log *log.Entry, isConnectedFn connStatusFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
+func NewGuard(log *log.Entry, isConnectedFn isConnectedFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
 	return &Guard{
 		log:                     log,
 		isConnectedOnAllWay:     isConnectedFn,
@@ -69,17 +57,8 @@ func (g *Guard) SetICEConnDisconnected() {
 	}
 }
 
-// reconnectLoopWithRetry periodically checks the connection status and sends offers to re-establish connectivity.
-//
-// Behavior depends on the connection state reported by isConnectedOnAllWay:
-//   - Connected: no action, the peer is fully reachable.
-//   - Disconnected (neither ICE nor Relay): retries aggressively with exponential backoff (800ms doubling
-//     up to timeout), never gives up. This ensures rapid recovery when the peer has no connectivity at all.
-//   - PartiallyConnected (Relay up, ICE not): retries up to 3 times with exponential backoff, then switches
-//     to one attempt per hour. This limits signaling traffic when relay already provides connectivity.
-//
-// External events (relay/ICE disconnect, signal/relay reconnect, candidate changes) reset the retry
-// counter and backoff ticker, giving ICE a fresh chance after network conditions change.
+// reconnectLoopWithRetry periodically check the connection status.
+// Try to send offer while the P2P is not established or while the Relay is not connected if is it supported
 func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 	srReconnectedChan := g.srWatcher.NewListener()
 	defer g.srWatcher.RemoveListener(srReconnectedChan)
@@ -89,47 +68,36 @@ func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 
 	tickerChannel := ticker.C
 
-	iceState := &iceRetryState{log: g.log}
-	defer iceState.reset()
-
 	for {
 		select {
-		case <-tickerChannel:
-			switch g.isConnectedOnAllWay() {
-			case ConnStatusConnected:
-				// all good, nothing to do
-			case ConnStatusDisconnected:
-				callback()
-			case ConnStatusPartiallyConnected:
-				if iceState.shouldRetry() {
-					callback()
-				} else {
-					iceState.enterHourlyMode()
-					ticker.Stop()
-					tickerChannel = iceState.hourlyC()
-				}
+		case t := <-tickerChannel:
+			if t.IsZero() {
+				g.log.Infof("retry timed out, stop periodic offer sending")
+				// after backoff timeout the ticker.C will be closed. We need to a dummy channel to avoid loop
+				tickerChannel = make(<-chan time.Time)
+				continue
 			}
 
+			if !g.isConnectedOnAllWay() {
+				callback()
+			}
 		case <-g.relayedConnDisconnected:
 			g.log.Debugf("Relay connection changed, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.newReconnectTicker(ctx)
+			ticker = g.prepareExponentTicker(ctx)
 			tickerChannel = ticker.C
-			iceState.reset()
 
 		case <-g.iCEConnDisconnected:
 			g.log.Debugf("ICE connection changed, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.newReconnectTicker(ctx)
+			ticker = g.prepareExponentTicker(ctx)
 			tickerChannel = ticker.C
-			iceState.reset()
 
 		case <-srReconnectedChan:
 			g.log.Debugf("has network changes, reset reconnection ticker")
 			ticker.Stop()
-			ticker = g.newReconnectTicker(ctx)
+			ticker = g.prepareExponentTicker(ctx)
 			tickerChannel = ticker.C
-			iceState.reset()
 
 		case <-ctx.Done():
 			g.log.Debugf("context is done, stop reconnect loop")
@@ -152,7 +120,7 @@ func (g *Guard) initialTicker(ctx context.Context) *backoff.Ticker {
 	return backoff.NewTicker(bo)
 }
 
-func (g *Guard) newReconnectTicker(ctx context.Context) *backoff.Ticker {
+func (g *Guard) prepareExponentTicker(ctx context.Context) *backoff.Ticker {
 	bo := backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval:     800 * time.Millisecond,
 		RandomizationFactor: 0.1,

client/internal/peer/guard/ice_retry_state.go

@@ -1,61 +0,0 @@
-package guard
-
-import (
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	// maxICERetries is the maximum number of ICE offer attempts when relay is connected
-	maxICERetries = 3
-	// iceRetryInterval is the periodic retry interval after ICE retries are exhausted
-	iceRetryInterval = 1 * time.Hour
-)
-
-// iceRetryState tracks the limited ICE retry attempts when relay is already connected.
-// After maxICERetries attempts it switches to a periodic hourly retry.
-type iceRetryState struct {
-	log     *log.Entry
-	retries int
-	hourly  *time.Ticker
-}
-
-func (s *iceRetryState) reset() {
-	s.retries = 0
-	if s.hourly != nil {
-		s.hourly.Stop()
-		s.hourly = nil
-	}
-}
-
-// shouldRetry reports whether the caller should send another ICE offer on this tick.
-// Returns false when the per-cycle retry budget is exhausted and the caller must switch
-// to the hourly ticker via enterHourlyMode + hourlyC.
-func (s *iceRetryState) shouldRetry() bool {
-	if s.hourly != nil {
-		s.log.Debugf("hourly ICE retry attempt")
-		return true
-	}
-
-	s.retries++
-	if s.retries <= maxICERetries {
-		s.log.Debugf("ICE retry attempt %d/%d", s.retries, maxICERetries)
-		return true
-	}
-
-	return false
-}
-
-// enterHourlyMode starts the hourly retry ticker. Must be called after shouldRetry returns false.
-func (s *iceRetryState) enterHourlyMode() {
-	s.log.Infof("ICE retries exhausted (%d/%d), switching to hourly retry", maxICERetries, maxICERetries)
-	s.hourly = time.NewTicker(iceRetryInterval)
-}
-
-func (s *iceRetryState) hourlyC() <-chan time.Time {
-	if s.hourly == nil {
-		return nil
-	}
-	return s.hourly.C
-}

client/internal/peer/guard/ice_retry_state_test.go

@@ -1,103 +0,0 @@
-package guard
-
-import (
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func newTestRetryState() *iceRetryState {
-	return &iceRetryState{log: log.NewEntry(log.StandardLogger())}
-}
-
-func TestICERetryState_AllowsInitialBudget(t *testing.T) {
-	s := newTestRetryState()
-
-	for i := 1; i <= maxICERetries; i++ {
-		if !s.shouldRetry() {
-			t.Fatalf("shouldRetry returned false on attempt %d, want true (budget = %d)", i, maxICERetries)
-		}
-	}
-}
-
-func TestICERetryState_ExhaustsAfterBudget(t *testing.T) {
-	s := newTestRetryState()
-
-	for i := 0; i < maxICERetries; i++ {
-		_ = s.shouldRetry()
-	}
-
-	if s.shouldRetry() {
-		t.Fatalf("shouldRetry returned true after budget exhausted, want false")
-	}
-}
-
-func TestICERetryState_HourlyCNilBeforeEnterHourlyMode(t *testing.T) {
-	s := newTestRetryState()
-
-	if s.hourlyC() != nil {
-		t.Fatalf("hourlyC returned non-nil channel before enterHourlyMode")
-	}
-}
-
-func TestICERetryState_EnterHourlyModeArmsTicker(t *testing.T) {
-	s := newTestRetryState()
-	for i := 0; i < maxICERetries+1; i++ {
-		_ = s.shouldRetry()
-	}
-
-	s.enterHourlyMode()
-	defer s.reset()
-
-	if s.hourlyC() == nil {
-		t.Fatalf("hourlyC returned nil after enterHourlyMode")
-	}
-}
-
-func TestICERetryState_ShouldRetryTrueInHourlyMode(t *testing.T) {
-	s := newTestRetryState()
-	s.enterHourlyMode()
-	defer s.reset()
-
-	if !s.shouldRetry() {
-		t.Fatalf("shouldRetry returned false in hourly mode, want true")
-	}
-
-	// Subsequent calls also return true — we keep retrying on each hourly tick.
-	if !s.shouldRetry() {
-		t.Fatalf("second shouldRetry returned false in hourly mode, want true")
-	}
-}
-
-func TestICERetryState_ResetRestoresBudget(t *testing.T) {
-	s := newTestRetryState()
-	for i := 0; i < maxICERetries+1; i++ {
-		_ = s.shouldRetry()
-	}
-	s.enterHourlyMode()
-
-	s.reset()
-
-	if s.hourlyC() != nil {
-		t.Fatalf("hourlyC returned non-nil channel after reset")
-	}
-	if s.retries != 0 {
-		t.Fatalf("retries = %d after reset, want 0", s.retries)
-	}
-
-	for i := 1; i <= maxICERetries; i++ {
-		if !s.shouldRetry() {
-			t.Fatalf("shouldRetry returned false on attempt %d after reset, want true", i)
-		}
-	}
-}
-
-func TestICERetryState_ResetIsIdempotent(t *testing.T) {
-	s := newTestRetryState()
-	s.reset()
-	s.reset() // second call must not panic or re-stop a nil ticker
-
-	if s.hourlyC() != nil {
-		t.Fatalf("hourlyC non-nil after double reset")
-	}
-}

client/internal/peer/guard/sr_watcher.go

@@ -39,7 +39,7 @@ func NewSRWatcher(signalClient chNotifier, relayManager chNotifier, iFaceDiscove
 	return srw
 }
 
-func (w *SRWatcher) Start(disableICEMonitor bool) {
+func (w *SRWatcher) Start() {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -50,10 +50,8 @@ func (w *SRWatcher) Start(disableICEMonitor bool) {
 	ctx, cancel := context.WithCancel(context.Background())
 	w.cancelIceMonitor = cancel
 
-	if !disableICEMonitor {
-		iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
-		go iceMonitor.Start(ctx, w.onICEChanged)
-	}
+	iceMonitor := NewICEMonitor(w.iFaceDiscover, w.iceConfig, GetICEMonitorPeriod())
+	go iceMonitor.Start(ctx, w.onICEChanged)
 	w.signalClient.SetOnReconnectedListener(w.onReconnected)
 	w.relayManager.SetOnReconnectedListener(w.onReconnected)
 

client/internal/peer/handshaker.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"sync"
-	"sync/atomic"
 
 	log "github.com/sirupsen/logrus"
 
@@ -44,10 +43,6 @@ type OfferAnswer struct {
 	SessionID *ICESessionID
 }
 
-func (o *OfferAnswer) hasICECredentials() bool {
-	return o.IceCredentials.UFrag != "" && o.IceCredentials.Pwd != ""
-}
-
 type Handshaker struct {
 	mu            sync.Mutex
 	log           *log.Entry
@@ -64,10 +59,6 @@ type Handshaker struct {
 	relayListener *AsyncOfferListener
 	iceListener   func(remoteOfferAnswer *OfferAnswer)
 
-	// remoteICESupported tracks whether the remote peer includes ICE credentials in its offers/answers.
-	// When false, the local side skips ICE listener dispatch and suppresses ICE credentials in responses.
-	remoteICESupported atomic.Bool
-
 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
 	remoteOffersCh chan OfferAnswer
 	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
@@ -75,7 +66,7 @@ type Handshaker struct {
 }
 
 func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *WorkerICE, relay *WorkerRelay, metricsStages *MetricsStages) *Handshaker {
-	h := &Handshaker{
+	return &Handshaker{
 		log:            log,
 		config:         config,
 		signaler:       signaler,
@@ -85,13 +76,6 @@ func NewHandshaker(log *log.Entry, config ConnConfig, signaler *Signaler, ice *W
 		remoteOffersCh: make(chan OfferAnswer),
 		remoteAnswerCh: make(chan OfferAnswer),
 	}
-	// assume remote supports ICE until we learn otherwise from received offers
-	h.remoteICESupported.Store(ice != nil)
-	return h
-}
-
-func (h *Handshaker) RemoteICESupported() bool {
-	return h.remoteICESupported.Load()
 }
 
 func (h *Handshaker) AddRelayListener(offer func(remoteOfferAnswer *OfferAnswer)) {
@@ -106,20 +90,18 @@ func (h *Handshaker) Listen(ctx context.Context) {
 	for {
 		select {
 		case remoteOfferAnswer := <-h.remoteOffersCh:
-			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s, remote ICE supported: %t", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString(), remoteOfferAnswer.hasICECredentials())
+			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
 
 			// Record signaling received for reconnection attempts
 			if h.metricsStages != nil {
 				h.metricsStages.RecordSignalingReceived()
 			}
 
-			h.updateRemoteICEState(&remoteOfferAnswer)
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
 
-			if h.iceListener != nil && h.RemoteICESupported() {
+			if h.iceListener != nil {
 				h.iceListener(&remoteOfferAnswer)
 			}
 
@@ -128,20 +110,18 @@ func (h *Handshaker) Listen(ctx context.Context) {
 				continue
 			}
 		case remoteOfferAnswer := <-h.remoteAnswerCh:
-			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s, remote ICE supported: %t", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString(), remoteOfferAnswer.hasICECredentials())
+			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
 
 			// Record signaling received for reconnection attempts
 			if h.metricsStages != nil {
 				h.metricsStages.RecordSignalingReceived()
 			}
 
-			h.updateRemoteICEState(&remoteOfferAnswer)
-
 			if h.relayListener != nil {
 				h.relayListener.Notify(&remoteOfferAnswer)
 			}
 
-			if h.iceListener != nil && h.RemoteICESupported() {
+			if h.iceListener != nil {
 				h.iceListener(&remoteOfferAnswer)
 			}
 		case <-ctx.Done():
@@ -203,18 +183,15 @@ func (h *Handshaker) sendAnswer() error {
 }
 
 func (h *Handshaker) buildOfferAnswer() OfferAnswer {
+	uFrag, pwd := h.ice.GetLocalUserCredentials()
+	sid := h.ice.SessionID()
 	answer := OfferAnswer{
+		IceCredentials:  IceCredentials{uFrag, pwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
 		RosenpassAddr:   h.config.RosenpassConfig.Addr,
-	}
-
-	if h.ice != nil && h.RemoteICESupported() {
-		uFrag, pwd := h.ice.GetLocalUserCredentials()
-		sid := h.ice.SessionID()
-		answer.IceCredentials = IceCredentials{uFrag, pwd}
-		answer.SessionID = &sid
+		SessionID:       &sid,
 	}
 
 	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
@@ -223,18 +200,3 @@ func (h *Handshaker) buildOfferAnswer() OfferAnswer {
 
 	return answer
 }
-
-func (h *Handshaker) updateRemoteICEState(offer *OfferAnswer) {
-	hasICE := offer.hasICECredentials()
-	prev := h.remoteICESupported.Swap(hasICE)
-	if prev != hasICE {
-		if hasICE {
-			h.log.Infof("remote peer started sending ICE credentials")
-		} else {
-			h.log.Infof("remote peer stopped sending ICE credentials")
-			if h.ice != nil {
-				h.ice.Close()
-			}
-		}
-	}
-}

client/internal/peer/signaler.go

@@ -46,13 +46,9 @@ func (s *Signaler) Ready() bool {
 
 // SignalOfferAnswer signals either an offer or an answer to remote peer
 func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
-	var sessionIDBytes []byte
-	if offerAnswer.SessionID != nil {
-		var err error
-		sessionIDBytes, err = offerAnswer.SessionID.Bytes()
-		if err != nil {
-			log.Warnf("failed to get session ID bytes: %v", err)
-		}
+	sessionIDBytes, err := offerAnswer.SessionID.Bytes()
+	if err != nil {
+		log.Warnf("failed to get session ID bytes: %v", err)
 	}
 	msg, err := signal.MarshalCredential(
 		s.wgPrivateKey,

client/server/server_test.go

@@ -15,8 +15,6 @@ import (
 
 	"github.com/netbirdio/management-integrations/integrations"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
@@ -40,6 +38,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -306,7 +305,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	t.Cleanup(ctrl.Finish)
 
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
-	peersManager := peers.NewManager(store)
+	peersManager := peers.NewManager(store, permissionsManagerMock)
 	settingsManagerMock := settings.NewMockManager(ctrl)
 
 	jobManager := job.NewJobManager(nil, store, peersManager)

combined/config.yaml.example

@@ -119,8 +119,6 @@ server:
 
   # Reverse proxy settings (optional)
   # reverseProxy:
-  #   trustedHTTPProxies: []           # CIDRs of trusted reverse proxies (e.g. ["10.0.0.0/8"])
-  #   trustedHTTPProxiesCount: 0       # Number of trusted proxies in front of the server (alternative to trustedHTTPProxies)
-  #   trustedPeers: []                 # CIDRs of trusted peer networks (e.g. ["100.64.0.0/10"])
-  #   accessLogRetentionDays: 7        # Days to retain HTTP access logs. 0 (or unset) defaults to 7. Negative values disable cleanup (logs kept indefinitely).
-  #   accessLogCleanupIntervalHours: 24 # How often (in hours) to run the access-log cleanup job. 0 (or unset) is treated as "not set" and defaults to 24 hours; cleanup remains enabled. To disable cleanup, set accessLogRetentionDays to a negative value.
+  #   trustedHTTPProxies: []
+  #   trustedHTTPProxiesCount: 0
+  #   trustedPeers: []

flow/client/client_test.go

@@ -457,18 +457,6 @@ func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {
 
 	client, err := flow.NewClient("http://"+server.addr, "test-payload", "test-signature", 1*time.Second)
 	require.NoError(t, err)
-
-	// Cleanups run LIFO: the goroutine-drain registered here runs after Close below,
-	// which is when Receive has actually returned. Without this, the Receive goroutine
-	// can outlive the test and call t.Logf after teardown, panicking.
-	receiveDone := make(chan struct{})
-	t.Cleanup(func() {
-		select {
-		case <-receiveDone:
-		case <-time.After(2 * time.Second):
-			t.Error("Receive goroutine did not exit after Close")
-		}
-	})
 	t.Cleanup(func() {
 		err := client.Close()
 		assert.NoError(t, err, "failed to close flow")
@@ -480,7 +468,6 @@ func TestReceive_ProtocolErrorStreamReconnect(t *testing.T) {
 	receivedAfterReconnect := make(chan struct{})
 
 	go func() {
-		defer close(receiveDone)
 		err := client.Receive(ctx, 1*time.Second, func(msg *proto.FlowEventAck) error {
 			if msg.IsInitiator || len(msg.EventId) == 0 {
 				return nil

go.mod

@@ -71,7 +71,7 @@ require (
 	github.com/mdlayher/socket v0.5.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20260416163311-004852ffaf34
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/oapi-codegen/runtime v1.1.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
@@ -323,5 +323,3 @@ replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184
 replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
 
 replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0
-
-replace github.com/mailru/easyjson => github.com/netbirdio/easyjson v0.9.0

go.sum

@@ -400,6 +400,8 @@ github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tA
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
+github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
 github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
@@ -447,14 +449,12 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U=
 github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
-github.com/netbirdio/easyjson v0.9.0 h1:6Nw2lghSVuy8RSkAYDhDv1thBVEmfVbKZnV7T7Z6Aus=
-github.com/netbirdio/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260416163311-004852ffaf34 h1:g74mB64wnjCagzE1spKgPfTI/ont1SdSL3uX5bOecgM=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260416163311-004852ffaf34/go.mod h1:lCOq5d1i19AQjEEW2d7aNK0Nn0KC0MKyfMz/PLwVBFg=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42 h1:F3zS5fT9xzD1OFLfcdAE+3FfyiwjGukF1hvj0jErgs8=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42/go.mod h1:n47r67ZSPgwSmT/Z1o48JjZQW9YJ6m/6Bd/uAXkL3Pg=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=

infrastructure_files/getting-started.sh

@@ -472,7 +472,7 @@ start_services_and_show_instructions() {
       if [[ "$ENABLE_CROWDSEC" == "true" ]]; then
         echo "Registering CrowdSec bouncer..."
         local cs_retries=0
-        while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli lapi status >/dev/null 2>&1; do
+        while ! $DOCKER_COMPOSE_COMMAND exec -T crowdsec cscli capi status >/dev/null 2>&1; do
           cs_retries=$((cs_retries + 1))
           if [[ $cs_retries -ge 30 ]]; then
             echo "WARNING: CrowdSec did not become ready. Skipping CrowdSec setup." > /dev/stderr

management/internals/modules/peers/manager.go

@@ -16,6 +16,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
@@ -35,15 +38,17 @@ type Manager interface {
 
 type managerImpl struct {
 	store                   store.Store
+	permissionsManager      permissions.Manager
 	integratedPeerValidator integrated_validator.IntegratedValidator
 	accountManager          account.Manager
 
 	networkMapController network_map.Controller
 }
 
-func NewManager(store store.Store) Manager {
+func NewManager(store store.Store, permissionsManager permissions.Manager) Manager {
 	return &managerImpl{
-		store: store,
+		store:              store,
+		permissionsManager: permissionsManager,
 	}
 }
 
@@ -60,10 +65,28 @@ func (m *managerImpl) SetAccountManager(accountManager account.Manager) {
 }
 
 func (m *managerImpl) GetPeer(ctx context.Context, accountID, userID, peerID string) (*peer.Peer, error) {
+	allowed, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return m.store.GetPeerByID(ctx, store.LockingStrengthNone, accountID, peerID)
 }
 
 func (m *managerImpl) GetAllPeers(ctx context.Context, accountID, userID string) ([]*peer.Peer, error) {
+	allowed, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Read)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return m.store.GetUserPeers(ctx, store.LockingStrengthNone, accountID, userID)
+	}
+
 	return m.store.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
 }
 

management/internals/modules/reverseproxy/accesslogs/manager/api.go

@@ -5,11 +5,8 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
@@ -18,15 +15,21 @@ type handler struct {
 	manager accesslogs.Manager
 }
 
-func RegisterEndpoints(router *mux.Router, manager accesslogs.Manager, permissionsManager permissions.Manager) {
+func RegisterEndpoints(router *mux.Router, manager accesslogs.Manager) {
 	h := &handler{
 		manager: manager,
 	}
 
-	router.HandleFunc("/events/proxy", permissionsManager.WithPermission(modules.Services, operations.Read, h.getAccessLogs)).Methods("GET", "OPTIONS")
+	router.HandleFunc("/events/proxy", h.getAccessLogs).Methods("GET", "OPTIONS")
 }
 
-func (h *handler) getAccessLogs(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getAccessLogs(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	var filter accesslogs.AccessLogFilter
 	filter.ParseFromRequest(r)
 

management/internals/modules/reverseproxy/accesslogs/manager/manager.go

@@ -9,19 +9,25 @@ import (
 
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	"github.com/netbirdio/netbird/management/server/geolocation"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 type managerImpl struct {
-	store         store.Store
-	geo           geolocation.Geolocation
-	cleanupCancel context.CancelFunc
+	store              store.Store
+	permissionsManager permissions.Manager
+	geo                geolocation.Geolocation
+	cleanupCancel      context.CancelFunc
 }
 
-func NewManager(store store.Store, geo geolocation.Geolocation) accesslogs.Manager {
+func NewManager(store store.Store, permissionsManager permissions.Manager, geo geolocation.Geolocation) accesslogs.Manager {
 	return &managerImpl{
-		store: store,
-		geo:   geo,
+		store:              store,
+		permissionsManager: permissionsManager,
+		geo:                geo,
 	}
 }
 
@@ -57,6 +63,14 @@ func (m *managerImpl) SaveAccessLog(ctx context.Context, logEntry *accesslogs.Ac
 
 // GetAllAccessLogs retrieves access logs for an account with pagination and filtering
 func (m *managerImpl) GetAllAccessLogs(ctx context.Context, accountID, userID string, filter *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, 0, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, 0, status.NewPermissionDeniedError()
+	}
+
 	if err := m.resolveUserFilters(ctx, accountID, filter); err != nil {
 		log.WithContext(ctx).Warnf("failed to resolve user filters: %v", err)
 	}

management/internals/modules/reverseproxy/domain/manager/api.go

@@ -6,11 +6,8 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -20,15 +17,15 @@ type handler struct {
 	manager Manager
 }
 
-func RegisterEndpoints(router *mux.Router, manager Manager, permissionsManager permissions.Manager) {
+func RegisterEndpoints(router *mux.Router, manager Manager) {
 	h := &handler{
 		manager: manager,
 	}
 
-	router.HandleFunc("/domains", permissionsManager.WithPermission(modules.Services, operations.Read, h.getAllDomains)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/domains", permissionsManager.WithPermission(modules.Services, operations.Create, h.createCustomDomain)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/domains/{domainId}", permissionsManager.WithPermission(modules.Services, operations.Delete, h.deleteCustomDomain)).Methods("DELETE", "OPTIONS")
-	router.HandleFunc("/domains/{domainId}/validate", permissionsManager.WithPermission(modules.Services, operations.Create, h.triggerCustomDomainValidation)).Methods("GET", "OPTIONS") // TODO: this should be a POST
+	router.HandleFunc("/domains", h.getAllDomains).Methods("GET", "OPTIONS")
+	router.HandleFunc("/domains", h.createCustomDomain).Methods("POST", "OPTIONS")
+	router.HandleFunc("/domains/{domainId}", h.deleteCustomDomain).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/domains/{domainId}/validate", h.triggerCustomDomainValidation).Methods("GET", "OPTIONS")
 }
 
 func domainTypeToApi(t domain.Type) api.ReverseProxyDomainType {
@@ -59,7 +56,13 @@ func domainToApi(d *domain.Domain) api.ReverseProxyDomain {
 	return resp
 }
 
-func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -74,7 +77,13 @@ func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, ret)
 }
 
-func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	var req api.PostApiReverseProxiesDomainsJSONRequestBody
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
@@ -90,7 +99,13 @@ func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request, use
 	util.WriteJSONObject(r.Context(), w, domainToApi(domain))
 }
 
-func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	domainID := mux.Vars(r)["domainId"]
 	if domainID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "domain ID is required"), w)
@@ -105,7 +120,13 @@ func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request, use
 	w.WriteHeader(http.StatusNoContent)
 }
 
