rename reverse proxy to services

- Add wasCredentialSubmitted helper to detect when credentials were
  submitted but authentication failed
- Set auth method in CapturedData when wrong PIN/password is entered
- Set auth method for OAuth callback errors and token validation errors
- Add tests for failed auth method capture

.dockerignore

@@ -1,6 +0,0 @@
-.env
-.env.*
-*.pem
-*.key
-*.crt
-*.p12

.github/workflows/check-license-dependencies.yml

@@ -23,7 +23,7 @@ jobs:
 
       - name: Check for problematic license dependencies
         run: |
-          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
+          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
           echo ""
 
           # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
           while IFS= read -r dir; do
             echo "=== Checking $dir ==="
             # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
             if [ -n "$RESULTS" ]; then
               echo "❌ Found problematic dependencies:"
               echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
             else
               echo "✓ No problematic dependencies found"
             fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
 
           echo ""
           if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
+            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
             echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
             exit 1
           else
@@ -88,7 +88,7 @@ jobs:
               IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
 
               # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
 
               if [ -n "$BSD_IMPORTER" ]; then
                 echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"

.github/workflows/golang-test-darwin.yml

@@ -43,5 +43,5 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
 

.github/workflows/golang-test-freebsd.yml

@@ -46,5 +46,6 @@ jobs:
             time go test -timeout 1m -failfast ./client/iface/...
             time go test -timeout 1m -failfast ./route/...
             time go test -timeout 1m -failfast ./sharedsock/...
+            time go test -timeout 1m -failfast ./signal/...
             time go test -timeout 1m -failfast ./util/...
             time go test -timeout 1m -failfast ./version/...

.github/workflows/golang-test-linux.yml

@@ -97,16 +97,6 @@ jobs:
         working-directory: relay
         run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
 
-      - name: Build combined
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 go build .
-
-      - name: Build combined 386
-        if: steps.cache.outputs.cache-hit != 'true'
-        working-directory: combined
-        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
-
   test:
     name: "Client / Unit"
     needs: [build-cache]
@@ -154,7 +144,7 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
 
   test_client_on_docker:
     name: "Client (Docker) / Unit"
@@ -214,7 +204,7 @@ jobs:
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
             '
 
   test_relay:
@@ -271,53 +261,6 @@ jobs:
             -exec 'sudo' \
             -timeout 10m -p 1 ./relay/... ./shared/relay/...
 
-  test_proxy:
-    name: "Proxy / Unit"
-    needs: [build-cache]
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: [ '386','amd64' ]
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: "go.mod"
-          cache: false
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
-
-      - name: Get Go environment
-        run: |
-          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
-
-      - name: Cache Go modules
-        uses: actions/cache/restore@v4
-        with:
-          path: |
-            ${{ env.cache }}
-            ${{ env.modcache }}
-          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-gotest-cache-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Test
-        run: |
-          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 ./proxy/...
-
   test_signal:
     name: "Signal / Unit"
     needs: [build-cache]

.github/workflows/golang-test-windows.yml

@@ -63,7 +63,7 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
 
       - name: test
         run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"

.github/workflows/golangci-lint.yml

@@ -19,8 +19,8 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver
-          skip: go.mod,go.sum,**/proxy/web/**
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
+          skip: go.mod,go.sum
   golangci:
     strategy:
       fail-fast: false

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.1"
+  SIGN_PIPE_VER: "v0.1.0"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -160,7 +160,7 @@ jobs:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -176,7 +176,6 @@ jobs:
       - name: Generate windows syso arm64
         run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
       - name: Run GoReleaser
-        id: goreleaser
         uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
@@ -186,19 +185,6 @@ jobs:
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      - name: Tag and push PR images (amd64 only)
-        if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
-        run: |
-          PR_TAG="pr-${{ github.event.pull_request.number }}"
-          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
-            grep '^ghcr.io/' | while read -r SRC; do
-              IMG_NAME="${SRC%%:*}"
-              DST="${IMG_NAME}:${PR_TAG}"
-              echo "Tagging ${SRC} -> ${DST}"
-              docker tag "$SRC" "$DST"
-              docker push "$DST"
-            done
       - name: upload non tags for debug purposes
         uses: actions/upload-artifact@v4
         with:

.goreleaser.yaml

@@ -106,26 +106,6 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-server
-    dir: combined
-    env:
-      - CGO_ENABLED=1
-      - >-
-        {{- if eq .Runtime.Goos "linux" }}
-          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-        {{- end }}
-    binary: netbird-server
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
   - id: netbird-upload
     dir: upload-server
     env: [CGO_ENABLED=0]
@@ -140,20 +120,6 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-proxy
-    dir: proxy/cmd/proxy
-    env: [CGO_ENABLED=0]
-    binary: netbird-proxy
-    goos:
-      - linux
-    goarch:
-      - amd64
-      - arm64
-      - arm
-    ldflags:
-      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 universal_binaries:
   - id: netbird
 
@@ -554,104 +520,6 @@ dockers:
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
       - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-    ids:
-      - netbird-server
-    goarch: amd64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-    ids:
-      - netbird-server
-    goarch: arm64
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-    ids:
-      - netbird-server
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: combined/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-    ids:
-      - netbird-proxy
-    goarch: amd64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-    ids:
-      - netbird-proxy
-    goarch: arm64
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
-  - image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-    ids:
-      - netbird-proxy
-    goarch: arm
-    goarm: 6
-    use: buildx
-    dockerfile: proxy/Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
   - name_template: netbirdio/netbird:{{ .Version }}
     image_templates:
@@ -730,18 +598,6 @@ docker_manifests:
       - netbirdio/upload:{{ .Version }}-arm
       - netbirdio/upload:{{ .Version }}-amd64
 
-  - name_template: netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/netbird-server:latest
-    image_templates:
-      - netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - netbirdio/netbird-server:{{ .Version }}-arm
-      - netbirdio/netbird-server:{{ .Version }}-amd64
-
   - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
     image_templates:
       - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -819,43 +675,6 @@ docker_manifests:
       - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
       - ghcr.io/netbirdio/upload:{{ .Version }}-arm
       - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/netbird-server:latest
-    image_templates:
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
-      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: netbirdio/reverse-proxy:latest
-    image_templates:
-      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - netbirdio/reverse-proxy:{{ .Version }}-arm
-      - netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
-  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
-    image_templates:
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
-      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
-
 brews:
   - ids:
       - default

LICENSE

@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 
 BSD 3-Clause License

client/android/env_list.go

@@ -1,19 +1,10 @@
 package android
 
-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"
 
 var (
-	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
+	// EnvKeyNBForceRelay Exported for Android java client
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-
-	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
-
-	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
-	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )
 
 // EnvList wraps a Go map for export to Java

client/cmd/login.go

@@ -282,9 +282,13 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	}
 	defer authClient.Close()
 
-	needsLogin, err := authClient.IsLoginRequired(ctx)
-	if err != nil {
-		return fmt.Errorf("check login required: %v", err)
+	needsLogin := false
+
+	err, isAuthError := authClient.Login(ctx, "", "")
+	if isAuthError {
+		needsLogin = true
+	} else if err != nil {
+		return fmt.Errorf("login check failed: %v", err)
 	}
 
 	jwtToken := ""

client/embed/embed.go

@@ -31,14 +31,6 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )
 
-// PeerConnStatus is a peer's connection status.
-type PeerConnStatus = peer.ConnStatus
-
-const (
-	// PeerStatusConnected indicates the peer is in connected state.
-	PeerStatusConnected = peer.StatusConnected
-)
-
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string

client/firewall/nftables/router_linux.go

@@ -483,12 +483,7 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}
 
 	if nftRule.Handle == 0 {
-		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(nftRule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
+		return fmt.Errorf("route rule %s has no handle", ruleKey)
 	}
 
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -665,32 +660,13 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}
 
 	if err := r.conn.Flush(); err != nil {
-		r.rollbackRules(pair)
-		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
+		// TODO: rollback ipset counter
+		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
 	}
 
 	return nil
 }
 
-// rollbackRules cleans up unflushed rules and their set counters after a flush failure.
-func (r *router) rollbackRules(pair firewall.RouterPair) {
-	keys := []string{
-		firewall.GenKey(firewall.ForwardingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, pair),
-		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
-	}
-	for _, key := range keys {
-		rule, ok := r.rules[key]
-		if !ok {
-			continue
-		}
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("rollback set counter for %s: %v", key, err)
-		}
-		delete(r.rules, key)
-	}
-}
-
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -952,30 +928,18 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
 
-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
+
+		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
+
 		delete(r.rules, ruleKey)
-		return nil
-	}
 
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
 	}
 
 	return nil
@@ -1365,89 +1329,65 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 
-	var merr *multierror.Error
-
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
+			return fmt.Errorf("remove prerouting rule: %w", err)
 		}
 
 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
+			return fmt.Errorf("remove inverse prerouting rule: %w", err)
 		}
 	}
 
 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
+		return fmt.Errorf("remove legacy routing rule: %w", err)
 	}
 
-	// Set counters are decremented in the sub-methods above before flush. If flush fails,
-	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *router) removeNatRule(pair firewall.RouterPair) error {
-	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-
-	rule, exists := r.rules[ruleKey]
-	if !exists {
-		log.Debugf("prerouting rule %s not found", ruleKey)
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
-		if err := r.decrementSetCounter(rule); err != nil {
-			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
-		}
-		delete(r.rules, ruleKey)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
-	}
-
-	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
-
-	delete(r.rules, ruleKey)
-
-	if err := r.decrementSetCounter(rule); err != nil {
-		return fmt.Errorf("decrement set counter: %w", err)
+		// TODO: rollback set counter
+		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
 	}
 
 	return nil
 }
 
-// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
-// (e.g. from failed flushes) and updates handles for all existing rules.
+func (r *router) removeNatRule(pair firewall.RouterPair) error {
+	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
+
+	if rule, exists := r.rules[ruleKey]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
+		}
+
+		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
+
+		delete(r.rules, ruleKey)
+
+		if err := r.decrementSetCounter(rule); err != nil {
+			return fmt.Errorf("decrement set counter: %w", err)
+		}
+	} else {
+		log.Debugf("prerouting rule %s not found", ruleKey)
+	}
+
+	return nil
+}
+
+// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// duplicates and to get missing attributes that we don't have when adding new rules
 func (r *router) refreshRulesMap() error {
-	var merr *multierror.Error
-	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
-			// preserve existing entries for this chain since we can't verify their state
-			for k, v := range r.rules {
-				if v.Chain != nil && v.Chain.Name == chain.Name {
-					newRules[k] = v
-				}
-			}
-			continue
+			return fmt.Errorf("list rules: %w", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				newRules[string(rule.UserData)] = rule
+				r.rules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	r.rules = newRules
-	return nberrors.FormatErrorOrNil(merr)
+	return nil
 }
 
 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1689,34 +1629,20 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}
 
 	var merr *multierror.Error
-	var needsFlush bool
-
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if dnatRule.Handle == 0 {
-			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
-			delete(r.rules, ruleKey+dnatSuffix)
-		} else if err := r.conn.DelRule(dnatRule); err != nil {
+		if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}
 
 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if masqRule.Handle == 0 {
-			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
-			delete(r.rules, ruleKey+snatSuffix)
-		} else if err := r.conn.DelRule(masqRule); err != nil {
+		if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
-		} else {
-			needsFlush = true
 		}
 	}
 
-	if needsFlush {
-		if err := r.conn.Flush(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
-		}
+	if err := r.conn.Flush(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 	}
 
 	if merr == nil {
@@ -1831,25 +1757,16 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 
-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
+	if rule, exists := r.rules[ruleID]; exists {
+		if err := r.conn.DelRule(rule); err != nil {
+			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
+		}
 		delete(r.rules, ruleID)
-		return nil
 	}
 
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
 	return nil
 }
 

client/firewall/nftables/router_linux_test.go

@@ -18,7 +18,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/internal/acl/id"
 )
 
 const (
@@ -720,137 +719,3 @@ func deleteWorkTable() {
 		}
 	}
 }
-
-func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Add a real rule to the kernel
-	ruleKey, err := r.AddRouteFiltering(
-		nil,
-		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
-		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
-		firewall.ProtocolTCP,
-		nil,
-		&firewall.Port{Values: []uint16{80}},
-		firewall.ActionAccept,
-	)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, r.DeleteRouteRule(ruleKey))
-	})
-
-	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
-	staleKey := "stale-rule-that-does-not-exist"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
-
-	err = r.refreshRulesMap()
-	require.NoError(t, err)
-
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
-
-	realRule, ok := r.rules[ruleKey.ID()]
-	assert.True(t, ok, "real rule should still exist after refresh")
-	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
-}
-
-func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	workTable, err := createWorkTable()
-	require.NoError(t, err)
-	defer deleteWorkTable()
-
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, r.init(workTable))
-	defer func() { require.NoError(t, r.Reset()) }()
-
-	// Inject a stale entry with Handle=0
-	staleKey := "stale-route-rule"
-	r.rules[staleKey] = &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingFw],
-		Handle:   0,
-		UserData: []byte(staleKey),
-	}
-
-	// DeleteRouteRule should not return an error for stale handles
-	err = r.DeleteRouteRule(id.RuleID(staleKey))
-	assert.NoError(t, err, "deleting a stale rule should not error")
-	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
-}
-
-func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
-	if check() != NFTABLES {
-		t.Skip("nftables not supported on this system")
-	}
-
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
-	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
-	t.Cleanup(func() {
-		require.NoError(t, manager.Close(nil))
-	})
-
-	pair := firewall.RouterPair{
-		ID:          "staletest",
-		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
-		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
-		Masquerade:  true,
-	}
-
-	rtr := manager.router
-
-	// First add succeeds
-	err = rtr.AddNatRule(pair)
-	require.NoError(t, err)
-	t.Cleanup(func() {
-		require.NoError(t, rtr.RemoveNatRule(pair))
-	})
-
-	// Corrupt the handle to simulate stale state
-	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-	if rule, exists := rtr.rules[natRuleKey]; exists {
-		rule.Handle = 0
-	}
-	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
-	if rule, exists := rtr.rules[inverseKey]; exists {
-		rule.Handle = 0
-	}
-
-	// Adding the same rule again should succeed despite stale handles
-	err = rtr.AddNatRule(pair)
-	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
-
-	// Verify rules exist in kernel
-	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
-	require.NoError(t, err)
-
-	found := 0
-	for _, rule := range rules {
-		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
-			found++
-		}
-	}
-	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
-}

client/firewall/uspfilter/conntrack/tcp.go

@@ -115,17 +115,6 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }
 
-// IsSupersededBy returns true if this connection should be replaced by a new one
-// carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
-// connections are superseded by a pure SYN (a new connection attempt for the same
-// four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
-func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
-	if t.tombstone.Load() {
-		return true
-	}
-	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
-}
-
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -180,7 +169,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
 
-	if exists && !conn.IsSupersededBy(flags) {
+	if exists {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -252,7 +241,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
 
-	if !exists || conn.IsSupersededBy(flags) {
+	if !exists || conn.IsTombstone() {
 		return false
 	}
 

client/firewall/uspfilter/conntrack/tcp_test.go

@@ -485,261 +485,6 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }
 
-// TestTCPPortReuseTombstone verifies that a new connection on a port with a
-// tombstoned (closed) conntrack entry is properly tracked. Without the fix,
-// updateIfExists treats tombstoned entries as live, causing track() to skip
-// creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
-// because the entry is tombstoned, and the response packet gets dropped by ACL.
-func TestTCPPortReuseTombstone(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and gracefully close a connection (server-initiated close)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Server sends FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-
-		// Client sends FIN-ACK
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-
-		// Server sends final ACK
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-
-		// Connection should be tombstoned
-		conn := tracker.connections[key]
-		require.NotNil(t, conn, "old connection should still be in map")
-		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
-
-		// Now reuse the same port for a new connection
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// The old tombstoned entry should be replaced with a new one
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		// SYN-ACK for the new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-
-		// Data transfer should work
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
-		require.True(t, valid, "data should be allowed on new connection")
-	})
-
-	t.Run("Outbound port reuse after RST", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and RST a connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
-		require.True(t, valid)
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
-
-		// Reuse the same port
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynSent, newConn.GetState())
-
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
-	})
-
-	t.Run("Inbound port reuse after close", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		clientIP := srcIP
-		serverIP := dstIP
-		clientPort := srcPort
-		serverPort := dstPort
-		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
-
-		// Inbound connection: client SYN → server SYN-ACK → client ACK
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateEstablished, conn.GetState())
-
-		// Server-initiated close to reach Closed/tombstoned:
-		// Server FIN (opposite dir) → CloseWait
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
-		require.Equal(t, TCPStateCloseWait, conn.GetState())
-		// Client FIN-ACK (same dir as conn) → LastAck
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateLastAck, conn.GetState())
-		// Server final ACK (opposite dir) → Closed → tombstoned
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
-
-		require.True(t, conn.IsTombstone())
-
-		// New inbound connection on same ports
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
-
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn)
-		require.False(t, newConn.IsTombstone())
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-
-		// Complete handshake: server SYN-ACK, then client ACK
-		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
-		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
-
-		conn := tracker.connections[key]
-		require.True(t, conn.IsTombstone())
-
-		// Late ACK should be rejected (tombstoned)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
-
-		// Late outbound ACK should not create a new connection (not a SYN)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
-	})
-}
-
-func TestTCPPortReuseTimeWait(t *testing.T) {
-	srcIP := netip.MustParseAddr("100.64.0.1")
-	dstIP := netip.MustParseAddr("100.64.0.2")
-	srcPort := uint16(12345)
-	dstPort := uint16(80)
-
-	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish connection
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-
-		// Active close: client (outbound initiator) sends FIN first
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateFinWait1, conn.GetState())
-
-		// Server ACKs the FIN
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateFinWait2, conn.GetState())
-
-		// Server sends its own FIN
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		require.True(t, valid)
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
-
-		// New outbound SYN on the same port (port reuse during TIME-WAIT)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
-
-		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
-		newConn := tracker.connections[key]
-		require.NotNil(t, newConn, "new connection should exist")
-		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
-		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
-
-		// SYN-ACK for new connection should be valid
-		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
-		require.True(t, valid, "SYN-ACK for new connection should be accepted")
-		require.Equal(t, TCPStateEstablished, newConn.GetState())
-	})
-
-	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish outbound connection and close via active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
-		// so the filter falls through to ACL check + TrackInbound (which creates
-		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
-		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
-
-		// Simulate what the filter does next: TrackInbound via the normal path
-		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
-
-		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
-		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
-		newConn := tracker.connections[invertedKey]
-		require.NotNil(t, newConn, "new inbound connection should be tracked")
-		require.Equal(t, TCPStateSynReceived, newConn.GetState())
-		require.False(t, newConn.IsTombstone())
-	})
-
-	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
-		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
-		defer tracker.Close()
-
-		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
-
-		// Establish and active close → TIME-WAIT
-		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
-		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
-
-		conn := tracker.connections[key]
-		require.Equal(t, TCPStateTimeWait, conn.GetState())
-
-		// Late ACK retransmits during TIME-WAIT should still be accepted
-		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
-		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
-	})
-}
-
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond

client/firewall/uspfilter/log/log.go

@@ -5,8 +5,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"os"
-	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -18,18 +16,9 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	defaultLogChanSize   = 1000
+	logChannelSize       = 1000
 )
 
-func getLogChannelSize() int {
-	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
-		if n, err := strconv.Atoi(v); err == nil && n > 0 {
-			return n
-		}
-	}
-	return defaultLogChanSize
-}
-
 type Level uint32
 
 const (
@@ -80,7 +69,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, getLogChannelSize()),
+		msgChannel: make(chan logMessage, logChannelSize),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {

client/firewall/uspfilter/nat.go

@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {

client/iface/device/device_filter.go

@@ -29,9 +29,8 @@ type PacketFilter interface {
 type FilteredDevice struct {
 	tun.Device
 
-	filter    PacketFilter
-	mutex     sync.RWMutex
-	closeOnce sync.Once
+	filter PacketFilter
+	mutex  sync.RWMutex
 }
 
 // newDeviceFilter constructor function
@@ -41,20 +40,6 @@ func newDeviceFilter(device tun.Device) *FilteredDevice {
 	}
 }
 
-// Close closes the underlying tun device exactly once.
-// wireguard-go's netTun.Close() panics on double-close due to a bare close(channel),
-// and multiple code paths can trigger Close on the same device.
-func (d *FilteredDevice) Close() error {
-	var err error
-	d.closeOnce.Do(func() {
-		err = d.Device.Close()
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {

client/iface/device/device_netstack.go

@@ -82,9 +82,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
-		if cErr := tunIface.Close(); cErr != nil {
-			log.Debugf("failed to close tun device: %v", cErr)
-		}
+		_ = tunIface.Close()
 		return nil, fmt.Errorf("error configuring interface: %s", err)
 	}
 

client/iface/iface_test.go

@@ -589,101 +589,6 @@ func Test_ConnectPeers(t *testing.T) {
 
 }
 
-func Test_UserSpaceAddAllowedIPs(t *testing.T) {
-	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+5)
-	wgIP := "10.99.99.21/30"
-	wgPort := 33105
-
-	newNet, err := stdnet.NewNet(context.Background(), nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	opts := WGIFaceOpts{
-		IFaceName:    ifaceName,
-		Address:      wgIP,
-		WGPort:       wgPort,
-		WGPrivKey:    key,
-		MTU:          DefaultMTU,
-		TransportNet: newNet,
-	}
-
-	iface, err := NewWGIFace(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = iface.Create()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		if err := iface.Close(); err != nil {
-			t.Error(err)
-		}
-	}()
-
-	_, err = iface.Up()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	keepAlive := 15 * time.Second
-	initialAllowedIP := netip.MustParsePrefix("10.99.99.22/32")
-	endpoint, err := net.ResolveUDPAddr("udp", "127.0.0.1:9905")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Add peer with initial endpoint and first allowed IP
-	err = iface.UpdatePeer(peerPubKey, []netip.Prefix{initialAllowedIP}, keepAlive, endpoint, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Phase 1: generate 500 allowed IPs into a list
-	const extraIPs = 500
-	addedPrefixes := make([]netip.Prefix, 0, extraIPs)
-	for i := 0; i < extraIPs; i++ {
-		// Use 172.16.x.y/32 range: i encoded as two octets
-		prefix := netip.MustParsePrefix(fmt.Sprintf("172.16.%d.%d/32", i/256, i%256))
-		addedPrefixes = append(addedPrefixes, prefix)
-	}
-
-	// Phase 2: iterate over the list and add each allowed IP to the peer
-	phase2Start := time.Now()
-	for _, prefix := range addedPrefixes {
-		if addErr := iface.AddAllowedIP(peerPubKey, prefix); addErr != nil {
-			t.Fatalf("failed to add allowed IP %s: %v", prefix, addErr)
-		}
-	}
-	t.Logf("Phase 2 (add %d IPs to peer): %s", extraIPs, time.Since(phase2Start))
-
-	// Verify the peer has all 101 allowed IPs (1 initial + 100 added)
-	peer, err := getPeer(ifaceName, peerPubKey)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if peer.Endpoint.String() != endpoint.String() {
-		t.Fatalf("expected endpoint %s, got %s", endpoint, peer.Endpoint)
-	}
-
-	allExpected := append([]netip.Prefix{initialAllowedIP}, addedPrefixes...)
-	if len(peer.AllowedIPs) != len(allExpected) {
-		t.Fatalf("expected %d allowed IPs, got %d", len(allExpected), len(peer.AllowedIPs))
-	}
-
-	allowedIPSet := make(map[string]struct{}, len(peer.AllowedIPs))
-	for _, aip := range peer.AllowedIPs {
-		allowedIPSet[aip.String()] = struct{}{}
-	}
-	for _, expected := range allExpected {
-		if _, found := allowedIPSet[expected.String()]; !found {
-			t.Errorf("expected allowed IP %s not found in peer config", expected)
-		}
-	}
-}
-
 func getPeer(ifaceName, peerPubKey string) (wgtypes.Peer, error) {
 	wg, err := wgctrl.New()
 	if err != nil {

client/iface/netstack/tun.go

@@ -66,7 +66,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()
 
-	return t.tundev, tunNet, nil
+	return nsTunDev, tunNet, nil
 }
 
 func (t *NetStackTun) Close() error {

client/internal/connect.go

@@ -290,10 +290,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 
-		if relayClient.IsDisableRelay() {
-			relayURLs = []string{}
-		}
-
 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
 		if len(relayURLs) > 0 {
@@ -314,8 +310,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		c.engineMutex.Lock()
 		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks, stateManager)
 		engine.SetSyncResponsePersistence(c.persistSyncResponse)
-		engine.SetReadyChan(runningChan)
-		runningChan = nil
 		c.engine = engine
 		c.engineMutex.Unlock()
 
@@ -336,6 +330,11 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)
 
+		if runningChan != nil {
+			close(runningChan)
+			runningChan = nil
+		}
+
 		<-engineCtx.Done()
 
 		c.engineMutex.Lock()

client/internal/dns/host_windows.go

@@ -42,8 +42,6 @@ const (
 	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
 	dnsPolicyConfigConfigOptionsValue   = 0x8
 
-	nrptMaxDomainsPerRule = 50
-
 	interfaceConfigPath          = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
@@ -200,11 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
-		// Update count even on error to ensure cleanup covers partially created rules
-		r.nrptEntryCount = count
 		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		r.nrptEntryCount = 0
 	}
@@ -242,33 +239,23 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
+	for i, domain := range domains {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
 
-	// We need to batch domains into chunks and create one NRPT rule per batch.
-	ruleIndex := 0
-	for i := 0; i < len(domains); i += nrptMaxDomainsPerRule {
-		end := i + nrptMaxDomainsPerRule
-		if end > len(domains) {
-			end = len(domains)
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
 		}
-		batchDomains := domains[i:end]
-
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, ruleIndex)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, ruleIndex)
-
-		if err := r.configureDNSPolicy(localPath, batchDomains, ip); err != nil {
-			return ruleIndex, fmt.Errorf("configure DNS Local policy for rule %d: %w", ruleIndex, err)
-		}
-
-		// Increment immediately so the caller's cleanup path knows about this rule
-		ruleIndex++
 
 		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, batchDomains, ip); err != nil {
-				return ruleIndex, fmt.Errorf("configure gpo DNS policy for rule %d: %w", ruleIndex-1, err)
+			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
+				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
 			}
 		}
 
-		log.Debugf("added NRPT rule %d with %d domains", ruleIndex-1, len(batchDomains))
+		log.Debugf("added NRPT entry for domain: %s", domain)
 	}
 
 	if r.gpo {
@@ -277,8 +264,8 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 		}
 	}
 
-	log.Infof("added %d NRPT rules for %d domains. Domain list: %v", ruleIndex, len(domains), domains)
-	return ruleIndex, nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }
 
 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {

client/internal/dns/host_windows_test.go

@@ -12,7 +12,6 @@ import (
 
 // TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
 // when the number of match domains decreases between configuration changes.
-// With batching enabled (50 domains per rule), we need enough domains to create multiple rules.
 func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping registry integration test in short mode")
@@ -38,60 +37,51 @@ func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
 		gpo:  false,
 	}
 
-	// Create 125 domains which will result in 3 NRPT rules (50+50+25)
-	domains125 := make([]DomainConfig, 125)
-	for i := 0; i < 125; i++ {
-		domains125[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config125 := HostDNSConfig{
+	config5 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains125,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
 	}
 
-	err = cfg.applyDNSConfig(config125, nil)
+	err = cfg.applyDNSConfig(config5, nil)
 	require.NoError(t, err)
 
-	// Verify 3 NRPT rules exist
-	assert.Equal(t, 3, cfg.nrptEntryCount, "Should create 3 NRPT rules for 125 domains")
-	for i := 0; i < 3; i++ {
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after first config", i)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
 	}
 
-	// Reduce to 75 domains which will result in 2 NRPT rules (50+25)
-	domains75 := make([]DomainConfig, 75)
-	for i := 0; i < 75; i++ {
-		domains75[i] = DomainConfig{
-			Domain:    fmt.Sprintf("domain%d.com", i+1),
-			MatchOnly: true,
-		}
-	}
-
-	config75 := HostDNSConfig{
+	config2 := HostDNSConfig{
 		ServerIP: testIP,
-		Domains:  domains75,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
 	}
 
-	err = cfg.applyDNSConfig(config75, nil)
+	err = cfg.applyDNSConfig(config2, nil)
 	require.NoError(t, err)
 
-	// Verify first 2 NRPT rules exist
-	assert.Equal(t, 2, cfg.nrptEntryCount, "Should create 2 NRPT rules for 75 domains")
+	// Verify first 2 entries exist
 	for i := 0; i < 2; i++ {
 		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
 		require.NoError(t, err)
-		assert.True(t, exists, "NRPT rule %d should exist after second config", i)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
 	}
 
-	// Verify rule 2 is cleaned up
-	exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, 2))
-	require.NoError(t, err)
-	assert.False(t, exists, "NRPT rule 2 should NOT exist after reducing to 75 domains")
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
 }
 
 func registryKeyExists(path string) (bool, error) {
@@ -107,106 +97,6 @@ func registryKeyExists(path string) (bool, error) {
 }
 
 func cleanupRegistryKeys(*testing.T) {
-	// Clean up more entries to account for batching tests with many domains
-	cfg := &registryConfigurator{nrptEntryCount: 20}
+	cfg := &registryConfigurator{nrptEntryCount: 10}
 	_ = cfg.removeDNSMatchPolicies()
 }
-
-// TestNRPTDomainBatching verifies that domains are correctly batched into NRPT rules.
-func TestNRPTDomainBatching(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	testCases := []struct {
-		name              string
-		domainCount       int
-		expectedRuleCount int
-	}{
-		{
-			name:              "Less than 50 domains (single rule)",
-			domainCount:       30,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "Exactly 50 domains (single rule)",
-			domainCount:       50,
-			expectedRuleCount: 1,
-		},
-		{
-			name:              "51 domains (two rules)",
-			domainCount:       51,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "100 domains (two rules)",
-			domainCount:       100,
-			expectedRuleCount: 2,
-		},
-		{
-			name:              "125 domains (three rules: 50+50+25)",
-			domainCount:       125,
-			expectedRuleCount: 3,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			// Clean up before each subtest
-			cleanupRegistryKeys(t)
-
-			// Generate domains
-			domains := make([]DomainConfig, tc.domainCount)
-			for i := 0; i < tc.domainCount; i++ {
-				domains[i] = DomainConfig{
-					Domain:    fmt.Sprintf("domain%d.com", i+1),
-					MatchOnly: true,
-				}
-			}
-
-			config := HostDNSConfig{
-				ServerIP: testIP,
-				Domains:  domains,
-			}
-
-			err := cfg.applyDNSConfig(config, nil)
-			require.NoError(t, err)
-
-			// Verify that exactly expectedRuleCount rules were created
-			assert.Equal(t, tc.expectedRuleCount, cfg.nrptEntryCount,
-				"Should create %d NRPT rules for %d domains", tc.expectedRuleCount, tc.domainCount)
-
-			// Verify all expected rules exist
-			for i := 0; i < tc.expectedRuleCount; i++ {
-				exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-				require.NoError(t, err)
-				assert.True(t, exists, "NRPT rule %d should exist", i)
-			}
-
-			// Verify no extra rules were created
-			exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, tc.expectedRuleCount))
-			require.NoError(t, err)
-			assert.False(t, exists, "No NRPT rule should exist at index %d", tc.expectedRuleCount)
-		})
-	}
-}

client/internal/dns/mock_server.go

@@ -84,18 +84,3 @@ func (m *MockServer) UpdateServerConfig(domains dnsconfig.ServerDomains) error {
 func (m *MockServer) PopulateManagementDomain(mgmtURL *url.URL) error {
 	return nil
 }
-
-// BeginBatch mock implementation of BeginBatch from Server interface
-func (m *MockServer) BeginBatch() {
-	// Mock implementation - no-op
-}
-
-// EndBatch mock implementation of EndBatch from Server interface
-func (m *MockServer) EndBatch() {
-	// Mock implementation - no-op
-}
-
-// CancelBatch mock implementation of CancelBatch from Server interface
-func (m *MockServer) CancelBatch() {
-	// Mock implementation - no-op
-}

client/internal/dns/server.go

@@ -45,9 +45,6 @@ type IosDnsManager interface {
 type Server interface {
 	RegisterHandler(domains domain.List, handler dns.Handler, priority int)
 	DeregisterHandler(domains domain.List, priority int)
-	BeginBatch()
-	EndBatch()
-	CancelBatch()
 	Initialize() error
 	Stop()
 	DnsIP() netip.Addr
@@ -90,7 +87,6 @@ type DefaultServer struct {
 	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
-	batchMode          bool
 
 	mgmtCacheResolver *mgmt.Resolver
 
@@ -238,9 +234,7 @@ func (s *DefaultServer) RegisterHandler(domains domain.List, handler dns.Handler
 		// convert to zone with simple ref counter
 		s.extraDomains[toZone(domain)]++
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
+	s.applyHostConfig()
 }
 
 func (s *DefaultServer) registerHandler(domains []string, handler dns.Handler, priority int) {
@@ -269,41 +263,9 @@ func (s *DefaultServer) DeregisterHandler(domains domain.List, priority int) {
 			delete(s.extraDomains, zone)
 		}
 	}
-	if !s.batchMode {
-		s.applyHostConfig()
-	}
-}
-
-// BeginBatch starts batch mode for DNS handler registration/deregistration.
-// In batch mode, applyHostConfig() is not called after each handler operation,
-// allowing multiple handlers to be registered/deregistered efficiently.
-// Must be followed by EndBatch() to apply the accumulated changes.
-func (s *DefaultServer) BeginBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode enabled")
-	s.batchMode = true
-}
-
-// EndBatch ends batch mode and applies all accumulated DNS configuration changes.
-func (s *DefaultServer) EndBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode disabled, applying accumulated changes")
-	s.batchMode = false
 	s.applyHostConfig()
 }
 
-// CancelBatch cancels batch mode without applying accumulated changes.
-// This is useful when operations fail partway through and you want to
-// discard partial state rather than applying it.
-func (s *DefaultServer) CancelBatch() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	log.Debugf("DNS batch mode cancelled, discarding accumulated changes")
-	s.batchMode = false
-}
-
 func (s *DefaultServer) deregisterHandler(domains []string, priority int) {
 	log.Debugf("deregistering handler with priority %d for %v", priority, domains)
 
@@ -561,7 +523,6 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.currentConfig.RouteAll = false
 	}
 
-	// Always apply host config for management updates, regardless of batch mode
 	s.applyHostConfig()
 
 	s.shutdownWg.Add(1)
@@ -926,7 +887,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			}
 		}
 
-		// Always apply host config when nameserver goes down, regardless of batch mode
 		s.applyHostConfig()
 
 		go func() {
@@ -962,7 +922,6 @@ func (s *DefaultServer) upstreamCallbacks(
 			s.registerHandler([]string{nbdns.RootZone}, handler, priority)
 		}
 
-		// Always apply host config when nameserver reactivates, regardless of batch mode
 		s.applyHostConfig()
 
 		s.updateNSState(nsGroup, nil, true)

client/internal/dns/server_export_test.go

@@ -18,12 +18,7 @@ func TestGetServerDns(t *testing.T) {
 		t.Errorf("invalid dns server instance: %s", err)
 	}
 
-	mockSrvB, ok := srvB.(*MockServer)
-	if !ok {
-		t.Errorf("returned server is not a MockServer")
-	}
-
-	if mockSrvB != srv {
+	if srvB != srv {
 		t.Errorf("mismatch dns instances")
 	}
 }

client/internal/engine.go

@@ -29,7 +29,6 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/debug"
@@ -217,10 +216,6 @@ type Engine struct {
 	// WireGuard interface monitor
 	wgIfaceMonitor *WGIfaceMonitor
 
-	// readyChan is closed when the first sync message is received from management
-	readyChan     chan struct{}
-	readyChanOnce sync.Once
-
 	// shutdownWg tracks all long-running goroutines to ensure clean shutdown
 	shutdownWg sync.WaitGroup
 
@@ -279,10 +274,6 @@ func NewEngine(
 	return engine
 }
 
-func (e *Engine) SetReadyChan(ch chan struct{}) {
-	e.readyChan = ch
-}
-
 func (e *Engine) Stop() error {
 	if e == nil {
 		// this seems to be a very odd case but there was the possibility if the netbird down command comes before the engine is fully started
@@ -552,12 +543,11 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
 	e.shutdownWg.Add(1)
-	wgIfaceName := e.wgInterface.Name()
 
 	go func() {
 		defer e.shutdownWg.Done()
 
-		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, wgIfaceName); shouldRestart {
+		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
 			e.triggerClientRestart()
 		} else if err != nil {
@@ -842,13 +832,6 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	defer func() {
 		log.Infof("sync finished in %s", time.Since(started))
 	}()
-
-	e.readyChanOnce.Do(func() {
-		if e.readyChan != nil {
-			close(e.readyChan)
-		}
-	})
-
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
@@ -895,11 +878,9 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		// todo update signal
 	}
 
-	uCheckTime := time.Now()
 	if err := e.updateChecksIfNew(update.Checks); err != nil {
 		return err
 	}
-	log.Infof("update check finished in %s", time.Since(uCheckTime))
 
 	nm := update.GetNetworkMap()
 	if nm == nil {
@@ -942,9 +923,7 @@ func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 			return fmt.Errorf("update relay token: %w", err)
 		}
 
-		if !relayClient.IsDisableRelay() {
-			e.relayManager.UpdateServerURLs(update.Urls)
-		}
+		e.relayManager.UpdateServerURLs(update.Urls)
 
 		// Just in case the agent started with an MGM server where the relay was disabled but was later enabled.
 		// We can ignore all errors because the guard will manage the reconnection retries.
@@ -1943,7 +1922,7 @@ func (e *Engine) triggerClientRestart() {
 }
 
 func (e *Engine) startNetworkMonitor() {
-	if !e.config.NetworkMonitor || nbnetstack.IsEnabled() {
+	if !e.config.NetworkMonitor {
 		log.Infof("Network monitor is disabled, not starting")
 		return
 	}

client/internal/networkmonitor/monitor.go

@@ -14,6 +14,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
@@ -37,6 +38,11 @@ func New() *NetworkMonitor {
 
 // Listen begins monitoring network changes. When a change is detected, this function will return without error.
 func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
+	if netstack.IsEnabled() {
+		log.Debugf("Network monitor: skipping in netstack mode")
+		return nil
+	}
+
 	nw.mu.Lock()
 	if nw.cancel != nil {
 		nw.mu.Unlock()

client/internal/peer/conn.go

@@ -410,7 +410,7 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 	conn.doOnConnected(iceConnInfo.RosenpassPubKey, iceConnInfo.RosenpassAddr)
 }
 
-func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
+func (conn *Conn) onICEStateDisconnected() {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
@@ -430,18 +430,14 @@ func (conn *Conn) onICEStateDisconnected(sessionChanged bool) {
 	if conn.isReadyToUpgrade() {
 		conn.Log.Infof("ICE disconnected, set Relay to active connection")
 		conn.dumpState.SwitchToRelay()
-		if sessionChanged {
-			conn.resetEndpoint()
-		}
-
-		// todo consider to move after the ConfigureWGEndpoint
 		conn.wgProxyRelay.Work()
 
 		presharedKey := conn.presharedKey(conn.rosenpassRemoteKey)
-		if err := conn.endpointUpdater.SwitchWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
+		if err := conn.endpointUpdater.ConfigureWGEndpoint(conn.wgProxyRelay.EndpointAddr(), presharedKey); err != nil {
 			conn.Log.Errorf("failed to switch to relay conn: %v", err)
 		}
 
+		conn.wgProxyRelay.Work()
 		conn.currentConnPriority = conntype.Relay
 	} else {
 		conn.Log.Infof("ICE disconnected, do not switch to Relay. Reset priority to: %s", conntype.None.String())
@@ -503,22 +499,20 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 		return
 	}
 
-	controller := isController(conn.config)
+	wgProxy.Work()
+	presharedKey := conn.presharedKey(rci.rosenpassPubKey)
 
-	if controller {
-		wgProxy.Work()
-	}
 	conn.enableWgWatcherIfNeeded()
-	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), conn.presharedKey(rci.rosenpassPubKey)); err != nil {
+
+	if err := conn.endpointUpdater.ConfigureWGEndpoint(wgProxy.EndpointAddr(), presharedKey); err != nil {
 		if err := wgProxy.CloseConn(); err != nil {
 			conn.Log.Warnf("Failed to close relay connection: %v", err)
 		}
 		conn.Log.Errorf("Failed to update WireGuard peer configuration: %v", err)
 		return
 	}
-	if !controller {
-		wgProxy.Work()
-	}
+
+	wgConfigWorkaround()
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()
@@ -763,17 +757,6 @@ func (conn *Conn) newProxy(remoteConn net.Conn) (wgproxy.Proxy, error) {
 	return wgProxy, nil
 }
 
-func (conn *Conn) resetEndpoint() {
-	if !isController(conn.config) {
-		return
-	}
-	conn.Log.Infof("reset wg endpoint")
-	conn.wgWatcher.Reset()
-	if err := conn.endpointUpdater.RemoveEndpointAddress(); err != nil {
-		conn.Log.Warnf("failed to remove endpoint address before update: %v", err)
-	}
-}
-
 func (conn *Conn) isReadyToUpgrade() bool {
 	return conn.wgProxyRelay != nil && conn.currentConnPriority != conntype.Relay
 }
@@ -879,3 +862,9 @@ func isController(config ConnConfig) bool {
 func isRosenpassEnabled(remoteRosenpassPubKey []byte) bool {
 	return remoteRosenpassPubKey != nil
 }
+
+// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
+// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
+func wgConfigWorkaround() {
+	time.Sleep(100 * time.Millisecond)
+}

client/internal/peer/endpoint.go

@@ -34,27 +34,28 @@ func NewEndpointUpdater(log *logrus.Entry, wgConfig WgConfig, initiator bool) *E
 	}
 }
 
+// ConfigureWGEndpoint sets up the WireGuard endpoint configuration.
+// The initiator immediately configures the endpoint, while the non-initiator
+// waits for a fallback period before configuring to avoid handshake congestion.
 func (e *EndpointUpdater) ConfigureWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
 	if e.initiator {
-		e.log.Debugf("configure up WireGuard as initiator")
-		return e.configureAsInitiator(addr, presharedKey)
+		e.log.Debugf("configure up WireGuard as initiatr")
+		return e.updateWireGuardPeer(addr, presharedKey)
 	}
 
-	e.log.Debugf("configure up WireGuard as responder")
-	return e.configureAsResponder(addr, presharedKey)
-}
-
-func (e *EndpointUpdater) SwitchWGEndpoint(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
 	// prevent to run new update while cancel the previous update
 	e.waitForCloseTheDelayedUpdate()
 
-	return e.updateWireGuardPeer(addr, presharedKey)
+	var ctx context.Context
+	ctx, e.cancelFunc = context.WithCancel(context.Background())
+	e.updateWg.Add(1)
+	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
+
+	e.log.Debugf("configure up WireGuard and wait for handshake")
+	return e.updateWireGuardPeer(nil, presharedKey)
 }
 
 func (e *EndpointUpdater) RemoveWgPeer() error {
@@ -65,38 +66,6 @@ func (e *EndpointUpdater) RemoveWgPeer() error {
 	return e.wgConfig.WgInterface.RemovePeer(e.wgConfig.RemoteKey)
 }
 
-func (e *EndpointUpdater) RemoveEndpointAddress() error {
-	e.mu.Lock()
-	defer e.mu.Unlock()
-
-	e.waitForCloseTheDelayedUpdate()
-	return e.wgConfig.WgInterface.RemoveEndpointAddress(e.wgConfig.RemoteKey)
-}
-
-func (e *EndpointUpdater) configureAsInitiator(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	if err := e.updateWireGuardPeer(addr, presharedKey); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (e *EndpointUpdater) configureAsResponder(addr *net.UDPAddr, presharedKey *wgtypes.Key) error {
-	// prevent to run new update while cancel the previous update
-	e.waitForCloseTheDelayedUpdate()
-
-	e.log.Debugf("configure up WireGuard and wait for handshake")
-	var ctx context.Context
-	ctx, e.cancelFunc = context.WithCancel(context.Background())
-	e.updateWg.Add(1)
-	go e.scheduleDelayedUpdate(ctx, addr, presharedKey)
-
-	if err := e.updateWireGuardPeer(nil, presharedKey); err != nil {
-		e.waitForCloseTheDelayedUpdate()
-		return err
-	}
-	return nil
-}
-
 func (e *EndpointUpdater) waitForCloseTheDelayedUpdate() {
 	if e.cancelFunc == nil {
 		return
@@ -132,9 +101,3 @@ func (e *EndpointUpdater) updateWireGuardPeer(endpoint *net.UDPAddr, presharedKe
 		presharedKey,
 	)
 }
-
-// wgConfigWorkaround is a workaround for the issue with WireGuard configuration update
-// When update a peer configuration in near to each other time, the second update can be ignored by WireGuard
-func wgConfigWorkaround() {
-	time.Sleep(100 * time.Millisecond)
-}

client/internal/peer/ice/agent.go

@@ -12,7 +12,6 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 )
 
 const (
@@ -126,10 +125,6 @@ func GenerateICECredentials() (string, string, error) {
 }
 
 func CandidateTypes() []ice.CandidateType {
-	if relayClient.IsDisableRelay() {
-		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
-	}
-
 	if hasICEForceRelayConn() {
 		return []ice.CandidateType{ice.CandidateTypeRelay}
 	}

client/internal/peer/wg_watcher.go

@@ -32,8 +32,6 @@ type WGWatcher struct {
 
 	enabled   bool
 	muEnabled sync.RWMutex
-
-	resetCh chan struct{}
 }
 
 func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey string, stateDump *stateDump) *WGWatcher {
@@ -42,7 +40,6 @@ func NewWGWatcher(log *log.Entry, wgIfaceStater WGInterfaceStater, peerKey strin
 		wgIfaceStater: wgIfaceStater,
 		peerKey:       peerKey,
 		stateDump:     stateDump,
-		resetCh:       make(chan struct{}, 1),
 	}
 }
 
@@ -79,15 +76,6 @@ func (w *WGWatcher) IsEnabled() bool {
 	return w.enabled
 }
 
-// Reset signals the watcher that the WireGuard peer has been reset and a new
-// handshake is expected. This restarts the handshake timeout from scratch.
-func (w *WGWatcher) Reset() {
-	select {
-	case w.resetCh <- struct{}{}:
-	default:
-	}
-}
-
 // wgStateCheck help to check the state of the WireGuard handshake and relay connection
 func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn func(), enabledTime time.Time, initialHandshake time.Time) {
 	w.log.Infof("WireGuard watcher started")
@@ -117,12 +105,6 @@ func (w *WGWatcher) periodicHandshakeCheck(ctx context.Context, onDisconnectedFn
 			w.stateDump.WGcheckSuccess()
 
 			w.log.Debugf("WireGuard watcher reset timer: %v", resetTime)
-		case <-w.resetCh:
-			w.log.Infof("WireGuard watcher received peer reset, restarting handshake timeout")
-			lastHandshake = time.Time{}
-			enabledTime = time.Now()
-			timer.Stop()
-			timer.Reset(wgHandshakeOvertime)
 		case <-ctx.Done():
 			w.log.Infof("WireGuard watcher stopped")
 			return

client/internal/peer/worker_ice.go

@@ -52,9 +52,8 @@ type WorkerICE struct {
 	// increase by one when disconnecting the agent
 	// with it the remote peer can discard the already deprecated offer/answer
 	// Without it the remote peer may recreate a workable ICE connection
-	sessionID            ICESessionID
-	remoteSessionChanged bool
-	muxAgent             sync.Mutex
+	sessionID ICESessionID
+	muxAgent  sync.Mutex
 
 	localUfrag string
 	localPwd   string
@@ -107,7 +106,6 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 			return
 		}
 		w.log.Debugf("agent already exists, recreate the connection")
-		w.remoteSessionChanged = true
 		w.agentDialerCancel()
 		if w.agent != nil {
 			if err := w.agent.Close(); err != nil {
@@ -308,17 +306,13 @@ func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent
 	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }
 