-func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	domainID := mux.Vars(r)["domainId"]
 	if domainID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "domain ID is required"), w)

management/internals/modules/reverseproxy/domain/manager/manager.go

@@ -11,7 +11,11 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 type store interface {
@@ -33,22 +37,32 @@ type proxyManager interface {
 }
 
 type Manager struct {
-	store          store
-	validator      domain.Validator
-	proxyManager   proxyManager
-	accountManager account.Manager
+	store              store
+	validator          domain.Validator
+	proxyManager       proxyManager
+	permissionsManager permissions.Manager
+	accountManager     account.Manager
 }
 
-func NewManager(store store, proxyMgr proxyManager, accountManager account.Manager) Manager {
+func NewManager(store store, proxyMgr proxyManager, permissionsManager permissions.Manager, accountManager account.Manager) Manager {
 	return Manager{
-		store:          store,
-		proxyManager:   proxyMgr,
-		validator:      domain.Validator{Resolver: net.DefaultResolver},
-		accountManager: accountManager,
+		store:              store,
+		proxyManager:       proxyMgr,
+		validator:          domain.Validator{Resolver: net.DefaultResolver},
+		permissionsManager: permissionsManager,
+		accountManager:     accountManager,
 	}
 }
 
 func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*domain.Domain, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	domains, err := m.store.ListCustomDomains(ctx, accountID)
 	if err != nil {
 		return nil, fmt.Errorf("list custom domains: %w", err)
@@ -104,6 +118,14 @@ func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*d
 }
 
 func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*domain.Domain, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	// Verify the target cluster is in the available clusters
 	allowList, err := m.proxyManager.GetActiveClusterAddresses(ctx)
 	if err != nil {
@@ -137,6 +159,14 @@ func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName
 }
 
 func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
 	d, err := m.store.GetCustomDomain(ctx, accountID, domainID)
 	if err != nil {
 		return fmt.Errorf("get domain from store: %w", err)
@@ -153,6 +183,21 @@ func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID s
 }
 
 func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID string) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+		}).WithError(err).Error("validate domain")
+		return
+	}
+	if !ok {
+		log.WithFields(log.Fields{
+			"accountID": accountID,
+			"domainID":  domainID,
+		}).WithError(err).Error("validate domain")
+	}
+
 	log.WithFields(log.Fields{
 		"accountID": accountID,
 		"domainID":  domainID,

management/internals/modules/reverseproxy/proxy/proxy.go

@@ -23,7 +23,7 @@ type Proxy struct {
 	LastSeen       time.Time `gorm:"not null;index:idx_proxy_last_seen"`
 	ConnectedAt    *time.Time
 	DisconnectedAt *time.Time
-	Status         string       `gorm:"type:varchar(20);not null;index:idx_proxy_cluster_status"`
+	Status         string `gorm:"type:varchar(20);not null;index:idx_proxy_cluster_status"`
 	Capabilities   Capabilities `gorm:"embedded"`
 	CreatedAt      time.Time
 	UpdatedAt      time.Time

management/internals/modules/reverseproxy/service/manager/api.go

@@ -6,14 +6,12 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
 	domainmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
 	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -32,19 +30,25 @@ func RegisterEndpoints(manager rpservice.Manager, domainManager domainmanager.Ma
 	}
 
 	domainRouter := router.PathPrefix("/reverse-proxies").Subrouter()
-	domainmanager.RegisterEndpoints(domainRouter, domainManager, permissionsManager)
+	domainmanager.RegisterEndpoints(domainRouter, domainManager)
 
-	accesslogsmanager.RegisterEndpoints(router, accessLogsManager, permissionsManager)
+	accesslogsmanager.RegisterEndpoints(router, accessLogsManager)
 
-	router.HandleFunc("/reverse-proxies/clusters", permissionsManager.WithPermission(modules.Services, operations.Read, h.getClusters)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services", permissionsManager.WithPermission(modules.Services, operations.Read, h.getAllServices)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services", permissionsManager.WithPermission(modules.Services, operations.Create, h.createService)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", permissionsManager.WithPermission(modules.Services, operations.Read, h.getService)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", permissionsManager.WithPermission(modules.Services, operations.Update, h.updateService)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", permissionsManager.WithPermission(modules.Services, operations.Delete, h.deleteService)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/clusters", h.getClusters).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services", h.getAllServices).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services", h.createService).Methods("POST", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
 }
 
-func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	allServices, err := h.manager.GetAllServices(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -59,7 +63,13 @@ func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request, userAut
 	util.WriteJSONObject(r.Context(), w, apiServices)
 }
 
-func (h *handler) createService(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createService(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	var req api.ServiceRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
@@ -67,13 +77,12 @@ func (h *handler) createService(w http.ResponseWriter, r *http.Request, userAuth
 	}
 
 	service := new(rpservice.Service)
-	var err error
 	if err = service.FromAPIRequest(&req, userAuth.AccountId); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
 
-	if err := service.Validate(); err != nil {
+	if err = service.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
@@ -87,7 +96,13 @@ func (h *handler) createService(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, createdService.ToAPIResponse())
 }
 
-func (h *handler) getService(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getService(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	serviceID := mux.Vars(r)["serviceId"]
 	if serviceID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
@@ -103,7 +118,13 @@ func (h *handler) getService(w http.ResponseWriter, r *http.Request, userAuth *a
 	util.WriteJSONObject(r.Context(), w, service.ToAPIResponse())
 }
 
-func (h *handler) updateService(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateService(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	serviceID := mux.Vars(r)["serviceId"]
 	if serviceID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
@@ -118,13 +139,12 @@ func (h *handler) updateService(w http.ResponseWriter, r *http.Request, userAuth
 
 	service := new(rpservice.Service)
 	service.ID = serviceID
-	var err error
 	if err = service.FromAPIRequest(&req, userAuth.AccountId); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
 
-	if err := service.Validate(); err != nil {
+	if err = service.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
@@ -138,7 +158,13 @@ func (h *handler) updateService(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, updatedService.ToAPIResponse())
 }
 
-func (h *handler) deleteService(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteService(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	serviceID := mux.Vars(r)["serviceId"]
 	if serviceID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "service ID is required"), w)
@@ -153,7 +179,13 @@ func (h *handler) deleteService(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }
 
-func (h *handler) getClusters(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getClusters(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	clusters, err := h.manager.GetActiveClusters(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)

management/internals/modules/reverseproxy/service/manager/l4_port_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 )
@@ -85,17 +86,18 @@ func setupL4Test(t *testing.T, customPortsSupported *bool) (*Manager, store.Stor
 	accountMgr := &mock_server.MockAccountManager{
 		StoreEventFunc:         func(_ context.Context, _, _, _ string, _ activity.ActivityDescriber, _ map[string]any) {},
 		UpdateAccountPeersFunc: func(_ context.Context, _ string) {},
-		GetGroupByNameFunc: func(ctx context.Context, groupName, accountID string) (*types.Group, error) {
+		GetGroupByNameFunc: func(ctx context.Context, groupName, accountID, userID string) (*types.Group, error) {
 			return testStore.GetGroupByName(ctx, store.LockingStrengthNone, accountID, groupName)
 		},
 	}
 
 	mgr := &Manager{
-		store:           testStore,
-		accountManager:  accountMgr,
-		proxyController: mockCtrl,
-		capabilities:    mockCaps,
-		clusterDeriver:  &testClusterDeriver{domains: []string{"test.netbird.io"}},
+		store:              testStore,
+		accountManager:     accountMgr,
+		permissionsManager: permissions.NewManager(testStore),
+		proxyController:    mockCtrl,
+		capabilities:       mockCaps,
+		clusterDeriver:     &testClusterDeriver{domains: []string{"test.netbird.io"}},
 	}
 	mgr.exposeReaper = &exposeReaper{manager: mgr}
 

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -21,6 +21,9 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/sessionkey"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
@@ -79,22 +82,24 @@ type CapabilityProvider interface {
 }
 
 type Manager struct {
-	store           store.Store
-	accountManager  account.Manager
-	proxyController proxy.Controller
-	capabilities    CapabilityProvider
-	clusterDeriver  ClusterDeriver
-	exposeReaper    *exposeReaper
+	store              store.Store
+	accountManager     account.Manager
+	permissionsManager permissions.Manager
+	proxyController    proxy.Controller
+	capabilities       CapabilityProvider
+	clusterDeriver     ClusterDeriver
+	exposeReaper       *exposeReaper
 }
 
 // NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, proxyController proxy.Controller, capabilities CapabilityProvider, clusterDeriver ClusterDeriver) *Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyController proxy.Controller, capabilities CapabilityProvider, clusterDeriver ClusterDeriver) *Manager {
 	mgr := &Manager{
-		store:           store,
-		accountManager:  accountManager,
-		proxyController: proxyController,
-		capabilities:    capabilities,
-		clusterDeriver:  clusterDeriver,
+		store:              store,
+		accountManager:     accountManager,
+		permissionsManager: permissionsManager,
+		proxyController:    proxyController,
+		capabilities:       capabilities,
+		clusterDeriver:     clusterDeriver,
 	}
 	mgr.exposeReaper = &exposeReaper{manager: mgr}
 	return mgr
@@ -107,10 +112,26 @@ func (m *Manager) StartExposeReaper(ctx context.Context) {
 
 // GetActiveClusters returns all active proxy clusters with their connected proxy count.
 func (m *Manager) GetActiveClusters(ctx context.Context, accountID, userID string) ([]proxy.Cluster, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return m.store.GetActiveProxyClusters(ctx)
 }
 
 func (m *Manager) GetAllServices(ctx context.Context, accountID, userID string) ([]*service.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	services, err := m.store.GetAccountServices(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get services: %w", err)
@@ -164,6 +185,14 @@ func (m *Manager) replaceHostByLookup(ctx context.Context, accountID string, s *
 }
 
 func (m *Manager) GetService(ctx context.Context, accountID, userID, serviceID string) (*service.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	service, err := m.store.GetServiceByID(ctx, store.LockingStrengthNone, accountID, serviceID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get service: %w", err)
@@ -177,6 +206,14 @@ func (m *Manager) GetService(ctx context.Context, accountID, userID, serviceID s
 }
 
 func (m *Manager) CreateService(ctx context.Context, accountID, userID string, s *service.Service) (*service.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	if err := m.initializeServiceForCreate(ctx, accountID, s); err != nil {
 		return nil, err
 	}
@@ -187,7 +224,7 @@ func (m *Manager) CreateService(ctx context.Context, accountID, userID string, s
 
 	m.accountManager.StoreEvent(ctx, userID, s.ID, accountID, activity.ServiceCreated, s.EventMeta())
 
-	err := m.replaceHostByLookup(ctx, accountID, s)
+	err = m.replaceHostByLookup(ctx, accountID, s)
 	if err != nil {
 		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", s.ID, err)
 	}
@@ -454,6 +491,14 @@ func (m *Manager) checkDomainAvailable(ctx context.Context, transaction store.St
 }
 
 func (m *Manager) UpdateService(ctx context.Context, accountID, userID string, service *service.Service) (*service.Service, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	if err := service.Auth.HashSecrets(); err != nil {
 		return nil, fmt.Errorf("hash secrets: %w", err)
 	}
@@ -740,8 +785,16 @@ func validateResourceTargetType(target *service.Target, resource *resourcetypes.
 }
 
 func (m *Manager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
 	var s *service.Service
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var err error
 		s, err = transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, serviceID)
 		if err != nil {
@@ -772,8 +825,16 @@ func (m *Manager) DeleteService(ctx context.Context, accountID, userID, serviceI
 }
 
 func (m *Manager) DeleteAllServices(ctx context.Context, accountID, userID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
 	var services []*service.Service
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var err error
 		services, err = transaction.GetAccountServices(ctx, store.LockingStrengthUpdate, accountID)
 		if err != nil {
@@ -1058,7 +1119,7 @@ func (m *Manager) getGroupIDsFromNames(ctx context.Context, accountID string, gr
 	}
 	groupIDs := make([]string, 0, len(groupNames))
 	for _, groupName := range groupNames {
-		g, err := m.accountManager.GetGroupByName(ctx, groupName, accountID)
+		g, err := m.accountManager.GetGroupByName(ctx, groupName, accountID, activity.SystemInitiator)
 		if err != nil {
 			return nil, fmt.Errorf("failed to get group by name %s: %w", groupName, err)
 		}

management/internals/modules/reverseproxy/service/manager/manager_test.go

@@ -23,6 +23,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	resourcetypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -697,10 +700,12 @@ func setupIntegrationTest(t *testing.T) (*Manager, store.Store) {
 	err = testStore.AddPeerToGroup(ctx, testAccountID, testPeerID, testGroupID)
 	require.NoError(t, err)
 
+	permsMgr := permissions.NewManager(testStore)
+
 	accountMgr := &mock_server.MockAccountManager{
 		StoreEventFunc:         func(_ context.Context, _, _, _ string, _ activity.ActivityDescriber, _ map[string]any) {},
 		UpdateAccountPeersFunc: func(_ context.Context, _ string) {},
-		GetGroupByNameFunc: func(ctx context.Context, groupName, accountID string) (*types.Group, error) {
+		GetGroupByNameFunc: func(ctx context.Context, groupName, accountID, userID string) (*types.Group, error) {
 			return testStore.GetGroupByName(ctx, store.LockingStrengthNone, accountID, groupName)
 		},
 	}
@@ -713,9 +718,10 @@ func setupIntegrationTest(t *testing.T) (*Manager, store.Store) {
 	require.NoError(t, err)
 
 	mgr := &Manager{
-		store:           testStore,
-		accountManager:  accountMgr,
-		proxyController: proxyController,
+		store:              testStore,
+		accountManager:     accountMgr,
+		permissionsManager: permsMgr,
+		proxyController:    proxyController,
 		clusterDeriver: &testClusterDeriver{
 			domains: []string{"test.netbird.io"},
 		},
@@ -1124,6 +1130,7 @@ func TestDeleteService_DeletesTargets(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
+	mockPerms := permissions.NewMockManager(ctrl)
 	mockAcct := account.NewMockManager(ctrl)
 
 	tokenStore := nbgrpc.NewOneTimeTokenStore(ctx, testCacheStore(t))
@@ -1134,9 +1141,10 @@ func TestDeleteService_DeletesTargets(t *testing.T) {
 	require.NoError(t, err)
 
 	mgr := &Manager{
-		store:           sqlStore,
-		accountManager:  mockAcct,
-		proxyController: proxyController,
+		store:              sqlStore,
+		permissionsManager: mockPerms,
+		accountManager:     mockAcct,
+		proxyController:    proxyController,
 	}
 
 	service := &rpservice.Service{
@@ -1159,6 +1167,9 @@ func TestDeleteService_DeletesTargets(t *testing.T) {
 	require.NoError(t, err)
 	require.Len(t, retrievedService.Targets, 3, "Service should have 3 targets before deletion")
 
+	mockPerms.EXPECT().
+		ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete).
+		Return(true, nil)
 	mockAcct.EXPECT().
 		StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceDeleted, gomock.Any())
 	mockAcct.EXPECT().

management/internals/modules/zones/manager/api.go

@@ -6,11 +6,8 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -20,19 +17,25 @@ type handler struct {
 	manager zones.Manager
 }
 
-func RegisterEndpoints(router *mux.Router, manager zones.Manager, permissionsManager permissions.Manager) {
+func RegisterEndpoints(router *mux.Router, manager zones.Manager) {
 	h := &handler{
 		manager: manager,
 	}
 
-	router.HandleFunc("/dns/zones", permissionsManager.WithPermission(modules.Dns, operations.Read, h.getAllZones)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/zones", permissionsManager.WithPermission(modules.Dns, operations.Create, h.createZone)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}", permissionsManager.WithPermission(modules.Dns, operations.Read, h.getZone)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}", permissionsManager.WithPermission(modules.Dns, operations.Update, h.updateZone)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}", permissionsManager.WithPermission(modules.Dns, operations.Delete, h.deleteZone)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/dns/zones", h.getAllZones).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/zones", h.createZone).Methods("POST", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}", h.getZone).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}", h.updateZone).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}", h.deleteZone).Methods("DELETE", "OPTIONS")
 }
 
-func (h *handler) getAllZones(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getAllZones(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	allZones, err := h.manager.GetAllZones(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -47,7 +50,13 @@ func (h *handler) getAllZones(w http.ResponseWriter, r *http.Request, userAuth *
 	util.WriteJSONObject(r.Context(), w, apiZones)
 }
 
-func (h *handler) createZone(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createZone(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	var req api.PostApiDnsZonesJSONRequestBody
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
@@ -57,7 +66,7 @@ func (h *handler) createZone(w http.ResponseWriter, r *http.Request, userAuth *a
 	zone := new(zones.Zone)
 	zone.FromAPIRequest(&req)
 
-	if err := zone.Validate(); err != nil {
+	if err = zone.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
@@ -71,7 +80,13 @@ func (h *handler) createZone(w http.ResponseWriter, r *http.Request, userAuth *a
 	util.WriteJSONObject(r.Context(), w, createdZone.ToAPIResponse())
 }
 
-func (h *handler) getZone(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getZone(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -87,7 +102,13 @@ func (h *handler) getZone(w http.ResponseWriter, r *http.Request, userAuth *auth
 	util.WriteJSONObject(r.Context(), w, zone.ToAPIResponse())
 }
 
-func (h *handler) updateZone(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateZone(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -95,7 +116,7 @@ func (h *handler) updateZone(w http.ResponseWriter, r *http.Request, userAuth *a
 	}
 
 	var req api.PutApiDnsZonesZoneIdJSONRequestBody
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
 	}
@@ -104,7 +125,7 @@ func (h *handler) updateZone(w http.ResponseWriter, r *http.Request, userAuth *a
 	zone.FromAPIRequest(&req)
 	zone.ID = zoneID
 
-	if err := zone.Validate(); err != nil {
+	if err = zone.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
@@ -118,14 +139,20 @@ func (h *handler) updateZone(w http.ResponseWriter, r *http.Request, userAuth *a
 	util.WriteJSONObject(r.Context(), w, updatedZone.ToAPIResponse())
 }
 
-func (h *handler) deleteZone(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteZone(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
 		return
 	}
 
-	if err := h.manager.DeleteZone(r.Context(), userAuth.AccountId, userAuth.UserId, zoneID); err != nil {
+	if err = h.manager.DeleteZone(r.Context(), userAuth.AccountId, userAuth.UserId, zoneID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}

management/internals/modules/zones/manager/manager.go

@@ -7,34 +7,62 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 type managerImpl struct {
-	store          store.Store
-	accountManager account.Manager
-	dnsDomain      string
+	store              store.Store
+	accountManager     account.Manager
+	permissionsManager permissions.Manager
+	dnsDomain          string
 }
 
-func NewManager(store store.Store, accountManager account.Manager, dnsDomain string) zones.Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, dnsDomain string) zones.Manager {
 	return &managerImpl{
-		store:          store,
-		accountManager: accountManager,
-		dnsDomain:      dnsDomain,
+		store:              store,
+		accountManager:     accountManager,
+		permissionsManager: permissionsManager,
+		dnsDomain:          dnsDomain,
 	}
 }
 
 func (m *managerImpl) GetAllZones(ctx context.Context, accountID, userID string) ([]*zones.Zone, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return m.store.GetAccountZones(ctx, store.LockingStrengthNone, accountID)
 }
 
 func (m *managerImpl) GetZone(ctx context.Context, accountID, userID, zoneID string) (*zones.Zone, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return m.store.GetZoneByID(ctx, store.LockingStrengthNone, accountID, zoneID)
 }
 
 func (m *managerImpl) CreateZone(ctx context.Context, accountID, userID string, zone *zones.Zone) (*zones.Zone, error) {
-	var err error
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	if err = m.validateZoneDomainConflict(ctx, accountID, zone.Domain); err != nil {
 		return nil, err
 	}
@@ -74,6 +102,14 @@ func (m *managerImpl) CreateZone(ctx context.Context, accountID, userID string,
 }
 
 func (m *managerImpl) UpdateZone(ctx context.Context, accountID, userID string, updatedZone *zones.Zone) (*zones.Zone, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	zone, err := m.store.GetZoneByID(ctx, store.LockingStrengthUpdate, accountID, updatedZone.ID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get zone: %w", err)
@@ -114,6 +150,14 @@ func (m *managerImpl) UpdateZone(ctx context.Context, accountID, userID string,
 }
 
 func (m *managerImpl) DeleteZone(ctx context.Context, accountID, userID, zoneID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
 	zone, err := m.store.GetZoneByID(ctx, store.LockingStrengthUpdate, accountID, zoneID)
 	if err != nil {
 		return fmt.Errorf("failed to get zone: %w", err)

management/internals/modules/zones/manager/manager_test.go

@@ -13,6 +13,9 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -26,7 +29,7 @@ const (
 	testDNSDomain = "netbird.selfhosted"
 )
 
-func setupTest(t *testing.T) (*managerImpl, store.Store, *mock_server.MockAccountManager, *gomock.Controller, func()) {
+func setupTest(t *testing.T) (*managerImpl, store.Store, *mock_server.MockAccountManager, *permissions.MockManager, *gomock.Controller, func()) {
 	t.Helper()
 
 	ctx := context.Background()
@@ -46,17 +49,23 @@ func setupTest(t *testing.T) (*managerImpl, store.Store, *mock_server.MockAccoun
 
 	ctrl := gomock.NewController(t)
 	mockAccountManager := &mock_server.MockAccountManager{}
+	mockPermissionsManager := permissions.NewMockManager(ctrl)
 
-	manager := NewManager(testStore, mockAccountManager, testDNSDomain).(*managerImpl)
+	manager := &managerImpl{
+		store:              testStore,
+		accountManager:     mockAccountManager,
+		permissionsManager: mockPermissionsManager,
+		dnsDomain:          testDNSDomain,
+	}
 
-	return manager, testStore, mockAccountManager, ctrl, cleanup
+	return manager, testStore, mockAccountManager, mockPermissionsManager, ctrl, cleanup
 }
 
 func TestManagerImpl_GetAllZones(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -68,6 +77,10 @@ func TestManagerImpl_GetAllZones(t *testing.T) {
 		err = testStore.CreateZone(ctx, zone2)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(true, nil)
+
 		result, err := manager.GetAllZones(ctx, testAccountID, testUserID)
 		require.NoError(t, err)
 		assert.Len(t, result, 2)
@@ -75,13 +88,43 @@ func TestManagerImpl_GetAllZones(t *testing.T) {
 		assert.Equal(t, zone2.ID, result[1].ID)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(false, nil)
+
+		result, err := manager.GetAllZones(ctx, testAccountID, testUserID)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
+	t.Run("permission validation error", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(false, status.Errorf(status.Internal, "permission check failed"))
+
+		result, err := manager.GetAllZones(ctx, testAccountID, testUserID)
+		require.Error(t, err)
+		assert.Nil(t, result)
+	})
 }
 
 func TestManagerImpl_GetZone(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -89,6 +132,10 @@ func TestManagerImpl_GetZone(t *testing.T) {
 		err := testStore.CreateZone(ctx, zone)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(true, nil)
+
 		result, err := manager.GetZone(ctx, testAccountID, testUserID, zone.ID)
 		require.NoError(t, err)
 		assert.Equal(t, zone.ID, result.ID)
@@ -96,13 +143,29 @@ func TestManagerImpl_GetZone(t *testing.T) {
 		assert.Equal(t, zone.Domain, result.Domain)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(false, nil)
+
+		result, err := manager.GetZone(ctx, testAccountID, testUserID, testZoneID)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
 }
 
 func TestManagerImpl_CreateZone(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, _, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, _, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -114,6 +177,10 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 			DistributionGroups: []string{testGroupID},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
 			assert.Equal(t, testAccountID, accountID)
@@ -132,8 +199,31 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 		assert.Equal(t, inputZone.DistributionGroups, result.DistributionGroups)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		inputZone := &zones.Zone{
+			Name:               "New Zone",
+			Domain:             "new.example.com",
+			DistributionGroups: []string{testGroupID},
+		}
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(false, nil)
+
+		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
 	t.Run("invalid group", func(t *testing.T) {
-		manager, _, _, ctrl, cleanup := setupTest(t)
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -143,13 +233,17 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 			DistributionGroups: []string{"invalid-group"},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
 		assert.Nil(t, result)
 	})
 
 	t.Run("duplicate domain", func(t *testing.T) {
-		manager, testStore, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -165,6 +259,10 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 			DistributionGroups: []string{testGroupID},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -175,7 +273,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 	})
 
 	t.Run("peer DNS domain conflict", func(t *testing.T) {
-		manager, testStore, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -193,6 +291,10 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 			DistributionGroups: []string{testGroupID},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -203,7 +305,7 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 	})
 
 	t.Run("default DNS domain conflict", func(t *testing.T) {
-		manager, _, _, ctrl, cleanup := setupTest(t)
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -215,6 +317,10 @@ func TestManagerImpl_CreateZone(t *testing.T) {
 			DistributionGroups: []string{testGroupID},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateZone(ctx, testAccountID, testUserID, inputZone)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -229,7 +335,7 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, testStore, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -246,6 +352,10 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 			DistributionGroups: []string{testGroupID},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			storeEventCalled = true
@@ -265,7 +375,7 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 	})
 
 	t.Run("domain change not allowed", func(t *testing.T) {
-		manager, testStore, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -282,6 +392,10 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 			DistributionGroups: []string{testGroupID},
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		result, err := manager.UpdateZone(ctx, testAccountID, testUserID, updatedZone)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -291,8 +405,31 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 		assert.Equal(t, status.InvalidArgument, s.Type())
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		updatedZone := &zones.Zone{
+			ID:     testZoneID,
+			Name:   "Updated Name",
+			Domain: "example.com",
+		}
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(false, nil)
+
+		result, err := manager.UpdateZone(ctx, testAccountID, testUserID, updatedZone)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
 	t.Run("zone not found", func(t *testing.T) {
-		manager, _, _, ctrl, cleanup := setupTest(t)
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -302,6 +439,10 @@ func TestManagerImpl_UpdateZone(t *testing.T) {
 			Domain: "example.com",
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		result, err := manager.UpdateZone(ctx, testAccountID, testUserID, updatedZone)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -312,7 +453,7 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success with records", func(t *testing.T) {
-		manager, testStore, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, testStore, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -328,6 +469,10 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 		err = testStore.CreateDNSRecord(ctx, record2)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(true, nil)
+
 		storeEventCallCount := 0
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			storeEventCallCount++
@@ -348,7 +493,7 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 	})
 
 	t.Run("success without records", func(t *testing.T) {
-		manager, testStore, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, testStore, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -356,6 +501,10 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 		err := testStore.CreateZone(ctx, zone)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(true, nil)
+
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			storeEventCalled = true
@@ -373,11 +522,31 @@ func TestManagerImpl_DeleteZone(t *testing.T) {
 		require.Error(t, err)
 	})
 
-	t.Run("zone not found", func(t *testing.T) {
-		manager, _, _, ctrl, cleanup := setupTest(t)
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(false, nil)
+
+		err := manager.DeleteZone(ctx, testAccountID, testUserID, testZoneID)
+		require.Error(t, err)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
+	t.Run("zone not found", func(t *testing.T) {
+		manager, _, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(true, nil)
+
 		err := manager.DeleteZone(ctx, testAccountID, testUserID, "non-existent-zone")
 		require.Error(t, err)
 	})

management/internals/modules/zones/records/manager/api.go

@@ -6,11 +6,8 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -20,19 +17,25 @@ type handler struct {
 	manager records.Manager
 }
 
-func RegisterEndpoints(router *mux.Router, manager records.Manager, permissionsManager permissions.Manager) {
+func RegisterEndpoints(router *mux.Router, manager records.Manager) {
 	h := &handler{
 		manager: manager,
 	}
 
-	router.HandleFunc("/dns/zones/{zoneId}/records", permissionsManager.WithPermission(modules.Dns, operations.Read, h.getAllRecords)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}/records", permissionsManager.WithPermission(modules.Dns, operations.Create, h.createRecord)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}/records/{recordId}", permissionsManager.WithPermission(modules.Dns, operations.Read, h.getRecord)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}/records/{recordId}", permissionsManager.WithPermission(modules.Dns, operations.Update, h.updateRecord)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/dns/zones/{zoneId}/records/{recordId}", permissionsManager.WithPermission(modules.Dns, operations.Delete, h.deleteRecord)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}/records", h.getAllRecords).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}/records", h.createRecord).Methods("POST", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}/records/{recordId}", h.getRecord).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}/records/{recordId}", h.updateRecord).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/dns/zones/{zoneId}/records/{recordId}", h.deleteRecord).Methods("DELETE", "OPTIONS")
 }
 
-func (h *handler) getAllRecords(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getAllRecords(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -53,7 +56,13 @@ func (h *handler) getAllRecords(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, apiRecords)
 }
 
-func (h *handler) createRecord(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createRecord(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -69,7 +78,7 @@ func (h *handler) createRecord(w http.ResponseWriter, r *http.Request, userAuth
 	record := new(records.Record)
 	record.FromAPIRequest(&req)
 
-	if err := record.Validate(); err != nil {
+	if err = record.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
@@ -83,7 +92,13 @@ func (h *handler) createRecord(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, createdRecord.ToAPIResponse())
 }
 
-func (h *handler) getRecord(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getRecord(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -105,7 +120,13 @@ func (h *handler) getRecord(w http.ResponseWriter, r *http.Request, userAuth *au
 	util.WriteJSONObject(r.Context(), w, record.ToAPIResponse())
 }
 
-func (h *handler) updateRecord(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateRecord(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -119,7 +140,7 @@ func (h *handler) updateRecord(w http.ResponseWriter, r *http.Request, userAuth
 	}
 
 	var req api.PutApiDnsZonesZoneIdRecordsRecordIdJSONRequestBody
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+	if err = json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
 	}
@@ -128,7 +149,7 @@ func (h *handler) updateRecord(w http.ResponseWriter, r *http.Request, userAuth
 	record.FromAPIRequest(&req)
 	record.ID = recordID
 
-	if err := record.Validate(); err != nil {
+	if err = record.Validate(); err != nil {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "%s", err.Error()), w)
 		return
 	}
@@ -142,7 +163,13 @@ func (h *handler) updateRecord(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, updatedRecord.ToAPIResponse())
 }
 
-func (h *handler) deleteRecord(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteRecord(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	zoneID := mux.Vars(r)["zoneId"]
 	if zoneID == "" {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "zone ID is required"), w)
@@ -155,7 +182,7 @@ func (h *handler) deleteRecord(w http.ResponseWriter, r *http.Request, userAuth
 		return
 	}
 
-	if err := h.manager.DeleteRecord(r.Context(), userAuth.AccountId, userAuth.UserId, zoneID, recordID); err != nil {
+	if err = h.manager.DeleteRecord(r.Context(), userAuth.AccountId, userAuth.UserId, zoneID, recordID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}

management/internals/modules/zones/records/manager/manager.go

@@ -9,36 +9,64 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 type managerImpl struct {
-	store          store.Store
-	accountManager account.Manager
+	store              store.Store
+	accountManager     account.Manager
+	permissionsManager permissions.Manager
 }
 
-func NewManager(store store.Store, accountManager account.Manager) records.Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager) records.Manager {
 	return &managerImpl{
-		store:          store,
-		accountManager: accountManager,
+		store:              store,
+		accountManager:     accountManager,
+		permissionsManager: permissionsManager,
 	}
 }
 
 func (m *managerImpl) GetAllRecords(ctx context.Context, accountID, userID, zoneID string) ([]*records.Record, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return m.store.GetZoneDNSRecords(ctx, store.LockingStrengthNone, accountID, zoneID)
 }
 
 func (m *managerImpl) GetRecord(ctx context.Context, accountID, userID, zoneID, recordID string) (*records.Record, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return m.store.GetDNSRecordByID(ctx, store.LockingStrengthNone, accountID, zoneID, recordID)
 }
 
 func (m *managerImpl) CreateRecord(ctx context.Context, accountID, userID, zoneID string, record *records.Record) (*records.Record, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Create)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	var zone *zones.Zone
 
 	record = records.NewRecord(accountID, zoneID, record.Name, record.Type, record.Content, record.TTL)
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		zone, err = transaction.GetZoneByID(ctx, store.LockingStrengthUpdate, accountID, zoneID)
 		if err != nil {
 			return fmt.Errorf("failed to get zone: %w", err)
@@ -73,11 +101,18 @@ func (m *managerImpl) CreateRecord(ctx context.Context, accountID, userID, zoneI
 }
 
 func (m *managerImpl) UpdateRecord(ctx context.Context, accountID, userID, zoneID string, updatedRecord *records.Record) (*records.Record, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	var zone *zones.Zone
 	var record *records.Record
 
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		zone, err = transaction.GetZoneByID(ctx, store.LockingStrengthUpdate, accountID, zoneID)
 		if err != nil {
 			return fmt.Errorf("failed to get zone: %w", err)
@@ -125,11 +160,18 @@ func (m *managerImpl) UpdateRecord(ctx context.Context, accountID, userID, zoneI
 }
 
 func (m *managerImpl) DeleteRecord(ctx context.Context, accountID, userID, zoneID, recordID string) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !ok {
+		return status.NewPermissionDeniedError()
+	}
+
 	var record *records.Record
 	var zone *zones.Zone
 
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		zone, err = transaction.GetZoneByID(ctx, store.LockingStrengthUpdate, accountID, zoneID)
 		if err != nil {
 			return fmt.Errorf("failed to get zone: %w", err)

management/internals/modules/zones/records/manager/manager_test.go

@@ -12,8 +12,12 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/zones/records"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 const (
@@ -23,7 +27,7 @@ const (
 	testGroupID   = "test-group-id"
 )
 
-func setupTest(t *testing.T) (*managerImpl, store.Store, *zones.Zone, *mock_server.MockAccountManager, *gomock.Controller, func()) {
+func setupTest(t *testing.T) (*managerImpl, store.Store, *zones.Zone, *mock_server.MockAccountManager, *permissions.MockManager, *gomock.Controller, func()) {
 	t.Helper()
 
 	ctx := context.Background()
@@ -47,17 +51,22 @@ func setupTest(t *testing.T) (*managerImpl, store.Store, *zones.Zone, *mock_serv
 
 	ctrl := gomock.NewController(t)
 	mockAccountManager := &mock_server.MockAccountManager{}
+	mockPermissionsManager := permissions.NewMockManager(ctrl)
 
-	manager := NewManager(testStore, mockAccountManager).(*managerImpl)
+	manager := &managerImpl{
+		store:              testStore,
+		accountManager:     mockAccountManager,
+		permissionsManager: mockPermissionsManager,
+	}
 
-	return manager, testStore, zone, mockAccountManager, ctrl, cleanup
+	return manager, testStore, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup
 }
 
 func TestManagerImpl_GetAllRecords(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, zone, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -69,6 +78,10 @@ func TestManagerImpl_GetAllRecords(t *testing.T) {
 		err = testStore.CreateDNSRecord(ctx, record2)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(true, nil)
+
 		result, err := manager.GetAllRecords(ctx, testAccountID, testUserID, zone.ID)
 		require.NoError(t, err)
 		assert.Len(t, result, 2)
@@ -76,13 +89,43 @@ func TestManagerImpl_GetAllRecords(t *testing.T) {
 		assert.Equal(t, record2.ID, result[1].ID)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(false, nil)
+
+		result, err := manager.GetAllRecords(ctx, testAccountID, testUserID, zone.ID)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
+	t.Run("permission validation error", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(false, status.Errorf(status.Internal, "permission check failed"))
+
+		result, err := manager.GetAllRecords(ctx, testAccountID, testUserID, zone.ID)
+		require.Error(t, err)
+		assert.Nil(t, result)
+	})
 }
 
 func TestManagerImpl_GetRecord(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, zone, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -90,6 +133,10 @@ func TestManagerImpl_GetRecord(t *testing.T) {
 		err := testStore.CreateDNSRecord(ctx, record)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(true, nil)
+
 		result, err := manager.GetRecord(ctx, testAccountID, testUserID, zone.ID, record.ID)
 		require.NoError(t, err)
 		assert.Equal(t, record.ID, result.ID)
@@ -99,13 +146,29 @@ func TestManagerImpl_GetRecord(t *testing.T) {
 		assert.Equal(t, record.TTL, result.TTL)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Read).
+			Return(false, nil)
+
+		result, err := manager.GetRecord(ctx, testAccountID, testUserID, zone.ID, testRecordID)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
 }
 
 func TestManagerImpl_CreateRecord(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success - A record", func(t *testing.T) {
-		manager, _, zone, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, _, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -116,6 +179,10 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 			TTL:     300,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
 			assert.Equal(t, testAccountID, accountID)
@@ -135,7 +202,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 	})
 
 	t.Run("success - AAAA record", func(t *testing.T) {
-		manager, _, zone, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, _, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -146,6 +213,10 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 			TTL:     600,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
 			assert.Equal(t, testAccountID, accountID)
@@ -160,7 +231,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 	})
 
 	t.Run("success - CNAME record", func(t *testing.T) {
-		manager, _, zone, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, _, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -171,6 +242,10 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 			TTL:     300,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			assert.Equal(t, testUserID, initiatorID)
 			assert.Equal(t, testAccountID, accountID)
@@ -184,8 +259,32 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 		assert.Equal(t, inputRecord.Content, result.Content)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		inputRecord := &records.Record{
+			Name:    "api.example.com",
+			Type:    records.RecordTypeA,
+			Content: "192.168.1.1",
+			TTL:     300,
+		}
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(false, nil)
+
+		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
 	t.Run("record name not in zone", func(t *testing.T) {
-		manager, _, zone, _, ctrl, cleanup := setupTest(t)
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -196,6 +295,10 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 			TTL:     300,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -203,7 +306,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 	})
 
 	t.Run("duplicate record", func(t *testing.T) {
-		manager, testStore, zone, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -218,6 +321,10 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 			TTL:     300,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -225,7 +332,7 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 	})
 
 	t.Run("CNAME conflict with existing A record", func(t *testing.T) {
-		manager, testStore, zone, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -240,6 +347,10 @@ func TestManagerImpl_CreateRecord(t *testing.T) {
 			TTL:     300,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Create).
+			Return(true, nil)
+
 		result, err := manager.CreateRecord(ctx, testAccountID, testUserID, zone.ID, inputRecord)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -251,7 +362,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, zone, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -267,6 +378,10 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 			TTL:     600,             // Changed TTL
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			storeEventCalled = true
@@ -285,7 +400,7 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 	})
 
 	t.Run("update only TTL - no validation", func(t *testing.T) {
-		manager, testStore, zone, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -301,6 +416,10 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 			TTL:     600, // Only TTL changed
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			// Event should be stored
 		}
@@ -311,8 +430,33 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 		assert.Equal(t, 600, result.TTL)
 	})
 
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		updatedRecord := &records.Record{
+			ID:      testRecordID,
+			Name:    "api.example.com",
+			Type:    records.RecordTypeA,
+			Content: "192.168.1.100",
+			TTL:     600,
+		}
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(false, nil)
+
+		result, err := manager.UpdateRecord(ctx, testAccountID, testUserID, zone.ID, updatedRecord)
+		require.Error(t, err)
+		assert.Nil(t, result)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
 	t.Run("record not found", func(t *testing.T) {
-		manager, _, zone, _, ctrl, cleanup := setupTest(t)
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -324,13 +468,17 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 			TTL:     600,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		result, err := manager.UpdateRecord(ctx, testAccountID, testUserID, zone.ID, updatedRecord)
 		require.Error(t, err)
 		assert.Nil(t, result)
 	})
 
 	t.Run("update creates duplicate", func(t *testing.T) {
-		manager, testStore, zone, _, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -350,6 +498,10 @@ func TestManagerImpl_UpdateRecord(t *testing.T) {
 			TTL:     300,
 		}
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Update).
+			Return(true, nil)
+
 		result, err := manager.UpdateRecord(ctx, testAccountID, testUserID, zone.ID, updatedRecord)
 		require.Error(t, err)
 		assert.Nil(t, result)
@@ -361,7 +513,7 @@ func TestManagerImpl_DeleteRecord(t *testing.T) {
 	ctx := context.Background()
 
 	t.Run("success", func(t *testing.T) {
-		manager, testStore, zone, mockAccountManager, ctrl, cleanup := setupTest(t)
+		manager, testStore, zone, mockAccountManager, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
@@ -369,6 +521,10 @@ func TestManagerImpl_DeleteRecord(t *testing.T) {
 		err := testStore.CreateDNSRecord(ctx, record)
 		require.NoError(t, err)
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(true, nil)
+
 		storeEventCalled := false
 		mockAccountManager.StoreEventFunc = func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 			storeEventCalled = true
@@ -386,11 +542,31 @@ func TestManagerImpl_DeleteRecord(t *testing.T) {
 		require.Error(t, err)
 	})
 
-	t.Run("record not found", func(t *testing.T) {
-		manager, _, zone, _, ctrl, cleanup := setupTest(t)
+	t.Run("permission denied", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
 		defer cleanup()
 		defer ctrl.Finish()
 
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(false, nil)
+
+		err := manager.DeleteRecord(ctx, testAccountID, testUserID, zone.ID, testRecordID)
+		require.Error(t, err)
+		s, ok := status.FromError(err)
+		assert.True(t, ok)
+		assert.Equal(t, status.PermissionDenied, s.Type())
+	})
+
+	t.Run("record not found", func(t *testing.T) {
+		manager, _, zone, _, mockPermissionsManager, ctrl, cleanup := setupTest(t)
+		defer cleanup()
+		defer ctrl.Finish()
+
+		mockPermissionsManager.EXPECT().
+			ValidateUserPermissions(ctx, testAccountID, testUserID, modules.Dns, operations.Delete).
+			Return(true, nil)
+
 		err := manager.DeleteRecord(ctx, testAccountID, testUserID, zone.ID, "non-existent-record")
 		require.Error(t, err)
 	})

management/internals/server/boot.go

@@ -30,7 +30,6 @@ import (
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	nbContext "github.com/netbirdio/netbird/management/server/context"
 	nbhttp "github.com/netbirdio/netbird/management/server/http"
-	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
@@ -110,7 +109,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies, s.RateLimiter())
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ServiceManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies)
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}
@@ -118,15 +117,6 @@ func (s *BaseServer) APIHandler() http.Handler {
 	})
 }
 
-func (s *BaseServer) RateLimiter() *middleware.APIRateLimiter {
-	return Create(s, func() *middleware.APIRateLimiter {
-		cfg, enabled := middleware.RateLimiterConfigFromEnv()
-		limiter := middleware.NewAPIRateLimiter(cfg)
-		limiter.SetEnabled(enabled)
-		return limiter
-	})
-}
-
 func (s *BaseServer) GRPCServer() *grpc.Server {
 	return Create(s, func() *grpc.Server {
 		trustedPeers := s.Config.ReverseProxy.TrustedPeers
@@ -233,7 +223,7 @@ func (s *BaseServer) PKCEVerifierStore() *nbgrpc.PKCEVerifierStore {
 
 func (s *BaseServer) AccessLogsManager() accesslogs.Manager {
 	return Create(s, func() accesslogs.Manager {
-		accessLogManager := accesslogsmanager.NewManager(s.Store(), s.GeoLocationManager())
+		accessLogManager := accesslogsmanager.NewManager(s.Store(), s.PermissionsManager(), s.GeoLocationManager())
 		accessLogManager.StartPeriodicCleanup(
 			context.Background(),
 			s.Config.ReverseProxy.AccessLogRetentionDays,

management/internals/server/modules.go

@@ -9,7 +9,6 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy"
 	proxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/proxy/manager"
@@ -28,6 +27,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
 
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/users"
 )
@@ -82,13 +82,13 @@ func (s *BaseServer) SettingsManager() settings.Manager {
 			idpConfig.LocalAuthDisabled = s.Config.EmbeddedIdP.LocalAuthDisabled
 		}
 
-		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, idpConfig)
+		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, s.PermissionsManager(), idpConfig)
 	})
 }
 
 func (s *BaseServer) PeersManager() peers.Manager {
 	return Create(s, func() peers.Manager {
-		manager := peers.NewManager(s.Store())
+		manager := peers.NewManager(s.Store(), s.PermissionsManager())
 		s.AfterInit(func(s *BaseServer) {
 			manager.SetNetworkMapController(s.NetworkMapController())
 			manager.SetIntegratedPeerValidator(s.IntegratedValidator())
@@ -161,43 +161,43 @@ func (s *BaseServer) OAuthConfigProvider() idp.OAuthConfigProvider {
 
 func (s *BaseServer) GroupsManager() groups.Manager {
 	return Create(s, func() groups.Manager {
-		return groups.NewManager(s.Store(), s.AccountManager())
+		return groups.NewManager(s.Store(), s.PermissionsManager(), s.AccountManager())
 	})
 }
 
 func (s *BaseServer) ResourcesManager() resources.Manager {
 	return Create(s, func() resources.Manager {
-		return resources.NewManager(s.Store(), s.GroupsManager(), s.AccountManager(), s.ServiceManager())
+		return resources.NewManager(s.Store(), s.PermissionsManager(), s.GroupsManager(), s.AccountManager(), s.ServiceManager())
 	})
 }
 
 func (s *BaseServer) RoutesManager() routers.Manager {
 	return Create(s, func() routers.Manager {
-		return routers.NewManager(s.Store(), s.AccountManager())
+		return routers.NewManager(s.Store(), s.PermissionsManager(), s.AccountManager())
 	})
 }
 
 func (s *BaseServer) NetworksManager() networks.Manager {
 	return Create(s, func() networks.Manager {
-		return networks.NewManager(s.Store(), s.ResourcesManager(), s.RoutesManager(), s.AccountManager())
+		return networks.NewManager(s.Store(), s.PermissionsManager(), s.ResourcesManager(), s.RoutesManager(), s.AccountManager())
 	})
 }
 
 func (s *BaseServer) ZonesManager() zones.Manager {
 	return Create(s, func() zones.Manager {
-		return zonesManager.NewManager(s.Store(), s.AccountManager(), s.DNSDomain())
+		return zonesManager.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.DNSDomain())
 	})
 }
 
 func (s *BaseServer) RecordsManager() records.Manager {
 	return Create(s, func() records.Manager {
-		return recordsManager.NewManager(s.Store(), s.AccountManager())
+		return recordsManager.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager())
 	})
 }
 
 func (s *BaseServer) ServiceManager() service.Manager {
 	return Create(s, func() service.Manager {
-		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.ServiceProxyController(), s.ProxyManager(), s.ReverseProxyDomainManager())
+		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ServiceProxyController(), s.ProxyManager(), s.ReverseProxyDomainManager())
 	})
 }
 
@@ -213,7 +213,7 @@ func (s *BaseServer) ProxyManager() proxy.Manager {
 
 func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
 	return Create(s, func() *manager.Manager {
-		m := manager.NewManager(s.Store(), s.ProxyManager(), s.AccountManager())
+		m := manager.NewManager(s.Store(), s.ProxyManager(), s.PermissionsManager(), s.AccountManager())
 		return &m
 	})
 }

management/server/account.go

@@ -15,7 +15,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
 	"github.com/netbirdio/netbird/management/server/job"
 	"github.com/netbirdio/netbird/shared/auth"
@@ -40,6 +39,9 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -280,14 +282,22 @@ func (am *DefaultAccountManager) GetIdpManager() idp.Manager {
 // User that performs the update has to belong to the account.
 // Returns an updated Settings
 func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	var oldSettings *types.Settings
 	var updateAccountPeers bool
 	var groupChangesAffectPeers bool
 	var reloadReverseProxy bool
 
-	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var groupsUpdated bool
-		var err error
 
 		oldSettings, err = transaction.GetAccountSettings(ctx, store.LockingStrengthUpdate, accountID)
 		if err != nil {
@@ -715,6 +725,15 @@ func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, u
 		return err
 	}
 
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Delete)
+	if err != nil {
+		return fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
+	}
+
 	userInfosMap, err := am.BuildUserInfosForAccount(ctx, accountID, userID, maps.Values(account.Users))
 	if err != nil {
 		return status.Errorf(status.Internal, "failed to build user infos for account %s: %v", accountID, err)
@@ -957,10 +976,6 @@ func (am *DefaultAccountManager) lookupUserInCache(ctx context.Context, userID s
 		return nil, err
 	}
 
-	if user.AccountID != accountID {
-		return nil, fmt.Errorf("user %s does not belong to account %s", userID, accountID)
-	}
-
 	key := user.IntegrationReference.CacheKey(accountID, userID)
 	ud, err := am.externalCacheManager.Get(am.ctx, key)
 	if err != nil {
@@ -1272,16 +1287,41 @@ func (am *DefaultAccountManager) GetAccount(ctx context.Context, accountID strin
 
 // GetAccountByID returns an account associated with this account ID.
 func (am *DefaultAccountManager) GetAccountByID(ctx context.Context, accountID string, userID string) (*types.Account, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return am.Store.GetAccount(ctx, accountID)
 }
 
 // GetAccountMeta returns the account metadata associated with this account ID.
 func (am *DefaultAccountManager) GetAccountMeta(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return am.Store.GetAccountMeta(ctx, store.LockingStrengthNone, accountID)
 }
 
 // GetAccountOnboarding retrieves the onboarding information for a specific account.
 func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	onboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
 	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
 		log.Errorf("failed to get account onboarding for account %s: %v", accountID, err)
@@ -1298,6 +1338,15 @@ func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accou
 }
 
 func (am *DefaultAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	oldOnboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
 	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
 		return nil, fmt.Errorf("failed to get account onboarding: %w", err)
@@ -1356,8 +1405,9 @@ func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, u
 		return accountID, user.Id, nil
 	}
 
-	// Permission checks are now handled by the HTTP middleware via WithPermission wrapper
-	// User account association is already validated above by GetUserByUserID
+	if err := am.permissionsManager.ValidateAccountAccess(ctx, accountID, user, false); err != nil {
+		return "", "", err
+	}
 
 	if !user.IsServiceUser && userAuth.Invited {
 		err = am.redeemInvite(ctx, accountID, user.Id)
@@ -1799,6 +1849,13 @@ func (am *DefaultAccountManager) handleUserPeer(ctx context.Context, transaction
 }
 
 func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, accountID string, userID string) (*types.Settings, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
 	return am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 }
 
@@ -2140,6 +2197,14 @@ func (am *DefaultAccountManager) validateIPForUpdate(account *types.Account, pee
 }
 
 func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
+	if err != nil {
+		return fmt.Errorf("validate user permissions: %w", err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	updateNetworkMap, err := am.updatePeerIPInTransaction(ctx, accountID, userID, peerID, newIP)
 	if err != nil {
 		return fmt.Errorf("update peer IP transaction: %w", err)

management/server/account/manager.go

@@ -60,7 +60,7 @@ type Manager interface {
 	GetUserByID(ctx context.Context, id string) (*types.User, error)
 	GetUserFromUserAuth(ctx context.Context, userAuth auth.UserAuth) (*types.User, error)
 	ListUsers(ctx context.Context, accountID string) ([]*types.User, error)
-	GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string, all bool) ([]*nbpeer.Peer, error)
+	GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
 	MarkPeerConnected(ctx context.Context, peerKey string, connected bool, realIP net.IP, accountID string, syncTime time.Time) error
 	DeletePeer(ctx context.Context, accountID, peerID, userID string) error
 	UpdatePeer(ctx context.Context, accountID, userID string, p *nbpeer.Peer) (*nbpeer.Peer, error)
@@ -75,7 +75,7 @@ type Manager interface {
 	GetUsersFromAccount(ctx context.Context, accountID, userID string) (map[string]*types.UserInfo, error)
 	GetGroup(ctx context.Context, accountId, groupID, userID string) (*types.Group, error)
 	GetAllGroups(ctx context.Context, accountID, userID string) ([]*types.Group, error)
-	GetGroupByName(ctx context.Context, groupName, accountID string) (*types.Group, error)
+	GetGroupByName(ctx context.Context, groupName, accountID, userID string) (*types.Group, error)
 	CreateGroup(ctx context.Context, accountID, userID string, group *types.Group) error
 	UpdateGroup(ctx context.Context, accountID, userID string, group *types.Group) error
 	CreateGroups(ctx context.Context, accountID, userID string, newGroups []*types.Group) error

management/server/account/manager_mock.go

@@ -736,18 +736,18 @@ func (mr *MockManagerMockRecorder) GetGroup(ctx, accountId, groupID, userID inte
 }
 