-func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) bool {
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
 	cancel()
 	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}
 
 	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-
-	sessionChanged := w.remoteSessionChanged
-	w.remoteSessionChanged = false
 
 	if w.agent == agent {
 		// consider to remove from here and move to the OnNewOffer
@@ -331,7 +325,7 @@ func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.C
 		w.agentConnecting = false
 		w.remoteSessionID = ""
 	}
-	return sessionChanged
+	w.muxAgent.Unlock()
 }
 
 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
@@ -432,11 +426,11 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 			// ice.ConnectionStateClosed happens when we recreate the agent. For the P2P to TURN switch important to
 			// notify the conn.onICEStateDisconnected changes to update the current used priority
 
-			sessionChanged := w.closeAgent(agent, dialerCancel)
+			w.closeAgent(agent, dialerCancel)
 
 			if w.lastKnownState == ice.ConnectionStateConnected {
 				w.lastKnownState = ice.ConnectionStateDisconnected
-				w.conn.onICEStateDisconnected(sessionChanged)
+				w.conn.onICEStateDisconnected()
 			}
 		default:
 			return

client/internal/routemanager/manager.go

@@ -346,23 +346,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 	}
 
 	var merr *multierror.Error
-
-	// Begin batch mode to avoid calling applyHostConfig() after each DNS handler operation
-	batchStarted := false
-	if m.dnsServer != nil {
-		m.dnsServer.BeginBatch()
-		batchStarted = true
-		defer func() {
-			if merr != nil {
-				// On error, cancel batch to discard partial DNS state
-				m.dnsServer.CancelBatch()
-			} else {
-				// On success, apply accumulated DNS changes
-				m.dnsServer.EndBatch()
-			}
-		}()
-	}
-
 	for id, handler := range toRemove {
 		if err := handler.RemoveRoute(); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", handler.String(), err))
@@ -393,7 +376,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 		m.activeRoutes[id] = handler
 	}
 
-	_ = batchStarted // Mark as used
 	return nberrors.FormatErrorOrNil(merr)
 }
 

client/ios/NetBirdSDK/env_list.go

@@ -2,10 +2,7 @@
 
 package NetBirdSDK
 
-import (
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/peer"
-)
+import "github.com/netbirdio/netbird/client/internal/peer"
 
 // EnvList is an exported struct to be bound by gomobile
 type EnvList struct {
@@ -35,13 +32,3 @@ func (el *EnvList) AllItems() map[string]string {
 func GetEnvKeyNBForceRelay() string {
 	return peer.EnvKeyNBForceRelay
 }
-
-// GetEnvKeyNBLazyConn Exports the environment variable for the iOS client
-func GetEnvKeyNBLazyConn() string {
-	return lazyconn.EnvEnableLazyConn
-}
-
-// GetEnvKeyNBInactivityThreshold Exports the environment variable for the iOS client
-func GetEnvKeyNBInactivityThreshold() string {
-	return lazyconn.EnvInactivityThreshold
-}

combined/Dockerfile

@@ -1,5 +0,0 @@
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-server" ]
-CMD ["--config", "/etc/netbird/config.yaml"]
-COPY netbird-server /go/bin/netbird-server

combined/Dockerfile.multistage

@@ -1,25 +0,0 @@
-FROM golang:1.25-bookworm AS builder
-WORKDIR /app
-
-# Install build dependencies
-RUN apt-get update && apt-get install -y gcc libc6-dev git && rm -rf /var/lib/apt/lists/*
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-
-# Build with version info from git (matching goreleaser ldflags)
-RUN CGO_ENABLED=1 GOOS=linux go build \
-    -ldflags="-s -w \
-    -X github.com/netbirdio/netbird/version.version=$(git describe --tags --always --dirty 2>/dev/null || echo 'dev') \
-    -X main.commit=$(git rev-parse --short HEAD 2>/dev/null || echo 'unknown') \
-    -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
-    -X main.builtBy=docker" \
-    -o netbird-server ./combined
-
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-server" ]
-CMD ["--config", "/etc/netbird/config.yaml"]
-COPY --from=builder /app/netbird-server /go/bin/netbird-server

combined/LICENSE

@@ -1,661 +0,0 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<https://www.gnu.org/licenses/>.

combined/cmd/config.go

@@ -1,723 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"path"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"gopkg.in/yaml.v3"
-
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/crypt"
-
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-)
-
-// CombinedConfig is the root configuration for the combined server.
-// The combined server is primarily a Management server with optional embedded
-// Signal, Relay, and STUN services.
-//
-// Architecture:
-//   - Management: Always runs locally (this IS the management server)
-//   - Signal: Runs locally by default; disabled if server.signalUri is set
-//   - Relay: Runs locally by default; disabled if server.relays is set
-//   - STUN: Runs locally on port 3478 by default; disabled if server.stuns is set
-//
-// All user-facing settings are under "server". The relay/signal/management
-// fields are internal and populated automatically from server settings.
-type CombinedConfig struct {
-	Server ServerConfig `yaml:"server"`
-
-	// Internal configs - populated from Server settings, not user-configurable
-	Relay      RelayConfig      `yaml:"-"`
-	Signal     SignalConfig     `yaml:"-"`
-	Management ManagementConfig `yaml:"-"`
-}
-
-// ServerConfig contains server-wide settings
-// In simplified mode, this contains all configuration
-type ServerConfig struct {
-	ListenAddress      string    `yaml:"listenAddress"`
-	MetricsPort        int       `yaml:"metricsPort"`
-	HealthcheckAddress string    `yaml:"healthcheckAddress"`
-	LogLevel           string    `yaml:"logLevel"`
-	LogFile            string    `yaml:"logFile"`
-	TLS                TLSConfig `yaml:"tls"`
-
-	// Simplified config fields (used when relay/signal/management sections are omitted)
-	ExposedAddress string `yaml:"exposedAddress"` // Public address with protocol (e.g., "https://example.com:443")
-	StunPorts      []int  `yaml:"stunPorts"`      // STUN ports (empty to disable local STUN)
-	AuthSecret     string `yaml:"authSecret"`     // Shared secret for relay authentication
-	DataDir        string `yaml:"dataDir"`        // Data directory for all services
-
-	// External service overrides (simplified mode)
-	// When these are set, the corresponding local service is NOT started
-	// and these values are used for client configuration instead
-	Stuns     []HostConfig `yaml:"stuns"`     // External STUN servers (disables local STUN)
-	Relays    RelaysConfig `yaml:"relays"`    // External relay servers (disables local relay)
-	SignalURI string       `yaml:"signalUri"` // External signal server (disables local signal)
-
-	// Management settings (simplified mode)
-	DisableAnonymousMetrics bool               `yaml:"disableAnonymousMetrics"`
-	DisableGeoliteUpdate    bool               `yaml:"disableGeoliteUpdate"`
-	Auth                    AuthConfig         `yaml:"auth"`
-	Store                   StoreConfig        `yaml:"store"`
-	ReverseProxy            ReverseProxyConfig `yaml:"reverseProxy"`
-}
-
-// TLSConfig contains TLS/HTTPS settings
-type TLSConfig struct {
-	CertFile    string            `yaml:"certFile"`
-	KeyFile     string            `yaml:"keyFile"`
-	LetsEncrypt LetsEncryptConfig `yaml:"letsencrypt"`
-}
-
-// LetsEncryptConfig contains Let's Encrypt settings
-type LetsEncryptConfig struct {
-	Enabled    bool     `yaml:"enabled"`
-	DataDir    string   `yaml:"dataDir"`
-	Domains    []string `yaml:"domains"`
-	Email      string   `yaml:"email"`
-	AWSRoute53 bool     `yaml:"awsRoute53"`
-}
-
-// RelayConfig contains relay service settings
-type RelayConfig struct {
-	Enabled        bool       `yaml:"enabled"`
-	ExposedAddress string     `yaml:"exposedAddress"`
-	AuthSecret     string     `yaml:"authSecret"`
-	LogLevel       string     `yaml:"logLevel"`
-	Stun           StunConfig `yaml:"stun"`
-}
-
-// StunConfig contains embedded STUN service settings
-type StunConfig struct {
-	Enabled  bool   `yaml:"enabled"`
-	Ports    []int  `yaml:"ports"`
-	LogLevel string `yaml:"logLevel"`
-}
-
-// SignalConfig contains signal service settings
-type SignalConfig struct {
-	Enabled  bool   `yaml:"enabled"`
-	LogLevel string `yaml:"logLevel"`
-}
-
-// ManagementConfig contains management service settings
-type ManagementConfig struct {
-	Enabled                 bool               `yaml:"enabled"`
-	LogLevel                string             `yaml:"logLevel"`
-	DataDir                 string             `yaml:"dataDir"`
-	DnsDomain               string             `yaml:"dnsDomain"`
-	DisableAnonymousMetrics bool               `yaml:"disableAnonymousMetrics"`
-	DisableGeoliteUpdate    bool               `yaml:"disableGeoliteUpdate"`
-	DisableDefaultPolicy    bool               `yaml:"disableDefaultPolicy"`
-	Auth                    AuthConfig         `yaml:"auth"`
-	Stuns                   []HostConfig       `yaml:"stuns"`
-	Relays                  RelaysConfig       `yaml:"relays"`
-	SignalURI               string             `yaml:"signalUri"`
-	Store                   StoreConfig        `yaml:"store"`
-	ReverseProxy            ReverseProxyConfig `yaml:"reverseProxy"`
-}
-
-// AuthConfig contains authentication/identity provider settings
-type AuthConfig struct {
-	Issuer                string            `yaml:"issuer"`
-	LocalAuthDisabled     bool              `yaml:"localAuthDisabled"`
-	SignKeyRefreshEnabled bool              `yaml:"signKeyRefreshEnabled"`
-	Storage               AuthStorageConfig `yaml:"storage"`
-	DashboardRedirectURIs []string          `yaml:"dashboardRedirectURIs"`
-	CLIRedirectURIs       []string          `yaml:"cliRedirectURIs"`
-	Owner                 *AuthOwnerConfig  `yaml:"owner,omitempty"`
-}
-
-// AuthStorageConfig contains auth storage settings
-type AuthStorageConfig struct {
-	Type string `yaml:"type"`
-	File string `yaml:"file"`
-}
-
-// AuthOwnerConfig contains initial admin user settings
-type AuthOwnerConfig struct {
-	Email    string `yaml:"email"`
-	Password string `yaml:"password"`
-}
-
-// HostConfig represents a STUN/TURN/Signal host
-type HostConfig struct {
-	URI      string `yaml:"uri"`
-	Proto    string `yaml:"proto,omitempty"` // udp, dtls, tcp, http, https - defaults based on URI scheme
-	Username string `yaml:"username,omitempty"`
-	Password string `yaml:"password,omitempty"`
-}
-
-// RelaysConfig contains external relay server settings for clients
-type RelaysConfig struct {
-	Addresses      []string `yaml:"addresses"`
-	CredentialsTTL string   `yaml:"credentialsTTL"`
-	Secret         string   `yaml:"secret"`
-}
-
-// StoreConfig contains database settings
-type StoreConfig struct {
-	Engine        string `yaml:"engine"`
-	EncryptionKey string `yaml:"encryptionKey"`
-	DSN           string `yaml:"dsn"` // Connection string for postgres or mysql engines
-}
-
-// ReverseProxyConfig contains reverse proxy settings
-type ReverseProxyConfig struct {
-	TrustedHTTPProxies      []string `yaml:"trustedHTTPProxies"`
-	TrustedHTTPProxiesCount uint     `yaml:"trustedHTTPProxiesCount"`
-	TrustedPeers            []string `yaml:"trustedPeers"`
-}
-
-// DefaultConfig returns a CombinedConfig with default values
-func DefaultConfig() *CombinedConfig {
-	return &CombinedConfig{
-		Server: ServerConfig{
-			ListenAddress:      ":443",
-			MetricsPort:        9090,
-			HealthcheckAddress: ":9000",
-			LogLevel:           "info",
-			LogFile:            "console",
-			StunPorts:          []int{3478},
-			DataDir:            "/var/lib/netbird/",
-			Auth: AuthConfig{
-				Storage: AuthStorageConfig{
-					Type: "sqlite3",
-				},
-			},
-			Store: StoreConfig{
-				Engine: "sqlite",
-			},
-		},
-		Relay: RelayConfig{
-			// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-			Stun: StunConfig{
-				Enabled: false,
-				Ports:   []int{3478},
-				// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-			},
-		},
-		Signal: SignalConfig{
-			// LogLevel inherited from Server.LogLevel via ApplySimplifiedDefaults
-		},
-		Management: ManagementConfig{
-			DataDir: "/var/lib/netbird/",
-			Auth: AuthConfig{
-				Storage: AuthStorageConfig{
-					Type: "sqlite3",
-				},
-			},
-			Relays: RelaysConfig{
-				CredentialsTTL: "12h",
-			},
-			Store: StoreConfig{
-				Engine: "sqlite",
-			},
-		},
-	}
-}
-
-// hasRequiredSettings returns true if the configuration has the required server settings
-func (c *CombinedConfig) hasRequiredSettings() bool {
-	return c.Server.ExposedAddress != ""
-}
-
-// parseExposedAddress extracts protocol, host, and host:port from the exposed address
-// Input format: "https://example.com:443" or "http://example.com:8080" or "example.com:443"
-// Returns: protocol ("https" or "http"), hostname only, and host:port
-func parseExposedAddress(exposedAddress string) (protocol, hostname, hostPort string) {
-	// Default to https if no protocol specified
-	protocol = "https"
-	hostPort = exposedAddress
-
-	// Check for protocol prefix
-	if strings.HasPrefix(exposedAddress, "https://") {
-		protocol = "https"
-		hostPort = strings.TrimPrefix(exposedAddress, "https://")
-	} else if strings.HasPrefix(exposedAddress, "http://") {
-		protocol = "http"
-		hostPort = strings.TrimPrefix(exposedAddress, "http://")
-	}
-
-	// Extract hostname (without port)
-	hostname = hostPort
-	if host, _, err := net.SplitHostPort(hostPort); err == nil {
-		hostname = host
-	}
-
-	return protocol, hostname, hostPort
-}
-
-// ApplySimplifiedDefaults populates internal relay/signal/management configs from server settings.
-// Management is always enabled. Signal, Relay, and STUN are enabled unless external
-// overrides are configured (server.signalUri, server.relays, server.stuns).
-func (c *CombinedConfig) ApplySimplifiedDefaults() {
-	if !c.hasRequiredSettings() {
-		return
-	}
-
-	// Parse exposed address to extract protocol and hostname
-	exposedProto, exposedHost, exposedHostPort := parseExposedAddress(c.Server.ExposedAddress)
-
-	// Check for external service overrides
-	hasExternalRelay := len(c.Server.Relays.Addresses) > 0
-	hasExternalSignal := c.Server.SignalURI != ""
-	hasExternalStuns := len(c.Server.Stuns) > 0
-
-	// Default stunPorts to [3478] if not specified and no external STUN
-	if len(c.Server.StunPorts) == 0 && !hasExternalStuns {
-		c.Server.StunPorts = []int{3478}
-	}
-
-	c.applyRelayDefaults(exposedProto, exposedHostPort, hasExternalRelay, hasExternalStuns)
-	c.applySignalDefaults(hasExternalSignal)
-	c.applyManagementDefaults(exposedHost)
-
-	// Auto-configure client settings (stuns, relays, signalUri)
-	c.autoConfigureClientSettings(exposedProto, exposedHost, exposedHostPort, hasExternalStuns, hasExternalRelay, hasExternalSignal)
-}
-
-// applyRelayDefaults configures the relay service if no external relay is configured.
-func (c *CombinedConfig) applyRelayDefaults(exposedProto, exposedHostPort string, hasExternalRelay, hasExternalStuns bool) {
-	if hasExternalRelay {
-		return
-	}
-
-	c.Relay.Enabled = true
-	relayProto := "rel"
-	if exposedProto == "https" {
-		relayProto = "rels"
-	}
-	c.Relay.ExposedAddress = fmt.Sprintf("%s://%s", relayProto, exposedHostPort)
-	c.Relay.AuthSecret = c.Server.AuthSecret
-	if c.Relay.LogLevel == "" {
-		c.Relay.LogLevel = c.Server.LogLevel
-	}
-
-	// Enable local STUN only if no external STUN servers and stunPorts are configured
-	if !hasExternalStuns && len(c.Server.StunPorts) > 0 {
-		c.Relay.Stun.Enabled = true
-		c.Relay.Stun.Ports = c.Server.StunPorts
-		if c.Relay.Stun.LogLevel == "" {
-			c.Relay.Stun.LogLevel = c.Server.LogLevel
-		}
-	}
-}
-
-// applySignalDefaults configures the signal service if no external signal is configured.
-func (c *CombinedConfig) applySignalDefaults(hasExternalSignal bool) {
-	if hasExternalSignal {
-		return
-	}
-
-	c.Signal.Enabled = true
-	if c.Signal.LogLevel == "" {
-		c.Signal.LogLevel = c.Server.LogLevel
-	}
-}
-
-// applyManagementDefaults configures the management service (always enabled).
-func (c *CombinedConfig) applyManagementDefaults(exposedHost string) {
-	c.Management.Enabled = true
-	if c.Management.LogLevel == "" {
-		c.Management.LogLevel = c.Server.LogLevel
-	}
-	if c.Management.DataDir == "" || c.Management.DataDir == "/var/lib/netbird/" {
-		c.Management.DataDir = c.Server.DataDir
-	}
-	c.Management.DnsDomain = exposedHost
-	c.Management.DisableAnonymousMetrics = c.Server.DisableAnonymousMetrics
-	c.Management.DisableGeoliteUpdate = c.Server.DisableGeoliteUpdate
-	// Copy auth config from server if management auth issuer is not set
-	if c.Management.Auth.Issuer == "" && c.Server.Auth.Issuer != "" {
-		c.Management.Auth = c.Server.Auth
-	}
-
-	// Copy store config from server if not set
-	if c.Management.Store.Engine == "" || c.Management.Store.Engine == "sqlite" {
-		if c.Server.Store.Engine != "" {
-			c.Management.Store = c.Server.Store
-		}
-	}
-
-	// Copy reverse proxy config from server
-	if len(c.Server.ReverseProxy.TrustedHTTPProxies) > 0 || c.Server.ReverseProxy.TrustedHTTPProxiesCount > 0 || len(c.Server.ReverseProxy.TrustedPeers) > 0 {
-		c.Management.ReverseProxy = c.Server.ReverseProxy
-	}
-}
-
-// autoConfigureClientSettings sets up STUN/relay/signal URIs for clients
-// External overrides from server config take precedence over auto-generated values
-func (c *CombinedConfig) autoConfigureClientSettings(exposedProto, exposedHost, exposedHostPort string, hasExternalStuns, hasExternalRelay, hasExternalSignal bool) {
-	// Determine relay protocol from exposed protocol
-	relayProto := "rel"
-	if exposedProto == "https" {
-		relayProto = "rels"
-	}
-
-	// Configure STUN servers for clients
-	if hasExternalStuns {
-		// Use external STUN servers from server config
-		c.Management.Stuns = c.Server.Stuns
-	} else if len(c.Server.StunPorts) > 0 && len(c.Management.Stuns) == 0 {
-		// Auto-configure local STUN servers for all ports
-		for _, port := range c.Server.StunPorts {
-			c.Management.Stuns = append(c.Management.Stuns, HostConfig{
-				URI: fmt.Sprintf("stun:%s:%d", exposedHost, port),
-			})
-		}
-	}
-
-	// Configure relay for clients
-	if hasExternalRelay {
-		// Use external relay config from server
-		c.Management.Relays = c.Server.Relays
-	} else if len(c.Management.Relays.Addresses) == 0 {
-		// Auto-configure local relay
-		c.Management.Relays.Addresses = []string{
-			fmt.Sprintf("%s://%s", relayProto, exposedHostPort),
-		}
-	}
-	if c.Management.Relays.Secret == "" {
-		c.Management.Relays.Secret = c.Server.AuthSecret
-	}
-	if c.Management.Relays.CredentialsTTL == "" {
-		c.Management.Relays.CredentialsTTL = "12h"
-	}
-
-	// Configure signal for clients
-	if hasExternalSignal {
-		// Use external signal URI from server config
-		c.Management.SignalURI = c.Server.SignalURI
-	} else if c.Management.SignalURI == "" {
-		// Auto-configure local signal
-		c.Management.SignalURI = fmt.Sprintf("%s://%s", exposedProto, exposedHostPort)
-	}
-}
-
-// LoadConfig loads configuration from a YAML file
-func LoadConfig(configPath string) (*CombinedConfig, error) {
-	cfg := DefaultConfig()
-
-	if configPath == "" {
-		return cfg, nil
-	}
-
-	data, err := os.ReadFile(configPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read config file: %w", err)
-	}
-
-	if err := yaml.Unmarshal(data, cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse config file: %w", err)
-	}
-
-	// Populate internal configs from server settings
-	cfg.ApplySimplifiedDefaults()
-
-	return cfg, nil
-}
-
-// Validate validates the configuration
-func (c *CombinedConfig) Validate() error {
-	if c.Server.ExposedAddress == "" {
-		return fmt.Errorf("server.exposedAddress is required")
-	}
-	if c.Server.DataDir == "" {
-		return fmt.Errorf("server.dataDir is required")
-	}
-
-	// Validate STUN ports
-	seen := make(map[int]bool)
-	for _, port := range c.Server.StunPorts {
-		if port <= 0 || port > 65535 {
-			return fmt.Errorf("invalid server.stunPorts value %d: must be between 1 and 65535", port)
-		}
-		if seen[port] {
-			return fmt.Errorf("duplicate STUN port %d in server.stunPorts", port)
-		}
-		seen[port] = true
-	}
-
-	// authSecret is required only if running local relay (no external relay configured)
-	hasExternalRelay := len(c.Server.Relays.Addresses) > 0
-	if !hasExternalRelay && c.Server.AuthSecret == "" {
-		return fmt.Errorf("server.authSecret is required when running local relay")
-	}
-
-	return nil
-}
-
-// HasTLSCert returns true if TLS certificate files are configured
-func (c *CombinedConfig) HasTLSCert() bool {
-	return c.Server.TLS.CertFile != "" && c.Server.TLS.KeyFile != ""
-}
-
-// HasLetsEncrypt returns true if Let's Encrypt is configured
-func (c *CombinedConfig) HasLetsEncrypt() bool {
-	return c.Server.TLS.LetsEncrypt.Enabled &&
-		c.Server.TLS.LetsEncrypt.DataDir != "" &&
-		len(c.Server.TLS.LetsEncrypt.Domains) > 0
-}
-
-// parseExplicitProtocol parses an explicit protocol string to nbconfig.Protocol
-func parseExplicitProtocol(proto string) (nbconfig.Protocol, bool) {
-	switch strings.ToLower(proto) {
-	case "udp":
-		return nbconfig.UDP, true
-	case "dtls":
-		return nbconfig.DTLS, true
-	case "tcp":
-		return nbconfig.TCP, true
-	case "http":
-		return nbconfig.HTTP, true
-	case "https":
-		return nbconfig.HTTPS, true
-	default:
-		return "", false
-	}
-}
-
-// parseStunProtocol determines protocol for STUN/TURN servers.
-// stun: → UDP, stuns: → DTLS, turn: → UDP, turns: → DTLS
-// Explicit proto overrides URI scheme. Defaults to UDP.
-func parseStunProtocol(uri, proto string) nbconfig.Protocol {
-	if proto != "" {
-		if p, ok := parseExplicitProtocol(proto); ok {
-			return p
-		}
-	}
-
-	uri = strings.ToLower(uri)
-	switch {
-	case strings.HasPrefix(uri, "stuns:"):
-		return nbconfig.DTLS
-	case strings.HasPrefix(uri, "turns:"):
-		return nbconfig.DTLS
-	default:
-		// stun:, turn:, or no scheme - default to UDP
-		return nbconfig.UDP
-	}
-}
-
-// parseSignalProtocol determines protocol for Signal servers.
-// https:// → HTTPS, http:// → HTTP. Defaults to HTTPS.
-func parseSignalProtocol(uri string) nbconfig.Protocol {
-	uri = strings.ToLower(uri)
-	switch {
-	case strings.HasPrefix(uri, "http://"):
-		return nbconfig.HTTP
-	default:
-		// https:// or no scheme - default to HTTPS
-		return nbconfig.HTTPS
-	}
-}
-
-// stripSignalProtocol removes the protocol prefix from a signal URI.
-// Returns just the host:port (e.g., "selfhosted2.demo.netbird.io:443").
-func stripSignalProtocol(uri string) string {
-	uri = strings.TrimPrefix(uri, "https://")
-	uri = strings.TrimPrefix(uri, "http://")
-	return uri
-}
-
-// ToManagementConfig converts CombinedConfig to management server config
-func (c *CombinedConfig) ToManagementConfig() (*nbconfig.Config, error) {
-	mgmt := c.Management
-
-	// Build STUN hosts
-	var stuns []*nbconfig.Host
-	for _, s := range mgmt.Stuns {
-		stuns = append(stuns, &nbconfig.Host{
-			URI:      s.URI,
-			Proto:    parseStunProtocol(s.URI, s.Proto),
-			Username: s.Username,
-			Password: s.Password,
-		})
-	}
-
-	// Build relay config
-	var relayConfig *nbconfig.Relay
-	if len(mgmt.Relays.Addresses) > 0 || mgmt.Relays.Secret != "" {
-		var ttl time.Duration
-		if mgmt.Relays.CredentialsTTL != "" {
-			var err error
-			ttl, err = time.ParseDuration(mgmt.Relays.CredentialsTTL)
-			if err != nil {
-				return nil, fmt.Errorf("invalid relay credentials TTL %q: %w", mgmt.Relays.CredentialsTTL, err)
-			}
-		}
-		relayConfig = &nbconfig.Relay{
-			Addresses:      mgmt.Relays.Addresses,
-			CredentialsTTL: util.Duration{Duration: ttl},
-			Secret:         mgmt.Relays.Secret,
-		}
-	}
-
-	// Build signal config
-	var signalConfig *nbconfig.Host
-	if mgmt.SignalURI != "" {
-		signalConfig = &nbconfig.Host{
-			URI:   stripSignalProtocol(mgmt.SignalURI),
-			Proto: parseSignalProtocol(mgmt.SignalURI),
-		}
-	}
-
-	// Build store config
-	storeConfig := nbconfig.StoreConfig{
-		Engine: types.Engine(mgmt.Store.Engine),
-	}
-
-	// Build reverse proxy config
-	reverseProxy := nbconfig.ReverseProxy{
-		TrustedHTTPProxiesCount: mgmt.ReverseProxy.TrustedHTTPProxiesCount,
-	}
-	for _, p := range mgmt.ReverseProxy.TrustedHTTPProxies {
-		if prefix, err := netip.ParsePrefix(p); err == nil {
-			reverseProxy.TrustedHTTPProxies = append(reverseProxy.TrustedHTTPProxies, prefix)
-		}
-	}
-	for _, p := range mgmt.ReverseProxy.TrustedPeers {
-		if prefix, err := netip.ParsePrefix(p); err == nil {
-			reverseProxy.TrustedPeers = append(reverseProxy.TrustedPeers, prefix)
-		}
-	}
-
-	// Build HTTP config (required, even if empty)
-	httpConfig := &nbconfig.HttpServerConfig{}
-
-	// Build embedded IDP config (always enabled in combined server)
-	storageFile := mgmt.Auth.Storage.File
-	if storageFile == "" {
-		storageFile = path.Join(mgmt.DataDir, "idp.db")
-	}
-
-	embeddedIdP := &idp.EmbeddedIdPConfig{
-		Enabled:               true,
-		Issuer:                mgmt.Auth.Issuer,
-		LocalAuthDisabled:     mgmt.Auth.LocalAuthDisabled,
-		SignKeyRefreshEnabled: mgmt.Auth.SignKeyRefreshEnabled,
-		Storage: idp.EmbeddedStorageConfig{
-			Type: mgmt.Auth.Storage.Type,
-			Config: idp.EmbeddedStorageTypeConfig{
-				File: storageFile,
-			},
-		},
-		DashboardRedirectURIs: mgmt.Auth.DashboardRedirectURIs,
-		CLIRedirectURIs:       mgmt.Auth.CLIRedirectURIs,
-	}
-
-	if mgmt.Auth.Owner != nil && mgmt.Auth.Owner.Email != "" {
-		embeddedIdP.Owner = &idp.OwnerConfig{
-			Email: mgmt.Auth.Owner.Email,
-			Hash:  mgmt.Auth.Owner.Password, // Will be hashed if plain text
-		}
-	}
-
-	// Set HTTP config fields for embedded IDP
-	httpConfig.AuthIssuer = mgmt.Auth.Issuer
-	httpConfig.AuthAudience = "netbird-dashboard"
-	httpConfig.AuthClientID = httpConfig.AuthAudience
-	httpConfig.CLIAuthAudience = "netbird-cli"
-	httpConfig.AuthUserIDClaim = "sub"
-	httpConfig.AuthKeysLocation = mgmt.Auth.Issuer + "/keys"
-	httpConfig.OIDCConfigEndpoint = mgmt.Auth.Issuer + "/.well-known/openid-configuration"
-	httpConfig.IdpSignKeyRefreshEnabled = mgmt.Auth.SignKeyRefreshEnabled
-	callbackURL := strings.TrimSuffix(httpConfig.AuthIssuer, "/oauth2")
-	httpConfig.AuthCallbackURL = callbackURL + types.ProxyCallbackEndpointFull
-
-	return &nbconfig.Config{
-		Stuns:                  stuns,
-		Relay:                  relayConfig,
-		Signal:                 signalConfig,
-		Datadir:                mgmt.DataDir,
-		DataStoreEncryptionKey: mgmt.Store.EncryptionKey,
-		HttpConfig:             httpConfig,
-		StoreConfig:            storeConfig,
-		ReverseProxy:           reverseProxy,
-		DisableDefaultPolicy:   mgmt.DisableDefaultPolicy,
-		EmbeddedIdP:            embeddedIdP,
-	}, nil
-}
-
-// ApplyEmbeddedIdPConfig applies embedded IdP configuration to the management config.
-// This mirrors the logic in management/cmd/management.go ApplyEmbeddedIdPConfig.
-func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config, mgmtPort int, disableSingleAccMode bool) error {
-	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
-		return nil
-	}
-
-	// Embedded IdP requires single account mode
-	if disableSingleAccMode {
-		return fmt.Errorf("embedded IdP requires single account mode; multiple account mode is not supported with embedded IdP")
-	}
-
-	// Set LocalAddress for embedded IdP, used for internal JWT validation
-	cfg.EmbeddedIdP.LocalAddress = fmt.Sprintf("localhost:%d", mgmtPort)
-
-	// Set storage defaults based on Datadir
-	if cfg.EmbeddedIdP.Storage.Type == "" {
-		cfg.EmbeddedIdP.Storage.Type = "sqlite3"
-	}
-	if cfg.EmbeddedIdP.Storage.Config.File == "" && cfg.Datadir != "" {
-		cfg.EmbeddedIdP.Storage.Config.File = path.Join(cfg.Datadir, "idp.db")
-	}
-
-	issuer := cfg.EmbeddedIdP.Issuer
-
-	// Ensure HttpConfig exists
-	if cfg.HttpConfig == nil {
-		cfg.HttpConfig = &nbconfig.HttpServerConfig{}
-	}
-
-	// Set HttpConfig values from EmbeddedIdP
-	cfg.HttpConfig.AuthIssuer = issuer
-	cfg.HttpConfig.AuthAudience = "netbird-dashboard"
-	cfg.HttpConfig.CLIAuthAudience = "netbird-cli"
-	cfg.HttpConfig.AuthUserIDClaim = "sub"
-	cfg.HttpConfig.AuthKeysLocation = issuer + "/keys"
-	cfg.HttpConfig.OIDCConfigEndpoint = issuer + "/.well-known/openid-configuration"
-	cfg.HttpConfig.IdpSignKeyRefreshEnabled = true
-
-	return nil
-}
-
-// EnsureEncryptionKey generates an encryption key if not set.
-// Unlike management server, we don't write back to the config file.
-func EnsureEncryptionKey(ctx context.Context, cfg *nbconfig.Config) error {
-	if cfg.DataStoreEncryptionKey != "" {
-		return nil
-	}
-
-	log.WithContext(ctx).Infof("DataStoreEncryptionKey is not set, generating a new key")
-	key, err := crypt.GenerateKey()
-	if err != nil {
-		return fmt.Errorf("failed to generate datastore encryption key: %v", err)
-	}
-	cfg.DataStoreEncryptionKey = key
-	keyPreview := key[:8] + "..."
-	log.WithContext(ctx).Warnf("DataStoreEncryptionKey generated (%s); add it to your config file under 'server.store.encryptionKey' to persist across restarts", keyPreview)
-
-	return nil
-}
-
-// LogConfigInfo logs informational messages about the loaded configuration
-func LogConfigInfo(cfg *nbconfig.Config) {
-	if cfg.EmbeddedIdP != nil && cfg.EmbeddedIdP.Enabled {
-		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
-	}
-	if cfg.Relay != nil {
-		log.Infof("Relay addresses: %v", cfg.Relay.Addresses)
-	}
-}