 // GetGroupByName mocks base method.
-func (m *MockManager) GetGroupByName(ctx context.Context, groupName, accountID string) (*types.Group, error) {
+func (m *MockManager) GetGroupByName(ctx context.Context, groupName, accountID, userID string) (*types.Group, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetGroupByName", ctx, groupName, accountID)
+	ret := m.ctrl.Call(m, "GetGroupByName", ctx, groupName, accountID, userID)
 	ret0, _ := ret[0].(*types.Group)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
 // GetGroupByName indicates an expected call of GetGroupByName.
-func (mr *MockManagerMockRecorder) GetGroupByName(ctx, groupName, accountID interface{}) *gomock.Call {
+func (mr *MockManagerMockRecorder) GetGroupByName(ctx, groupName, accountID, userID interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGroupByName", reflect.TypeOf((*MockManager)(nil).GetGroupByName), ctx, groupName, accountID)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGroupByName", reflect.TypeOf((*MockManager)(nil).GetGroupByName), ctx, groupName, accountID, userID)
 }
 
 // GetIdentityProvider mocks base method.
@@ -946,18 +946,18 @@ func (mr *MockManagerMockRecorder) GetPeerNetwork(ctx, peerID interface{}) *gomo
 }
 
 // GetPeers mocks base method.
-func (m *MockManager) GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string, all bool) ([]*peer.Peer, error) {
+func (m *MockManager) GetPeers(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*peer.Peer, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetPeers", ctx, accountID, userID, nameFilter, ipFilter, all)
+	ret := m.ctrl.Call(m, "GetPeers", ctx, accountID, userID, nameFilter, ipFilter)
 	ret0, _ := ret[0].([]*peer.Peer)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
 // GetPeers indicates an expected call of GetPeers.
-func (mr *MockManagerMockRecorder) GetPeers(ctx, accountID, userID, nameFilter, ipFilter, all interface{}) *gomock.Call {
+func (mr *MockManagerMockRecorder) GetPeers(ctx, accountID, userID, nameFilter, ipFilter interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeers", reflect.TypeOf((*MockManager)(nil).GetPeers), ctx, accountID, userID, nameFilter, ipFilter, all)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPeers", reflect.TypeOf((*MockManager)(nil).GetPeers), ctx, accountID, userID, nameFilter, ipFilter)
 }
 
 // GetPolicy mocks base method.

management/server/account_test.go

@@ -22,10 +22,8 @@ import (
 	"go.opentelemetry.io/otel/metric/noop"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/shared/management/status"
-
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
+	"github.com/netbirdio/netbird/shared/management/status"
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
@@ -51,6 +49,7 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -2312,29 +2311,6 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 	}
 }
 
-func TestGetExpiredPeers_SkipsAlreadyExpired(t *testing.T) {
-	ctx := context.Background()
-
-	testStore, cleanUp, err := store.NewTestStoreFromSQL(ctx, "testdata/store_with_expired_peers.sql", t.TempDir())
-	t.Cleanup(cleanUp)
-	require.NoError(t, err)
-
-	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
-
-	// Verify the already-expired peer is excluded at the store level
-	peers, err := testStore.GetAccountPeersWithExpiration(ctx, store.LockingStrengthNone, accountID)
-	require.NoError(t, err)
-
-	for _, peer := range peers {
-		assert.NotEqual(t, "cg05lnblo1hkg2j514p0", peer.ID, "already expired peer should be excluded by the store query")
-		assert.False(t, peer.Status.LoginExpired, "returned peers should not already be marked as login expired")
-	}
-
-	// Only the non-expired peer with expiration enabled should be returned
-	require.Len(t, peers, 1)
-	assert.Equal(t, "notexpired01", peers[0].ID)
-}
-
 func TestAccount_GetInactivePeers(t *testing.T) {
 	type test struct {
 		name          string
@@ -3148,7 +3124,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 		AnyTimes()
 
 	permissionsManager := permissions.NewManager(store)
-	peersManager := peers.NewManager(store)
+	peersManager := peers.NewManager(store, permissionsManager)
 
 	proxyManager := proxy.NewMockManager(ctrl)
 	proxyManager.EXPECT().
@@ -3165,7 +3141,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store)), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{})
 	manager, err := BuildManager(ctx, &config.Config{}, store, networkMapController, job.NewJobManager(nil, store, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	if err != nil {
 		return nil, nil, err
@@ -3176,7 +3152,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 	if err != nil {
 		return nil, nil, err
 	}
-	manager.SetServiceManager(reverseproxymanager.NewManager(store, manager, proxyController, proxyManager, nil))
+	manager.SetServiceManager(reverseproxymanager.NewManager(store, manager, permissionsManager, proxyController, proxyManager, nil))
 
 	return manager, updateManager, nil
 }

management/server/dns.go

@@ -8,6 +8,8 @@ import (
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
@@ -20,6 +22,14 @@ const (
 
 // GetDNSSettings validates a user role and returns the DNS settings for the provided account ID
 func (am *DefaultAccountManager) GetDNSSettings(ctx context.Context, accountID string, userID string) (*types.DNSSettings, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	return am.Store.GetAccountDNSSettings(ctx, store.LockingStrengthNone, accountID)
 }
 
@@ -29,11 +39,18 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
 		return status.Errorf(status.InvalidArgument, "the dns settings provided are nil")
 	}
 
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Dns, operations.Update)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	var updateAccountPeers bool
 	var eventsToStore []func()
 
-	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateDNSSettings(ctx, transaction, accountID, dnsSettingsToSave); err != nil {
 			return err
 		}

management/server/dns_test.go

@@ -14,11 +14,11 @@ import (
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	ephemeral_manager "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -28,6 +28,7 @@ import (
 
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 const (
@@ -78,6 +79,16 @@ func TestGetDNSSettings(t *testing.T) {
 	if len(dnsSettings.DisabledManagementGroups) != 1 {
 		t.Errorf("DNS settings should have one disabled mgmt group, groups: %s", dnsSettings.DisabledManagementGroups)
 	}
+
+	_, err = am.GetDNSSettings(context.Background(), account.Id, dnsRegularUserID)
+	if err == nil {
+		t.Errorf("An error should be returned when getting the DNS settings with a regular user")
+	}
+
+	s, ok := status.FromError(err)
+	if !ok && s.Type() != status.PermissionDenied {
+		t.Errorf("returned error should be Permission Denied, got err: %s", err)
+	}
 }
 
 func TestSaveDNSSettings(t *testing.T) {
@@ -212,7 +223,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	// return empty extra settings for expected calls to UpdateAccountPeers
 	settingsMockManager.EXPECT().GetExtraSettings(gomock.Any(), gomock.Any()).Return(&types.ExtraSettings{}, nil).AnyTimes()
 	permissionsManager := permissions.NewManager(store)
-	peersManager := peers.NewManager(store)
+	peersManager := peers.NewManager(store, permissionsManager)
 
 	ctx := context.Background()
 
@@ -223,7 +234,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
 
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.test", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store)), &config.Config{})
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.test", port_forwarding.NewControllerMock(), ephemeral_manager.NewEphemeralManager(store, peers.NewManager(store, permissionsManager)), &config.Config{})
 
 	return BuildManager(context.Background(), nil, store, networkMapController, job.NewJobManager(nil, store, peersManager), nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 }

management/server/event.go

@@ -9,8 +9,11 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/status"
 )
 
 func isEnabled() bool {
@@ -20,6 +23,14 @@ func isEnabled() bool {
 
 // GetEvents returns a list of activity events of an account
 func (am *DefaultAccountManager) GetEvents(ctx context.Context, accountID, userID string) ([]*activity.Event, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Events, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
 	events, err := am.eventStore.Get(ctx, accountID, 0, 10000, true)
 	if err != nil {
 		return nil, err

management/server/group.go

@@ -12,6 +12,8 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/util"
@@ -30,24 +32,13 @@ func (e *GroupLinkError) Error() string {
 
 // CheckGroupPermissions validates if a user has the necessary permissions to view groups
 func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, accountID, userID string) error {
-	// Permission checks are now handled by the HTTP middleware via WithPermission wrapper
-	// This method is called from authenticated/authorized handlers, so we just validate
-	// that the user exists and is part of the account
-	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Read)
 	if err != nil {
 		return err
 	}
 
-	if user == nil {
-		return status.NewUserNotFoundError(userID)
-	}
-
-	if user.AccountID != accountID {
-		return status.NewUserNotPartOfAccountError()
-	}
-
-	if user.IsBlocked() {
-		return status.NewUserBlockedError()
+	if !allowed {
+		return status.NewPermissionDeniedError()
 	}
 
 	return nil
@@ -70,17 +61,27 @@ func (am *DefaultAccountManager) GetAllGroups(ctx context.Context, accountID, us
 }
 
 // GetGroupByName filters all groups in an account by name and returns the one with the most peers
-func (am *DefaultAccountManager) GetGroupByName(ctx context.Context, groupName, accountID string) (*types.Group, error) {
+func (am *DefaultAccountManager) GetGroupByName(ctx context.Context, groupName, accountID, userID string) (*types.Group, error) {
+	if err := am.CheckGroupPermissions(ctx, accountID, userID); err != nil {
+		return nil, err
+	}
 	return am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, groupName)
 }
 
 // CreateGroup object of the peers
 func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, userID string, newGroup *types.Group) error {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	var eventsToStore []func()
 	var updateAccountPeers bool
 
-	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		var err error
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
 			return err
 		}
@@ -124,11 +125,19 @@ func (am *DefaultAccountManager) CreateGroup(ctx context.Context, accountID, use
 
 // UpdateGroup object of the peers
 func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, userID string, newGroup *types.Group) error {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	var eventsToStore []func()
 	var updateAccountPeers bool
 
-	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		if err := validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
 			return err
 		}
 
@@ -187,24 +196,33 @@ func (am *DefaultAccountManager) UpdateGroup(ctx context.Context, accountID, use
 // It is the caller's responsibility to ensure proper locking is in place before invoking this method.
 // This method will not create group peer membership relations. Use AddPeerToGroup or RemovePeerFromGroup methods for that.
 func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, userID string, groups []*types.Group) error {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Create)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	var eventsToStore []func()
 	var updateAccountPeers bool
 
 	var globalErr error
 	groupIDs := make([]string, 0, len(groups))
 	for _, newGroup := range groups {
-		err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-			if err := validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
+		err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+			if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
 				return err
 			}
 
 			newGroup.AccountID = accountID
 
-			if err := transaction.CreateGroup(ctx, newGroup); err != nil {
+			if err = transaction.CreateGroup(ctx, newGroup); err != nil {
 				return err
 			}
 
-			if err := transaction.IncrementNetworkSerial(ctx, accountID); err != nil {
+			err = transaction.IncrementNetworkSerial(ctx, accountID)
+			if err != nil {
 				return err
 			}
 
@@ -225,7 +243,6 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 		}
 	}
 
-	var err error
 	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
 	if err != nil {
 		return err
@@ -247,14 +264,21 @@ func (am *DefaultAccountManager) CreateGroups(ctx context.Context, accountID, us
 // It is the caller's responsibility to ensure proper locking is in place before invoking this method.
 // This method will not create group peer membership relations. Use AddPeerToGroup or RemovePeerFromGroup methods for that.
 func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, userID string, groups []*types.Group) error {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	var eventsToStore []func()
 	var updateAccountPeers bool
 
 	var globalErr error
 	groupIDs := make([]string, 0, len(groups))
 	for _, newGroup := range groups {
-		err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-			var err error
+		err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 			if err = validateNewGroup(ctx, transaction, accountID, newGroup); err != nil {
 				return err
 			}
@@ -287,7 +311,6 @@ func (am *DefaultAccountManager) UpdateGroups(ctx context.Context, accountID, us
 		}
 	}
 
-	var err error
 	updateAccountPeers, err = areGroupChangesAffectPeers(ctx, am.Store, accountID, groupIDs)
 	if err != nil {
 		return err
@@ -393,6 +416,14 @@ func (am *DefaultAccountManager) DeleteGroup(ctx context.Context, accountID, use
 // If an error occurs while deleting a group, the function skips it and continues deleting other groups.
 // Errors are collected and returned at the end.
 func (am *DefaultAccountManager) DeleteGroups(ctx context.Context, accountID, userID string, groupIDs []string) error {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
 	var allErrors error
 	var groupIDsToDelete []string
 	var deletedGroups []*types.Group

management/server/group_test.go

@@ -26,6 +26,7 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	peer2 "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -763,10 +764,11 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 
 	// Saving a group linked to network router should update account peers and send peer update
 	t.Run("saving group linked to network router", func(t *testing.T) {
-		groupsManager := groups.NewManager(manager.Store, manager)
-		resourcesManager := resources.NewManager(manager.Store, groupsManager, manager, manager.serviceManager)
-		routersManager := routers.NewManager(manager.Store, manager)
-		networksManager := networks.NewManager(manager.Store, resourcesManager, routersManager, manager)
+		permissionsManager := permissions.NewManager(manager.Store)
+		groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
+		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager, manager.serviceManager)
+		routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
+		networksManager := networks.NewManager(manager.Store, permissionsManager, resourcesManager, routersManager, manager)
 
 		network, err := networksManager.CreateNetwork(context.Background(), userID, &networkTypes.Network{
 			ID:          "network_test",

management/server/groups/manager.go

@@ -6,6 +6,9 @@ import (
 
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -22,21 +25,31 @@ type Manager interface {
 }
 
 type managerImpl struct {
-	store          store.Store
-	accountManager account.Manager
+	store              store.Store
+	permissionsManager permissions.Manager
+	accountManager     account.Manager
 }
 
 type mockManager struct {
 }
 
-func NewManager(store store.Store, accountManager account.Manager) Manager {
+func NewManager(store store.Store, permissionsManager permissions.Manager, accountManager account.Manager) Manager {
 	return &managerImpl{
-		store:          store,
-		accountManager: accountManager,
+		store:              store,
+		permissionsManager: permissionsManager,
+		accountManager:     accountManager,
 	}
 }
 
 func (m *managerImpl) GetAllGroups(ctx context.Context, accountID, userID string) ([]*types.Group, error) {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Read)
+	if err != nil {
+		return nil, err
+	}
+	if !ok {
+		return nil, err
+	}
+
 	groups, err := m.store.GetAccountGroups(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
 		return nil, fmt.Errorf("error getting account groups: %w", err)
@@ -60,6 +73,14 @@ func (m *managerImpl) GetAllGroupsMap(ctx context.Context, accountID, userID str
 }
 
 func (m *managerImpl) AddResourceToGroup(ctx context.Context, accountID, userID, groupID string, resource *types.Resource) error {
+	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Groups, operations.Update)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return err
+	}
+
 	event, err := m.AddResourceToGroupInTransaction(ctx, m.store, accountID, userID, groupID, resource)
 	if err != nil {
 		return fmt.Errorf("error adding resource to group: %w", err)

management/server/http/handler.go

@@ -5,12 +5,14 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
+	"os"
+	"strconv"
+	"time"
 
 	"github.com/gorilla/mux"
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
 
 	"github.com/netbirdio/netbird/management/server/types"
@@ -32,8 +34,10 @@ import (
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/settings"
 
-	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/permissions"
+
+	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 
 	nbpeers "github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/server/auth"
@@ -62,11 +66,14 @@ import (
 )
 
 const (
-	apiPrefix = "/api"
+	apiPrefix              = "/api"
+	rateLimitingEnabledKey = "NB_API_RATE_LIMITING_ENABLED"
+	rateLimitingBurstKey   = "NB_API_RATE_LIMITING_BURST"
+	rateLimitingRPMKey     = "NB_API_RATE_LIMITING_RPM"
 )
 
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix, rateLimiter *middleware.APIRateLimiter) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, serviceManager service.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {
 
 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -87,10 +94,34 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}
 
-	if rateLimiter == nil {
-		log.Warn("NewAPIHandler: nil rate limiter, rate limiting disabled")
-		rateLimiter = middleware.NewAPIRateLimiter(nil)
-		rateLimiter.SetEnabled(false)
+	var rateLimitingConfig *middleware.RateLimiterConfig
+	if os.Getenv(rateLimitingEnabledKey) == "true" {
+		rpm := 6
+		if v := os.Getenv(rateLimitingRPMKey); v != "" {
+			value, err := strconv.Atoi(v)
+			if err != nil {
+				log.Warnf("parsing %s env var: %v, using default %d", rateLimitingRPMKey, err, rpm)
+			} else {
+				rpm = value
+			}
+		}
+
+		burst := 500
+		if v := os.Getenv(rateLimitingBurstKey); v != "" {
+			value, err := strconv.Atoi(v)
+			if err != nil {
+				log.Warnf("parsing %s env var: %v, using default %d", rateLimitingBurstKey, err, burst)
+			} else {
+				burst = value
+			}
+		}
+
+		rateLimitingConfig = &middleware.RateLimiterConfig{
+			RequestsPerMinute: float64(rpm),
+			Burst:             burst,
+			CleanupInterval:   6 * time.Hour,
+			LimiterTTL:        24 * time.Hour,
+		}
 	}
 
 	authMiddleware := middleware.NewAuthMiddleware(
@@ -98,7 +129,7 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		accountManager.GetAccountIDFromUserAuth,
 		accountManager.SyncUserJWTGroups,
 		accountManager.GetUserFromUserAuth,
-		rateLimiter,
+		rateLimitingConfig,
 		appMetrics.GetMeter(),
 	)
 
@@ -123,25 +154,25 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 		return nil, fmt.Errorf("failed to create instance manager: %w", err)
 	}
 
-	accounts.AddEndpoints(accountManager, settingsManager, router, permissionsManager)
+	accounts.AddEndpoints(accountManager, settingsManager, router)
 	peers.AddEndpoints(accountManager, router, networkMapController, permissionsManager)
-	users.AddEndpoints(accountManager, router, permissionsManager)
-	users.AddInvitesEndpoints(accountManager, router, permissionsManager)
+	users.AddEndpoints(accountManager, router)
+	users.AddInvitesEndpoints(accountManager, router)
 	users.AddPublicInvitesEndpoints(accountManager, router)
-	setup_keys.AddEndpoints(accountManager, router, permissionsManager)
-	policies.AddEndpoints(accountManager, LocationManager, router, permissionsManager)
-	policies.AddPostureCheckEndpoints(accountManager, LocationManager, router, permissionsManager)
+	setup_keys.AddEndpoints(accountManager, router)
+	policies.AddEndpoints(accountManager, LocationManager, router)
+	policies.AddPostureCheckEndpoints(accountManager, LocationManager, router)
 	policies.AddLocationsEndpoints(accountManager, LocationManager, permissionsManager, router)
-	groups.AddEndpoints(accountManager, router, permissionsManager)
-	routes.AddEndpoints(accountManager, router, permissionsManager)
-	dns.AddEndpoints(accountManager, router, permissionsManager)
-	events.AddEndpoints(accountManager, router, permissionsManager)
-	networks.AddEndpoints(networksManager, resourceManager, routerManager, groupsManager, accountManager, permissionsManager, router)
-	zonesManager.RegisterEndpoints(router, zManager, permissionsManager)
-	recordsManager.RegisterEndpoints(router, rManager, permissionsManager)
-	idp.AddEndpoints(accountManager, router, permissionsManager)
+	groups.AddEndpoints(accountManager, router)
+	routes.AddEndpoints(accountManager, router)
+	dns.AddEndpoints(accountManager, router)
+	events.AddEndpoints(accountManager, router)
+	networks.AddEndpoints(networksManager, resourceManager, routerManager, groupsManager, accountManager, router)
+	zonesManager.RegisterEndpoints(router, zManager)
+	recordsManager.RegisterEndpoints(router, rManager)
+	idp.AddEndpoints(accountManager, router)
 	instance.AddEndpoints(instanceManager, router)
-	instance.AddVersionEndpoint(instanceManager, router, permissionsManager)
+	instance.AddVersionEndpoint(instanceManager, router)
 	if serviceManager != nil && reverseProxyDomainManager != nil {
 		reverseproxymanager.RegisterEndpoints(serviceManager, *reverseProxyDomainManager, reverseProxyAccessLogsManager, permissionsManager, router)
 	}

management/server/http/handlers/accounts/accounts_handler.go

@@ -12,13 +12,10 @@ import (
 
 	goversion "github.com/hashicorp/go-version"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -43,11 +40,11 @@ type handler struct {
 	settingsManager settings.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, settingsManager settings.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddEndpoints(accountManager account.Manager, settingsManager settings.Manager, router *mux.Router) {
 	accountsHandler := newHandler(accountManager, settingsManager)
-	router.HandleFunc("/accounts/{accountId}", permissionsManager.WithPermission(modules.Accounts, operations.Update, accountsHandler.updateAccount)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/accounts/{accountId}", permissionsManager.WithPermission(modules.Accounts, operations.Delete, accountsHandler.deleteAccount)).Methods("DELETE", "OPTIONS")
-	router.HandleFunc("/accounts", permissionsManager.WithPermission(modules.Accounts, operations.Read, accountsHandler.getAllAccounts)).Methods("GET", "OPTIONS")
+	router.HandleFunc("/accounts/{accountId}", accountsHandler.updateAccount).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/accounts/{accountId}", accountsHandler.deleteAccount).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/accounts", accountsHandler.getAllAccounts).Methods("GET", "OPTIONS")
 }
 
 // newHandler creates a new handler HTTP handler
@@ -102,7 +99,7 @@ func (h *handler) validateNetworkRange(ctx context.Context, accountID, userID st
 }
 
 func (h *handler) validateCapacity(ctx context.Context, accountID, userID string, prefix netip.Prefix) error {
-	peers, err := h.accountManager.GetPeers(ctx, accountID, userID, "", "", true)
+	peers, err := h.accountManager.GetPeers(ctx, accountID, userID, "", "")
 	if err != nil {
 		return status.Errorf(status.Internal, "get peer count: %v", err)
 	}
@@ -139,26 +136,34 @@ func calculateRequiredAddresses(peerCount int) int64 {
 }
 
 // getAllAccounts is HTTP GET handler that returns a list of accounts. Effectively returns just a single account.
-func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	meta, err := h.accountManager.GetAccountMeta(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	settings, err := h.settingsManager.GetSettings(r.Context(), userAuth.AccountId, userAuth.UserId)
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	meta, err := h.accountManager.GetAccountMeta(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	onboarding, err := h.accountManager.GetAccountOnboarding(r.Context(), userAuth.AccountId, userAuth.UserId)
+	settings, err := h.settingsManager.GetSettings(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	resp := toAccountResponse(userAuth.AccountId, settings, meta, onboarding)
+	onboarding, err := h.accountManager.GetAccountOnboarding(r.Context(), accountID, userID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	resp := toAccountResponse(accountID, settings, meta, onboarding)
 	util.WriteJSONObject(r.Context(), w, []*api.Account{resp})
 }
 
@@ -228,15 +233,24 @@ func (h *handler) updateAccountRequestSettings(req api.PutApiAccountsAccountIdJS
 }
 
 // updateAccount is HTTP PUT handler that updates the provided account. Updates only account settings (server.Settings)
-func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	accountID := mux.Vars(r)["accountId"]
-	if accountID != userAuth.AccountId {
-		util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "account ID mismatch"), w)
+func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	_, userID := userAuth.AccountId, userAuth.UserId
+
+	vars := mux.Vars(r)
+	accountID := vars["accountId"]
+	if len(accountID) == 0 {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid accountID ID"), w)
 		return
 	}
 
 	var req api.PutApiAccountsAccountIdJSONRequestBody
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -253,7 +267,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request, userAuth
 			util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid CIDR format: %v", err), w)
 			return
 		}
-		if err := h.validateNetworkRange(r.Context(), accountID, userAuth.UserId, prefix); err != nil {
+		if err := h.validateNetworkRange(r.Context(), accountID, userID, prefix); err != nil {
 			util.WriteError(r.Context(), err, w)
 			return
 		}
@@ -268,19 +282,19 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request, userAuth
 		}
 	}
 
-	updatedOnboarding, err := h.accountManager.UpdateAccountOnboarding(r.Context(), accountID, userAuth.UserId, onboarding)
+	updatedOnboarding, err := h.accountManager.UpdateAccountOnboarding(r.Context(), accountID, userID, onboarding)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	updatedSettings, err := h.accountManager.UpdateAccountSettings(r.Context(), accountID, userAuth.UserId, settings)
+	updatedSettings, err := h.accountManager.UpdateAccountSettings(r.Context(), accountID, userID, settings)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	meta, err := h.accountManager.GetAccountMeta(r.Context(), accountID, userAuth.UserId)
+	meta, err := h.accountManager.GetAccountMeta(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -292,14 +306,21 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request, userAuth
 }
 
 // deleteAccount is a HTTP DELETE handler to delete an account
-func (h *handler) deleteAccount(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	accountID := mux.Vars(r)["accountId"]
-	if accountID != userAuth.AccountId {
-		util.WriteError(r.Context(), status.Errorf(status.PermissionDenied, "account ID mismatch"), w)
+func (h *handler) deleteAccount(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	err := h.accountManager.DeleteAccount(r.Context(), userAuth.AccountId, userAuth.UserId)
+	vars := mux.Vars(r)
+	targetAccountID := vars["accountId"]
+	if len(targetAccountID) == 0 {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid account ID"), w)
+		return
+	}
+
+	err = h.accountManager.DeleteAccount(r.Context(), targetAccountID, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/accounts/accounts_handler_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -291,8 +290,8 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/accounts", permissions.WrapHandler(handler.getAllAccounts)).Methods("GET")
-			router.HandleFunc("/api/accounts/{accountId}", permissions.WrapHandler(handler.updateAccount)).Methods("PUT")
+			router.HandleFunc("/api/accounts", handler.getAllAccounts).Methods("GET")
+			router.HandleFunc("/api/accounts/{accountId}", handler.updateAccount).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/dns/dns_settings_handler.go

@@ -5,13 +5,11 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
@@ -21,15 +19,15 @@ type dnsSettingsHandler struct {
 	accountManager account.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
-	addDNSSettingEndpoint(accountManager, router, permissionsManager)
-	addDNSNameserversEndpoint(accountManager, router, permissionsManager)
+func AddEndpoints(accountManager account.Manager, router *mux.Router) {
+	addDNSSettingEndpoint(accountManager, router)
+	addDNSNameserversEndpoint(accountManager, router)
 }
 
-func addDNSSettingEndpoint(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func addDNSSettingEndpoint(accountManager account.Manager, router *mux.Router) {
 	dnsSettingsHandler := newDNSSettingsHandler(accountManager)
-	router.HandleFunc("/dns/settings", permissionsManager.WithPermission(modules.Dns, operations.Read, dnsSettingsHandler.getDNSSettings)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/settings", permissionsManager.WithPermission(modules.Dns, operations.Update, dnsSettingsHandler.updateDNSSettings)).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/dns/settings", dnsSettingsHandler.getDNSSettings).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/settings", dnsSettingsHandler.updateDNSSettings).Methods("PUT", "OPTIONS")
 }
 
 // newDNSSettingsHandler returns a new instance of dnsSettingsHandler handler
@@ -38,8 +36,17 @@ func newDNSSettingsHandler(accountManager account.Manager) *dnsSettingsHandler {
 }
 
 // getDNSSettings returns the DNS settings for the account
-func (h *dnsSettingsHandler) getDNSSettings(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	dnsSettings, err := h.accountManager.GetDNSSettings(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *dnsSettingsHandler) getDNSSettings(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		log.WithContext(r.Context()).Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	dnsSettings, err := h.accountManager.GetDNSSettings(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -53,9 +60,17 @@ func (h *dnsSettingsHandler) getDNSSettings(w http.ResponseWriter, r *http.Reque
 }
 
 // updateDNSSettings handles update to DNS settings of an account
-func (h *dnsSettingsHandler) updateDNSSettings(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *dnsSettingsHandler) updateDNSSettings(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.PutApiDnsSettingsJSONRequestBody
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -65,7 +80,7 @@ func (h *dnsSettingsHandler) updateDNSSettings(w http.ResponseWriter, r *http.Re
 		DisabledManagementGroups: req.DisabledManagementGroups,
 	}
 
-	err = h.accountManager.SaveDNSSettings(r.Context(), userAuth.AccountId, userAuth.UserId, updateDNSSettings)
+	err = h.accountManager.SaveDNSSettings(r.Context(), accountID, userID, updateDNSSettings)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/dns/dns_settings_handler_test.go

@@ -17,7 +17,6 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/auth"
 
@@ -116,8 +115,8 @@ func TestDNSSettingsHandlers(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/dns/settings", permissions.WrapHandler(p.getDNSSettings)).Methods("GET")
-			router.HandleFunc("/api/dns/settings", permissions.WrapHandler(p.updateDNSSettings)).Methods("PUT")
+			router.HandleFunc("/api/dns/settings", p.getDNSSettings).Methods("GET")
+			router.HandleFunc("/api/dns/settings", p.updateDNSSettings).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/dns/nameservers_handler.go

@@ -6,13 +6,11 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"
 
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -23,13 +21,13 @@ type nameserversHandler struct {
 	accountManager account.Manager
 }
 
-func addDNSNameserversEndpoint(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func addDNSNameserversEndpoint(accountManager account.Manager, router *mux.Router) {
 	nameserversHandler := newNameserversHandler(accountManager)
-	router.HandleFunc("/dns/nameservers", permissionsManager.WithPermission(modules.Nameservers, operations.Read, nameserversHandler.getAllNameservers)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/nameservers", permissionsManager.WithPermission(modules.Nameservers, operations.Create, nameserversHandler.createNameserverGroup)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/dns/nameservers/{nsgroupId}", permissionsManager.WithPermission(modules.Nameservers, operations.Update, nameserversHandler.updateNameserverGroup)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/dns/nameservers/{nsgroupId}", permissionsManager.WithPermission(modules.Nameservers, operations.Read, nameserversHandler.getNameserverGroup)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/dns/nameservers/{nsgroupId}", permissionsManager.WithPermission(modules.Nameservers, operations.Delete, nameserversHandler.deleteNameserverGroup)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/dns/nameservers", nameserversHandler.getAllNameservers).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/nameservers", nameserversHandler.createNameserverGroup).Methods("POST", "OPTIONS")
+	router.HandleFunc("/dns/nameservers/{nsgroupId}", nameserversHandler.updateNameserverGroup).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/dns/nameservers/{nsgroupId}", nameserversHandler.getNameserverGroup).Methods("GET", "OPTIONS")
+	router.HandleFunc("/dns/nameservers/{nsgroupId}", nameserversHandler.deleteNameserverGroup).Methods("DELETE", "OPTIONS")
 }
 
 // newNameserversHandler returns a new instance of nameserversHandler handler
@@ -38,8 +36,17 @@ func newNameserversHandler(accountManager account.Manager) *nameserversHandler {
 }
 
 // getAllNameservers returns the list of nameserver groups for the account
-func (h *nameserversHandler) getAllNameservers(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	nsGroups, err := h.accountManager.ListNameServerGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *nameserversHandler) getAllNameservers(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		log.WithContext(r.Context()).Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	nsGroups, err := h.accountManager.ListNameServerGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -54,9 +61,17 @@ func (h *nameserversHandler) getAllNameservers(w http.ResponseWriter, r *http.Re
 }
 
 // createNameserverGroup handles nameserver group creation request
-func (h *nameserversHandler) createNameserverGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *nameserversHandler) createNameserverGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.PostApiDnsNameserversJSONRequestBody
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -68,7 +83,7 @@ func (h *nameserversHandler) createNameserverGroup(w http.ResponseWriter, r *htt
 		return
 	}
 
-	nsGroup, err := h.accountManager.CreateNameServerGroup(r.Context(), userAuth.AccountId, req.Name, req.Description, nsList, req.Groups, req.Primary, req.Domains, req.Enabled, userAuth.UserId, req.SearchDomainsEnabled)
+	nsGroup, err := h.accountManager.CreateNameServerGroup(r.Context(), accountID, req.Name, req.Description, nsList, req.Groups, req.Primary, req.Domains, req.Enabled, userID, req.SearchDomainsEnabled)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -80,7 +95,15 @@ func (h *nameserversHandler) createNameserverGroup(w http.ResponseWriter, r *htt
 }
 
 // updateNameserverGroup handles update to a nameserver group identified by a given ID
-func (h *nameserversHandler) updateNameserverGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *nameserversHandler) updateNameserverGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	nsGroupID := mux.Vars(r)["nsgroupId"]
 	if len(nsGroupID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid nameserver group ID"), w)
@@ -88,7 +111,7 @@ func (h *nameserversHandler) updateNameserverGroup(w http.ResponseWriter, r *htt
 	}
 
 	var req api.PutApiDnsNameserversNsgroupIdJSONRequestBody
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -112,7 +135,7 @@ func (h *nameserversHandler) updateNameserverGroup(w http.ResponseWriter, r *htt
 		SearchDomainsEnabled: req.SearchDomainsEnabled,
 	}
 
-	err = h.accountManager.SaveNameServerGroup(r.Context(), userAuth.AccountId, userAuth.UserId, updatedNSGroup)
+	err = h.accountManager.SaveNameServerGroup(r.Context(), accountID, userID, updatedNSGroup)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -124,14 +147,22 @@ func (h *nameserversHandler) updateNameserverGroup(w http.ResponseWriter, r *htt
 }
 
 // deleteNameserverGroup handles nameserver group deletion request
-func (h *nameserversHandler) deleteNameserverGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *nameserversHandler) deleteNameserverGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	nsGroupID := mux.Vars(r)["nsgroupId"]
 	if len(nsGroupID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid nameserver group ID"), w)
 		return
 	}
 
-	err := h.accountManager.DeleteNameServerGroup(r.Context(), userAuth.AccountId, nsGroupID, userAuth.UserId)
+	err = h.accountManager.DeleteNameServerGroup(r.Context(), accountID, nsGroupID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -141,14 +172,22 @@ func (h *nameserversHandler) deleteNameserverGroup(w http.ResponseWriter, r *htt
 }
 
 // getNameserverGroup handles a nameserver group Get request identified by ID
-func (h *nameserversHandler) getNameserverGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *nameserversHandler) getNameserverGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	nsGroupID := mux.Vars(r)["nsgroupId"]
 	if len(nsGroupID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid nameserver group ID"), w)
 		return
 	}
 
-	nsGroup, err := h.accountManager.GetNameServerGroup(r.Context(), userAuth.AccountId, userAuth.UserId, nsGroupID)
+	nsGroup, err := h.accountManager.GetNameServerGroup(r.Context(), accountID, userID, nsGroupID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/dns/nameservers_handler_test.go

@@ -18,7 +18,6 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/auth"
 
@@ -202,10 +201,10 @@ func TestNameserversHandlers(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/dns/nameservers/{nsgroupId}", permissions.WrapHandler(p.getNameserverGroup)).Methods("GET")
-			router.HandleFunc("/api/dns/nameservers", permissions.WrapHandler(p.createNameserverGroup)).Methods("POST")
-			router.HandleFunc("/api/dns/nameservers/{nsgroupId}", permissions.WrapHandler(p.deleteNameserverGroup)).Methods("DELETE")
-			router.HandleFunc("/api/dns/nameservers/{nsgroupId}", permissions.WrapHandler(p.updateNameserverGroup)).Methods("PUT")
+			router.HandleFunc("/api/dns/nameservers/{nsgroupId}", p.getNameserverGroup).Methods("GET")
+			router.HandleFunc("/api/dns/nameservers", p.createNameserverGroup).Methods("POST")
+			router.HandleFunc("/api/dns/nameservers/{nsgroupId}", p.deleteNameserverGroup).Methods("DELETE")
+			router.HandleFunc("/api/dns/nameservers/{nsgroupId}", p.updateNameserverGroup).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/events/events_handler.go

@@ -5,13 +5,11 @@ import (
 	"net/http"
 
 	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/shared/auth"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
@@ -21,10 +19,10 @@ type handler struct {
 	accountManager account.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddEndpoints(accountManager account.Manager, router *mux.Router) {
 	eventsHandler := newHandler(accountManager)
-	router.HandleFunc("/events", permissionsManager.WithPermission(modules.Events, operations.Read, eventsHandler.getAllEvents)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/events/audit", permissionsManager.WithPermission(modules.Events, operations.Read, eventsHandler.getAllEvents)).Methods("GET", "OPTIONS")
+	router.HandleFunc("/events", eventsHandler.getAllEvents).Methods("GET", "OPTIONS")
+	router.HandleFunc("/events/audit", eventsHandler.getAllEvents).Methods("GET", "OPTIONS")
 }
 
 // newHandler creates a new events handler
@@ -33,8 +31,17 @@ func newHandler(accountManager account.Manager) *handler {
 }
 
 // getAllEvents list of the given account
-func (h *handler) getAllEvents(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	accountEvents, err := h.accountManager.GetEvents(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllEvents(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		log.WithContext(r.Context()).Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	accountEvents, err := h.accountManager.GetEvents(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/events/events_handler_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/auth"
 
@@ -197,7 +196,7 @@ func TestEvents_GetEvents(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/events/", permissions.WrapHandler(handler.getAllEvents)).Methods("GET")
+			router.HandleFunc("/api/events/", handler.getAllEvents).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/groups/groups_handler.go

@@ -7,13 +7,11 @@ import (
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -21,45 +19,46 @@ import (
 
 // handler is a handler that returns groups of the account
 type handler struct {
-	accountManager     account.Manager
-	permissionsManager permissions.Manager
+	accountManager account.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
-	groupsHandler := newHandler(accountManager, permissionsManager)
-	router.HandleFunc("/groups", permissionsManager.WithPermission(modules.Groups, operations.Read, groupsHandler.getAllGroups)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/groups", permissionsManager.WithPermission(modules.Groups, operations.Create, groupsHandler.createGroup)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/groups/{groupId}", permissionsManager.WithPermission(modules.Groups, operations.Update, groupsHandler.updateGroup)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/groups/{groupId}", permissionsManager.WithPermission(modules.Groups, operations.Read, groupsHandler.getGroup)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/groups/{groupId}", permissionsManager.WithPermission(modules.Groups, operations.Delete, groupsHandler.deleteGroup)).Methods("DELETE", "OPTIONS")
+func AddEndpoints(accountManager account.Manager, router *mux.Router) {
+	groupsHandler := newHandler(accountManager)
+	router.HandleFunc("/groups", groupsHandler.getAllGroups).Methods("GET", "OPTIONS")
+	router.HandleFunc("/groups", groupsHandler.createGroup).Methods("POST", "OPTIONS")
+	router.HandleFunc("/groups/{groupId}", groupsHandler.updateGroup).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/groups/{groupId}", groupsHandler.getGroup).Methods("GET", "OPTIONS")
+	router.HandleFunc("/groups/{groupId}", groupsHandler.deleteGroup).Methods("DELETE", "OPTIONS")
 }
 
 // newHandler creates a new groups handler
-func newHandler(accountManager account.Manager, permissionsManager permissions.Manager) *handler {
+func newHandler(accountManager account.Manager) *handler {
 	return &handler{
-		accountManager:     accountManager,
-		permissionsManager: permissionsManager,
+		accountManager: accountManager,
 	}
 }
 
-func (h *handler) canReadPeers(r *http.Request, userAuth *auth.UserAuth) bool {
-	allowed, err := h.permissionsManager.ValidateUserPermissions(r.Context(), userAuth.AccountId, userAuth.UserId, modules.Peers, operations.Read)
-	return err == nil && allowed
-}
-
 // getAllGroups list for the account
-func (h *handler) getAllGroups(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getAllGroups(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		log.WithContext(r.Context()).Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	// Check if filtering by name
 	groupName := r.URL.Query().Get("name")
 	if groupName != "" {
 		// Get single group by name
-		group, err := h.accountManager.GetGroupByName(r.Context(), groupName, userAuth.AccountId)
+		group, err := h.accountManager.GetGroupByName(r.Context(), groupName, accountID, userID)
 		if err != nil {
 			util.WriteError(r.Context(), err, w)
 			return
 		}
 
-		accountPeers, err := h.accountManager.GetPeers(r.Context(), userAuth.AccountId, userAuth.UserId, "", "", h.canReadPeers(r, userAuth))
+		accountPeers, err := h.accountManager.GetPeers(r.Context(), accountID, userID, "", "")
 		if err != nil {
 			util.WriteError(r.Context(), err, w)
 			return
@@ -72,13 +71,13 @@ func (h *handler) getAllGroups(w http.ResponseWriter, r *http.Request, userAuth
 	}
 
 	// Get all groups
-	groups, err := h.accountManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	groups, err := h.accountManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	accountPeers, err := h.accountManager.GetPeers(r.Context(), userAuth.AccountId, userAuth.UserId, "", "", h.canReadPeers(r, userAuth))
+	accountPeers, err := h.accountManager.GetPeers(r.Context(), accountID, userID, "", "")
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -93,7 +92,15 @@ func (h *handler) getAllGroups(w http.ResponseWriter, r *http.Request, userAuth
 }
 
 // updateGroup handles update to a group identified by a given ID
-func (h *handler) updateGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	groupID, ok := vars["groupId"]
 	if !ok {
@@ -105,13 +112,13 @@ func (h *handler) updateGroup(w http.ResponseWriter, r *http.Request, userAuth *
 		return
 	}
 
-	existingGroup, err := h.accountManager.GetGroup(r.Context(), userAuth.AccountId, groupID, userAuth.UserId)
+	existingGroup, err := h.accountManager.GetGroup(r.Context(), accountID, groupID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	allGroup, err := h.accountManager.GetGroupByName(r.Context(), "All", userAuth.AccountId)
+	allGroup, err := h.accountManager.GetGroupByName(r.Context(), "All", accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -159,13 +166,13 @@ func (h *handler) updateGroup(w http.ResponseWriter, r *http.Request, userAuth *
 		IntegrationReference: existingGroup.IntegrationReference,
 	}
 
-	if err := h.accountManager.UpdateGroup(r.Context(), userAuth.AccountId, userAuth.UserId, &group); err != nil {
-		log.WithContext(r.Context()).Errorf("failed updating group %s under account %s %v", groupID, userAuth.AccountId, err)
+	if err := h.accountManager.UpdateGroup(r.Context(), accountID, userID, &group); err != nil {
+		log.WithContext(r.Context()).Errorf("failed updating group %s under account %s %v", groupID, accountID, err)
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	accountPeers, err := h.accountManager.GetPeers(r.Context(), userAuth.AccountId, userAuth.UserId, "", "", h.canReadPeers(r, userAuth))
+	accountPeers, err := h.accountManager.GetPeers(r.Context(), accountID, userID, "", "")
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -175,9 +182,17 @@ func (h *handler) updateGroup(w http.ResponseWriter, r *http.Request, userAuth *
 }
 
 // createGroup handles group creation request
-func (h *handler) createGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.PostApiGroupsJSONRequestBody
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -211,13 +226,13 @@ func (h *handler) createGroup(w http.ResponseWriter, r *http.Request, userAuth *
 		Issued:    types.GroupIssuedAPI,
 	}
 
-	err = h.accountManager.CreateGroup(r.Context(), userAuth.AccountId, userAuth.UserId, &group)
+	err = h.accountManager.CreateGroup(r.Context(), accountID, userID, &group)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	accountPeers, err := h.accountManager.GetPeers(r.Context(), userAuth.AccountId, userAuth.UserId, "", "", h.canReadPeers(r, userAuth))
+	accountPeers, err := h.accountManager.GetPeers(r.Context(), accountID, userID, "", "")
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -227,14 +242,22 @@ func (h *handler) createGroup(w http.ResponseWriter, r *http.Request, userAuth *
 }
 
 // deleteGroup handles group deletion request
-func (h *handler) deleteGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	groupID := mux.Vars(r)["groupId"]
 	if len(groupID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid group ID"), w)
 		return
 	}
 
-	err := h.accountManager.DeleteGroup(r.Context(), userAuth.AccountId, userAuth.UserId, groupID)
+	err = h.accountManager.DeleteGroup(r.Context(), accountID, userID, groupID)
 	if err != nil {
 		wrappedErr, ok := err.(interface{ Unwrap() []error })
 		if ok && len(wrappedErr.Unwrap()) > 0 {
@@ -250,26 +273,34 @@ func (h *handler) deleteGroup(w http.ResponseWriter, r *http.Request, userAuth *
 }
 
 // getGroup returns a group
-func (h *handler) getGroup(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getGroup(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	groupID := mux.Vars(r)["groupId"]
 	if len(groupID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid group ID"), w)
 		return
 	}
 
-	group, err := h.accountManager.GetGroup(r.Context(), userAuth.AccountId, groupID, userAuth.UserId)
+	group, err := h.accountManager.GetGroup(r.Context(), accountID, groupID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	accountPeers, err := h.accountManager.GetPeers(r.Context(), userAuth.AccountId, userAuth.UserId, "", "", h.canReadPeers(r, userAuth))
+	accountPeers, err := h.accountManager.GetPeers(r.Context(), accountID, userID, "", "")
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
 	util.WriteJSONObject(r.Context(), w, toGroupResponse(accountPeers, group))
+
 }
 
 func toGroupResponse(peers []*nbpeer.Peer, group *types.Group) *api.Group {

management/server/http/handlers/groups/groups_handler_test.go

@@ -13,14 +13,10 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/exp/maps"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/mock_server"
@@ -37,18 +33,8 @@ var TestPeers = map[string]*nbpeer.Peer{
 	"B": {Key: "B", ID: "peer-B-ID", IP: net.ParseIP("200.200.200.200")},
 }
 
-func initGroupTestData(t *testing.T, initGroups ...*types.Group) *handler {
-	t.Helper()
-
-	ctrl := gomock.NewController(t)
-	permissionsManagerMock := permissions.NewMockManager(ctrl)
-	permissionsManagerMock.EXPECT().
-		ValidateUserPermissions(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Eq(modules.Peers), gomock.Eq(operations.Read)).
-		Return(true, nil).
-		AnyTimes()
-
+func initGroupTestData(initGroups ...*types.Group) *handler {
 	return &handler{
-		permissionsManager: permissionsManagerMock,
 		accountManager: &mock_server.MockAccountManager{
 			SaveGroupFunc: func(_ context.Context, accountID, userID string, group *types.Group, create bool) error {
 				if !strings.HasPrefix(group.ID, "id-") {
@@ -85,14 +71,14 @@ func initGroupTestData(t *testing.T, initGroups ...*types.Group) *handler {
 
 				return groups, nil
 			},
-			GetGroupByNameFunc: func(ctx context.Context, groupName, _ string) (*types.Group, error) {
+			GetGroupByNameFunc: func(ctx context.Context, groupName, _, _ string) (*types.Group, error) {
 				if groupName == "All" {
 					return &types.Group{ID: "id-all", Name: "All", Issued: types.GroupIssuedAPI}, nil
 				}
 
 				return nil, status.Errorf(status.NotFound, "unknown group name")
 			},
-			GetPeersFunc: func(ctx context.Context, accountID, userID, nameFilter, ipFilter string, _ bool) ([]*nbpeer.Peer, error) {
+			GetPeersFunc: func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
 				return maps.Values(TestPeers), nil
 			},
 			DeleteGroupFunc: func(_ context.Context, accountID, userId, groupID string) error {
@@ -142,7 +128,7 @@ func TestGetGroup(t *testing.T) {
 		Name: "Group",
 	}
 
-	p := initGroupTestData(t, group)
+	p := initGroupTestData(group)
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
@@ -155,7 +141,7 @@ func TestGetGroup(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/groups/{groupId}", permissions.WrapHandler(p.getGroup)).Methods("GET")
+			router.HandleFunc("/api/groups/{groupId}", p.getGroup).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -268,7 +254,7 @@ func TestWriteGroup(t *testing.T) {
 		},
 	}
 
-	p := initGroupTestData(t)
+	p := initGroupTestData()
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
@@ -281,8 +267,8 @@ func TestWriteGroup(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/groups", permissions.WrapHandler(p.createGroup)).Methods("POST")
-			router.HandleFunc("/api/groups/{groupId}", permissions.WrapHandler(p.updateGroup)).Methods("PUT")
+			router.HandleFunc("/api/groups", p.createGroup).Methods("POST")
+			router.HandleFunc("/api/groups/{groupId}", p.updateGroup).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -346,7 +332,7 @@ func TestGetAllGroups(t *testing.T) {
 		},
 	}
 
-	p := initGroupTestData(t)
+	p := initGroupTestData()
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
@@ -359,7 +345,7 @@ func TestGetAllGroups(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/groups", permissions.WrapHandler(p.getAllGroups)).Methods("GET")
+			router.HandleFunc("/api/groups", p.getAllGroups).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -428,7 +414,7 @@ func TestDeleteGroup(t *testing.T) {
 		},
 	}
 
-	p := initGroupTestData(t)
+	p := initGroupTestData()
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
@@ -440,7 +426,7 @@ func TestDeleteGroup(t *testing.T) {
 				AccountId: "test_id",
 			})
 			router := mux.NewRouter()
-			router.HandleFunc("/api/groups/{groupId}", permissions.WrapHandler(p.deleteGroup)).Methods("DELETE")
+			router.HandleFunc("/api/groups/{groupId}", p.deleteGroup).Methods("DELETE")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/idp/idp_handler.go

@@ -6,12 +6,9 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -23,13 +20,13 @@ type handler struct {
 }
 
 // AddEndpoints registers identity provider endpoints
-func AddEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddEndpoints(accountManager account.Manager, router *mux.Router) {
 	h := newHandler(accountManager)
-	router.HandleFunc("/identity-providers", permissionsManager.WithPermission(modules.IdentityProviders, operations.Read, h.getAllIdentityProviders)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/identity-providers", permissionsManager.WithPermission(modules.IdentityProviders, operations.Create, h.createIdentityProvider)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/identity-providers/{idpId}", permissionsManager.WithPermission(modules.IdentityProviders, operations.Read, h.getIdentityProvider)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/identity-providers/{idpId}", permissionsManager.WithPermission(modules.IdentityProviders, operations.Update, h.updateIdentityProvider)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/identity-providers/{idpId}", permissionsManager.WithPermission(modules.IdentityProviders, operations.Delete, h.deleteIdentityProvider)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/identity-providers", h.getAllIdentityProviders).Methods("GET", "OPTIONS")
+	router.HandleFunc("/identity-providers", h.createIdentityProvider).Methods("POST", "OPTIONS")
+	router.HandleFunc("/identity-providers/{idpId}", h.getIdentityProvider).Methods("GET", "OPTIONS")
+	router.HandleFunc("/identity-providers/{idpId}", h.updateIdentityProvider).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/identity-providers/{idpId}", h.deleteIdentityProvider).Methods("DELETE", "OPTIONS")
 }
 
 func newHandler(accountManager account.Manager) *handler {
@@ -39,8 +36,16 @@ func newHandler(accountManager account.Manager) *handler {
 }
 
 // getAllIdentityProviders returns all identity providers for the account
-func (h *handler) getAllIdentityProviders(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	providers, err := h.accountManager.GetIdentityProviders(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllIdentityProviders(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	providers, err := h.accountManager.GetIdentityProviders(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -55,7 +60,15 @@ func (h *handler) getAllIdentityProviders(w http.ResponseWriter, r *http.Request
 }
 