combined/cmd/pprof.go

@@ -1,33 +0,0 @@
-//go:build pprof
-// +build pprof
-
-package cmd
-
-import (
-	"net/http"
-	_ "net/http/pprof"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func init() {
-	addr := pprofAddr()
-	go pprof(addr)
-}
-
-func pprofAddr() string {
-	listenAddr := os.Getenv("NB_PPROF_ADDR")
-	if listenAddr == "" {
-		return "localhost:6969"
-	}
-
-	return listenAddr
-}
-
-func pprof(listenAddr string) {
-	log.Infof("listening pprof on: %s\n", listenAddr)
-	if err := http.ListenAndServe(listenAddr, nil); err != nil {
-		log.Fatalf("Failed to start pprof: %v", err)
-	}
-}

combined/cmd/root.go

@@ -1,715 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"crypto/sha256"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"os"
-	"os/signal"
-	"strconv"
-	"strings"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/coder/websocket"
-	"github.com/hashicorp/go-multierror"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"go.opentelemetry.io/otel/metric"
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/encryption"
-	mgmtServer "github.com/netbirdio/netbird/management/internals/server"
-	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/relay/healthcheck"
-	relayServer "github.com/netbirdio/netbird/relay/server"
-	"github.com/netbirdio/netbird/relay/server/listener/ws"
-	sharedMetrics "github.com/netbirdio/netbird/shared/metrics"
-	"github.com/netbirdio/netbird/shared/relay/auth"
-	"github.com/netbirdio/netbird/shared/signal/proto"
-	signalServer "github.com/netbirdio/netbird/signal/server"
-	"github.com/netbirdio/netbird/stun"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/wsproxy"
-	wsproxyserver "github.com/netbirdio/netbird/util/wsproxy/server"
-)
-
-var (
-	configPath string
-	config     *CombinedConfig
-
-	rootCmd = &cobra.Command{
-		Use:   "combined",
-		Short: "Combined Netbird server (Management + Signal + Relay + STUN)",
-		Long: `Combined Netbird server for self-hosted deployments.
-
-All services (Management, Signal, Relay) are multiplexed on a single port.
-Optional STUN server runs on separate UDP ports.
-
-Configuration is loaded from a YAML file specified with --config.`,
-		SilenceUsage:  true,
-		SilenceErrors: true,
-		RunE:          execute,
-	}
-)
-
-func init() {
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", "", "path to YAML configuration file (required)")
-	_ = rootCmd.MarkPersistentFlagRequired("config")
-
-	rootCmd.AddCommand(newTokenCommands())
-}
-
-func Execute() error {
-	return rootCmd.Execute()
-}
-
-func waitForExitSignal() {
-	osSigs := make(chan os.Signal, 1)
-	signal.Notify(osSigs, syscall.SIGINT, syscall.SIGTERM)
-	<-osSigs
-}
-
-func execute(cmd *cobra.Command, _ []string) error {
-	if err := initializeConfig(); err != nil {
-		return err
-	}
-
-	// Management is required as the base server when signal or relay are enabled
-	if (config.Signal.Enabled || config.Relay.Enabled) && !config.Management.Enabled {
-		return fmt.Errorf("management must be enabled when signal or relay are enabled (provides the base HTTP server)")
-	}
-
-	servers, err := createAllServers(cmd.Context(), config)
-	if err != nil {
-		return err
-	}
-
-	// Register services with management's gRPC server using AfterInit hook
-	setupServerHooks(servers, config)
-
-	// Start management server (this also starts the HTTP listener)
-	if servers.mgmtSrv != nil {
-		if err := servers.mgmtSrv.Start(cmd.Context()); err != nil {
-			cleanupSTUNListeners(servers.stunListeners)
-			return fmt.Errorf("failed to start management server: %w", err)
-		}
-	}
-
-	// Start all other servers
-	wg := sync.WaitGroup{}
-	startServers(&wg, servers.relaySrv, servers.healthcheck, servers.stunServer, servers.metricsServer)
-
-	waitForExitSignal()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	err = shutdownServers(ctx, servers.relaySrv, servers.healthcheck, servers.stunServer, servers.mgmtSrv, servers.metricsServer)
-	wg.Wait()
-	return err
-}
-
-// initializeConfig loads and validates the configuration, then initializes logging.
-func initializeConfig() error {
-	var err error
-	config, err = LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("failed to load config: %w", err)
-	}
-
-	if err := config.Validate(); err != nil {
-		return fmt.Errorf("invalid config: %w", err)
-	}
-
-	if err := util.InitLog(config.Server.LogLevel, config.Server.LogFile); err != nil {
-		return fmt.Errorf("failed to initialize log: %w", err)
-	}
-
-	if dsn := config.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(config.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-
-	log.Infof("Starting combined NetBird server")
-	logConfig(config)
-	logEnvVars()
-	return nil
-}
-
-// serverInstances holds all server instances created during startup.
-type serverInstances struct {
-	relaySrv      *relayServer.Server
-	mgmtSrv       *mgmtServer.BaseServer
-	signalSrv     *signalServer.Server
-	healthcheck   *healthcheck.Server
-	stunServer    *stun.Server
-	stunListeners []*net.UDPConn
-	metricsServer *sharedMetrics.Metrics
-}
-
-// createAllServers creates all server instances based on configuration.
-func createAllServers(ctx context.Context, cfg *CombinedConfig) (*serverInstances, error) {
-	metricsServer, err := sharedMetrics.NewServer(cfg.Server.MetricsPort, "")
-	if err != nil {
-		return nil, fmt.Errorf("failed to create metrics server: %w", err)
-	}
-	servers := &serverInstances{
-		metricsServer: metricsServer,
-	}
-
-	_, tlsSupport, err := handleTLSConfig(cfg)
-	if err != nil {
-		return nil, fmt.Errorf("failed to setup TLS config: %w", err)
-	}
-
-	if err := servers.createRelayServer(cfg, tlsSupport); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createManagementServer(ctx, cfg); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createSignalServer(ctx, cfg); err != nil {
-		return nil, err
-	}
-
-	if err := servers.createHealthcheckServer(cfg); err != nil {
-		return nil, err
-	}
-
-	return servers, nil
-}
-
-func (s *serverInstances) createRelayServer(cfg *CombinedConfig, tlsSupport bool) error {
-	if !cfg.Relay.Enabled {
-		return nil
-	}
-
-	var err error
-	s.stunListeners, err = createSTUNListeners(cfg)
-	if err != nil {
-		return err
-	}
-
-	hashedSecret := sha256.Sum256([]byte(cfg.Relay.AuthSecret))
-	authenticator := auth.NewTimedHMACValidator(hashedSecret[:], 24*time.Hour)
-
-	relayCfg := relayServer.Config{
-		Meter:          s.metricsServer.Meter,
-		ExposedAddress: cfg.Relay.ExposedAddress,
-		AuthValidator:  authenticator,
-		TLSSupport:     tlsSupport,
-	}
-
-	s.relaySrv, err = createRelayServer(relayCfg, s.stunListeners)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("Relay server created")
-
-	if len(s.stunListeners) > 0 {
-		s.stunServer = stun.NewServer(s.stunListeners, cfg.Relay.Stun.LogLevel)
-	}
-
-	return nil
-}
-
-func (s *serverInstances) createManagementServer(ctx context.Context, cfg *CombinedConfig) error {
-	if !cfg.Management.Enabled {
-		return nil
-	}
-
-	mgmtConfig, err := cfg.ToManagementConfig()
-	if err != nil {
-		return fmt.Errorf("failed to create management config: %w", err)
-	}
-
-	_, portStr, portErr := net.SplitHostPort(cfg.Server.ListenAddress)
-	if portErr != nil {
-		portStr = "443"
-	}
-	mgmtPort, _ := strconv.Atoi(portStr)
-
-	if err := ApplyEmbeddedIdPConfig(ctx, mgmtConfig, mgmtPort, false); err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to apply embedded IdP config: %w", err)
-	}
-
-	if err := EnsureEncryptionKey(ctx, mgmtConfig); err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to ensure encryption key: %w", err)
-	}
-
-	LogConfigInfo(mgmtConfig)
-
-	s.mgmtSrv, err = createManagementServer(cfg, mgmtConfig)
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create management server: %w", err)
-	}
-
-	// Inject externally-managed AppMetrics so management uses the shared metrics server
-	appMetrics, err := telemetry.NewAppMetricsWithMeter(ctx, s.metricsServer.Meter)
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create management app metrics: %w", err)
-	}
-	mgmtServer.Inject[telemetry.AppMetrics](s.mgmtSrv, appMetrics)
-
-	log.Infof("Management server created")
-	return nil
-}
-
-func (s *serverInstances) createSignalServer(ctx context.Context, cfg *CombinedConfig) error {
-	if !cfg.Signal.Enabled {
-		return nil
-	}
-
-	var err error
-	s.signalSrv, err = signalServer.NewServer(ctx, s.metricsServer.Meter, "signal_")
-	if err != nil {
-		cleanupSTUNListeners(s.stunListeners)
-		return fmt.Errorf("failed to create signal server: %w", err)
-	}
-
-	log.Infof("Signal server created")
-	return nil
-}
-
-func (s *serverInstances) createHealthcheckServer(cfg *CombinedConfig) error {
-	hCfg := healthcheck.Config{
-		ListenAddress:  cfg.Server.HealthcheckAddress,
-		ServiceChecker: s.relaySrv,
-	}
-
-	var err error
-	s.healthcheck, err = createHealthCheck(hCfg, s.stunListeners)
-	return err
-}
-
-// setupServerHooks registers services with management's gRPC server.
-func setupServerHooks(servers *serverInstances, cfg *CombinedConfig) {
-	if servers.mgmtSrv == nil {
-		return
-	}
-
-	servers.mgmtSrv.AfterInit(func(s *mgmtServer.BaseServer) {
-		grpcSrv := s.GRPCServer()
-
-		if servers.signalSrv != nil {
-			proto.RegisterSignalExchangeServer(grpcSrv, servers.signalSrv)
-			log.Infof("Signal server registered on port %s", cfg.Server.ListenAddress)
-		}
-
-		s.SetHandlerFunc(createCombinedHandler(grpcSrv, s.APIHandler(), servers.relaySrv, servers.metricsServer.Meter, cfg))
-		if servers.relaySrv != nil {
-			log.Infof("Relay WebSocket handler added (path: /relay)")
-		}
-	})
-}
-
-func startServers(wg *sync.WaitGroup, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, metricsServer *sharedMetrics.Metrics) {
-	if srv != nil {
-		instanceURL := srv.InstanceURL()
-		log.Infof("Relay server instance URL: %s", instanceURL.String())
-		log.Infof("Relay WebSocket multiplexed on management port (no separate relay listener)")
-	}
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		log.Infof("running metrics server: %s%s", metricsServer.Addr, metricsServer.Endpoint)
-		if err := metricsServer.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Fatalf("failed to start metrics server: %v", err)
-		}
-	}()
-
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		if err := httpHealthcheck.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
-			log.Fatalf("failed to start healthcheck server: %v", err)
-		}
-	}()
-
-	if stunServer != nil {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			if err := stunServer.Listen(); err != nil {
-				if errors.Is(err, stun.ErrServerClosed) {
-					return
-				}
-				log.Errorf("STUN server error: %v", err)
-			}
-		}()
-	}
-}
-
-func shutdownServers(ctx context.Context, srv *relayServer.Server, httpHealthcheck *healthcheck.Server, stunServer *stun.Server, mgmtSrv *mgmtServer.BaseServer, metricsServer *sharedMetrics.Metrics) error {
-	var errs error
-
-	if err := httpHealthcheck.Shutdown(ctx); err != nil {
-		errs = multierror.Append(errs, fmt.Errorf("failed to close healthcheck server: %w", err))
-	}
-
-	if stunServer != nil {
-		if err := stunServer.Shutdown(); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close STUN server: %w", err))
-		}
-	}
-
-	if srv != nil {
-		if err := srv.Shutdown(ctx); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close relay server: %w", err))
-		}
-	}
-
-	if mgmtSrv != nil {
-		log.Infof("shutting down management and signal servers")
-		if err := mgmtSrv.Stop(); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close management server: %w", err))
-		}
-	}
-
-	if metricsServer != nil {
-		log.Infof("shutting down metrics server")
-		if err := metricsServer.Shutdown(ctx); err != nil {
-			errs = multierror.Append(errs, fmt.Errorf("failed to close metrics server: %w", err))
-		}
-	}
-
-	return errs
-}
-
-func createHealthCheck(hCfg healthcheck.Config, stunListeners []*net.UDPConn) (*healthcheck.Server, error) {
-	httpHealthcheck, err := healthcheck.NewServer(hCfg)
-	if err != nil {
-		cleanupSTUNListeners(stunListeners)
-		return nil, fmt.Errorf("failed to create healthcheck server: %w", err)
-	}
-	return httpHealthcheck, nil
-}
-
-func createRelayServer(cfg relayServer.Config, stunListeners []*net.UDPConn) (*relayServer.Server, error) {
-	srv, err := relayServer.NewServer(cfg)
-	if err != nil {
-		cleanupSTUNListeners(stunListeners)
-		return nil, fmt.Errorf("failed to create relay server: %w", err)
-	}
-	return srv, nil
-}
-
-func cleanupSTUNListeners(stunListeners []*net.UDPConn) {
-	for _, l := range stunListeners {
-		_ = l.Close()
-	}
-}
-
-func createSTUNListeners(cfg *CombinedConfig) ([]*net.UDPConn, error) {
-	var stunListeners []*net.UDPConn
-	if cfg.Relay.Stun.Enabled {
-		for _, port := range cfg.Relay.Stun.Ports {
-			listener, err := net.ListenUDP("udp", &net.UDPAddr{Port: port})
-			if err != nil {
-				cleanupSTUNListeners(stunListeners)
-				return nil, fmt.Errorf("failed to create STUN listener on port %d: %w", port, err)
-			}
-			stunListeners = append(stunListeners, listener)
-			log.Infof("STUN server listening on UDP port %d", port)
-		}
-	}
-	return stunListeners, nil
-}
-
-func handleTLSConfig(cfg *CombinedConfig) (*tls.Config, bool, error) {
-	tlsCfg := cfg.Server.TLS
-
-	if tlsCfg.LetsEncrypt.AWSRoute53 {
-		log.Debugf("using Let's Encrypt DNS resolver with Route 53 support")
-		r53 := encryption.Route53TLS{
-			DataDir: tlsCfg.LetsEncrypt.DataDir,
-			Email:   tlsCfg.LetsEncrypt.Email,
-			Domains: tlsCfg.LetsEncrypt.Domains,
-		}
-		tc, err := r53.GetCertificate()
-		if err != nil {
-			return nil, false, err
-		}
-		return tc, true, nil
-	}
-
-	if cfg.HasLetsEncrypt() {
-		log.Infof("setting up TLS with Let's Encrypt")
-		certManager, err := encryption.CreateCertManager(tlsCfg.LetsEncrypt.DataDir, tlsCfg.LetsEncrypt.Domains...)
-		if err != nil {
-			return nil, false, fmt.Errorf("failed creating LetsEncrypt cert manager: %w", err)
-		}
-		return certManager.TLSConfig(), true, nil
-	}
-
-	if cfg.HasTLSCert() {
-		log.Debugf("using file based TLS config")
-		tc, err := encryption.LoadTLSConfig(tlsCfg.CertFile, tlsCfg.KeyFile)
-		if err != nil {
-			return nil, false, err
-		}
-		return tc, true, nil
-	}
-
-	return nil, false, nil
-}
-
-func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*mgmtServer.BaseServer, error) {
-	mgmt := cfg.Management
-
-	dnsDomain := mgmt.DnsDomain
-	singleAccModeDomain := dnsDomain
-
-	// Extract port from listen address
-	_, portStr, err := net.SplitHostPort(cfg.Server.ListenAddress)
-	if err != nil {
-		// If no port specified, assume default
-		portStr = "443"
-	}
-	mgmtPort, _ := strconv.Atoi(portStr)
-
-	mgmtSrv := mgmtServer.NewServer(
-		&mgmtServer.Config{
-			NbConfig:                mgmtConfig,
-			DNSDomain:               dnsDomain,
-			MgmtSingleAccModeDomain: singleAccModeDomain,
-			MgmtPort:                mgmtPort,
-			MgmtMetricsPort:         cfg.Server.MetricsPort,
-			DisableMetrics:          mgmt.DisableAnonymousMetrics,
-			DisableGeoliteUpdate:    mgmt.DisableGeoliteUpdate,
-			// Always enable user deletion from IDP in combined server (embedded IdP is always enabled)
-			UserDeleteFromIDPEnabled: true,
-		},
-	)
-
-	return mgmtSrv, nil
-}
-
-// createCombinedHandler creates an HTTP handler that multiplexes Management, Signal (via wsproxy), and Relay WebSocket traffic
-func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
-	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))
-
-	var relayAcceptFn func(conn net.Conn)
-	if relaySrv != nil {
-		relayAcceptFn = relaySrv.RelayAccept()
-	}
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
-		// Native gRPC traffic (HTTP/2 with gRPC content-type)
-		case r.ProtoMajor == 2 && (strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc") ||
-			strings.HasPrefix(r.Header.Get("Content-Type"), "application/grpc+proto")):
-			grpcServer.ServeHTTP(w, r)
-
-		// WebSocket proxy for Management gRPC
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.ManagementComponent:
-			wsProxy.Handler().ServeHTTP(w, r)
-
-		// WebSocket proxy for Signal gRPC
-		case r.URL.Path == wsproxy.ProxyPath+wsproxy.SignalComponent:
-			if cfg.Signal.Enabled {
-				wsProxy.Handler().ServeHTTP(w, r)
-			} else {
-				http.Error(w, "Signal service not enabled", http.StatusNotFound)
-			}
-
-		// Relay WebSocket
-		case r.URL.Path == "/relay":
-			if relayAcceptFn != nil {
-				handleRelayWebSocket(w, r, relayAcceptFn, cfg)
-			} else {
-				http.Error(w, "Relay service not enabled", http.StatusNotFound)
-			}
-
-		// Management HTTP API (default)
-		default:
-			httpHandler.ServeHTTP(w, r)
-		}
-	})
-}
-
-// handleRelayWebSocket handles incoming WebSocket connections for the relay service
-func handleRelayWebSocket(w http.ResponseWriter, r *http.Request, acceptFn func(conn net.Conn), cfg *CombinedConfig) {
-	acceptOptions := &websocket.AcceptOptions{
-		OriginPatterns: []string{"*"},
-	}
-
-	wsConn, err := websocket.Accept(w, r, acceptOptions)
-	if err != nil {
-		log.Errorf("failed to accept relay ws connection: %s", err)
-		return
-	}
-
-	connRemoteAddr := r.RemoteAddr
-	if r.Header.Get("X-Real-Ip") != "" && r.Header.Get("X-Real-Port") != "" {
-		connRemoteAddr = net.JoinHostPort(r.Header.Get("X-Real-Ip"), r.Header.Get("X-Real-Port"))
-	}
-
-	rAddr, err := net.ResolveTCPAddr("tcp", connRemoteAddr)
-	if err != nil {
-		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
-		return
-	}
-
-	lAddr, err := net.ResolveTCPAddr("tcp", cfg.Server.ListenAddress)
-	if err != nil {
-		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
-		return
-	}
-
-	log.Debugf("Relay WS client connected from: %s", rAddr)
-
-	conn := ws.NewConn(wsConn, lAddr, rAddr)
-	acceptFn(conn)
-}
-
-// logConfig prints all configuration parameters for debugging
-func logConfig(cfg *CombinedConfig) {
-	log.Info("=== Configuration ===")
-	logServerConfig(cfg)
-	logComponentsConfig(cfg)
-	logRelayConfig(cfg)
-	logManagementConfig(cfg)
-	log.Info("=== End Configuration ===")
-}
-
-func logServerConfig(cfg *CombinedConfig) {
-	log.Info("--- Server ---")
-	log.Infof("  Listen address: %s", cfg.Server.ListenAddress)
-	log.Infof("  Exposed address: %s", cfg.Server.ExposedAddress)
-	log.Infof("  Healthcheck address: %s", cfg.Server.HealthcheckAddress)
-	log.Infof("  Metrics port: %d", cfg.Server.MetricsPort)
-	log.Infof("  Log level: %s", cfg.Server.LogLevel)
-	log.Infof("  Data dir: %s", cfg.Server.DataDir)
-
-	switch {
-	case cfg.HasTLSCert():
-		log.Infof("  TLS: cert=%s, key=%s", cfg.Server.TLS.CertFile, cfg.Server.TLS.KeyFile)
-	case cfg.HasLetsEncrypt():
-		log.Infof("  TLS: Let's Encrypt (domains=%v)", cfg.Server.TLS.LetsEncrypt.Domains)
-	default:
-		log.Info("  TLS: disabled (using reverse proxy)")
-	}
-}
-
-func logComponentsConfig(cfg *CombinedConfig) {
-	log.Info("--- Components ---")
-	log.Infof("  Management: %v (log level: %s)", cfg.Management.Enabled, cfg.Management.LogLevel)
-	log.Infof("  Signal: %v (log level: %s)", cfg.Signal.Enabled, cfg.Signal.LogLevel)
-	log.Infof("  Relay: %v (log level: %s)", cfg.Relay.Enabled, cfg.Relay.LogLevel)
-}
-
-func logRelayConfig(cfg *CombinedConfig) {
-	if !cfg.Relay.Enabled {
-		return
-	}
-	log.Info("--- Relay ---")
-	log.Infof("  Exposed address: %s", cfg.Relay.ExposedAddress)
-	log.Infof("  Auth secret: %s...", maskSecret(cfg.Relay.AuthSecret))
-	if cfg.Relay.Stun.Enabled {
-		log.Infof("  STUN ports: %v (log level: %s)", cfg.Relay.Stun.Ports, cfg.Relay.Stun.LogLevel)
-	} else {
-		log.Info("  STUN: disabled")
-	}
-}
-
-func logManagementConfig(cfg *CombinedConfig) {
-	if !cfg.Management.Enabled {
-		return
-	}
-	log.Info("--- Management ---")
-	log.Infof("  Data dir: %s", cfg.Management.DataDir)
-	log.Infof("  DNS domain: %s", cfg.Management.DnsDomain)
-	log.Infof("  Store engine: %s", cfg.Management.Store.Engine)
-	if cfg.Server.Store.DSN != "" {
-		log.Infof("  Store DSN: %s", maskDSNPassword(cfg.Server.Store.DSN))
-	}
-
-	log.Info("  Auth (embedded IdP):")
-	log.Infof("    Issuer: %s", cfg.Management.Auth.Issuer)
-	log.Infof("    Dashboard redirect URIs: %v", cfg.Management.Auth.DashboardRedirectURIs)
-	log.Infof("    CLI redirect URIs: %v", cfg.Management.Auth.CLIRedirectURIs)
-
-	log.Info("  Client settings:")
-	log.Infof("    Signal URI: %s", cfg.Management.SignalURI)
-	for _, s := range cfg.Management.Stuns {
-		log.Infof("    STUN: %s", s.URI)
-	}
-	if len(cfg.Management.Relays.Addresses) > 0 {
-		log.Infof("    Relay addresses: %v", cfg.Management.Relays.Addresses)
-		log.Infof("    Relay credentials TTL: %s", cfg.Management.Relays.CredentialsTTL)
-	}
-}
-
-// logEnvVars logs all NB_ environment variables that are currently set
-func logEnvVars() {
-	log.Info("=== Environment Variables ===")
-	found := false
-	for _, env := range os.Environ() {
-		if strings.HasPrefix(env, "NB_") {
-			key, _, _ := strings.Cut(env, "=")
-			value := os.Getenv(key)
-			if strings.Contains(strings.ToLower(key), "secret") || strings.Contains(strings.ToLower(key), "key") || strings.Contains(strings.ToLower(key), "password") {
-				value = maskSecret(value)
-			}
-			log.Infof("  %s=%s", key, value)
-			found = true
-		}
-	}
-	if !found {
-		log.Info("  (none set)")
-	}
-	log.Info("=== End Environment Variables ===")
-}
-
-// maskDSNPassword masks the password in a DSN string.
-// Handles both key=value format ("password=secret") and URI format ("user:secret@host").
-func maskDSNPassword(dsn string) string {
-	// Key=value format: "host=localhost user=nb password=secret dbname=nb"
-	if strings.Contains(dsn, "password=") {
-		parts := strings.Fields(dsn)
-		for i, p := range parts {
-			if strings.HasPrefix(p, "password=") {
-				parts[i] = "password=****"
-			}
-		}
-		return strings.Join(parts, " ")
-	}
-
-	// URI format: "user:password@host..."
-	if atIdx := strings.Index(dsn, "@"); atIdx != -1 {
-		prefix := dsn[:atIdx]
-		if colonIdx := strings.Index(prefix, ":"); colonIdx != -1 {
-			return prefix[:colonIdx+1] + "****" + dsn[atIdx:]
-		}
-	}
-
-	return dsn
-}
-
-// maskSecret returns first 4 chars of secret followed by "..."
-func maskSecret(secret string) string {
-	if len(secret) <= 4 {
-		return "****"
-	}
-	return secret[:4] + "..."
-}