 // getIdentityProvider returns a specific identity provider
-func (h *handler) getIdentityProvider(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getIdentityProvider(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	idpID := vars["idpId"]
 	if idpID == "" {
@@ -63,7 +76,7 @@ func (h *handler) getIdentityProvider(w http.ResponseWriter, r *http.Request, us
 		return
 	}
 
-	provider, err := h.accountManager.GetIdentityProvider(r.Context(), userAuth.AccountId, idpID, userAuth.UserId)
+	provider, err := h.accountManager.GetIdentityProvider(r.Context(), accountID, idpID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -73,7 +86,15 @@ func (h *handler) getIdentityProvider(w http.ResponseWriter, r *http.Request, us
 }
 
 // createIdentityProvider creates a new identity provider
-func (h *handler) createIdentityProvider(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createIdentityProvider(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.IdentityProviderRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
@@ -82,7 +103,7 @@ func (h *handler) createIdentityProvider(w http.ResponseWriter, r *http.Request,
 
 	idp := fromAPIRequest(&req)
 
-	created, err := h.accountManager.CreateIdentityProvider(r.Context(), userAuth.AccountId, userAuth.UserId, idp)
+	created, err := h.accountManager.CreateIdentityProvider(r.Context(), accountID, userID, idp)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -92,7 +113,15 @@ func (h *handler) createIdentityProvider(w http.ResponseWriter, r *http.Request,
 }
 
 // updateIdentityProvider updates an existing identity provider
-func (h *handler) updateIdentityProvider(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateIdentityProvider(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	idpID := vars["idpId"]
 	if idpID == "" {
@@ -108,7 +137,7 @@ func (h *handler) updateIdentityProvider(w http.ResponseWriter, r *http.Request,
 
 	idp := fromAPIRequest(&req)
 
-	updated, err := h.accountManager.UpdateIdentityProvider(r.Context(), userAuth.AccountId, idpID, userAuth.UserId, idp)
+	updated, err := h.accountManager.UpdateIdentityProvider(r.Context(), accountID, idpID, userID, idp)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -118,7 +147,15 @@ func (h *handler) updateIdentityProvider(w http.ResponseWriter, r *http.Request,
 }
 
 // deleteIdentityProvider deletes an identity provider
-func (h *handler) deleteIdentityProvider(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteIdentityProvider(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	idpID := vars["idpId"]
 	if idpID == "" {
@@ -126,7 +163,7 @@ func (h *handler) deleteIdentityProvider(w http.ResponseWriter, r *http.Request,
 		return
 	}
 
-	if err := h.accountManager.DeleteIdentityProvider(r.Context(), userAuth.AccountId, idpID, userAuth.UserId); err != nil {
+	if err := h.accountManager.DeleteIdentityProvider(r.Context(), accountID, idpID, userID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}

management/server/http/handlers/idp/idp_handler_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -121,7 +120,7 @@ func TestGetAllIdentityProviders(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/identity-providers", permissions.WrapHandler(h.getAllIdentityProviders)).Methods("GET")
+			router.HandleFunc("/api/identity-providers", h.getAllIdentityProviders).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -181,7 +180,7 @@ func TestGetIdentityProvider(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/identity-providers/{idpId}", permissions.WrapHandler(h.getIdentityProvider)).Methods("GET")
+			router.HandleFunc("/api/identity-providers/{idpId}", h.getIdentityProvider).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -243,7 +242,7 @@ func TestCreateIdentityProvider(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/identity-providers", permissions.WrapHandler(h.createIdentityProvider)).Methods("POST")
+			router.HandleFunc("/api/identity-providers", h.createIdentityProvider).Methods("POST")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -329,7 +328,7 @@ func TestUpdateIdentityProvider(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/identity-providers/{idpId}", permissions.WrapHandler(h.updateIdentityProvider)).Methods("PUT")
+			router.HandleFunc("/api/identity-providers/{idpId}", h.updateIdentityProvider).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -389,7 +388,7 @@ func TestDeleteIdentityProvider(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/identity-providers/{idpId}", permissions.WrapHandler(h.deleteIdentityProvider)).Methods("DELETE")
+			router.HandleFunc("/api/identity-providers/{idpId}", h.deleteIdentityProvider).Methods("DELETE")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/instance/instance_handler.go

@@ -7,11 +7,7 @@ import (
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	nbinstance "github.com/netbirdio/netbird/management/server/instance"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
@@ -33,12 +29,12 @@ func AddEndpoints(instanceManager nbinstance.Manager, router *mux.Router) {
 }
 
 // AddVersionEndpoint registers the authenticated version endpoint.
-func AddVersionEndpoint(instanceManager nbinstance.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddVersionEndpoint(instanceManager nbinstance.Manager, router *mux.Router) {
 	h := &handler{
 		instanceManager: instanceManager,
 	}
 
-	router.HandleFunc("/instance/version", permissionsManager.WithPermission(modules.Settings, operations.Read, h.getVersionInfo)).Methods("GET", "OPTIONS")
+	router.HandleFunc("/instance/version", h.getVersionInfo).Methods("GET", "OPTIONS")
 }
 
 // getInstanceStatus returns the instance status including whether setup is required.
@@ -81,7 +77,7 @@ func (h *handler) setup(w http.ResponseWriter, r *http.Request) {
 
 // getVersionInfo returns version information for NetBird components.
 // This endpoint requires authentication.
-func (h *handler) getVersionInfo(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getVersionInfo(w http.ResponseWriter, r *http.Request) {
 	versionInfo, err := h.instanceManager.GetVersionInfo(r.Context())
 	if err != nil {
 		log.WithContext(r.Context()).Errorf("failed to get version info: %v", err)

management/server/http/handlers/instance/instance_handler_test.go

@@ -10,17 +10,12 @@ import (
 	"net/mail"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/idp"
 	nbinstance "github.com/netbirdio/netbird/management/server/instance"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/status"
 )
@@ -300,15 +295,8 @@ func TestSetup_ManagerError(t *testing.T) {
 
 func TestGetVersionInfo_Success(t *testing.T) {
 	manager := &mockInstanceManager{}
-	ctrl := gomock.NewController(t)
-	permissionsManager := permissions.NewMockManager(ctrl)
-	permissionsManager.EXPECT().WithPermission(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(module modules.Module, operation operations.Operation, handler func(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth), authErrHandler ...permissions.AuthErrorHandler) http.HandlerFunc {
-		return func(w http.ResponseWriter, r *http.Request) {
-			handler(w, r, &auth.UserAuth{})
-		}
-	}).AnyTimes()
 	router := mux.NewRouter()
-	AddVersionEndpoint(manager, router, permissionsManager)
+	AddVersionEndpoint(manager, router)
 
 	req := httptest.NewRequest(http.MethodGet, "/instance/version", nil)
 	rec := httptest.NewRecorder()
@@ -335,15 +323,8 @@ func TestGetVersionInfo_Error(t *testing.T) {
 			return nil, errors.New("failed to fetch versions")
 		},
 	}
-	ctrl := gomock.NewController(t)
-	permissionsManager := permissions.NewMockManager(ctrl)
-	permissionsManager.EXPECT().WithPermission(gomock.Any(), gomock.Any(), gomock.Any()).DoAndReturn(func(module modules.Module, operation operations.Operation, handler func(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth), authErrHandler ...permissions.AuthErrorHandler) http.HandlerFunc {
-		return func(w http.ResponseWriter, r *http.Request) {
-			handler(w, r, &auth.UserAuth{})
-		}
-	}).AnyTimes()
 	router := mux.NewRouter()
-	AddVersionEndpoint(manager, router, permissionsManager)
+	AddVersionEndpoint(manager, router)
 
 	req := httptest.NewRequest(http.MethodGet, "/instance/version", nil)
 	rec := httptest.NewRecorder()

management/server/http/handlers/networks/handler.go

@@ -9,10 +9,8 @@ import (
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/networks"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
@@ -20,7 +18,6 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	"github.com/netbirdio/netbird/management/server/networks/types"
 	nbtypes "github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -36,16 +33,16 @@ type handler struct {
 	groupsManager groups.Manager
 }
 
-func AddEndpoints(networksManager networks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager groups.Manager, accountManager account.Manager, permissionsManager permissions.Manager, router *mux.Router) {
-	addRouterEndpoints(routerManager, permissionsManager, router)
-	addResourceEndpoints(resourceManager, groupsManager, permissionsManager, router)
+func AddEndpoints(networksManager networks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager groups.Manager, accountManager account.Manager, router *mux.Router) {
+	addRouterEndpoints(routerManager, router)
+	addResourceEndpoints(resourceManager, groupsManager, router)
 
 	networksHandler := newHandler(networksManager, resourceManager, routerManager, groupsManager, accountManager)
-	router.HandleFunc("/networks", permissionsManager.WithPermission(modules.Networks, operations.Read, networksHandler.getAllNetworks)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks", permissionsManager.WithPermission(modules.Networks, operations.Create, networksHandler.createNetwork)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}", permissionsManager.WithPermission(modules.Networks, operations.Read, networksHandler.getNetwork)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}", permissionsManager.WithPermission(modules.Networks, operations.Update, networksHandler.updateNetwork)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}", permissionsManager.WithPermission(modules.Networks, operations.Delete, networksHandler.deleteNetwork)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/networks", networksHandler.getAllNetworks).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks", networksHandler.createNetwork).Methods("POST", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}", networksHandler.getNetwork).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}", networksHandler.updateNetwork).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}", networksHandler.deleteNetwork).Methods("DELETE", "OPTIONS")
 }
 
 func newHandler(networksManager networks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager groups.Manager, accountManager account.Manager) *handler {
@@ -58,32 +55,40 @@ func newHandler(networksManager networks.Manager, resourceManager resources.Mana
 	}
 }
 
-func (h *handler) getAllNetworks(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	networks, err := h.networksManager.GetAllNetworks(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllNetworks(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	resourceIDs, err := h.resourceManager.GetAllResourceIDsInAccount(r.Context(), userAuth.AccountId, userAuth.UserId)
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	networks, err := h.networksManager.GetAllNetworks(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	groups, err := h.groupsManager.GetAllGroupsMap(r.Context(), userAuth.AccountId, userAuth.UserId)
+	resourceIDs, err := h.resourceManager.GetAllResourceIDsInAccount(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	routers, err := h.routerManager.GetAllRoutersInAccount(r.Context(), userAuth.AccountId, userAuth.UserId)
+	groups, err := h.groupsManager.GetAllGroupsMap(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	account, err := h.accountManager.GetAccount(r.Context(), userAuth.AccountId)
+	routers, err := h.routerManager.GetAllRoutersInAccount(r.Context(), accountID, userID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	account, err := h.accountManager.GetAccount(r.Context(), accountID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -92,9 +97,16 @@ func (h *handler) getAllNetworks(w http.ResponseWriter, r *http.Request, userAut
 	util.WriteJSONObject(r.Context(), w, h.generateNetworkResponse(networks, routers, resourceIDs, groups, account))
 }
 
-func (h *handler) createNetwork(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createNetwork(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.NetworkRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -103,14 +115,14 @@ func (h *handler) createNetwork(w http.ResponseWriter, r *http.Request, userAuth
 	network := &types.Network{}
 	network.FromAPIRequest(&req)
 
-	network.AccountID = userAuth.AccountId
-	network, err = h.networksManager.CreateNetwork(r.Context(), userAuth.UserId, network)
+	network.AccountID = accountID
+	network, err = h.networksManager.CreateNetwork(r.Context(), userID, network)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	account, err := h.accountManager.GetAccount(r.Context(), userAuth.AccountId)
+	account, err := h.accountManager.GetAccount(r.Context(), accountID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -121,7 +133,14 @@ func (h *handler) createNetwork(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, network.ToAPIResponse([]string{}, []string{}, 0, policyIDs))
 }
 
-func (h *handler) getNetwork(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getNetwork(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	networkID := vars["networkId"]
 	if len(networkID) == 0 {
@@ -129,19 +148,19 @@ func (h *handler) getNetwork(w http.ResponseWriter, r *http.Request, userAuth *a
 		return
 	}
 
-	network, err := h.networksManager.GetNetwork(r.Context(), userAuth.AccountId, userAuth.UserId, networkID)
+	network, err := h.networksManager.GetNetwork(r.Context(), accountID, userID, networkID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	routerIDs, resourceIDs, peerCount, err := h.collectIDsInNetwork(r.Context(), userAuth.AccountId, userAuth.UserId, networkID)
+	routerIDs, resourceIDs, peerCount, err := h.collectIDsInNetwork(r.Context(), accountID, userID, networkID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	account, err := h.accountManager.GetAccount(r.Context(), userAuth.AccountId)
+	account, err := h.accountManager.GetAccount(r.Context(), accountID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -152,7 +171,14 @@ func (h *handler) getNetwork(w http.ResponseWriter, r *http.Request, userAuth *a
 	util.WriteJSONObject(r.Context(), w, network.ToAPIResponse(routerIDs, resourceIDs, peerCount, policyIDs))
 }
 
-func (h *handler) updateNetwork(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateNetwork(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	networkID := vars["networkId"]
 	if len(networkID) == 0 {
@@ -161,7 +187,7 @@ func (h *handler) updateNetwork(w http.ResponseWriter, r *http.Request, userAuth
 	}
 
 	var req api.NetworkRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -171,20 +197,20 @@ func (h *handler) updateNetwork(w http.ResponseWriter, r *http.Request, userAuth
 	network.FromAPIRequest(&req)
 
 	network.ID = networkID
-	network.AccountID = userAuth.AccountId
-	network, err = h.networksManager.UpdateNetwork(r.Context(), userAuth.UserId, network)
+	network.AccountID = accountID
+	network, err = h.networksManager.UpdateNetwork(r.Context(), userID, network)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	routerIDs, resourceIDs, peerCount, err := h.collectIDsInNetwork(r.Context(), userAuth.AccountId, userAuth.UserId, networkID)
+	routerIDs, resourceIDs, peerCount, err := h.collectIDsInNetwork(r.Context(), accountID, userID, networkID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	account, err := h.accountManager.GetAccount(r.Context(), userAuth.AccountId)
+	account, err := h.accountManager.GetAccount(r.Context(), accountID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -195,7 +221,14 @@ func (h *handler) updateNetwork(w http.ResponseWriter, r *http.Request, userAuth
 	util.WriteJSONObject(r.Context(), w, network.ToAPIResponse(routerIDs, resourceIDs, peerCount, policyIDs))
 }
 
-func (h *handler) deleteNetwork(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteNetwork(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	networkID := vars["networkId"]
 	if len(networkID) == 0 {
@@ -203,7 +236,7 @@ func (h *handler) deleteNetwork(w http.ResponseWriter, r *http.Request, userAuth
 		return
 	}
 
-	err := h.networksManager.DeleteNetwork(r.Context(), userAuth.AccountId, userAuth.UserId, networkID)
+	err = h.networksManager.DeleteNetwork(r.Context(), accountID, userID, networkID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/networks/resources_handler.go

@@ -6,13 +6,10 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/networks/resources"
 	"github.com/netbirdio/netbird/management/server/networks/resources/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
@@ -22,14 +19,14 @@ type resourceHandler struct {
 	groupsManager   groups.Manager
 }
 
-func addResourceEndpoints(resourcesManager resources.Manager, groupsManager groups.Manager, permissionsManager permissions.Manager, router *mux.Router) {
+func addResourceEndpoints(resourcesManager resources.Manager, groupsManager groups.Manager, router *mux.Router) {
 	resourceHandler := newResourceHandler(resourcesManager, groupsManager)
-	router.HandleFunc("/networks/resources", permissionsManager.WithPermission(modules.Networks, operations.Read, resourceHandler.getAllResourcesInAccount)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/resources", permissionsManager.WithPermission(modules.Networks, operations.Read, resourceHandler.getAllResourcesInNetwork)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/resources", permissionsManager.WithPermission(modules.Networks, operations.Create, resourceHandler.createResource)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/resources/{resourceId}", permissionsManager.WithPermission(modules.Networks, operations.Read, resourceHandler.getResource)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/resources/{resourceId}", permissionsManager.WithPermission(modules.Networks, operations.Update, resourceHandler.updateResource)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/resources/{resourceId}", permissionsManager.WithPermission(modules.Networks, operations.Delete, resourceHandler.deleteResource)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/networks/resources", resourceHandler.getAllResourcesInAccount).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/resources", resourceHandler.getAllResourcesInNetwork).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/resources", resourceHandler.createResource).Methods("POST", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/resources/{resourceId}", resourceHandler.getResource).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/resources/{resourceId}", resourceHandler.updateResource).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/resources/{resourceId}", resourceHandler.deleteResource).Methods("DELETE", "OPTIONS")
 }
 
 func newResourceHandler(resourceManager resources.Manager, groupsManager groups.Manager) *resourceHandler {
@@ -39,15 +36,22 @@ func newResourceHandler(resourceManager resources.Manager, groupsManager groups.
 	}
 }
 
-func (h *resourceHandler) getAllResourcesInNetwork(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	networkID := mux.Vars(r)["networkId"]
-	resources, err := h.resourceManager.GetAllResourcesInNetwork(r.Context(), userAuth.AccountId, userAuth.UserId, networkID)
+func (h *resourceHandler) getAllResourcesInNetwork(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	grps, err := h.groupsManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+	networkID := mux.Vars(r)["networkId"]
+	resources, err := h.resourceManager.GetAllResourcesInNetwork(r.Context(), accountID, userID, networkID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	grps, err := h.groupsManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -62,14 +66,22 @@ func (h *resourceHandler) getAllResourcesInNetwork(w http.ResponseWriter, r *htt
 
 	util.WriteJSONObject(r.Context(), w, resourcesResponse)
 }
-func (h *resourceHandler) getAllResourcesInAccount(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	resources, err := h.resourceManager.GetAllResourcesInAccount(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *resourceHandler) getAllResourcesInAccount(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	grps, err := h.groupsManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	resources, err := h.resourceManager.GetAllResourcesInAccount(r.Context(), accountID, userID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	grps, err := h.groupsManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -85,9 +97,17 @@ func (h *resourceHandler) getAllResourcesInAccount(w http.ResponseWriter, r *htt
 	util.WriteJSONObject(r.Context(), w, resourcesResponse)
 }
 
-func (h *resourceHandler) createResource(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *resourceHandler) createResource(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.NetworkResourceRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -97,14 +117,14 @@ func (h *resourceHandler) createResource(w http.ResponseWriter, r *http.Request,
 	resource.FromAPIRequest(&req)
 
 	resource.NetworkID = mux.Vars(r)["networkId"]
-	resource.AccountID = userAuth.AccountId
-	resource, err = h.resourceManager.CreateResource(r.Context(), userAuth.UserId, resource)
+	resource.AccountID = accountID
+	resource, err = h.resourceManager.CreateResource(r.Context(), userID, resource)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	grps, err := h.groupsManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	grps, err := h.groupsManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -115,16 +135,23 @@ func (h *resourceHandler) createResource(w http.ResponseWriter, r *http.Request,
 	util.WriteJSONObject(r.Context(), w, resource.ToAPIResponse(grpsInfoMap[resource.ID]))
 }
 
-func (h *resourceHandler) getResource(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *resourceHandler) getResource(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	networkID := mux.Vars(r)["networkId"]
 	resourceID := mux.Vars(r)["resourceId"]
-	resource, err := h.resourceManager.GetResource(r.Context(), userAuth.AccountId, userAuth.UserId, networkID, resourceID)
+	resource, err := h.resourceManager.GetResource(r.Context(), accountID, userID, networkID, resourceID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	grps, err := h.groupsManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	grps, err := h.groupsManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -135,9 +162,16 @@ func (h *resourceHandler) getResource(w http.ResponseWriter, r *http.Request, us
 	util.WriteJSONObject(r.Context(), w, resource.ToAPIResponse(grpsInfoMap[resource.ID]))
 }
 
-func (h *resourceHandler) updateResource(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *resourceHandler) updateResource(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	var req api.NetworkResourceRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -148,14 +182,14 @@ func (h *resourceHandler) updateResource(w http.ResponseWriter, r *http.Request,
 
 	resource.ID = mux.Vars(r)["resourceId"]
 	resource.NetworkID = mux.Vars(r)["networkId"]
-	resource.AccountID = userAuth.AccountId
-	resource, err = h.resourceManager.UpdateResource(r.Context(), userAuth.UserId, resource)
+	resource.AccountID = accountID
+	resource, err = h.resourceManager.UpdateResource(r.Context(), userID, resource)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	grps, err := h.groupsManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	grps, err := h.groupsManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -166,10 +200,17 @@ func (h *resourceHandler) updateResource(w http.ResponseWriter, r *http.Request,
 	util.WriteJSONObject(r.Context(), w, resource.ToAPIResponse(grpsInfoMap[resource.ID]))
 }
 
-func (h *resourceHandler) deleteResource(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *resourceHandler) deleteResource(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	networkID := mux.Vars(r)["networkId"]
 	resourceID := mux.Vars(r)["resourceId"]
-	err := h.resourceManager.DeleteResource(r.Context(), userAuth.AccountId, userAuth.UserId, networkID, resourceID)
+	err = h.resourceManager.DeleteResource(r.Context(), accountID, userID, networkID, resourceID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/networks/routers_handler.go

@@ -6,12 +6,9 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/networks/routers"
 	"github.com/netbirdio/netbird/management/server/networks/routers/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 )
@@ -20,14 +17,14 @@ type routersHandler struct {
 	routersManager routers.Manager
 }
 
-func addRouterEndpoints(routersManager routers.Manager, permissionsManager permissions.Manager, router *mux.Router) {
+func addRouterEndpoints(routersManager routers.Manager, router *mux.Router) {
 	routersHandler := newRoutersHandler(routersManager)
-	router.HandleFunc("/networks/routers", permissionsManager.WithPermission(modules.Networks, operations.Read, routersHandler.getAllRouters)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/routers", permissionsManager.WithPermission(modules.Networks, operations.Read, routersHandler.getNetworkRouters)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/routers", permissionsManager.WithPermission(modules.Networks, operations.Create, routersHandler.createRouter)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/routers/{routerId}", permissionsManager.WithPermission(modules.Networks, operations.Read, routersHandler.getRouter)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/routers/{routerId}", permissionsManager.WithPermission(modules.Networks, operations.Update, routersHandler.updateRouter)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/networks/{networkId}/routers/{routerId}", permissionsManager.WithPermission(modules.Networks, operations.Delete, routersHandler.deleteRouter)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/networks/routers", routersHandler.getAllRouters).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/routers", routersHandler.getNetworkRouters).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/routers", routersHandler.createRouter).Methods("POST", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/routers/{routerId}", routersHandler.getRouter).Methods("GET", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/routers/{routerId}", routersHandler.updateRouter).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/networks/{networkId}/routers/{routerId}", routersHandler.deleteRouter).Methods("DELETE", "OPTIONS")
 }
 
 func newRoutersHandler(routersManager routers.Manager) *routersHandler {
@@ -36,8 +33,16 @@ func newRoutersHandler(routersManager routers.Manager) *routersHandler {
 	}
 }
 
-func (h *routersHandler) getAllRouters(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	routersMap, err := h.routersManager.GetAllRoutersInAccount(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *routersHandler) getAllRouters(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	routersMap, err := h.routersManager.GetAllRoutersInAccount(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -53,9 +58,17 @@ func (h *routersHandler) getAllRouters(w http.ResponseWriter, r *http.Request, u
 	util.WriteJSONObject(r.Context(), w, routersResponse)
 }
 
-func (h *routersHandler) getNetworkRouters(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *routersHandler) getNetworkRouters(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	networkID := mux.Vars(r)["networkId"]
-	routers, err := h.routersManager.GetAllRoutersInNetwork(r.Context(), userAuth.AccountId, userAuth.UserId, networkID)
+	routers, err := h.routersManager.GetAllRoutersInNetwork(r.Context(), accountID, userID, networkID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -69,10 +82,18 @@ func (h *routersHandler) getNetworkRouters(w http.ResponseWriter, r *http.Reques
 	util.WriteJSONObject(r.Context(), w, routersResponse)
 }
 
-func (h *routersHandler) createRouter(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *routersHandler) createRouter(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	networkID := mux.Vars(r)["networkId"]
 	var req api.NetworkRouterRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -82,7 +103,7 @@ func (h *routersHandler) createRouter(w http.ResponseWriter, r *http.Request, us
 	router.FromAPIRequest(&req)
 
 	router.NetworkID = networkID
-	router.AccountID = userAuth.AccountId
+	router.AccountID = accountID
 	router.Enabled = true
 
 	if err := router.Validate(); err != nil {
@@ -90,7 +111,7 @@ func (h *routersHandler) createRouter(w http.ResponseWriter, r *http.Request, us
 		return
 	}
 
-	router, err = h.routersManager.CreateRouter(r.Context(), userAuth.UserId, router)
+	router, err = h.routersManager.CreateRouter(r.Context(), userID, router)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -99,10 +120,18 @@ func (h *routersHandler) createRouter(w http.ResponseWriter, r *http.Request, us
 	util.WriteJSONObject(r.Context(), w, router.ToAPIResponse())
 }
 
-func (h *routersHandler) getRouter(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *routersHandler) getRouter(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	routerID := mux.Vars(r)["routerId"]
 	networkID := mux.Vars(r)["networkId"]
-	router, err := h.routersManager.GetRouter(r.Context(), userAuth.AccountId, userAuth.UserId, networkID, routerID)
+	router, err := h.routersManager.GetRouter(r.Context(), accountID, userID, networkID, routerID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -111,9 +140,17 @@ func (h *routersHandler) getRouter(w http.ResponseWriter, r *http.Request, userA
 	util.WriteJSONObject(r.Context(), w, router.ToAPIResponse())
 }
 
-func (h *routersHandler) updateRouter(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *routersHandler) updateRouter(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.NetworkRouterRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -124,14 +161,14 @@ func (h *routersHandler) updateRouter(w http.ResponseWriter, r *http.Request, us
 
 	router.NetworkID = mux.Vars(r)["networkId"]
 	router.ID = mux.Vars(r)["routerId"]
-	router.AccountID = userAuth.AccountId
+	router.AccountID = accountID
 
 	if err := router.Validate(); err != nil {
 		util.WriteErrorResponse(err.Error(), http.StatusBadRequest, w)
 		return
 	}
 
-	router, err = h.routersManager.UpdateRouter(r.Context(), userAuth.UserId, router)
+	router, err = h.routersManager.UpdateRouter(r.Context(), userID, router)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -140,10 +177,17 @@ func (h *routersHandler) updateRouter(w http.ResponseWriter, r *http.Request, us
 	util.WriteJSONObject(r.Context(), w, router.ToAPIResponse())
 }
 
-func (h *routersHandler) deleteRouter(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *routersHandler) deleteRouter(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	routerID := mux.Vars(r)["routerId"]
 	networkID := mux.Vars(r)["networkId"]
-	err := h.routersManager.DeleteRouter(r.Context(), userAuth.AccountId, userAuth.UserId, networkID, routerID)
+	err = h.routersManager.DeleteRouter(r.Context(), accountID, userID, networkID, routerID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/peers/peers_handler.go

@@ -1,6 +1,7 @@
 package peers
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -11,15 +12,15 @@ import (
 
 	"github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/groups"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -34,15 +35,14 @@ type Handler struct {
 
 func AddEndpoints(accountManager account.Manager, router *mux.Router, networkMapController network_map.Controller, permissionsManager permissions.Manager) {
 	peersHandler := NewHandler(accountManager, networkMapController, permissionsManager)
-	router.HandleFunc("/peers", permissionsManager.WithPermission(modules.Peers, operations.Read, peersHandler.GetAllPeers)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}", permissionsManager.WithPermission(modules.Peers, operations.Read, peersHandler.GetPeer)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}", permissionsManager.WithPermission(modules.Peers, operations.Update, peersHandler.UpdatePeer)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}", permissionsManager.WithPermission(modules.Peers, operations.Delete, peersHandler.DeletePeer)).Methods("DELETE", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}/accessible-peers", permissionsManager.WithPermission(modules.Peers, operations.Read, peersHandler.GetAccessiblePeers)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}/temporary-access", permissionsManager.WithPermission(modules.Peers, operations.Create, peersHandler.CreateTemporaryAccess)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}/jobs", permissionsManager.WithPermission(modules.RemoteJobs, operations.Read, peersHandler.ListJobs)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}/jobs", permissionsManager.WithPermission(modules.RemoteJobs, operations.Create, peersHandler.CreateJob)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}/jobs/{jobId}", permissionsManager.WithPermission(modules.RemoteJobs, operations.Read, peersHandler.GetJob)).Methods("GET", "OPTIONS")
+	router.HandleFunc("/peers", peersHandler.GetAllPeers).Methods("GET", "OPTIONS")
+	router.HandleFunc("/peers/{peerId}", peersHandler.HandlePeer).
+		Methods("GET", "PUT", "DELETE", "OPTIONS")
+	router.HandleFunc("/peers/{peerId}/accessible-peers", peersHandler.GetAccessiblePeers).Methods("GET", "OPTIONS")
+	router.HandleFunc("/peers/{peerId}/temporary-access", peersHandler.CreateTemporaryAccess).Methods("POST", "OPTIONS")
+	router.HandleFunc("/peers/{peerId}/jobs", peersHandler.ListJobs).Methods("GET", "OPTIONS")
+	router.HandleFunc("/peers/{peerId}/jobs", peersHandler.CreateJob).Methods("POST", "OPTIONS")
+	router.HandleFunc("/peers/{peerId}/jobs/{jobId}", peersHandler.GetJob).Methods("GET", "OPTIONS")
 }
 
 // NewHandler creates a new peers Handler
@@ -54,7 +54,14 @@ func NewHandler(accountManager account.Manager, networkMapController network_map
 	}
 }
 
-func (h *Handler) CreateJob(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *Handler) CreateJob(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	userAuth, err := nbcontext.GetUserAuthFromContext(ctx)
+	if err != nil {
+		util.WriteError(ctx, err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	peerID := vars["peerId"]
 
@@ -66,30 +73,37 @@ func (h *Handler) CreateJob(w http.ResponseWriter, r *http.Request, userAuth *au
 
 	job, err := types.NewJob(userAuth.UserId, userAuth.AccountId, peerID, req)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
-	if err := h.accountManager.CreatePeerJob(r.Context(), userAuth.AccountId, peerID, userAuth.UserId, job); err != nil {
-		util.WriteError(r.Context(), err, w)
+	if err := h.accountManager.CreatePeerJob(ctx, userAuth.AccountId, peerID, userAuth.UserId, job); err != nil {
+		util.WriteError(ctx, err, w)
 		return
 	}
 
 	resp, err := toSingleJobResponse(job)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
-	util.WriteJSONObject(r.Context(), w, resp)
+	util.WriteJSONObject(ctx, w, resp)
 }
 
-func (h *Handler) ListJobs(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *Handler) ListJobs(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	userAuth, err := nbcontext.GetUserAuthFromContext(ctx)
+	if err != nil {
+		util.WriteError(ctx, err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	peerID := vars["peerId"]
 
-	jobs, err := h.accountManager.GetAllPeerJobs(r.Context(), userAuth.AccountId, userAuth.UserId, peerID)
+	jobs, err := h.accountManager.GetAllPeerJobs(ctx, userAuth.AccountId, userAuth.UserId, peerID)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
@@ -97,88 +111,79 @@ func (h *Handler) ListJobs(w http.ResponseWriter, r *http.Request, userAuth *aut
 	for _, job := range jobs {
 		resp, err := toSingleJobResponse(job)
 		if err != nil {
-			util.WriteError(r.Context(), err, w)
+			util.WriteError(ctx, err, w)
 			return
 		}
 		respBody = append(respBody, resp)
 	}
 
-	util.WriteJSONObject(r.Context(), w, respBody)
+	util.WriteJSONObject(ctx, w, respBody)
 }
 
-func (h *Handler) GetJob(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *Handler) GetJob(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	userAuth, err := nbcontext.GetUserAuthFromContext(ctx)
+	if err != nil {
+		util.WriteError(ctx, err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	peerID := vars["peerId"]
 	jobID := vars["jobId"]
 
-	job, err := h.accountManager.GetPeerJobByID(r.Context(), userAuth.AccountId, userAuth.UserId, peerID, jobID)
+	job, err := h.accountManager.GetPeerJobByID(ctx, userAuth.AccountId, userAuth.UserId, peerID, jobID)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
 	resp, err := toSingleJobResponse(job)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
-	util.WriteJSONObject(r.Context(), w, resp)
+	util.WriteJSONObject(ctx, w, resp)
 }
 
-// GetPeer handles GET request for a single peer
-func (h *Handler) GetPeer(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	vars := mux.Vars(r)
-	peerID := vars["peerId"]
-	if len(peerID) == 0 {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid peer ID"), w)
-		return
-	}
-
-	peer, err := h.accountManager.GetPeer(r.Context(), userAuth.AccountId, peerID, userAuth.UserId)
+func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string, w http.ResponseWriter) {
+	peer, err := h.accountManager.GetPeer(ctx, accountID, peerID, userID)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
 	if peer.ProxyMeta.Embedded {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "not allowed to read peer"), w)
+		util.WriteError(ctx, status.Errorf(status.InvalidArgument, "not allowed to read peer"), w)
 		return
 	}
 
-	settings, err := h.accountManager.GetAccountSettings(r.Context(), userAuth.AccountId, activity.SystemInitiator)
+	settings, err := h.accountManager.GetAccountSettings(ctx, accountID, activity.SystemInitiator)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
 	dnsDomain := h.networkMapController.GetDNSDomain(settings)
 
-	grps, _ := h.accountManager.GetPeerGroups(r.Context(), userAuth.AccountId, peerID)
+	grps, _ := h.accountManager.GetPeerGroups(ctx, accountID, peerID)
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, 0)
 
-	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(r.Context(), userAuth.AccountId)
+	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
 	if err != nil {
-		log.WithContext(r.Context()).Errorf("failed to list approved peers: %v", err)
-		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
+		log.WithContext(ctx).Errorf("failed to list approved peers: %v", err)
+		util.WriteError(ctx, fmt.Errorf("internal error"), w)
 		return
 	}
 
 	_, valid := validPeers[peer.ID]
 	reason := invalidPeers[peer.ID]
 
-	util.WriteJSONObject(r.Context(), w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid, reason))
+	util.WriteJSONObject(ctx, w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid, reason))
 }
 
-// UpdatePeer handles PUT request to update a peer
-func (h *Handler) UpdatePeer(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	vars := mux.Vars(r)
-	peerID := vars["peerId"]
-	if len(peerID) == 0 {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid peer ID"), w)
-		return
-	}
-
+func (h *Handler) updatePeer(ctx context.Context, accountID, userID, peerID string, w http.ResponseWriter, r *http.Request) {
 	req := &api.PeerRequest{}
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
@@ -187,10 +192,11 @@ func (h *Handler) UpdatePeer(w http.ResponseWriter, r *http.Request, userAuth *a
 	}
 
 	update := &nbpeer.Peer{
-		ID:                          peerID,
-		SSHEnabled:                  req.SshEnabled,
-		Name:                        req.Name,
-		LoginExpirationEnabled:      req.LoginExpirationEnabled,
+		ID:                     peerID,
+		SSHEnabled:             req.SshEnabled,
+		Name:                   req.Name,
+		LoginExpirationEnabled: req.LoginExpirationEnabled,
+
 		InactivityExpirationEnabled: req.InactivityExpirationEnabled,
 	}
 
@@ -204,41 +210,41 @@ func (h *Handler) UpdatePeer(w http.ResponseWriter, r *http.Request, userAuth *a
 	if req.Ip != nil {
 		addr, err := netip.ParseAddr(*req.Ip)
 		if err != nil {
-			util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid IP address %s: %v", *req.Ip, err), w)
+			util.WriteError(ctx, status.Errorf(status.InvalidArgument, "invalid IP address %s: %v", *req.Ip, err), w)
 			return
 		}
 
-		if err = h.accountManager.UpdatePeerIP(r.Context(), userAuth.AccountId, userAuth.UserId, peerID, addr); err != nil {
-			util.WriteError(r.Context(), err, w)
+		if err = h.accountManager.UpdatePeerIP(ctx, accountID, userID, peerID, addr); err != nil {
+			util.WriteError(ctx, err, w)
 			return
 		}
 	}
 
-	peer, err := h.accountManager.UpdatePeer(r.Context(), userAuth.AccountId, userAuth.UserId, update)
+	peer, err := h.accountManager.UpdatePeer(ctx, accountID, userID, update)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
-	settings, err := h.accountManager.GetAccountSettings(r.Context(), userAuth.AccountId, activity.SystemInitiator)
+	settings, err := h.accountManager.GetAccountSettings(ctx, accountID, activity.SystemInitiator)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 	dnsDomain := h.networkMapController.GetDNSDomain(settings)
 
-	peerGroups, err := h.accountManager.GetPeerGroups(r.Context(), userAuth.AccountId, peer.ID)
+	peerGroups, err := h.accountManager.GetPeerGroups(ctx, accountID, peer.ID)
 	if err != nil {
-		util.WriteError(r.Context(), err, w)
+		util.WriteError(ctx, err, w)
 		return
 	}
 
 	grpsInfoMap := groups.ToGroupsInfoMap(peerGroups, 0)
 
-	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(r.Context(), userAuth.AccountId)
+	validPeers, invalidPeers, err := h.accountManager.GetValidatedPeers(ctx, accountID)
 	if err != nil {
-		log.WithContext(r.Context()).Errorf("failed to get validated peers: %v", err)
-		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
+		log.WithContext(ctx).Errorf("failed to get validated peers: %v", err)
+		util.WriteError(ctx, fmt.Errorf("internal error"), w)
 		return
 	}
 
@@ -248,8 +254,25 @@ func (h *Handler) UpdatePeer(w http.ResponseWriter, r *http.Request, userAuth *a
 	util.WriteJSONObject(r.Context(), w, toSinglePeerResponse(peer, grpsInfoMap[peerID], dnsDomain, valid, reason))
 }
 
-// DeletePeer handles DELETE request to delete a peer
-func (h *Handler) DeletePeer(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *Handler) deletePeer(ctx context.Context, accountID, userID string, peerID string, w http.ResponseWriter) {
+	err := h.accountManager.DeletePeer(ctx, accountID, peerID, userID)
+	if err != nil {
+		log.WithContext(ctx).Errorf("failed to delete peer: %v", err)
+		util.WriteError(ctx, err, w)
+		return
+	}
+	util.WriteJSONObject(ctx, w, util.EmptyObject{})
+}
+
+// HandlePeer handles all peer requests for GET, PUT and DELETE operations
+func (h *Handler) HandlePeer(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	peerID := vars["peerId"]
 	if len(peerID) == 0 {
@@ -257,34 +280,48 @@ func (h *Handler) DeletePeer(w http.ResponseWriter, r *http.Request, userAuth *a
 		return
 	}
 
-	err := h.accountManager.DeletePeer(r.Context(), userAuth.AccountId, peerID, userAuth.UserId)
-	if err != nil {
-		log.WithContext(r.Context()).Errorf("failed to delete peer: %v", err)
-		util.WriteError(r.Context(), err, w)
+	switch r.Method {
+	case http.MethodDelete:
+		h.deletePeer(r.Context(), accountID, userID, peerID, w)
 		return
+	case http.MethodGet:
+		h.getPeer(r.Context(), accountID, peerID, userID, w)
+		return
+	case http.MethodPut:
+		h.updatePeer(r.Context(), accountID, userID, peerID, w, r)
+		return
+	default:
+		util.WriteError(r.Context(), status.Errorf(status.NotFound, "unknown METHOD"), w)
 	}
-	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }
 
 // GetAllPeers returns a list of all peers associated with a provided account
-func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	nameFilter := r.URL.Query().Get("name")
-	ipFilter := r.URL.Query().Get("ip")
-
-	peers, err := h.accountManager.GetPeers(r.Context(), userAuth.AccountId, userAuth.UserId, nameFilter, ipFilter, true)
+func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	settings, err := h.accountManager.GetAccountSettings(r.Context(), userAuth.AccountId, activity.SystemInitiator)
+	nameFilter := r.URL.Query().Get("name")
+	ipFilter := r.URL.Query().Get("ip")
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	peers, err := h.accountManager.GetPeers(r.Context(), accountID, userID, nameFilter, ipFilter)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	settings, err := h.accountManager.GetAccountSettings(r.Context(), accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 	dnsDomain := h.networkMapController.GetDNSDomain(settings)
 
-	grps, _ := h.accountManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	grps, _ := h.accountManager.GetAllGroups(r.Context(), accountID, userID)
 
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, len(peers))
 	respBody := make([]*api.PeerBatch, 0, len(peers))
@@ -295,7 +332,7 @@ func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request, userAuth *
 		respBody = append(respBody, toPeerListItemResponse(peer, grpsInfoMap[peer.ID], dnsDomain, 0))
 	}
 
-	validPeersMap, invalidPeersMap, err := h.accountManager.GetValidatedPeers(r.Context(), userAuth.AccountId)
+	validPeersMap, invalidPeersMap, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
 		log.WithContext(r.Context()).Errorf("failed to get validated peers: %v", err)
 		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
@@ -319,7 +356,15 @@ func (h *Handler) setApprovalRequiredFlag(respBody []*api.PeerBatch, validPeersM
 }
 
 // GetAccessiblePeers returns a list of all peers that the specified peer can connect to within the network.
-func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	peerID := vars["peerId"]
 	if len(peerID) == 0 {
@@ -327,22 +372,25 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request, use
 		return
 	}
 
-	user, err := h.accountManager.GetUserByID(r.Context(), userAuth.UserId)
+	user, err := h.accountManager.GetUserByID(r.Context(), userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	account, err := h.accountManager.GetAccountByID(r.Context(), userAuth.AccountId, activity.SystemInitiator)
+	allowed, err := h.permissionsManager.ValidateUserPermissions(r.Context(), accountID, userID, modules.Peers, operations.Read)
+	if err != nil {
+		util.WriteError(r.Context(), status.NewPermissionValidationError(err), w)
+		return
+	}
+
+	account, err := h.accountManager.GetAccountByID(r.Context(), accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	// Check if user is an admin/service user through their role
-	isAdmin := user.Role == types.UserRoleAdmin || user.Role == types.UserRoleOwner
-
-	if !isAdmin && !user.IsServiceUser && !userAuth.IsChild {
+	if !allowed && !userAuth.IsChild {
 		if account.Settings.RegularUsersViewBlocked {
 			util.WriteJSONObject(r.Context(), w, []api.AccessiblePeer{})
 			return
@@ -360,7 +408,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request, use
 		}
 	}
 
-	validPeers, _, err := h.accountManager.GetValidatedPeers(r.Context(), userAuth.AccountId)
+	validPeers, _, err := h.accountManager.GetValidatedPeers(r.Context(), accountID)
 	if err != nil {
 		log.WithContext(r.Context()).Errorf("failed to list approved peers: %v", err)
 		util.WriteError(r.Context(), fmt.Errorf("internal error"), w)
@@ -374,7 +422,13 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request, use
 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }
 
-func (h *Handler) CreateTemporaryAccess(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *Handler) CreateTemporaryAccess(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	peerID := vars["peerId"]
 	if len(peerID) == 0 {
@@ -383,7 +437,7 @@ func (h *Handler) CreateTemporaryAccess(w http.ResponseWriter, r *http.Request,
 	}
 
 	var req api.PeerTemporaryAccessRequest
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return

management/server/http/handlers/peers/peers_handler_test.go

@@ -19,11 +19,11 @@ import (
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -174,7 +174,7 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 					return nil, fmt.Errorf("user not found")
 				}
 			},
-			GetPeersFunc: func(_ context.Context, accountID, userID, nameFilter, ipFilter string, _ bool) ([]*nbpeer.Peer, error) {
+			GetPeersFunc: func(_ context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error) {
 				return peers, nil
 			},
 			GetPeerGroupsFunc: func(ctx context.Context, accountID, peerID string) ([]*types.Group, error) {
@@ -307,9 +307,9 @@ func TestGetPeers(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/peers/", permissions.WrapHandler(p.GetAllPeers)).Methods("GET")
-			router.HandleFunc("/api/peers/{peerId}", permissions.WrapHandler(p.GetPeer)).Methods("GET")
-			router.HandleFunc("/api/peers/{peerId}", permissions.WrapHandler(p.UpdatePeer)).Methods("PUT")
+			router.HandleFunc("/api/peers/", p.GetAllPeers).Methods("GET")
+			router.HandleFunc("/api/peers/{peerId}", p.HandlePeer).Methods("GET")
+			router.HandleFunc("/api/peers/{peerId}", p.HandlePeer).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -498,7 +498,7 @@ func TestGetAccessiblePeers(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/peers/{peerId}/accessible-peers", permissions.WrapHandler(p.GetAccessiblePeers)).Methods("GET")
+			router.HandleFunc("/api/peers/{peerId}/accessible-peers", p.GetAccessiblePeers).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -582,7 +582,7 @@ func TestPeersHandlerUpdatePeerIP(t *testing.T) {
 
 			rr := httptest.NewRecorder()
 			router := mux.NewRouter()
-			router.HandleFunc("/peers/{peerId}", permissions.WrapHandler(p.UpdatePeer)).Methods("PUT")
+			router.HandleFunc("/peers/{peerId}", p.HandlePeer).Methods("PUT")
 
 			router.ServeHTTP(rr, req)
 

management/server/http/handlers/policies/geolocation_handler_test.go

@@ -14,12 +14,12 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/mock_server"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -121,7 +121,7 @@ func TestGetCitiesByCountry(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/locations/countries/{country}/cities", permissions.WrapHandler(geolocationHandler.getCitiesByCountry)).Methods("GET")
+			router.HandleFunc("/api/locations/countries/{country}/cities", geolocationHandler.getCitiesByCountry).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -214,7 +214,7 @@ func TestGetAllCountries(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/locations/countries", permissions.WrapHandler(geolocationHandler.getAllCountries)).Methods("GET")
+			router.HandleFunc("/api/locations/countries", geolocationHandler.getAllCountries).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/policies/geolocations_handler.go

@@ -6,12 +6,12 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/geolocation"
-	"github.com/netbirdio/netbird/shared/auth"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -30,8 +30,8 @@ type geolocationsHandler struct {
 
 func AddLocationsEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, permissionsManager permissions.Manager, router *mux.Router) {
 	locationHandler := newGeolocationsHandlerHandler(accountManager, locationManager, permissionsManager)
-	router.HandleFunc("/locations/countries", permissionsManager.WithPermission(modules.Policies, operations.Read, locationHandler.getAllCountries)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/locations/countries/{country}/cities", permissionsManager.WithPermission(modules.Policies, operations.Read, locationHandler.getCitiesByCountry)).Methods("GET", "OPTIONS")
+	router.HandleFunc("/locations/countries", locationHandler.getAllCountries).Methods("GET", "OPTIONS")
+	router.HandleFunc("/locations/countries/{country}/cities", locationHandler.getCitiesByCountry).Methods("GET", "OPTIONS")
 }
 
 // newGeolocationsHandlerHandler creates a new Geolocations handler
@@ -44,7 +44,12 @@ func newGeolocationsHandlerHandler(accountManager account.Manager, geolocationMa
 }
 
 // getAllCountries retrieves a list of all countries
-func (l *geolocationsHandler) getAllCountries(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (l *geolocationsHandler) getAllCountries(w http.ResponseWriter, r *http.Request) {
+	if err := l.authenticateUser(r); err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	if l.geolocationManager == nil {
 		// TODO: update error message to include geo db self hosted doc link when ready
 		util.WriteError(r.Context(), status.Errorf(status.PreconditionFailed, "Geo location database is not initialized"), w)
@@ -65,7 +70,12 @@ func (l *geolocationsHandler) getAllCountries(w http.ResponseWriter, r *http.Req
 }
 
 // getCitiesByCountry retrieves a list of cities based on the given country code
-func (l *geolocationsHandler) getCitiesByCountry(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (l *geolocationsHandler) getCitiesByCountry(w http.ResponseWriter, r *http.Request) {
+	if err := l.authenticateUser(r); err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	countryCode := vars["country"]
 	if !countryCodeRegex.MatchString(countryCode) {
@@ -92,6 +102,27 @@ func (l *geolocationsHandler) getCitiesByCountry(w http.ResponseWriter, r *http.
 	util.WriteJSONObject(r.Context(), w, cities)
 }
 
+func (l *geolocationsHandler) authenticateUser(r *http.Request) error {
+	ctx := r.Context()
+
+	userAuth, err := nbcontext.GetUserAuthFromContext(ctx)
+	if err != nil {
+		return err
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	allowed, err := l.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Policies, operations.Read)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+	return nil
+}
+
 func toCountryResponse(country geolocation.Country) api.Country {
 	return api.Country{
 		CountryName: country.CountryName,

management/server/http/handlers/policies/policies_handler.go

@@ -7,13 +7,10 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -24,13 +21,13 @@ type handler struct {
 	accountManager account.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router, permissionsManager permissions.Manager) {
+func AddEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) {
 	policiesHandler := newHandler(accountManager)
-	router.HandleFunc("/policies", permissionsManager.WithPermission(modules.Policies, operations.Read, policiesHandler.getAllPolicies)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/policies", permissionsManager.WithPermission(modules.Policies, operations.Create, policiesHandler.createPolicy)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/policies/{policyId}", permissionsManager.WithPermission(modules.Policies, operations.Update, policiesHandler.updatePolicy)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/policies/{policyId}", permissionsManager.WithPermission(modules.Policies, operations.Read, policiesHandler.getPolicy)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/policies/{policyId}", permissionsManager.WithPermission(modules.Policies, operations.Delete, policiesHandler.deletePolicy)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/policies", policiesHandler.getAllPolicies).Methods("GET", "OPTIONS")
+	router.HandleFunc("/policies", policiesHandler.createPolicy).Methods("POST", "OPTIONS")
+	router.HandleFunc("/policies/{policyId}", policiesHandler.updatePolicy).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/policies/{policyId}", policiesHandler.getPolicy).Methods("GET", "OPTIONS")
+	router.HandleFunc("/policies/{policyId}", policiesHandler.deletePolicy).Methods("DELETE", "OPTIONS")
 }
 
 // newHandler creates a new policies handler
@@ -41,14 +38,22 @@ func newHandler(accountManager account.Manager) *handler {
 }
 
 // getAllPolicies list for the account
-func (h *handler) getAllPolicies(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	listPolicies, err := h.accountManager.ListPolicies(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllPolicies(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	allGroups, err := h.accountManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	listPolicies, err := h.accountManager.ListPolicies(r.Context(), accountID, userID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	allGroups, err := h.accountManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -68,7 +73,15 @@ func (h *handler) getAllPolicies(w http.ResponseWriter, r *http.Request, userAut
 }
 
 // updatePolicy handles update to a policy identified by a given ID
-func (h *handler) updatePolicy(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updatePolicy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	policyID := vars["policyId"]
 	if len(policyID) == 0 {
@@ -76,18 +89,26 @@ func (h *handler) updatePolicy(w http.ResponseWriter, r *http.Request, userAuth
 		return
 	}
 
-	_, err := h.accountManager.GetPolicy(r.Context(), userAuth.AccountId, policyID, userAuth.UserId)
+	_, err = h.accountManager.GetPolicy(r.Context(), accountID, policyID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	h.savePolicy(w, r, userAuth.AccountId, userAuth.UserId, policyID, false)
+	h.savePolicy(w, r, accountID, userID, policyID, false)
 }
 
 // createPolicy handles policy creation request
-func (h *handler) createPolicy(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	h.savePolicy(w, r, userAuth.AccountId, userAuth.UserId, "", true)
+func (h *handler) createPolicy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	h.savePolicy(w, r, accountID, userID, "", true)
 }
 