combined/cmd/token.go

@@ -1,60 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/formatter/hook"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/util"
-)
-
-// newTokenCommands creates the token command tree with combined-specific store opener.
-func newTokenCommands() *cobra.Command {
-	return tokencmd.NewCommands(withTokenStore)
-}
-
-// withTokenStore loads the combined YAML config, initializes the store, and calls fn.
-func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error {
-	if err := util.InitLog("error", "console"); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
-
-	cfg, err := LoadConfig(configPath)
-	if err != nil {
-		return fmt.Errorf("load config: %w", err)
-	}
-
-	if dsn := cfg.Server.Store.DSN; dsn != "" {
-		switch strings.ToLower(cfg.Server.Store.Engine) {
-		case "postgres":
-			os.Setenv("NB_STORE_ENGINE_POSTGRES_DSN", dsn)
-		case "mysql":
-			os.Setenv("NB_STORE_ENGINE_MYSQL_DSN", dsn)
-		}
-	}
-
-	datadir := cfg.Management.DataDir
-	engine := types.Engine(cfg.Management.Store.Engine)
-
-	s, err := store.NewStore(ctx, engine, datadir, nil, true)
-	if err != nil {
-		return fmt.Errorf("create store: %w", err)
-	}
-	defer func() {
-		if err := s.Close(ctx); err != nil {
-			log.Debugf("close store: %v", err)
-		}
-	}()
-
-	return fn(ctx, s)
-}

combined/config-simple.yaml.example

@@ -1,111 +0,0 @@
-# NetBird Combined Server Configuration
-# Copy this file to config.yaml and customize for your deployment
-#
-# This is a Management server with optional embedded Signal, Relay, and STUN services.
-# By default, all services run locally. You can use external services instead by
-# setting the corresponding override fields.
-#
-# Architecture:
-#   - Management: Always runs locally (this IS the management server)
-#   - Signal: Local by default; set 'signalUri' to use external (disables local)
-#   - Relay: Local by default; set 'relays' to use external (disables local)
-#   - STUN: Local on port 3478 by default; set 'stuns' to use external instead
-
-server:
-  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
-  listenAddress: ":443"
-
-  # Public address that peers will use to connect to this server
-  # Used for relay connections and management DNS domain
-  # Format: protocol://hostname:port (e.g., https://server.mycompany.com:443)
-  exposedAddress: "https://server.mycompany.com:443"
-
-  # STUN server ports (defaults to [3478] if not specified; set 'stuns' to use external)
-  # stunPorts:
-  #   - 3478
-
-  # Metrics endpoint port
-  metricsPort: 9090
-
-  # Healthcheck endpoint address
-  healthcheckAddress: ":9000"
-
-  # Logging configuration
-  logLevel: "info"    # Default log level for all components: panic, fatal, error, warn, info, debug, trace
-  logFile: "console"  # "console" or path to log file
-
-  # TLS configuration (optional)
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-      dataDir: ""
-      domains: []
-      email: ""
-      awsRoute53: false
-
-  # Shared secret for relay authentication (required when running local relay)
-  authSecret: "your-secret-key-here"
-
-  # Data directory for all services
-  dataDir: "/var/lib/netbird/"
-
-  # ============================================================================
-  # External Service Overrides (optional)
-  # Use these to point to external Signal, Relay, or STUN servers instead of
-  # running them locally. When set, the corresponding local service is disabled.
-  # ============================================================================
-
-  # External STUN servers - disables local STUN server
-  # stuns:
-  #   - uri: "stun:stun.example.com:3478"
-  #   - uri: "stun:stun.example.com:3479"
-
-  # External relay servers - disables local relay server
-  # relays:
-  #   addresses:
-  #     - "rels://relay.example.com:443"
-  #   credentialsTTL: "12h"
-  #   secret: "relay-shared-secret"
-
-  # External signal server - disables local signal server
-  # signalUri: "https://signal.example.com:443"
-
-  # ============================================================================
-  # Management Settings
-  # ============================================================================
-
-  # Metrics and updates
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  # Embedded authentication/identity provider (Dex) configuration (always enabled)
-  auth:
-    # OIDC issuer URL - must be publicly accessible
-    issuer: "https://server.mycompany.com/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    # OAuth2 redirect URIs for dashboard
-    dashboardRedirectURIs:
-      - "https://app.netbird.io/nb-auth"
-      - "https://app.netbird.io/nb-silent-auth"
-    # OAuth2 redirect URIs for CLI
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-    # Optional initial admin user
-    # owner:
-    #   email: "admin@example.com"
-    #   password: "initial-password"
-
-  # Store configuration
-  store:
-    engine: "sqlite"  # sqlite, postgres, or mysql
-    dsn: ""  # Connection string for postgres or mysql
-    encryptionKey: ""
-
-  # Reverse proxy settings (optional)
-  # reverseProxy:
-  #   trustedHTTPProxies: []
-  #   trustedHTTPProxiesCount: 0
-  #   trustedPeers: []

combined/config.yaml.example

@@ -1,115 +0,0 @@
-# Simplified Combined NetBird Server Configuration
-# Copy this file to config.yaml and customize for your deployment
-
-# Server-wide settings
-server:
-  # Main HTTP/gRPC port for all services (Management, Signal, Relay)
-  listenAddress: ":443"
-
-  # Metrics endpoint port
-  metricsPort: 9090
-
-  # Healthcheck endpoint address
-  healthcheckAddress: ":9000"
-
-  # Logging configuration
-  logLevel: "info"    # panic, fatal, error, warn, info, debug, trace
-  logFile: "console"  # "console" or path to log file
-
-  # TLS configuration (optional)
-  tls:
-    certFile: ""
-    keyFile: ""
-    letsencrypt:
-      enabled: false
-      dataDir: ""
-      domains: []
-      email: ""
-      awsRoute53: false
-
-# Relay service configuration
-relay:
-  # Enable/disable the relay service
-  enabled: true
-
-  # Public address that peers will use to connect to this relay
-  # Format: hostname:port or ip:port
-  exposedAddress: "relay.example.com:443"
-
-  # Shared secret for relay authentication (required when enabled)
-  authSecret: "your-secret-key-here"
-
-  # Log level for relay (reserved for future use, currently uses global log level)
-  logLevel: "info"
-
-  # Embedded STUN server (optional)
-  stun:
-    enabled: false
-    ports: [3478]
-    logLevel: "info"
-
-# Signal service configuration
-signal:
-  # Enable/disable the signal service
-  enabled: true
-
-  # Log level for signal (reserved for future use, currently uses global log level)
-  logLevel: "info"
-
-# Management service configuration
-management:
-  # Enable/disable the management service
-  enabled: true
-
-  # Data directory for management service
-  dataDir: "/var/lib/netbird/"
-
-  # DNS domain for the management server
-  dnsDomain: ""
-
-  # Metrics and updates
-  disableAnonymousMetrics: false
-  disableGeoliteUpdate: false
-
-  auth:
-    # OIDC issuer URL - must be publicly accessible
-    issuer: "https://management.example.com/oauth2"
-    localAuthDisabled: false
-    signKeyRefreshEnabled: false
-    # OAuth2 redirect URIs for dashboard
-    dashboardRedirectURIs:
-      - "https://app.example.com/nb-auth"
-      - "https://app.example.com/nb-silent-auth"
-    # OAuth2 redirect URIs for CLI
-    cliRedirectURIs:
-      - "http://localhost:53000/"
-    # Optional initial admin user
-    # owner:
-    #   email: "admin@example.com"
-    #   password: "initial-password"
-
-  # External STUN servers (for client config)
-  stuns: []
-  #  - uri: "stun:stun.example.com:3478"
-
-  # External relay servers (for client config)
-  relays:
-    addresses: []
-    #  - "rels://relay.example.com:443"
-    credentialsTTL: "12h"
-    secret: ""
-
-  # External signal server URI (for client config)
-  signalUri: ""
-
-  # Store configuration
-  store:
-    engine: "sqlite"  # sqlite, postgres, or mysql
-    dsn: ""  # Connection string for postgres or mysql
-    encryptionKey: ""
-
-  # Reverse proxy settings
-  reverseProxy:
-    trustedHTTPProxies: []
-    trustedHTTPProxiesCount: 0
-    trustedPeers: []

combined/main.go

@@ -1,13 +0,0 @@
-package main
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/combined/cmd"
-)
-
-func main() {
-	if err := cmd.Execute(); err != nil {
-		log.Fatalf("failed to execute command: %v", err)
-	}
-}

go.mod

@@ -40,7 +40,7 @@ require (
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
 	github.com/cilium/ebpf v0.15.0
-	github.com/coder/websocket v1.8.14
+	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/creack/pty v1.1.24
@@ -69,7 +69,7 @@ require (
 	github.com/mdlayher/socket v0.5.1
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/oapi-codegen/runtime v1.1.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
@@ -83,7 +83,6 @@ require (
 	github.com/pion/stun/v3 v3.1.0
 	github.com/pion/transport/v3 v3.1.1
 	github.com/pion/turn/v3 v3.0.1
-	github.com/pires/go-proxyproto v0.11.0
 	github.com/pkg/sftp v1.13.9
 	github.com/prometheus/client_golang v1.23.2
 	github.com/quic-go/quic-go v0.55.0

go.sum

@@ -107,8 +107,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
-github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
 github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -406,8 +406,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25 h1:iwAq/Ncaq0etl4uAlVsbNBzC1yY52o0AmY7uCm2AMTs=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20260210160626-df4b180c7b25/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f h1:CTBf0je/FpKr2lVSMZLak7m8aaWcS6ur4SOfhSSazFI=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20260122111742-a6f99668844f/go.mod h1:y7CxagMYzg9dgu+masRqYM7BQlOGA5Y8US85MCNFPlY=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
@@ -474,8 +474,6 @@ github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
 github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
 github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
-github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
-github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

idp/dex/provider.go

@@ -99,16 +99,15 @@ func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
 
 	// Build Dex server config - use Dex's types directly
 	dexConfig := server.Config{
-		Issuer:                     issuer,
-		Storage:                    stor,
-		SkipApprovalScreen:         true,
-		SupportedResponseTypes:     []string{"code"},
-		ContinueOnConnectorFailure: true,
-		Logger:                     logger,
-		PrometheusRegistry:         prometheus.NewRegistry(),
-		RotateKeysAfter:            6 * time.Hour,
-		IDTokensValidFor:           24 * time.Hour,
-		RefreshTokenPolicy:         refreshPolicy,
+		Issuer:                 issuer,
+		Storage:                stor,
+		SkipApprovalScreen:     true,
+		SupportedResponseTypes: []string{"code"},
+		Logger:                 logger,
+		PrometheusRegistry:     prometheus.NewRegistry(),
+		RotateKeysAfter:        6 * time.Hour,
+		IDTokensValidFor:       24 * time.Hour,
+		RefreshTokenPolicy:     refreshPolicy,
 		Web: server.WebConfig{
 			Issuer: "NetBird",
 		},
@@ -261,7 +260,6 @@ func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.L
 	if len(cfg.SupportedResponseTypes) == 0 {
 		cfg.SupportedResponseTypes = []string{"code"}
 	}
-	cfg.ContinueOnConnectorFailure = true
 	return cfg
 }
 

idp/dex/provider_test.go

@@ -2,7 +2,6 @@ package dex
 
 import (
 	"context"
-	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
@@ -196,64 +195,3 @@ enablePasswordDB: true
 
 	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
 }
-
-func TestNewProvider_ContinueOnConnectorFailure(t *testing.T) {
-	ctx := context.Background()
-
-	tmpDir, err := os.MkdirTemp("", "dex-connector-failure-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	config := &Config{
-		Issuer:  "http://localhost:5556/dex",
-		Port:    5556,
-		DataDir: tmpDir,
-	}
-
-	provider, err := NewProvider(ctx, config)
-	require.NoError(t, err)
-	defer func() { _ = provider.Stop(ctx) }()
-
-	// The provider should have started successfully even though
-	// ContinueOnConnectorFailure is an internal Dex config field.
-	// We verify the provider is functional by performing a basic operation.
-	assert.NotNil(t, provider.dexServer)
-	assert.NotNil(t, provider.storage)
-}
-
-func TestBuildDexConfig_ContinueOnConnectorFailure(t *testing.T) {
-	tmpDir, err := os.MkdirTemp("", "dex-build-config-*")
-	require.NoError(t, err)
-	defer os.RemoveAll(tmpDir)
-
-	yamlContent := `
-issuer: http://localhost:5556/dex
-storage:
-  type: sqlite3
-  config:
-    file: ` + filepath.Join(tmpDir, "dex.db") + `
-web:
-  http: 127.0.0.1:5556
-enablePasswordDB: true
-`
-	configPath := filepath.Join(tmpDir, "config.yaml")
-	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
-	require.NoError(t, err)
-
-	yamlConfig, err := LoadConfig(configPath)
-	require.NoError(t, err)
-
-	ctx := context.Background()
-	stor, err := yamlConfig.Storage.OpenStorage(slog.New(slog.NewTextHandler(os.Stderr, nil)))
-	require.NoError(t, err)
-	defer stor.Close()
-
-	err = initializeStorage(ctx, stor, yamlConfig)
-	require.NoError(t, err)
-
-	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	cfg := buildDexConfig(yamlConfig, stor, logger)
-
-	assert.True(t, cfg.ContinueOnConnectorFailure,
-		"buildDexConfig must set ContinueOnConnectorFailure to true so management starts even if an external IdP is down")
-}

management/Dockerfile.multistage

@@ -1,17 +0,0 @@
-FROM golang:1.25-bookworm AS builder
-WORKDIR /app
-
-# Install build dependencies
-RUN apt-get update && apt-get install -y gcc libc6-dev && rm -rf /var/lib/apt/lists/*
-
-COPY go.mod go.sum ./
-RUN go mod download
-
-COPY . .
-RUN CGO_ENABLED=1 GOOS=linux go build -ldflags="-s -w" -o netbird-mgmt ./management
-
-FROM ubuntu:24.04
-RUN apt update && apt install -y ca-certificates && rm -fr /var/cache/apt
-ENTRYPOINT [ "/go/bin/netbird-mgmt","management"]
-CMD ["--log-file", "console"]
-COPY --from=builder /app/netbird-mgmt /go/bin/netbird-mgmt

management/cmd/management.go

@@ -29,11 +29,11 @@ import (
 	"github.com/netbirdio/netbird/util/crypt"
 )
 
-var newServer = func(cfg *server.Config) server.Server {
-	return server.NewServer(cfg)
+var newServer = func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server {
+	return server.NewServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
 }
 
-func SetNewServer(fn func(*server.Config) server.Server) {
+func SetNewServer(fn func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server) {
 	newServer = fn
 }
 
@@ -57,7 +57,7 @@ var (
 			// detect whether user specified a port
 			userPort := cmd.Flag("port").Changed
 
-			config, err = LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+			config, err = loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
 			if err != nil {
 				return fmt.Errorf("failed reading provided config file: %s: %v", nbconfig.MgmtConfigPath, err)
 			}
@@ -110,17 +110,7 @@ var (
 				mgmtSingleAccModeDomain = ""
 			}
 
-			srv := newServer(&server.Config{
-				NbConfig:                    config,
-				DNSDomain:                   dnsDomain,
-				MgmtSingleAccModeDomain:     mgmtSingleAccModeDomain,
-				MgmtPort:                    mgmtPort,
-				MgmtMetricsPort:             mgmtMetricsPort,
-				DisableLegacyManagementPort: disableLegacyManagementPort,
-				DisableMetrics:              disableMetrics,
-				DisableGeoliteUpdate:        disableGeoliteUpdate,
-				UserDeleteFromIDPEnabled:    userDeleteFromIDPEnabled,
-			})
+			srv := newServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
 			go func() {
 				if err := srv.Start(cmd.Context()); err != nil {
 					log.Fatalf("Server error: %v", err)
@@ -145,35 +135,35 @@ var (
 	}
 )
 
-func LoadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
+func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
 	loadedConfig := &nbconfig.Config{}
 	if _, err := util.ReadJsonWithEnvSub(mgmtConfigPath, loadedConfig); err != nil {
 		return nil, err
 	}
 
-	ApplyCommandLineOverrides(loadedConfig)
+	applyCommandLineOverrides(loadedConfig)
 
 	// Apply EmbeddedIdP config to HttpConfig if embedded IdP is enabled
-	err := ApplyEmbeddedIdPConfig(ctx, loadedConfig)
+	err := applyEmbeddedIdPConfig(ctx, loadedConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	if err := ApplyOIDCConfig(ctx, loadedConfig); err != nil {
+	if err := applyOIDCConfig(ctx, loadedConfig); err != nil {
 		return nil, err
 	}
 
-	LogConfigInfo(loadedConfig)
+	logConfigInfo(loadedConfig)
 
-	if err := EnsureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
+	if err := ensureEncryptionKey(ctx, mgmtConfigPath, loadedConfig); err != nil {
 		return nil, err
 	}
 
 	return loadedConfig, nil
 }
 
-// ApplyCommandLineOverrides applies command-line flag overrides to the config
-func ApplyCommandLineOverrides(cfg *nbconfig.Config) {
+// applyCommandLineOverrides applies command-line flag overrides to the config
+func applyCommandLineOverrides(cfg *nbconfig.Config) {
 	if mgmtLetsencryptDomain != "" {
 		cfg.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
 	}
@@ -186,9 +176,9 @@ func ApplyCommandLineOverrides(cfg *nbconfig.Config) {
 	}
 }
 
-// ApplyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
+// applyEmbeddedIdPConfig populates HttpConfig and EmbeddedIdP storage from config when embedded IdP is enabled.
 // This allows users to only specify EmbeddedIdP config without duplicating values in HttpConfig.
-func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
+func applyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	if cfg.EmbeddedIdP == nil || !cfg.EmbeddedIdP.Enabled {
 		return nil
 	}
@@ -237,8 +227,8 @@ func ApplyEmbeddedIdPConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	return nil
 }
 
-// ApplyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
-func ApplyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
+// applyOIDCConfig fetches and applies OIDC configuration if endpoint is specified
+func applyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
 	oidcEndpoint := cfg.HttpConfig.OIDCConfigEndpoint
 	if oidcEndpoint == "" {
 		return nil
@@ -264,16 +254,16 @@ func ApplyOIDCConfig(ctx context.Context, cfg *nbconfig.Config) error {
 		oidcConfig.JwksURI, cfg.HttpConfig.AuthKeysLocation)
 	cfg.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
 
-	if err := ApplyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
+	if err := applyDeviceAuthFlowConfig(ctx, cfg, &oidcConfig, oidcEndpoint); err != nil {
 		return err
 	}
-	ApplyPKCEFlowConfig(ctx, cfg, &oidcConfig)
+	applyPKCEFlowConfig(ctx, cfg, &oidcConfig)
 
 	return nil
 }
 
-// ApplyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
-func ApplyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
+// applyDeviceAuthFlowConfig applies OIDC config to DeviceAuthorizationFlow if enabled
+func applyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse, oidcEndpoint string) error {
 	if cfg.DeviceAuthorizationFlow == nil || strings.ToLower(cfg.DeviceAuthorizationFlow.Provider) == string(nbconfig.NONE) {
 		return nil
 	}
@@ -300,8 +290,8 @@ func ApplyDeviceAuthFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcCo
 	return nil
 }
 
-// ApplyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
-func ApplyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
+// applyPKCEFlowConfig applies OIDC config to PKCEAuthorizationFlow if configured
+func applyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *OIDCConfigResponse) {
 	if cfg.PKCEAuthorizationFlow == nil {
 		return
 	}
@@ -314,8 +304,8 @@ func ApplyPKCEFlowConfig(ctx context.Context, cfg *nbconfig.Config, oidcConfig *
 	cfg.PKCEAuthorizationFlow.ProviderConfig.AuthorizationEndpoint = oidcConfig.AuthorizationEndpoint
 }
 
-// LogConfigInfo logs informational messages about the loaded configuration
-func LogConfigInfo(cfg *nbconfig.Config) {
+// logConfigInfo logs informational messages about the loaded configuration
+func logConfigInfo(cfg *nbconfig.Config) {
 	if cfg.EmbeddedIdP != nil {
 		log.Infof("running with the embedded IdP: %v", cfg.EmbeddedIdP.Issuer)
 	}
@@ -324,8 +314,8 @@ func LogConfigInfo(cfg *nbconfig.Config) {
 	}
 }
 
-// EnsureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
-func EnsureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
+// ensureEncryptionKey generates and saves a DataStoreEncryptionKey if not set
+func ensureEncryptionKey(ctx context.Context, configPath string, cfg *nbconfig.Config) error {
 	if cfg.DataStoreEncryptionKey != "" {
 		return nil
 	}

management/cmd/management_test.go

@@ -30,7 +30,7 @@ func Test_loadMgmtConfig(t *testing.T) {
 		t.Fatalf("failed to create config: %s", err)
 	}
 
-	cfg, err := LoadMgmtConfig(context.Background(), tmpFile)
+	cfg, err := loadMgmtConfig(context.Background(), tmpFile)
 	if err != nil {
 		t.Fatalf("failed to load management config: %s", err)
 	}

management/cmd/root.go

@@ -16,22 +16,21 @@ const (
 )
 
 var (
-	dnsDomain                   string
-	mgmtDataDir                 string
-	logLevel                    string
-	logFile                     string
-	disableMetrics              bool
-	disableSingleAccMode        bool
-	disableGeoliteUpdate        bool
-	idpSignKeyRefreshEnabled    bool
-	userDeleteFromIDPEnabled    bool
-	mgmtPort                    int
-	mgmtMetricsPort             int
-	disableLegacyManagementPort bool
-	mgmtLetsencryptDomain       string
-	mgmtSingleAccModeDomain     string
-	certFile                    string
-	certKey                     string
+	dnsDomain                string
+	mgmtDataDir              string
+	logLevel                 string
+	logFile                  string
+	disableMetrics           bool
+	disableSingleAccMode     bool
+	disableGeoliteUpdate     bool
+	idpSignKeyRefreshEnabled bool
+	userDeleteFromIDPEnabled bool
+	mgmtPort                 int
+	mgmtMetricsPort          int
+	mgmtLetsencryptDomain    string
+	mgmtSingleAccModeDomain  string
+	certFile                 string
+	certKey                  string
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird-mgmt",
@@ -56,7 +55,6 @@ func Execute() error {
 
 func init() {
 	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 80, "server port to listen on (defaults to 443 if TLS is enabled, 80 otherwise")
-	mgmtCmd.Flags().BoolVar(&disableLegacyManagementPort, "disable-legacy-port", false, "disabling the old legacy port (33073)")
 	mgmtCmd.Flags().IntVar(&mgmtMetricsPort, "metrics-port", 9090, "metrics endpoint http port. Metrics are accessible under host:metrics-port/metrics")
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", defaultMgmtDataDir, "server data directory location")
 	mgmtCmd.Flags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
@@ -83,7 +81,9 @@ func init() {
 
 	rootCmd.AddCommand(migrationCmd)
 
-	tc := newTokenCommands()
-	tc.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
-	rootCmd.AddCommand(tc)
+	tokenCmd.PersistentFlags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location")
+	tokenCmd.AddCommand(tokenCreateCmd)
+	tokenCmd.AddCommand(tokenListCmd)
+	tokenCmd.AddCommand(tokenRevokeCmd)
+	rootCmd.AddCommand(tokenCmd)
 }

management/cmd/token.go

@@ -3,24 +3,62 @@ package cmd
 import (
 	"context"
 	"fmt"
+	"os"
+	"strconv"
+	"text/tabwriter"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"github.com/netbirdio/netbird/formatter/hook"
-	tokencmd "github.com/netbirdio/netbird/management/cmd/token"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/util"
 )
 
-var tokenDatadir string
+var (
+	tokenName     string
+	tokenExpireIn string
+	tokenDatadir  string
 
-// newTokenCommands creates the token command tree with management-specific store opener.
-func newTokenCommands() *cobra.Command {
-	cmd := tokencmd.NewCommands(withTokenStore)
-	cmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
-	return cmd
+	tokenCmd = &cobra.Command{
+		Use:   "token",
+		Short: "Manage proxy access tokens",
+		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
+	}
+
+	tokenCreateCmd = &cobra.Command{
+		Use:   "create",
+		Short: "Create a new proxy access token",
+		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
+		RunE:  tokenCreateRun,
+	}
+
+	tokenListCmd = &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List all proxy access tokens",
+		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
+		RunE:    tokenListRun,
+	}
+
+	tokenRevokeCmd = &cobra.Command{
+		Use:   "revoke [token-id]",
+		Short: "Revoke a proxy access token",
+		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
+		Args:  cobra.ExactArgs(1),
+		RunE:  tokenRevokeRun,
+	}
+)
+
+func init() {
+	tokenCmd.PersistentFlags().StringVar(&tokenDatadir, "datadir", "", "Override the data directory from config (where store.db is located)")
+
+	tokenCreateCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
+	tokenCreateCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
+	tokenCreateCmd.MarkFlagRequired("name") //nolint
 }
 
 // withTokenStore initializes logging, loads config, opens the store, and calls fn.
@@ -29,9 +67,9 @@ func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Sto
 		return fmt.Errorf("init log: %w", err)
 	}
 
-	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource) //nolint:staticcheck
+	ctx := context.WithValue(cmd.Context(), hook.ExecutionContextKey, hook.SystemSource)
 
-	config, err := LoadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
+	config, err := loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
 	if err != nil {
 		return fmt.Errorf("load config: %w", err)
 	}
@@ -53,3 +91,118 @@ func withTokenStore(cmd *cobra.Command, fn func(ctx context.Context, s store.Sto
 
 	return fn(ctx, s)
 }
+
+func tokenCreateRun(cmd *cobra.Command, _ []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		expiresIn, err := parseDuration(tokenExpireIn)
+		if err != nil {
+			return fmt.Errorf("parse expiration: %w", err)
+		}
+
+		generated, err := types.CreateNewProxyAccessToken(tokenName, expiresIn, nil, "CLI")
+		if err != nil {
+			return fmt.Errorf("generate token: %w", err)
+		}
+
+		if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
+			return fmt.Errorf("save token: %w", err)
+		}
+
+		fmt.Println("Token created successfully!")
+		fmt.Printf("Token: %s\n", generated.PlainToken)
+		fmt.Println()
+		fmt.Println("IMPORTANT: Save this token now. It will not be shown again.")
+		fmt.Printf("Token ID: %s\n", generated.ID)
+
+		return nil
+	})
+}
+
+func tokenListRun(cmd *cobra.Command, _ []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
+		if err != nil {
+			return fmt.Errorf("list tokens: %w", err)
+		}
+
+		if len(tokens) == 0 {
+			fmt.Println("No proxy access tokens found.")
+			return nil
+		}
+
+		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+		fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
+		fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
+
+		for _, t := range tokens {
+			expires := "never"
+			if t.ExpiresAt != nil {
+				expires = t.ExpiresAt.Format("2006-01-02")
+			}
+
+			lastUsed := "never"
+			if t.LastUsed != nil {
+				lastUsed = t.LastUsed.Format("2006-01-02 15:04")
+			}
+
+			revoked := "no"
+			if t.Revoked {
+				revoked = "yes"
+			}
+
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
+				t.ID,
+				t.Name,
+				t.CreatedAt.Format("2006-01-02"),
+				expires,
+				lastUsed,
+				revoked,
+			)
+		}
+
+		w.Flush()
+
+		return nil
+	})
+}
+
+func tokenRevokeRun(cmd *cobra.Command, args []string) error {
+	return withTokenStore(cmd, func(ctx context.Context, s store.Store) error {
+		tokenID := args[0]
+
+		if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
+			return fmt.Errorf("revoke token: %w", err)
+		}
+
+		fmt.Printf("Token %s revoked successfully.\n", tokenID)
+		return nil
+	})
+}
+
+// parseDuration parses a duration string with support for days (e.g., "30d", "365d").
+// An empty string returns zero duration (no expiration).
+func parseDuration(s string) (time.Duration, error) {
+	if len(s) == 0 {
+		return 0, nil
+	}
+
+	if s[len(s)-1] == 'd' {
+		d, err := strconv.Atoi(s[:len(s)-1])
+		if err != nil {
+			return 0, fmt.Errorf("invalid day format: %s", s)
+		}
+		if d <= 0 {
+			return 0, fmt.Errorf("duration must be positive: %s", s)
+		}
+		return time.Duration(d) * 24 * time.Hour, nil
+	}
+
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		return 0, err
+	}
+	if d <= 0 {
+		return 0, fmt.Errorf("duration must be positive: %s", s)
+	}
+	return d, nil
+}

management/cmd/token/token.go

@@ -1,185 +0,0 @@
-// Package tokencmd provides reusable cobra commands for managing proxy access tokens.
-// Both the management and combined binaries use these commands, each providing
-// their own StoreOpener to handle config loading and store initialization.
-package tokencmd
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"strconv"
-	"text/tabwriter"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-)
-
-// StoreOpener initializes a store from the command context and calls fn.
-type StoreOpener func(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error
-
-// NewCommands creates the token command tree with the given store opener.
-// Returns the parent "token" command with create, list, and revoke subcommands.
-func NewCommands(opener StoreOpener) *cobra.Command {
-	var (
-		tokenName     string
-		tokenExpireIn string
-	)
-
-	tokenCmd := &cobra.Command{
-		Use:   "token",
-		Short: "Manage proxy access tokens",
-		Long:  "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
-	}
-
-	createCmd := &cobra.Command{
-		Use:   "create",
-		Short: "Create a new proxy access token",
-		Long:  "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runCreate(ctx, s, cmd.OutOrStdout(), tokenName, tokenExpireIn)
-			})
-		},
-	}
-	createCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
-	createCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
-	if err := createCmd.MarkFlagRequired("name"); err != nil {
-		panic(err)
-	}
-
-	listCmd := &cobra.Command{
-		Use:     "list",
-		Aliases: []string{"ls"},
-		Short:   "List all proxy access tokens",
-		Long:    "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
-		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runList(ctx, s, cmd.OutOrStdout())
-			})
-		},
-	}
-
-	revokeCmd := &cobra.Command{
-		Use:   "revoke [token-id]",
-		Short: "Revoke a proxy access token",
-		Long:  "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return opener(cmd, func(ctx context.Context, s store.Store) error {
-				return runRevoke(ctx, s, cmd.OutOrStdout(), args[0])
-			})
-		},
-	}
-
-	tokenCmd.AddCommand(createCmd, listCmd, revokeCmd)
-	return tokenCmd
-}
-
-func runCreate(ctx context.Context, s store.Store, w io.Writer, name string, expireIn string) error {
-	expiresIn, err := ParseDuration(expireIn)
-	if err != nil {
-		return fmt.Errorf("parse expiration: %w", err)
-	}
-
-	generated, err := types.CreateNewProxyAccessToken(name, expiresIn, nil, "CLI")
-	if err != nil {
-		return fmt.Errorf("generate token: %w", err)
-	}
-
-	if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
-		return fmt.Errorf("save token: %w", err)
-	}
-
-	_, _ = fmt.Fprintln(w, "Token created successfully!")
-	_, _ = fmt.Fprintf(w, "Token: %s\n", generated.PlainToken)
-	_, _ = fmt.Fprintln(w)
-	_, _ = fmt.Fprintln(w, "IMPORTANT: Save this token now. It will not be shown again.")
-	_, _ = fmt.Fprintf(w, "Token ID: %s\n", generated.ID)
-	return nil
-}
-
-func runList(ctx context.Context, s store.Store, out io.Writer) error {
-	tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
-	if err != nil {
-		return fmt.Errorf("list tokens: %w", err)
-	}
-
-	if len(tokens) == 0 {
-		_, _ = fmt.Fprintln(out, "No proxy access tokens found.")
-		return nil
-	}
-
-	w := tabwriter.NewWriter(out, 0, 0, 2, ' ', 0)
-	_, _ = fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
-	_, _ = fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
-
-	for _, t := range tokens {
-		expires := "never"
-		if t.ExpiresAt != nil {
-			expires = t.ExpiresAt.Format("2006-01-02")
-		}
-
-		lastUsed := "never"
-		if t.LastUsed != nil {
-			lastUsed = t.LastUsed.Format("2006-01-02 15:04")
-		}
-
-		revoked := "no"
-		if t.Revoked {
-			revoked = "yes"
-		}
-
-		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
-			t.ID,
-			t.Name,
-			t.CreatedAt.Format("2006-01-02"),
-			expires,
-			lastUsed,
-			revoked,
-		)
-	}
-
-	w.Flush()
-
-	return nil
-}
-
-func runRevoke(ctx context.Context, s store.Store, w io.Writer, tokenID string) error {
-	if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
-		return fmt.Errorf("revoke token: %w", err)
-	}
-
-	_, _ = fmt.Fprintf(w, "Token %s revoked successfully.\n", tokenID)
-	return nil
-}
-
-// ParseDuration parses a duration string with support for days (e.g., "30d", "365d").
-// An empty string returns zero duration (no expiration).
-func ParseDuration(s string) (time.Duration, error) {
-	if len(s) == 0 {
-		return 0, nil
-	}
-
-	if s[len(s)-1] == 'd' {
-		d, err := strconv.Atoi(s[:len(s)-1])
-		if err != nil {
-			return 0, fmt.Errorf("invalid day format: %s", s)
-		}
-		if d <= 0 {
-			return 0, fmt.Errorf("duration must be positive: %s", s)
-		}
-		return time.Duration(d) * 24 * time.Hour, nil
-	}
-
-	d, err := time.ParseDuration(s)
-	if err != nil {
-		return 0, err
-	}
-	if d <= 0 {
-		return 0, fmt.Errorf("duration must be positive: %s", s)
-	}
-	return d, nil
-}

management/cmd/token_test.go

@@ -1,4 +1,4 @@
-package tokencmd
+package cmd
 
 import (
 	"testing"
@@ -89,7 +89,7 @@ func TestParseDuration(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := ParseDuration(tt.input)
+			result, err := parseDuration(tt.input)
 			if tt.wantErr {
 				assert.Error(t, err)
 				return

management/internals/modules/peers/manager_mock.go

@@ -162,17 +162,3 @@ func (mr *MockManagerMockRecorder) SetNetworkMapController(networkMapController
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetworkMapController", reflect.TypeOf((*MockManager)(nil).SetNetworkMapController), networkMapController)
 }
-
-// CreateProxyPeer mocks base method.
-func (m *MockManager) CreateProxyPeer(ctx context.Context, accountID string, peerKey string, cluster string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateProxyPeer", ctx, accountID, peerKey, cluster)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// CreateProxyPeer indicates an expected call of CreateProxyPeer.
-func (mr *MockManagerMockRecorder) CreateProxyPeer(ctx, accountID, peerKey, cluster interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProxyPeer", reflect.TypeOf((*MockManager)(nil).CreateProxyPeer), ctx, accountID, peerKey, cluster)
-}

management/internals/modules/reverseproxy/accesslogs/filter.go

@@ -39,63 +39,78 @@ type AccessLogFilter struct {
 func (f *AccessLogFilter) ParseFromRequest(r *http.Request) {
 	queryParams := r.URL.Query()
 
-	f.Page = parsePositiveInt(queryParams.Get("page"), 1)
-	f.PageSize = min(parsePositiveInt(queryParams.Get("page_size"), DefaultPageSize), MaxPageSize)
+	f.Page = 1
+	if pageStr := queryParams.Get("page"); pageStr != "" {
+		if page, err := strconv.Atoi(pageStr); err == nil && page > 0 {
+			f.Page = page
+		}
+	}
 
-	f.Search = parseOptionalString(queryParams.Get("search"))
-	f.SourceIP = parseOptionalString(queryParams.Get("source_ip"))
-	f.Host = parseOptionalString(queryParams.Get("host"))
-	f.Path = parseOptionalString(queryParams.Get("path"))
-	f.UserID = parseOptionalString(queryParams.Get("user_id"))
-	f.UserEmail = parseOptionalString(queryParams.Get("user_email"))
-	f.UserName = parseOptionalString(queryParams.Get("user_name"))
-	f.Method = parseOptionalString(queryParams.Get("method"))
-	f.Status = parseOptionalString(queryParams.Get("status"))
-	f.StatusCode = parseOptionalInt(queryParams.Get("status_code"))
-	f.StartDate = parseOptionalRFC3339(queryParams.Get("start_date"))
-	f.EndDate = parseOptionalRFC3339(queryParams.Get("end_date"))
-}
+	f.PageSize = DefaultPageSize
+	if pageSizeStr := queryParams.Get("page_size"); pageSizeStr != "" {
+		if pageSize, err := strconv.Atoi(pageSizeStr); err == nil && pageSize > 0 {
+			f.PageSize = pageSize
+			if f.PageSize > MaxPageSize {
+				f.PageSize = MaxPageSize
+			}
+		}
+	}
 