 // savePolicy handles policy creation and update
@@ -282,7 +303,14 @@ func (h *handler) savePolicy(w http.ResponseWriter, r *http.Request, accountID s
 }
 
 // deletePolicy handles policy deletion request
-func (h *handler) deletePolicy(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deletePolicy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	policyID := vars["policyId"]
 	if len(policyID) == 0 {
@@ -290,7 +318,7 @@ func (h *handler) deletePolicy(w http.ResponseWriter, r *http.Request, userAuth
 		return
 	}
 
-	if err := h.accountManager.DeletePolicy(r.Context(), userAuth.AccountId, policyID, userAuth.UserId); err != nil {
+	if err = h.accountManager.DeletePolicy(r.Context(), accountID, policyID, userID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
@@ -299,7 +327,15 @@ func (h *handler) deletePolicy(w http.ResponseWriter, r *http.Request, userAuth
 }
 
 // getPolicy handles a group Get request identified by ID
-func (h *handler) getPolicy(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getPolicy(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	policyID := vars["policyId"]
 	if len(policyID) == 0 {
@@ -307,13 +343,13 @@ func (h *handler) getPolicy(w http.ResponseWriter, r *http.Request, userAuth *au
 		return
 	}
 
-	policy, err := h.accountManager.GetPolicy(r.Context(), userAuth.AccountId, policyID, userAuth.UserId)
+	policy, err := h.accountManager.GetPolicy(r.Context(), accountID, policyID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	allGroups, err := h.accountManager.GetAllGroups(r.Context(), userAuth.AccountId, userAuth.UserId)
+	allGroups, err := h.accountManager.GetAllGroups(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/policies/policies_handler_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -112,7 +111,7 @@ func TestPoliciesGetPolicy(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/policies/{policyId}", permissions.WrapHandler(p.getPolicy)).Methods("GET")
+			router.HandleFunc("/api/policies/{policyId}", p.getPolicy).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -276,8 +275,8 @@ func TestPoliciesWritePolicy(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/policies", permissions.WrapHandler(p.createPolicy)).Methods("POST")
-			router.HandleFunc("/api/policies/{policyId}", permissions.WrapHandler(p.updatePolicy)).Methods("PUT")
+			router.HandleFunc("/api/policies", p.createPolicy).Methods("POST")
+			router.HandleFunc("/api/policies/{policyId}", p.updatePolicy).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/policies/posture_checks_handler.go

@@ -6,13 +6,10 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -24,13 +21,13 @@ type postureChecksHandler struct {
 	geolocationManager geolocation.Geolocation
 }
 
-func AddPostureCheckEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router, permissionsManager permissions.Manager) {
+func AddPostureCheckEndpoints(accountManager account.Manager, locationManager geolocation.Geolocation, router *mux.Router) {
 	postureCheckHandler := newPostureChecksHandler(accountManager, locationManager)
-	router.HandleFunc("/posture-checks", permissionsManager.WithPermission(modules.Policies, operations.Read, postureCheckHandler.getAllPostureChecks)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/posture-checks", permissionsManager.WithPermission(modules.Policies, operations.Create, postureCheckHandler.createPostureCheck)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/posture-checks/{postureCheckId}", permissionsManager.WithPermission(modules.Policies, operations.Update, postureCheckHandler.updatePostureCheck)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/posture-checks/{postureCheckId}", permissionsManager.WithPermission(modules.Policies, operations.Read, postureCheckHandler.getPostureCheck)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/posture-checks/{postureCheckId}", permissionsManager.WithPermission(modules.Policies, operations.Delete, postureCheckHandler.deletePostureCheck)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/posture-checks", postureCheckHandler.getAllPostureChecks).Methods("GET", "OPTIONS")
+	router.HandleFunc("/posture-checks", postureCheckHandler.createPostureCheck).Methods("POST", "OPTIONS")
+	router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.updatePostureCheck).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.getPostureCheck).Methods("GET", "OPTIONS")
+	router.HandleFunc("/posture-checks/{postureCheckId}", postureCheckHandler.deletePostureCheck).Methods("DELETE", "OPTIONS")
 }
 
 // newPostureChecksHandler creates a new PostureChecks handler
@@ -42,8 +39,15 @@ func newPostureChecksHandler(accountManager account.Manager, geolocationManager
 }
 
 // getAllPostureChecks list for the account
-func (p *postureChecksHandler) getAllPostureChecks(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	listPostureChecks, err := p.accountManager.ListPostureChecks(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (p *postureChecksHandler) getAllPostureChecks(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+	listPostureChecks, err := p.accountManager.ListPostureChecks(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -58,30 +62,15 @@ func (p *postureChecksHandler) getAllPostureChecks(w http.ResponseWriter, r *htt
 }
 
 // updatePostureCheck handles update to a posture check identified by a given ID
-func (p *postureChecksHandler) updatePostureCheck(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	vars := mux.Vars(r)
-	postureChecksID := vars["postureCheckId"]
-	if len(postureChecksID) == 0 {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid posture checks ID"), w)
-		return
-	}
-
-	_, err := p.accountManager.GetPostureChecks(r.Context(), userAuth.AccountId, postureChecksID, userAuth.UserId)
+func (p *postureChecksHandler) updatePostureCheck(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
 
-	p.savePostureChecks(w, r, userAuth.AccountId, userAuth.UserId, postureChecksID, false)
-}
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 
-// createPostureCheck handles posture check creation request
-func (p *postureChecksHandler) createPostureCheck(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	p.savePostureChecks(w, r, userAuth.AccountId, userAuth.UserId, "", true)
-}
-
-// getPostureCheck handles a posture check Get request identified by ID
-func (p *postureChecksHandler) getPostureCheck(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
 	vars := mux.Vars(r)
 	postureChecksID := vars["postureCheckId"]
 	if len(postureChecksID) == 0 {
@@ -89,7 +78,45 @@ func (p *postureChecksHandler) getPostureCheck(w http.ResponseWriter, r *http.Re
 		return
 	}
 
-	postureChecks, err := p.accountManager.GetPostureChecks(r.Context(), userAuth.AccountId, postureChecksID, userAuth.UserId)
+	_, err = p.accountManager.GetPostureChecks(r.Context(), accountID, postureChecksID, userID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	p.savePostureChecks(w, r, accountID, userID, postureChecksID, false)
+}
+
+// createPostureCheck handles posture check creation request
+func (p *postureChecksHandler) createPostureCheck(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	p.savePostureChecks(w, r, accountID, userID, "", true)
+}
+
+// getPostureCheck handles a posture check Get request identified by ID
+func (p *postureChecksHandler) getPostureCheck(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+	vars := mux.Vars(r)
+	postureChecksID := vars["postureCheckId"]
+	if len(postureChecksID) == 0 {
+		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid posture checks ID"), w)
+		return
+	}
+
+	postureChecks, err := p.accountManager.GetPostureChecks(r.Context(), accountID, postureChecksID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -99,7 +126,14 @@ func (p *postureChecksHandler) getPostureCheck(w http.ResponseWriter, r *http.Re
 }
 
 // deletePostureCheck handles posture check deletion request
-func (p *postureChecksHandler) deletePostureCheck(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (p *postureChecksHandler) deletePostureCheck(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	postureChecksID := vars["postureCheckId"]
 	if len(postureChecksID) == 0 {
@@ -107,7 +141,7 @@ func (p *postureChecksHandler) deletePostureCheck(w http.ResponseWriter, r *http
 		return
 	}
 
-	if err := p.accountManager.DeletePostureChecks(r.Context(), userAuth.AccountId, postureChecksID, userAuth.UserId); err != nil {
+	if err = p.accountManager.DeletePostureChecks(r.Context(), accountID, postureChecksID, userID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}

management/server/http/handlers/policies/posture_checks_handler_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/mock_server"
@@ -184,7 +183,7 @@ func TestGetPostureCheck(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/posture-checks/{postureCheckId}", permissions.WrapHandler(p.getPostureCheck)).Methods("GET")
+			router.HandleFunc("/api/posture-checks/{postureCheckId}", p.getPostureCheck).Methods("GET")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()
@@ -842,8 +841,8 @@ func TestPostureCheckUpdate(t *testing.T) {
 			}
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/posture-checks", permissions.WrapHandler(defaultHandler.createPostureCheck)).Methods("POST")
-			router.HandleFunc("/api/posture-checks/{postureCheckId}", permissions.WrapHandler(defaultHandler.updatePostureCheck)).Methods("PUT")
+			router.HandleFunc("/api/posture-checks", defaultHandler.createPostureCheck).Methods("POST")
+			router.HandleFunc("/api/posture-checks/{postureCheckId}", defaultHandler.updatePostureCheck).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/routes/routes_handler.go

@@ -8,12 +8,9 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/route"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -29,13 +26,13 @@ type handler struct {
 	accountManager account.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddEndpoints(accountManager account.Manager, router *mux.Router) {
 	routesHandler := newHandler(accountManager)
-	router.HandleFunc("/routes", permissionsManager.WithPermission(modules.Routes, operations.Read, routesHandler.getAllRoutes)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/routes", permissionsManager.WithPermission(modules.Routes, operations.Create, routesHandler.createRoute)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/routes/{routeId}", permissionsManager.WithPermission(modules.Routes, operations.Update, routesHandler.updateRoute)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/routes/{routeId}", permissionsManager.WithPermission(modules.Routes, operations.Read, routesHandler.getRoute)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/routes/{routeId}", permissionsManager.WithPermission(modules.Routes, operations.Delete, routesHandler.deleteRoute)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/routes", routesHandler.getAllRoutes).Methods("GET", "OPTIONS")
+	router.HandleFunc("/routes", routesHandler.createRoute).Methods("POST", "OPTIONS")
+	router.HandleFunc("/routes/{routeId}", routesHandler.updateRoute).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/routes/{routeId}", routesHandler.getRoute).Methods("GET", "OPTIONS")
+	router.HandleFunc("/routes/{routeId}", routesHandler.deleteRoute).Methods("DELETE", "OPTIONS")
 }
 
 // newHandler returns a new instance of routes handler
@@ -46,8 +43,16 @@ func newHandler(accountManager account.Manager) *handler {
 }
 
 // getAllRoutes returns the list of routes for the account
-func (h *handler) getAllRoutes(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	routes, err := h.accountManager.ListRoutes(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllRoutes(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
+	routes, err := h.accountManager.ListRoutes(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -66,9 +71,17 @@ func (h *handler) getAllRoutes(w http.ResponseWriter, r *http.Request, userAuth
 }
 
 // createRoute handles route creation request
-func (h *handler) createRoute(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createRoute(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	var req api.PostApiRoutesJSONRequestBody
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -121,8 +134,8 @@ func (h *handler) createRoute(w http.ResponseWriter, r *http.Request, userAuth *
 		skipAutoApply = false
 	}
 
-	newRoute, err := h.accountManager.CreateRoute(r.Context(), userAuth.AccountId, newPrefix, networkType, domains, peerId, peerGroupIds,
-		req.Description, route.NetID(req.NetworkId), req.Masquerade, req.Metric, req.Groups, accessControlGroupIds, req.Enabled, userAuth.UserId, req.KeepRoute, skipAutoApply)
+	newRoute, err := h.accountManager.CreateRoute(r.Context(), accountID, newPrefix, networkType, domains, peerId, peerGroupIds,
+		req.Description, route.NetID(req.NetworkId), req.Masquerade, req.Metric, req.Groups, accessControlGroupIds, req.Enabled, userID, req.KeepRoute, skipAutoApply)
 
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -172,7 +185,14 @@ func (h *handler) validateRouteCommon(network *string, domains *[]string, peer *
 }
 
 // updateRoute handles update to a route identified by a given ID
-func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	routeID := vars["routeId"]
 	if len(routeID) == 0 {
@@ -180,7 +200,7 @@ func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request, userAuth *
 		return
 	}
 
-	_, err := h.accountManager.GetRoute(r.Context(), userAuth.AccountId, route.ID(routeID), userAuth.UserId)
+	_, err = h.accountManager.GetRoute(r.Context(), accountID, route.ID(routeID), userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -251,7 +271,7 @@ func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request, userAuth *
 		newRoute.AccessControlGroups = *req.AccessControlGroups
 	}
 
-	err = h.accountManager.SaveRoute(r.Context(), userAuth.AccountId, userAuth.UserId, newRoute)
+	err = h.accountManager.SaveRoute(r.Context(), accountID, userID, newRoute)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -267,14 +287,21 @@ func (h *handler) updateRoute(w http.ResponseWriter, r *http.Request, userAuth *
 }
 
 // deleteRoute handles route deletion request
-func (h *handler) deleteRoute(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteRoute(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	routeID := mux.Vars(r)["routeId"]
 	if len(routeID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid route ID"), w)
 		return
 	}
 
-	err := h.accountManager.DeleteRoute(r.Context(), userAuth.AccountId, route.ID(routeID), userAuth.UserId)
+	err = h.accountManager.DeleteRoute(r.Context(), accountID, route.ID(routeID), userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -284,14 +311,22 @@ func (h *handler) deleteRoute(w http.ResponseWriter, r *http.Request, userAuth *
 }
 
 // getRoute handles a route Get request identified by ID
-func (h *handler) getRoute(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getRoute(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	routeID := mux.Vars(r)["routeId"]
 	if len(routeID) == 0 {
 		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid route ID"), w)
 		return
 	}
 
-	foundRoute, err := h.accountManager.GetRoute(r.Context(), userAuth.AccountId, route.ID(routeID), userAuth.UserId)
+	foundRoute, err := h.accountManager.GetRoute(r.Context(), accountID, route.ID(routeID), userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/routes/routes_handler_test.go

@@ -15,7 +15,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/util"
@@ -502,10 +501,10 @@ func TestRoutesHandlers(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/routes/{routeId}", permissions.WrapHandler(p.getRoute)).Methods("GET")
-			router.HandleFunc("/api/routes/{routeId}", permissions.WrapHandler(p.deleteRoute)).Methods("DELETE")
-			router.HandleFunc("/api/routes", permissions.WrapHandler(p.createRoute)).Methods("POST")
-			router.HandleFunc("/api/routes/{routeId}", permissions.WrapHandler(p.updateRoute)).Methods("PUT")
+			router.HandleFunc("/api/routes/{routeId}", p.getRoute).Methods("GET")
+			router.HandleFunc("/api/routes/{routeId}", p.deleteRoute).Methods("DELETE")
+			router.HandleFunc("/api/routes", p.createRoute).Methods("POST")
+			router.HandleFunc("/api/routes/{routeId}", p.updateRoute).Methods("PUT")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/setup_keys/setupkeys_handler.go

@@ -8,12 +8,9 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -24,13 +21,13 @@ type handler struct {
 	accountManager account.Manager
 }
 
-func AddEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddEndpoints(accountManager account.Manager, router *mux.Router) {
 	keysHandler := newHandler(accountManager)
-	router.HandleFunc("/setup-keys", permissionsManager.WithPermission(modules.SetupKeys, operations.Read, keysHandler.getAllSetupKeys)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/setup-keys", permissionsManager.WithPermission(modules.SetupKeys, operations.Create, keysHandler.createSetupKey)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/setup-keys/{keyId}", permissionsManager.WithPermission(modules.SetupKeys, operations.Read, keysHandler.getSetupKey)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/setup-keys/{keyId}", permissionsManager.WithPermission(modules.SetupKeys, operations.Update, keysHandler.updateSetupKey)).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/setup-keys/{keyId}", permissionsManager.WithPermission(modules.SetupKeys, operations.Delete, keysHandler.deleteSetupKey)).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/setup-keys", keysHandler.getAllSetupKeys).Methods("GET", "OPTIONS")
+	router.HandleFunc("/setup-keys", keysHandler.createSetupKey).Methods("POST", "OPTIONS")
+	router.HandleFunc("/setup-keys/{keyId}", keysHandler.getSetupKey).Methods("GET", "OPTIONS")
+	router.HandleFunc("/setup-keys/{keyId}", keysHandler.updateSetupKey).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/setup-keys/{keyId}", keysHandler.deleteSetupKey).Methods("DELETE", "OPTIONS")
 }
 
 // newHandler creates a new setup key handler
@@ -41,9 +38,16 @@ func newHandler(accountManager account.Manager) *handler {
 }
 
 // createSetupKey is a POST requests that creates a new SetupKey
-func (h *handler) createSetupKey(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) createSetupKey(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	req := &api.PostApiSetupKeysJSONRequestBody{}
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -81,8 +85,8 @@ func (h *handler) createSetupKey(w http.ResponseWriter, r *http.Request, userAut
 		allowExtraDNSLabels = *req.AllowExtraDnsLabels
 	}
 
-	setupKey, err := h.accountManager.CreateSetupKey(r.Context(), userAuth.AccountId, req.Name, types.SetupKeyType(req.Type), expiresIn,
-		req.AutoGroups, req.UsageLimit, userAuth.UserId, ephemeral, allowExtraDNSLabels)
+	setupKey, err := h.accountManager.CreateSetupKey(r.Context(), accountID, req.Name, types.SetupKeyType(req.Type), expiresIn,
+		req.AutoGroups, req.UsageLimit, userID, ephemeral, allowExtraDNSLabels)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -96,7 +100,14 @@ func (h *handler) createSetupKey(w http.ResponseWriter, r *http.Request, userAut
 }
 
 // getSetupKey is a GET request to get a SetupKey by ID
-func (h *handler) getSetupKey(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) getSetupKey(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+
 	vars := mux.Vars(r)
 	keyID := vars["keyId"]
 	if len(keyID) == 0 {
@@ -104,7 +115,7 @@ func (h *handler) getSetupKey(w http.ResponseWriter, r *http.Request, userAuth *
 		return
 	}
 
-	key, err := h.accountManager.GetSetupKey(r.Context(), userAuth.AccountId, userAuth.UserId, keyID)
+	key, err := h.accountManager.GetSetupKey(r.Context(), accountID, userID, keyID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -114,7 +125,14 @@ func (h *handler) getSetupKey(w http.ResponseWriter, r *http.Request, userAuth *
 }
 
 // updateSetupKey is a PUT request to update server.SetupKey
-func (h *handler) updateSetupKey(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) updateSetupKey(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	keyID := vars["keyId"]
 	if len(keyID) == 0 {
@@ -123,7 +141,7 @@ func (h *handler) updateSetupKey(w http.ResponseWriter, r *http.Request, userAut
 	}
 
 	req := &api.PutApiSetupKeysKeyIdJSONRequestBody{}
-	err := json.NewDecoder(r.Body).Decode(&req)
+	err = json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
 		return
@@ -139,7 +157,7 @@ func (h *handler) updateSetupKey(w http.ResponseWriter, r *http.Request, userAut
 	newKey.Revoked = req.Revoked
 	newKey.Id = keyID
 
-	newKey, err = h.accountManager.SaveSetupKey(r.Context(), userAuth.AccountId, newKey, userAuth.UserId)
+	newKey, err = h.accountManager.SaveSetupKey(r.Context(), accountID, newKey, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -148,8 +166,15 @@ func (h *handler) updateSetupKey(w http.ResponseWriter, r *http.Request, userAut
 }
 
 // getAllSetupKeys is a GET request that returns a list of SetupKey
-func (h *handler) getAllSetupKeys(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
-	setupKeys, err := h.accountManager.ListSetupKeys(r.Context(), userAuth.AccountId, userAuth.UserId)
+func (h *handler) getAllSetupKeys(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
+	setupKeys, err := h.accountManager.ListSetupKeys(r.Context(), accountID, userID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -163,7 +188,14 @@ func (h *handler) getAllSetupKeys(w http.ResponseWriter, r *http.Request, userAu
 	util.WriteJSONObject(r.Context(), w, apiSetupKeys)
 }
 
-func (h *handler) deleteSetupKey(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *handler) deleteSetupKey(w http.ResponseWriter, r *http.Request) {
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	accountID, userID := userAuth.AccountId, userAuth.UserId
 	vars := mux.Vars(r)
 	keyID := vars["keyId"]
 	if len(keyID) == 0 {
@@ -171,7 +203,7 @@ func (h *handler) deleteSetupKey(w http.ResponseWriter, r *http.Request, userAut
 		return
 	}
 
-	err := h.accountManager.DeleteSetupKey(r.Context(), userAuth.AccountId, userAuth.UserId, keyID)
+	err = h.accountManager.DeleteSetupKey(r.Context(), accountID, userID, keyID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return

management/server/http/handlers/setup_keys/setupkeys_handler_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/stretchr/testify/assert"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -172,11 +171,11 @@ func TestSetupKeysHandlers(t *testing.T) {
 			})
 
 			router := mux.NewRouter()
-			router.HandleFunc("/api/setup-keys", permissions.WrapHandler(handler.getAllSetupKeys)).Methods("GET", "OPTIONS")
-			router.HandleFunc("/api/setup-keys", permissions.WrapHandler(handler.createSetupKey)).Methods("POST", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{keyId}", permissions.WrapHandler(handler.getSetupKey)).Methods("GET", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{keyId}", permissions.WrapHandler(handler.updateSetupKey)).Methods("PUT", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{keyId}", permissions.WrapHandler(handler.deleteSetupKey)).Methods("DELETE", "OPTIONS")
+			router.HandleFunc("/api/setup-keys", handler.getAllSetupKeys).Methods("GET", "OPTIONS")
+			router.HandleFunc("/api/setup-keys", handler.createSetupKey).Methods("POST", "OPTIONS")
+			router.HandleFunc("/api/setup-keys/{keyId}", handler.getSetupKey).Methods("GET", "OPTIONS")
+			router.HandleFunc("/api/setup-keys/{keyId}", handler.updateSetupKey).Methods("PUT", "OPTIONS")
+			router.HandleFunc("/api/setup-keys/{keyId}", handler.deleteSetupKey).Methods("DELETE", "OPTIONS")
 			router.ServeHTTP(recorder, req)
 
 			res := recorder.Result()

management/server/http/handlers/users/invites_handler.go

@@ -9,13 +9,10 @@ import (
 
 	"github.com/gorilla/mux"
 
-	"github.com/netbirdio/netbird/management/internals/modules/permissions"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/modules"
-	"github.com/netbirdio/netbird/management/internals/modules/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/account"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -58,14 +55,14 @@ type invitesHandler struct {
 }
 
 // AddInvitesEndpoints registers invite-related endpoints
-func AddInvitesEndpoints(accountManager account.Manager, router *mux.Router, permissionsManager permissions.Manager) {
+func AddInvitesEndpoints(accountManager account.Manager, router *mux.Router) {
 	h := &invitesHandler{accountManager: accountManager}
 
 	// Authenticated endpoints (require admin)
-	router.HandleFunc("/users/invites", permissionsManager.WithPermission(modules.Users, operations.Read, h.listInvites)).Methods("GET", "OPTIONS")
-	router.HandleFunc("/users/invites", permissionsManager.WithPermission(modules.Users, operations.Create, h.createInvite)).Methods("POST", "OPTIONS")
-	router.HandleFunc("/users/invites/{inviteId}", permissionsManager.WithPermission(modules.Users, operations.Delete, h.deleteInvite)).Methods("DELETE", "OPTIONS")
-	router.HandleFunc("/users/invites/{inviteId}/regenerate", permissionsManager.WithPermission(modules.Users, operations.Update, h.regenerateInvite)).Methods("POST", "OPTIONS")
+	router.HandleFunc("/users/invites", h.listInvites).Methods("GET", "OPTIONS")
+	router.HandleFunc("/users/invites", h.createInvite).Methods("POST", "OPTIONS")
+	router.HandleFunc("/users/invites/{inviteId}", h.deleteInvite).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/users/invites/{inviteId}/regenerate", h.regenerateInvite).Methods("POST", "OPTIONS")
 }
 
 // AddPublicInvitesEndpoints registers public (unauthenticated) invite endpoints with rate limiting
@@ -82,7 +79,14 @@ func AddPublicInvitesEndpoints(accountManager account.Manager, router *mux.Route
 }
 
 // listInvites handles GET /api/users/invites
-func (h *invitesHandler) listInvites(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *invitesHandler) listInvites(w http.ResponseWriter, r *http.Request) {
+
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	invites, err := h.accountManager.ListUserInvites(r.Context(), userAuth.AccountId, userAuth.UserId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -98,7 +102,14 @@ func (h *invitesHandler) listInvites(w http.ResponseWriter, r *http.Request, use
 }
 
 // createInvite handles POST /api/users/invites
-func (h *invitesHandler) createInvite(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *invitesHandler) createInvite(w http.ResponseWriter, r *http.Request) {
+
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	var req api.UserInviteCreateRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
@@ -180,12 +191,18 @@ func (h *invitesHandler) acceptInvite(w http.ResponseWriter, r *http.Request) {
 }
 
 // regenerateInvite handles POST /api/users/invites/{inviteId}/regenerate
-func (h *invitesHandler) regenerateInvite(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *invitesHandler) regenerateInvite(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		util.WriteErrorResponse("wrong HTTP method", http.StatusMethodNotAllowed, w)
 		return
 	}
 
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	inviteID := vars["inviteId"]
 	if inviteID == "" {
@@ -221,7 +238,14 @@ func (h *invitesHandler) regenerateInvite(w http.ResponseWriter, r *http.Request
 }
 
 // deleteInvite handles DELETE /api/users/invites/{inviteId}
-func (h *invitesHandler) deleteInvite(w http.ResponseWriter, r *http.Request, userAuth *auth.UserAuth) {
+func (h *invitesHandler) deleteInvite(w http.ResponseWriter, r *http.Request) {
+
+	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	vars := mux.Vars(r)
 	inviteID := vars["inviteId"]
 	if inviteID == "" {
@@ -229,7 +253,7 @@ func (h *invitesHandler) deleteInvite(w http.ResponseWriter, r *http.Request, us
 		return
 	}
 
-	err := h.accountManager.DeleteUserInvite(r.Context(), userAuth.AccountId, userAuth.UserId, inviteID)
+	err = h.accountManager.DeleteUserInvite(r.Context(), userAuth.AccountId, userAuth.UserId, inviteID)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return