-// parsePositiveInt parses a positive integer from a string, returning defaultValue if invalid
-func parsePositiveInt(s string, defaultValue int) int {
-	if s == "" {
-		return defaultValue
+	if search := queryParams.Get("search"); search != "" {
+		f.Search = &search
 	}
-	if val, err := strconv.Atoi(s); err == nil && val > 0 {
-		return val
-	}
-	return defaultValue
-}
 
-// parseOptionalString returns a pointer to the string if non-empty, otherwise nil
-func parseOptionalString(s string) *string {
-	if s == "" {
-		return nil
+	if sourceIP := queryParams.Get("source_ip"); sourceIP != "" {
+		f.SourceIP = &sourceIP
 	}
-	return &s
-}
 
-// parseOptionalInt parses an optional positive integer from a string
-func parseOptionalInt(s string) *int {
-	if s == "" {
-		return nil
+	if host := queryParams.Get("host"); host != "" {
+		f.Host = &host
 	}
-	if val, err := strconv.Atoi(s); err == nil && val > 0 {
-		v := val
-		return &v
-	}
-	return nil
-}
 
-// parseOptionalRFC3339 parses an optional RFC3339 timestamp from a string
-func parseOptionalRFC3339(s string) *time.Time {
-	if s == "" {
-		return nil
+	if path := queryParams.Get("path"); path != "" {
+		f.Path = &path
 	}
-	if t, err := time.Parse(time.RFC3339, s); err == nil {
-		return &t
+
+	if userID := queryParams.Get("user_id"); userID != "" {
+		f.UserID = &userID
+	}
+
+	if userEmail := queryParams.Get("user_email"); userEmail != "" {
+		f.UserEmail = &userEmail
+	}
+
+	if userName := queryParams.Get("user_name"); userName != "" {
+		f.UserName = &userName
+	}
+
+	if method := queryParams.Get("method"); method != "" {
+		f.Method = &method
+	}
+
+	if status := queryParams.Get("status"); status != "" {
+		f.Status = &status
+	}
+
+	if statusCodeStr := queryParams.Get("status_code"); statusCodeStr != "" {
+		if statusCode, err := strconv.Atoi(statusCodeStr); err == nil && statusCode > 0 {
+			f.StatusCode = &statusCode
+		}
+	}
+
+	if startDate := queryParams.Get("start_date"); startDate != "" {
+		parsedStartDate, err := time.Parse(time.RFC3339, startDate)
+		if err == nil {
+			f.StartDate = &parsedStartDate
+		}
+	}
+
+	if endDate := queryParams.Get("end_date"); endDate != "" {
+		parsedEndDate, err := time.Parse(time.RFC3339, endDate)
+		if err == nil {
+			f.EndDate = &parsedEndDate
+		}
 	}
-	return nil
 }
 
 // GetOffset calculates the database offset for pagination

management/internals/modules/reverseproxy/accesslogs/filter_test.go

@@ -4,10 +4,8 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
 func TestAccessLogFilter_ParseFromRequest(t *testing.T) {
@@ -161,211 +159,3 @@ func TestAccessLogFilter_GetLimit(t *testing.T) {
 	limit := filter.GetLimit()
 	assert.Equal(t, 25, limit, "GetLimit should return PageSize")
 }
-
-func TestAccessLogFilter_ParseFromRequest_FilterParams(t *testing.T) {
-	startDate := "2024-01-15T10:30:00Z"
-	endDate := "2024-01-16T15:45:00Z"
-
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-	q := req.URL.Query()
-	q.Set("search", "test query")
-	q.Set("source_ip", "192.168.1.1")
-	q.Set("host", "example.com")
-	q.Set("path", "/api/users")
-	q.Set("user_id", "user123")
-	q.Set("user_email", "user@example.com")
-	q.Set("user_name", "John Doe")
-	q.Set("method", "GET")
-	q.Set("status", "success")
-	q.Set("status_code", "200")
-	q.Set("start_date", startDate)
-	q.Set("end_date", endDate)
-	req.URL.RawQuery = q.Encode()
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	require.NotNil(t, filter.Search)
-	assert.Equal(t, "test query", *filter.Search)
-
-	require.NotNil(t, filter.SourceIP)
-	assert.Equal(t, "192.168.1.1", *filter.SourceIP)
-
-	require.NotNil(t, filter.Host)
-	assert.Equal(t, "example.com", *filter.Host)
-
-	require.NotNil(t, filter.Path)
-	assert.Equal(t, "/api/users", *filter.Path)
-
-	require.NotNil(t, filter.UserID)
-	assert.Equal(t, "user123", *filter.UserID)
-
-	require.NotNil(t, filter.UserEmail)
-	assert.Equal(t, "user@example.com", *filter.UserEmail)
-
-	require.NotNil(t, filter.UserName)
-	assert.Equal(t, "John Doe", *filter.UserName)
-
-	require.NotNil(t, filter.Method)
-	assert.Equal(t, "GET", *filter.Method)
-
-	require.NotNil(t, filter.Status)
-	assert.Equal(t, "success", *filter.Status)
-
-	require.NotNil(t, filter.StatusCode)
-	assert.Equal(t, 200, *filter.StatusCode)
-
-	require.NotNil(t, filter.StartDate)
-	expectedStart, _ := time.Parse(time.RFC3339, startDate)
-	assert.Equal(t, expectedStart, *filter.StartDate)
-
-	require.NotNil(t, filter.EndDate)
-	expectedEnd, _ := time.Parse(time.RFC3339, endDate)
-	assert.Equal(t, expectedEnd, *filter.EndDate)
-}
-
-func TestAccessLogFilter_ParseFromRequest_EmptyFilters(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Nil(t, filter.Search)
-	assert.Nil(t, filter.SourceIP)
-	assert.Nil(t, filter.Host)
-	assert.Nil(t, filter.Path)
-	assert.Nil(t, filter.UserID)
-	assert.Nil(t, filter.UserEmail)
-	assert.Nil(t, filter.UserName)
-	assert.Nil(t, filter.Method)
-	assert.Nil(t, filter.Status)
-	assert.Nil(t, filter.StatusCode)
-	assert.Nil(t, filter.StartDate)
-	assert.Nil(t, filter.EndDate)
-}
-
-func TestAccessLogFilter_ParseFromRequest_InvalidFilters(t *testing.T) {
-	req := httptest.NewRequest(http.MethodGet, "/test", nil)
-	q := req.URL.Query()
-	q.Set("status_code", "invalid")
-	q.Set("start_date", "not-a-date")
-	q.Set("end_date", "2024-99-99")
-	req.URL.RawQuery = q.Encode()
-
-	filter := &AccessLogFilter{}
-	filter.ParseFromRequest(req)
-
-	assert.Nil(t, filter.StatusCode, "invalid status_code should be nil")
-	assert.Nil(t, filter.StartDate, "invalid start_date should be nil")
-	assert.Nil(t, filter.EndDate, "invalid end_date should be nil")
-}
-
-func TestParsePositiveInt(t *testing.T) {
-	tests := []struct {
-		name         string
-		input        string
-		defaultValue int
-		expected     int
-	}{
-		{"empty string", "", 10, 10},
-		{"valid positive int", "25", 10, 25},
-		{"zero", "0", 10, 10},
-		{"negative", "-5", 10, 10},
-		{"invalid string", "abc", 10, 10},
-		{"float", "3.14", 10, 10},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parsePositiveInt(tt.input, tt.defaultValue)
-			assert.Equal(t, tt.expected, result)
-		})
-	}
-}
-
-func TestParseOptionalString(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected *string
-	}{
-		{"empty string", "", nil},
-		{"valid string", "hello", strPtr("hello")},
-		{"whitespace", "  ", strPtr("  ")},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalString(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestParseOptionalInt(t *testing.T) {
-	tests := []struct {
-		name     string
-		input    string
-		expected *int
-	}{
-		{"empty string", "", nil},
-		{"valid positive int", "42", intPtr(42)},
-		{"zero", "0", nil},
-		{"negative", "-10", nil},
-		{"invalid string", "abc", nil},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalInt(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-func TestParseOptionalRFC3339(t *testing.T) {
-	validDate := "2024-01-15T10:30:00Z"
-	expectedTime, _ := time.Parse(time.RFC3339, validDate)
-
-	tests := []struct {
-		name     string
-		input    string
-		expected *time.Time
-	}{
-		{"empty string", "", nil},
-		{"valid RFC3339", validDate, &expectedTime},
-		{"invalid format", "2024-01-15", nil},
-		{"invalid date", "not-a-date", nil},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := parseOptionalRFC3339(tt.input)
-			if tt.expected == nil {
-				assert.Nil(t, result)
-			} else {
-				require.NotNil(t, result)
-				assert.Equal(t, *tt.expected, *result)
-			}
-		})
-	}
-}
-
-// Helper functions for creating pointers
-func strPtr(s string) *string {
-	return &s
-}
-
-func intPtr(i int) *int {
-	return &i
-}

management/internals/modules/reverseproxy/domain/api.go

@@ -1,12 +1,10 @@
-package manager
+package domain
 
 import (
 	"encoding/json"
 	"net/http"
 
 	"github.com/gorilla/mux"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -28,11 +26,11 @@ func RegisterEndpoints(router *mux.Router, manager Manager) {
 	router.HandleFunc("/domains/{domainId}/validate", h.triggerCustomDomainValidation).Methods("GET", "OPTIONS")
 }
 
-func domainTypeToApi(t domain.Type) api.ReverseProxyDomainType {
+func domainTypeToApi(t domainType) api.ReverseProxyDomainType {
 	switch t {
-	case domain.TypeCustom:
+	case TypeCustom:
 		return api.ReverseProxyDomainTypeCustom
-	case domain.TypeFree:
+	case TypeFree:
 		return api.ReverseProxyDomainTypeFree
 	}
 	// By default return as a "free" domain as that is more restrictive.
@@ -40,7 +38,7 @@ func domainTypeToApi(t domain.Type) api.ReverseProxyDomainType {
 	return api.ReverseProxyDomainTypeFree
 }
 
-func domainToApi(d *domain.Domain) api.ReverseProxyDomain {
+func domainToApi(d *Domain) api.ReverseProxyDomain {
 	resp := api.ReverseProxyDomain{
 		Domain:    d.Domain,
 		Id:        d.ID,
@@ -60,7 +58,7 @@ func (h *handler) getAllDomains(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId, userAuth.UserId)
+	domains, err := h.manager.GetDomains(r.Context(), userAuth.AccountId)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -87,7 +85,7 @@ func (h *handler) createCustomDomain(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, userAuth.UserId, req.Domain, req.TargetCluster)
+	domain, err := h.manager.CreateDomain(r.Context(), userAuth.AccountId, req.Domain, req.TargetCluster)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
@@ -109,7 +107,7 @@ func (h *handler) deleteCustomDomain(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, userAuth.UserId, domainID); err != nil {
+	if err := h.manager.DeleteDomain(r.Context(), userAuth.AccountId, domainID); err != nil {
 		util.WriteError(r.Context(), err, w)
 		return
 	}
@@ -130,7 +128,7 @@ func (h *handler) triggerCustomDomainValidation(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	go h.manager.ValidateDomain(r.Context(), userAuth.AccountId, userAuth.UserId, domainID)
+	go h.manager.ValidateDomain(userAuth.AccountId, domainID)
 
 	w.WriteHeader(http.StatusAccepted)
 }

management/internals/modules/reverseproxy/domain/domain.go

@@ -1,17 +0,0 @@
-package domain
-
-type Type string
-
-const (
-	TypeFree   Type = "free"
-	TypeCustom Type = "custom"
-)
-
-type Domain struct {
-	ID            string `gorm:"unique;primaryKey;autoIncrement"`
-	Domain        string `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
-	AccountID     string `gorm:"index"`
-	TargetCluster string // The proxy cluster this domain should be validated against
-	Type          Type   `gorm:"-"`
-	Validated     bool
-}

management/internals/modules/reverseproxy/domain/interface.go

@@ -1,12 +0,0 @@
-package domain
-
-import (
-	"context"
-)
-
-type Manager interface {
-	GetDomains(ctx context.Context, accountID, userID string) ([]*Domain, error)
-	CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*Domain, error)
-	DeleteDomain(ctx context.Context, accountID, userID, domainID string) error
-	ValidateDomain(ctx context.Context, accountID, userID, domainID string)
-}

management/internals/modules/reverseproxy/domain/manager.go

@@ -1,29 +1,40 @@
-package manager
+package domain
 
 import (
 	"context"
 	"fmt"
 	"net"
+	"net/url"
 	"strings"
 
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/shared/management/status"
+	log "github.com/sirupsen/logrus"
 )
 
+type domainType string
+
+const (
+	TypeFree   domainType = "free"
+	TypeCustom domainType = "custom"
+)
+
+type Domain struct {
+	ID            string     `gorm:"unique;primaryKey;autoIncrement"`
+	Domain        string     `gorm:"unique"` // Domain records must be unique, this avoids domain reuse across accounts.
+	AccountID     string     `gorm:"index"`
+	TargetCluster string     // The proxy cluster this domain should be validated against
+	Type          domainType `gorm:"-"`
+	Validated     bool
+}
+
 type store interface {
 	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
 
-	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*domain.Domain, error)
+	GetCustomDomain(ctx context.Context, accountID string, domainID string) (*Domain, error)
 	ListFreeDomains(ctx context.Context, accountID string) ([]string, error)
-	ListCustomDomains(ctx context.Context, accountID string) ([]*domain.Domain, error)
-	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*domain.Domain, error)
-	UpdateCustomDomain(ctx context.Context, accountID string, d *domain.Domain) (*domain.Domain, error)
+	ListCustomDomains(ctx context.Context, accountID string) ([]*Domain, error)
+	CreateCustomDomain(ctx context.Context, accountID string, domainName string, targetCluster string, validated bool) (*Domain, error)
+	UpdateCustomDomain(ctx context.Context, accountID string, d *Domain) (*Domain, error)
 	DeleteCustomDomain(ctx context.Context, accountID string, domainID string) error
 }
 
@@ -32,38 +43,28 @@ type proxyURLProvider interface {
 }
 
 type Manager struct {
-	store              store
-	validator          domain.Validator
-	proxyURLProvider   proxyURLProvider
-	permissionsManager permissions.Manager
+	store            store
+	validator        Validator
+	proxyURLProvider proxyURLProvider
 }
 
-func NewManager(store store, proxyURLProvider proxyURLProvider, permissionsManager permissions.Manager) Manager {
+func NewManager(store store, proxyURLProvider proxyURLProvider) Manager {
 	return Manager{
 		store:            store,
 		proxyURLProvider: proxyURLProvider,
-		validator: domain.Validator{
-			Resolver: net.DefaultResolver,
+		validator: Validator{
+			resolver: net.DefaultResolver,
 		},
-		permissionsManager: permissionsManager,
 	}
 }
 
-func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*domain.Domain, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
-
+func (m Manager) GetDomains(ctx context.Context, accountID string) ([]*Domain, error) {
 	domains, err := m.store.ListCustomDomains(ctx, accountID)
 	if err != nil {
 		return nil, fmt.Errorf("list custom domains: %w", err)
 	}
 
-	var ret []*domain.Domain
+	var ret []*Domain
 
 	// Add connected proxy clusters as free domains.
 	// The cluster address itself is the free domain base (e.g., "eu.proxy.netbird.io").
@@ -74,37 +75,30 @@ func (m Manager) GetDomains(ctx context.Context, accountID, userID string) ([]*d
 	}).Debug("getting domains with proxy allow list")
 
 	for _, cluster := range allowList {
-		ret = append(ret, &domain.Domain{
+		ret = append(ret, &Domain{
 			Domain:    cluster,
 			AccountID: accountID,
-			Type:      domain.TypeFree,
+			Type:      TypeFree,
 			Validated: true,
 		})
 	}
 
 	// Add custom domains.
-	for _, d := range domains {
-		ret = append(ret, &domain.Domain{
-			ID:            d.ID,
-			Domain:        d.Domain,
+	for _, domain := range domains {
+		ret = append(ret, &Domain{
+			ID:            domain.ID,
+			Domain:        domain.Domain,
 			AccountID:     accountID,
-			TargetCluster: d.TargetCluster,
-			Type:          domain.TypeCustom,
-			Validated:     d.Validated,
+			TargetCluster: domain.TargetCluster,
+			Type:          TypeCustom,
+			Validated:     domain.Validated,
 		})
 	}
 
 	return ret, nil
 }
 
-func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName, targetCluster string) (*domain.Domain, error) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return nil, status.NewPermissionDeniedError()
-	}
+func (m Manager) CreateDomain(ctx context.Context, accountID, domainName, targetCluster string) (*Domain, error) {
 
 	// Verify the target cluster is in the available clusters
 	allowList := m.proxyURLAllowList()
@@ -132,15 +126,7 @@ func (m Manager) CreateDomain(ctx context.Context, accountID, userID, domainName
 	return d, nil
 }
 
-func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID string) error {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Delete)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !ok {
-		return status.NewPermissionDeniedError()
-	}
-
+func (m Manager) DeleteDomain(ctx context.Context, accountID, domainID string) error {
 	if err := m.store.DeleteCustomDomain(ctx, accountID, domainID); err != nil {
 		// TODO: check for "no records" type error. Because that is a success condition.
 		return fmt.Errorf("delete domain from store: %w", err)
@@ -148,22 +134,7 @@ func (m Manager) DeleteDomain(ctx context.Context, accountID, userID, domainID s
 	return nil
 }
 
-func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID string) {
-	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Create)
-	if err != nil {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-		}).WithError(err).Error("validate domain")
-		return
-	}
-	if !ok {
-		log.WithFields(log.Fields{
-			"accountID": accountID,
-			"domainID":  domainID,
-		}).WithError(err).Error("validate domain")
-	}
-
+func (m Manager) ValidateDomain(accountID, domainID string) {
 	log.WithFields(log.Fields{
 		"accountID": accountID,
 		"domainID":  domainID,
@@ -222,19 +193,57 @@ func (m Manager) ValidateDomain(ctx context.Context, accountID, userID, domainID
 }
 
 // proxyURLAllowList retrieves a list of currently connected proxies and
-// their URLs
+// their URLs (as reported by the proxy servers). It performs some clean
+// up on those URLs to attempt to retrieve domain names as we would
+// expect to see them in a validation check.
 func (m Manager) proxyURLAllowList() []string {
 	var reverseProxyAddresses []string
 	if m.proxyURLProvider != nil {
 		reverseProxyAddresses = m.proxyURLProvider.GetConnectedProxyURLs()
 	}
-	return reverseProxyAddresses
+	var allowedProxyURLs []string
+	for _, addr := range reverseProxyAddresses {
+		if addr == "" {
+			continue
+		}
+		host := extractHostFromAddress(addr)
+		if host != "" {
+			allowedProxyURLs = append(allowedProxyURLs, host)
+		}
+	}
+	return allowedProxyURLs
+}
+
+// extractHostFromAddress extracts the hostname from an address string.
+// It handles both URL format (https://host:port) and plain hostname (host or host:port).
+func extractHostFromAddress(addr string) string {
+	// If it looks like a URL with a scheme, parse it
+	if strings.Contains(addr, "://") {
+		proxyUrl, err := url.Parse(addr)
+		if err != nil {
+			log.WithError(err).Debugf("failed to parse proxy URL %s", addr)
+			return ""
+		}
+		host, _, err := net.SplitHostPort(proxyUrl.Host)
+		if err != nil {
+			return proxyUrl.Host
+		}
+		return host
+	}
+
+	// Otherwise treat as hostname or host:port
+	host, _, err := net.SplitHostPort(addr)
+	if err != nil {
+		// No port, use as-is
+		return addr
+	}
+	return host
 }
 
 // DeriveClusterFromDomain determines the proxy cluster for a given domain.
 // For free domains (those ending with a known cluster suffix), the cluster is extracted from the domain.
-// For custom domains, the cluster is determined by checking the registered custom domain's target cluster.
-func (m Manager) DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error) {
+// For custom domains, the cluster is determined by looking up the CNAME target.
+func (m Manager) DeriveClusterFromDomain(ctx context.Context, domain string) (string, error) {
 	allowList := m.proxyURLAllowList()
 	if len(allowList) == 0 {
 		return "", fmt.Errorf("no proxy clusters available")
@@ -244,36 +253,10 @@ func (m Manager) DeriveClusterFromDomain(ctx context.Context, accountID, domain
 		return cluster, nil
 	}
 
-	customDomains, err := m.store.ListCustomDomains(ctx, accountID)
-	if err != nil {
-		return "", fmt.Errorf("list custom domains: %w", err)
-	}
-
-	targetCluster, valid := extractClusterFromCustomDomains(domain, customDomains)
+	cluster, valid := m.validator.ValidateWithCluster(ctx, domain, allowList)
 	if valid {
-		return targetCluster, nil
+		return cluster, nil
 	}
 
 	return "", fmt.Errorf("domain %s does not match any available proxy cluster", domain)
 }
-
-func extractClusterFromCustomDomains(domain string, customDomains []*domain.Domain) (string, bool) {
-	for _, customDomain := range customDomains {
-		if strings.HasSuffix(domain, "."+customDomain.Domain) {
-			return customDomain.TargetCluster, true
-		}
-	}
-	return "", false
-}
-
-// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
-// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
-// It matches the domain suffix against available clusters and returns the matching cluster.
-func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
-	for _, cluster := range availableClusters {
-		if strings.HasSuffix(domain, "."+cluster) {
-			return cluster, true
-		}
-	}
-	return "", false
-}

management/internals/modules/reverseproxy/domain/validator.go

@@ -13,15 +13,15 @@ type resolver interface {
 }
 
 type Validator struct {
-	Resolver resolver
+	resolver resolver
 }
 
-// NewValidator initializes a validator with a specific DNS Resolver.
-// If a Validator is used without specifying a Resolver, then it will
+// NewValidator initializes a validator with a specific DNS resolver.
+// If a Validator is used without specifying a resolver, then it will
 // use the net.DefaultResolver.
 func NewValidator(resolver resolver) *Validator {
 	return &Validator{
-		Resolver: resolver,
+		resolver: resolver,
 	}
 }
 
@@ -39,8 +39,8 @@ func (v *Validator) IsValid(ctx context.Context, domain string, accept []string)
 // ValidateWithCluster validates a custom domain and returns the matched cluster address.
 // Returns the cluster address and true if valid, or empty string and false if invalid.
 func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, accept []string) (string, bool) {
-	if v.Resolver == nil {
-		v.Resolver = net.DefaultResolver
+	if v.resolver == nil {
+		v.resolver = net.DefaultResolver
 	}
 
 	lookupDomain := "validation." + domain
@@ -50,7 +50,7 @@ func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, acce
 		"acceptList":   accept,
 	}).Debug("looking up CNAME for domain validation")
 
-	cname, err := v.Resolver.LookupCNAME(ctx, lookupDomain)
+	cname, err := v.resolver.LookupCNAME(ctx, lookupDomain)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"domain":       domain,
@@ -86,3 +86,15 @@ func (v *Validator) ValidateWithCluster(ctx context.Context, domain string, acce
 	}).Warn("domain CNAME does not match any accepted cluster")
 	return "", false
 }
+
+// ExtractClusterFromFreeDomain extracts the cluster address from a free domain.
+// Free domains have the format: <name>.<nonce>.<cluster> (e.g., myapp.abc123.eu.proxy.netbird.io)
+// It matches the domain suffix against available clusters and returns the matching cluster.
+func ExtractClusterFromFreeDomain(domain string, availableClusters []string) (string, bool) {
+	for _, cluster := range availableClusters {
+		if strings.HasSuffix(domain, "."+cluster) {
+			return cluster, true
+		}
+	}
+	return "", false
+}

management/internals/modules/reverseproxy/interface.go

@@ -1,7 +1,5 @@
 package reverseproxy
 
-//go:generate go run github.com/golang/mock/mockgen -package reverseproxy -destination=interface_mock.go -source=./interface.go -build_flags=-mod=mod
-
 import (
 	"context"
 )

management/internals/modules/reverseproxy/interface_mock.go

@@ -1,225 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: ./interface.go
-
-// Package reverseproxy is a generated GoMock package.
-package reverseproxy
-
-import (
-	context "context"
-	reflect "reflect"
-
-	gomock "github.com/golang/mock/gomock"
-)
-
-// MockManager is a mock of Manager interface.
-type MockManager struct {
-	ctrl     *gomock.Controller
-	recorder *MockManagerMockRecorder
-}
-
-// MockManagerMockRecorder is the mock recorder for MockManager.
-type MockManagerMockRecorder struct {
-	mock *MockManager
-}
-
-// NewMockManager creates a new mock instance.
-func NewMockManager(ctrl *gomock.Controller) *MockManager {
-	mock := &MockManager{ctrl: ctrl}
-	mock.recorder = &MockManagerMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockManager) EXPECT() *MockManagerMockRecorder {
-	return m.recorder
-}
-
-// CreateService mocks base method.
-func (m *MockManager) CreateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "CreateService", ctx, accountID, userID, service)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateService indicates an expected call of CreateService.
-func (mr *MockManagerMockRecorder) CreateService(ctx, accountID, userID, service interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateService", reflect.TypeOf((*MockManager)(nil).CreateService), ctx, accountID, userID, service)
-}
-
-// DeleteService mocks base method.
-func (m *MockManager) DeleteService(ctx context.Context, accountID, userID, serviceID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "DeleteService", ctx, accountID, userID, serviceID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// DeleteService indicates an expected call of DeleteService.
-func (mr *MockManagerMockRecorder) DeleteService(ctx, accountID, userID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteService", reflect.TypeOf((*MockManager)(nil).DeleteService), ctx, accountID, userID, serviceID)
-}
-
-// GetAccountServices mocks base method.
-func (m *MockManager) GetAccountServices(ctx context.Context, accountID string) ([]*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAccountServices", ctx, accountID)
-	ret0, _ := ret[0].([]*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetAccountServices indicates an expected call of GetAccountServices.
-func (mr *MockManagerMockRecorder) GetAccountServices(ctx, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAccountServices", reflect.TypeOf((*MockManager)(nil).GetAccountServices), ctx, accountID)
-}
-
-// GetAllServices mocks base method.
-func (m *MockManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetAllServices", ctx, accountID, userID)
-	ret0, _ := ret[0].([]*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetAllServices indicates an expected call of GetAllServices.
-func (mr *MockManagerMockRecorder) GetAllServices(ctx, accountID, userID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllServices", reflect.TypeOf((*MockManager)(nil).GetAllServices), ctx, accountID, userID)
-}
-
-// GetGlobalServices mocks base method.
-func (m *MockManager) GetGlobalServices(ctx context.Context) ([]*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetGlobalServices", ctx)
-	ret0, _ := ret[0].([]*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetGlobalServices indicates an expected call of GetGlobalServices.
-func (mr *MockManagerMockRecorder) GetGlobalServices(ctx interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGlobalServices", reflect.TypeOf((*MockManager)(nil).GetGlobalServices), ctx)
-}
-
-// GetService mocks base method.
-func (m *MockManager) GetService(ctx context.Context, accountID, userID, serviceID string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetService", ctx, accountID, userID, serviceID)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetService indicates an expected call of GetService.
-func (mr *MockManagerMockRecorder) GetService(ctx, accountID, userID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetService", reflect.TypeOf((*MockManager)(nil).GetService), ctx, accountID, userID, serviceID)
-}
-
-// GetServiceByID mocks base method.
-func (m *MockManager) GetServiceByID(ctx context.Context, accountID, serviceID string) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceByID", ctx, accountID, serviceID)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceByID indicates an expected call of GetServiceByID.
-func (mr *MockManagerMockRecorder) GetServiceByID(ctx, accountID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceByID", reflect.TypeOf((*MockManager)(nil).GetServiceByID), ctx, accountID, serviceID)
-}
-
-// GetServiceIDByTargetID mocks base method.
-func (m *MockManager) GetServiceIDByTargetID(ctx context.Context, accountID, resourceID string) (string, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "GetServiceIDByTargetID", ctx, accountID, resourceID)
-	ret0, _ := ret[0].(string)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// GetServiceIDByTargetID indicates an expected call of GetServiceIDByTargetID.
-func (mr *MockManagerMockRecorder) GetServiceIDByTargetID(ctx, accountID, resourceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetServiceIDByTargetID", reflect.TypeOf((*MockManager)(nil).GetServiceIDByTargetID), ctx, accountID, resourceID)
-}
-
-// ReloadAllServicesForAccount mocks base method.
-func (m *MockManager) ReloadAllServicesForAccount(ctx context.Context, accountID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReloadAllServicesForAccount", ctx, accountID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// ReloadAllServicesForAccount indicates an expected call of ReloadAllServicesForAccount.
-func (mr *MockManagerMockRecorder) ReloadAllServicesForAccount(ctx, accountID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadAllServicesForAccount", reflect.TypeOf((*MockManager)(nil).ReloadAllServicesForAccount), ctx, accountID)
-}
-
-// ReloadService mocks base method.
-func (m *MockManager) ReloadService(ctx context.Context, accountID, serviceID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "ReloadService", ctx, accountID, serviceID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// ReloadService indicates an expected call of ReloadService.
-func (mr *MockManagerMockRecorder) ReloadService(ctx, accountID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReloadService", reflect.TypeOf((*MockManager)(nil).ReloadService), ctx, accountID, serviceID)
-}
-
-// SetCertificateIssuedAt mocks base method.
-func (m *MockManager) SetCertificateIssuedAt(ctx context.Context, accountID, serviceID string) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetCertificateIssuedAt", ctx, accountID, serviceID)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// SetCertificateIssuedAt indicates an expected call of SetCertificateIssuedAt.
-func (mr *MockManagerMockRecorder) SetCertificateIssuedAt(ctx, accountID, serviceID interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetCertificateIssuedAt", reflect.TypeOf((*MockManager)(nil).SetCertificateIssuedAt), ctx, accountID, serviceID)
-}
-
-// SetStatus mocks base method.
-func (m *MockManager) SetStatus(ctx context.Context, accountID, serviceID string, status ProxyStatus) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetStatus", ctx, accountID, serviceID, status)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// SetStatus indicates an expected call of SetStatus.
-func (mr *MockManagerMockRecorder) SetStatus(ctx, accountID, serviceID, status interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetStatus", reflect.TypeOf((*MockManager)(nil).SetStatus), ctx, accountID, serviceID, status)
-}
-
-// UpdateService mocks base method.
-func (m *MockManager) UpdateService(ctx context.Context, accountID, userID string, service *Service) (*Service, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "UpdateService", ctx, accountID, userID, service)
-	ret0, _ := ret[0].(*Service)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateService indicates an expected call of UpdateService.
-func (mr *MockManagerMockRecorder) UpdateService(ctx, accountID, userID, service interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateService", reflect.TypeOf((*MockManager)(nil).UpdateService), ctx, accountID, userID, service)
-}

management/internals/modules/reverseproxy/manager/api.go

@@ -9,7 +9,7 @@ import (
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
-	domainmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -21,21 +21,21 @@ type handler struct {
 }
 
 // RegisterEndpoints registers all service HTTP endpoints.
-func RegisterEndpoints(manager reverseproxy.Manager, domainManager domainmanager.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
+func RegisterEndpoints(manager reverseproxy.Manager, domainManager domain.Manager, accessLogsManager accesslogs.Manager, router *mux.Router) {
 	h := &handler{
 		manager: manager,
 	}
 
-	domainRouter := router.PathPrefix("/reverse-proxies").Subrouter()
-	domainmanager.RegisterEndpoints(domainRouter, domainManager)
+	domainRouter := router.PathPrefix("/services").Subrouter()
+	domain.RegisterEndpoints(domainRouter, domainManager)
 
 	accesslogsmanager.RegisterEndpoints(router, accessLogsManager)
 
-	router.HandleFunc("/reverse-proxies/services", h.getAllServices).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services", h.createService).Methods("POST", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
-	router.HandleFunc("/reverse-proxies/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
+	router.HandleFunc("/services", h.getAllServices).Methods("GET", "OPTIONS")
+	router.HandleFunc("/services", h.createService).Methods("POST", "OPTIONS")
+	router.HandleFunc("/services/{serviceId}", h.getService).Methods("GET", "OPTIONS")
+	router.HandleFunc("/services/{serviceId}", h.updateService).Methods("PUT", "OPTIONS")
+	router.HandleFunc("/services/{serviceId}", h.deleteService).Methods("DELETE", "OPTIONS")
 }
 
 func (h *handler) getAllServices(w http.ResponseWriter, r *http.Request) {

management/internals/modules/reverseproxy/manager/manager.go

@@ -23,7 +23,7 @@ const unknownHostPlaceholder = "unknown"
 
 // ClusterDeriver derives the proxy cluster from a domain.
 type ClusterDeriver interface {
-	DeriveClusterFromDomain(ctx context.Context, accountID, domain string) (string, error)
+	DeriveClusterFromDomain(ctx context.Context, domain string) (string, error)
 }
 
 type managerImpl struct {
@@ -31,16 +31,18 @@ type managerImpl struct {
 	accountManager     account.Manager
 	permissionsManager permissions.Manager
 	proxyGRPCServer    *nbgrpc.ProxyServiceServer
+	tokenStore         *nbgrpc.OneTimeTokenStore
 	clusterDeriver     ClusterDeriver
 }
 
 // NewManager creates a new service manager.
-func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, clusterDeriver ClusterDeriver) reverseproxy.Manager {
+func NewManager(store store.Store, accountManager account.Manager, permissionsManager permissions.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, tokenStore *nbgrpc.OneTimeTokenStore, clusterDeriver ClusterDeriver) reverseproxy.Manager {
 	return &managerImpl{
 		store:              store,
 		accountManager:     accountManager,
 		permissionsManager: permissionsManager,
 		proxyGRPCServer:    proxyGRPCServer,
+		tokenStore:         tokenStore,
 		clusterDeriver:     clusterDeriver,
 	}
 }
@@ -135,12 +137,59 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	if err := m.initializeServiceForCreate(ctx, accountID, service); err != nil {
+	var proxyCluster string
+	if m.clusterDeriver != nil {
+		proxyCluster, err = m.clusterDeriver.DeriveClusterFromDomain(ctx, service.Domain)
+		if err != nil {
+			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
+		}
+	}
+
+	service.AccountID = accountID
+	service.ProxyCluster = proxyCluster
+	service.InitNewRecord()
+	err = service.Auth.HashSecrets()
+	if err != nil {
+		return nil, fmt.Errorf("hash secrets: %w", err)
+	}
+
+	// Generate session JWT signing keys
+	keyPair, err := sessionkey.GenerateKeyPair()
+	if err != nil {
+		return nil, fmt.Errorf("generate session keys: %w", err)
+	}
+	service.SessionPrivateKey = keyPair.PrivateKey
+	service.SessionPublicKey = keyPair.PublicKey
+
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		// Check for duplicate domain
+		existingService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
+		if err != nil {
+			if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+				return fmt.Errorf("failed to check existing service: %w", err)
+			}
+		}
+		if existingService != nil {
+			return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
+		}
+
+		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+			return err
+		}
+
+		if err = transaction.CreateService(ctx, service); err != nil {
+			return fmt.Errorf("failed to create service: %w", err)
+		}
+
+		return nil
+	})
+	if err != nil {
 		return nil, err
 	}
 
-	if err := m.persistNewService(ctx, accountID, service); err != nil {
-		return nil, err
+	token, err := m.tokenStore.GenerateToken(accountID, service.ID, 5*time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
 	}
 
 	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceCreated, service.EventMeta())
@@ -150,74 +199,13 @@ func (m *managerImpl) CreateService(ctx context.Context, accountID, userID strin
 		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
 	}
 
-	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+	m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
 
 	m.accountManager.UpdateAccountPeers(ctx, accountID)
 
 	return service, nil
 }
 
-func (m *managerImpl) initializeServiceForCreate(ctx context.Context, accountID string, service *reverseproxy.Service) error {
-	if m.clusterDeriver != nil {
-		proxyCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s, updates will broadcast to all proxy servers", service.Domain)
-			return status.Errorf(status.PreconditionFailed, "could not derive cluster from domain %s: %v", service.Domain, err)
-		}
-		service.ProxyCluster = proxyCluster
-	}
-
-	service.AccountID = accountID
-	service.InitNewRecord()
-
-	if err := service.Auth.HashSecrets(); err != nil {
-		return fmt.Errorf("hash secrets: %w", err)
-	}
-
-	keyPair, err := sessionkey.GenerateKeyPair()
-	if err != nil {
-		return fmt.Errorf("generate session keys: %w", err)
-	}
-	service.SessionPrivateKey = keyPair.PrivateKey
-	service.SessionPublicKey = keyPair.PublicKey
-
-	return nil
-}
-
-func (m *managerImpl) persistNewService(ctx context.Context, accountID string, service *reverseproxy.Service) error {
-	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		if err := m.checkDomainAvailable(ctx, transaction, accountID, service.Domain, ""); err != nil {
-			return err
-		}
-
-		if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err := transaction.CreateService(ctx, service); err != nil {
-			return fmt.Errorf("failed to create service: %w", err)
-		}
-
-		return nil
-	})
-}
-
-func (m *managerImpl) checkDomainAvailable(ctx context.Context, transaction store.Store, accountID, domain, excludeServiceID string) error {
-	existingService, err := transaction.GetServiceByDomain(ctx, accountID, domain)
-	if err != nil {
-		if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
-			return fmt.Errorf("failed to check existing service: %w", err)
-		}
-		return nil
-	}
-
-	if existingService != nil && existingService.ID != excludeServiceID {
-		return status.Errorf(status.AlreadyExists, "service with domain %s already exists", domain)
-	}
-
-	return nil
-}
-
 func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID string, service *reverseproxy.Service) (*reverseproxy.Service, error) {
 	ok, err := m.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Services, operations.Update)
 	if err != nil {
@@ -227,124 +215,106 @@ func (m *managerImpl) UpdateService(ctx context.Context, accountID, userID strin
 		return nil, status.NewPermissionDeniedError()
 	}
 
-	if err := service.Auth.HashSecrets(); err != nil {
+	var oldCluster string
+	var domainChanged bool
+	var serviceEnabledChanged bool
+
+	err = service.Auth.HashSecrets()
+	if err != nil {
 		return nil, fmt.Errorf("hash secrets: %w", err)
 	}
 
-	updateInfo, err := m.persistServiceUpdate(ctx, accountID, service)
+	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
+		if err != nil {
+			return err
+		}
+
+		oldCluster = existingService.ProxyCluster
+
+		if existingService.Domain != service.Domain {
+			domainChanged = true
+			conflictService, err := transaction.GetServiceByDomain(ctx, accountID, service.Domain)
+			if err != nil {
+				if sErr, ok := status.FromError(err); !ok || sErr.Type() != status.NotFound {
+					return fmt.Errorf("check existing service: %w", err)
+				}
+			}
+			if conflictService != nil && conflictService.ID != service.ID {
+				return status.Errorf(status.AlreadyExists, "service with domain %s already exists", service.Domain)
+			}
+
+			if m.clusterDeriver != nil {
+				newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, service.Domain)
+				if err != nil {
+					log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
+				}
+				service.ProxyCluster = newCluster
+			}
+		} else {
+			service.ProxyCluster = existingService.ProxyCluster
+		}
+
+		if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
+			existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
+			service.Auth.PasswordAuth.Password == "" {
+			service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
+		}
+
+		if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
+			existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
+			service.Auth.PinAuth.Pin == "" {
+			service.Auth.PinAuth = existingService.Auth.PinAuth
+		}
+
+		service.Meta = existingService.Meta
+		service.SessionPrivateKey = existingService.SessionPrivateKey
+		service.SessionPublicKey = existingService.SessionPublicKey
+		serviceEnabledChanged = existingService.Enabled != service.Enabled
+
+		if err = validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
+			return err
+		}
+
+		if err = transaction.UpdateService(ctx, service); err != nil {
+			return fmt.Errorf("update service: %w", err)
+		}
+
+		return nil
+	})
 	if err != nil {
 		return nil, err
 	}
 
 	m.accountManager.StoreEvent(ctx, userID, service.ID, accountID, activity.ServiceUpdated, service.EventMeta())
 
-	if err := m.replaceHostByLookup(ctx, accountID, service); err != nil {
+	err = m.replaceHostByLookup(ctx, accountID, service)
+	if err != nil {
 		return nil, fmt.Errorf("failed to replace host by lookup for service %s: %w", service.ID, err)
 	}
 
-	m.sendServiceUpdateNotifications(service, updateInfo)
+	token, err := m.tokenStore.GenerateToken(accountID, service.ID, 5*time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate authentication token: %w", err)
+	}
+
+	switch {
+	case domainChanged && oldCluster != service.ProxyCluster:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), oldCluster)
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+	case !service.Enabled && serviceEnabledChanged:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+	case service.Enabled && serviceEnabledChanged:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, token, m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+	default:
+		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
+
+	}
 	m.accountManager.UpdateAccountPeers(ctx, accountID)
 
 	return service, nil
 }
 
-type serviceUpdateInfo struct {
-	oldCluster            string
-	domainChanged         bool
-	serviceEnabledChanged bool
-}
-
-func (m *managerImpl) persistServiceUpdate(ctx context.Context, accountID string, service *reverseproxy.Service) (*serviceUpdateInfo, error) {
-	var updateInfo serviceUpdateInfo
-
-	err := m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
-		if err != nil {
-			return err
-		}
-
-		updateInfo.oldCluster = existingService.ProxyCluster
-		updateInfo.domainChanged = existingService.Domain != service.Domain
-
-		if updateInfo.domainChanged {
-			if err := m.handleDomainChange(ctx, transaction, accountID, service); err != nil {
-				return err
-			}
-		} else {
-			service.ProxyCluster = existingService.ProxyCluster
-		}
-
-		m.preserveExistingAuthSecrets(service, existingService)
-		m.preserveServiceMetadata(service, existingService)
-		updateInfo.serviceEnabledChanged = existingService.Enabled != service.Enabled
-
-		if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-			return err
-		}
-
-		if err := transaction.UpdateService(ctx, service); err != nil {
-			return fmt.Errorf("update service: %w", err)
-		}
-
-		return nil
-	})
-
-	return &updateInfo, err
-}
-
-func (m *managerImpl) handleDomainChange(ctx context.Context, transaction store.Store, accountID string, service *reverseproxy.Service) error {
-	if err := m.checkDomainAvailable(ctx, transaction, accountID, service.Domain, service.ID); err != nil {
-		return err
-	}
-
-	if m.clusterDeriver != nil {
-		newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, service.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s", service.Domain)
-		} else {
-			service.ProxyCluster = newCluster
-		}
-	}
-
-	return nil
-}
-
-func (m *managerImpl) preserveExistingAuthSecrets(service, existingService *reverseproxy.Service) {
-	if service.Auth.PasswordAuth != nil && service.Auth.PasswordAuth.Enabled &&
-		existingService.Auth.PasswordAuth != nil && existingService.Auth.PasswordAuth.Enabled &&
-		service.Auth.PasswordAuth.Password == "" {
-		service.Auth.PasswordAuth = existingService.Auth.PasswordAuth
-	}
-
-	if service.Auth.PinAuth != nil && service.Auth.PinAuth.Enabled &&
-		existingService.Auth.PinAuth != nil && existingService.Auth.PinAuth.Enabled &&
-		service.Auth.PinAuth.Pin == "" {
-		service.Auth.PinAuth = existingService.Auth.PinAuth
-	}
-}
-
-func (m *managerImpl) preserveServiceMetadata(service, existingService *reverseproxy.Service) {
-	service.Meta = existingService.Meta
-	service.SessionPrivateKey = existingService.SessionPrivateKey
-	service.SessionPublicKey = existingService.SessionPublicKey
-}
-
-func (m *managerImpl) sendServiceUpdateNotifications(service *reverseproxy.Service, updateInfo *serviceUpdateInfo) {
-	oidcCfg := m.proxyGRPCServer.GetOIDCValidationConfig()
-
-	switch {
-	case updateInfo.domainChanged && updateInfo.oldCluster != service.ProxyCluster:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), updateInfo.oldCluster)
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
-	case !service.Enabled && updateInfo.serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Delete, "", oidcCfg), service.ProxyCluster)
-	case service.Enabled && updateInfo.serviceEnabledChanged:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Create, "", oidcCfg), service.ProxyCluster)
-	default:
-		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", oidcCfg), service.ProxyCluster)
-	}
-}
-
 // validateTargetReferences checks that all target IDs reference existing peers or resources in the account.
 func validateTargetReferences(ctx context.Context, transaction store.Store, accountID string, targets []*reverseproxy.Target) error {
 	for _, target := range targets {
@@ -473,6 +443,8 @@ func (m *managerImpl) ReloadAllServicesForAccount(ctx context.Context, accountID
 		m.proxyGRPCServer.SendServiceUpdateToCluster(service.ToProtoMapping(reverseproxy.Update, "", m.proxyGRPCServer.GetOIDCValidationConfig()), service.ProxyCluster)
 	}
 
+	m.accountManager.UpdateAccountPeers(ctx, accountID)
+
 	return nil
 }
 
@@ -525,9 +497,6 @@ func (m *managerImpl) GetAccountServices(ctx context.Context, accountID string)
 func (m *managerImpl) GetServiceIDByTargetID(ctx context.Context, accountID string, resourceID string) (string, error) {
 	target, err := m.store.GetServiceTargetByTargetID(ctx, store.LockingStrengthNone, accountID, resourceID)
 	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Type() == status.NotFound {
-			return "", nil
-		}
 		return "", fmt.Errorf("failed to get service target by resource ID: %w", err)
 	}
 

management/internals/modules/reverseproxy/manager/manager_test.go

@@ -1,375 +0,0 @@
-package manager
-
-import (
-	"context"
-	"errors"
-	"testing"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/shared/management/status"
-)
-
-func TestInitializeServiceForCreate(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	t.Run("successful initialization without cluster deriver", func(t *testing.T) {
-		mgr := &managerImpl{
-			clusterDeriver: nil,
-		}
-
-		service := &reverseproxy.Service{
-			Domain: "example.com",
-			Auth:   reverseproxy.AuthConfig{},
-		}
-
-		err := mgr.initializeServiceForCreate(ctx, accountID, service)
-
-		assert.NoError(t, err)
-		assert.Equal(t, accountID, service.AccountID)
-		assert.Empty(t, service.ProxyCluster, "proxy cluster should be empty when no deriver")
-		assert.NotEmpty(t, service.ID, "service ID should be initialized")
-		assert.NotEmpty(t, service.SessionPrivateKey, "session private key should be generated")
-		assert.NotEmpty(t, service.SessionPublicKey, "session public key should be generated")
-	})
-
-	t.Run("verifies session keys are different", func(t *testing.T) {
-		mgr := &managerImpl{
-			clusterDeriver: nil,
-		}
-
-		service1 := &reverseproxy.Service{Domain: "test1.com", Auth: reverseproxy.AuthConfig{}}
-		service2 := &reverseproxy.Service{Domain: "test2.com", Auth: reverseproxy.AuthConfig{}}
-
-		err1 := mgr.initializeServiceForCreate(ctx, accountID, service1)
-		err2 := mgr.initializeServiceForCreate(ctx, accountID, service2)
-
-		assert.NoError(t, err1)
-		assert.NoError(t, err2)
-		assert.NotEqual(t, service1.SessionPrivateKey, service2.SessionPrivateKey, "private keys should be unique")
-		assert.NotEqual(t, service1.SessionPublicKey, service2.SessionPublicKey, "public keys should be unique")
-	})
-}
-
-func TestCheckDomainAvailable(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	tests := []struct {
-		name             string
-		domain           string
-		excludeServiceID string
-		setupMock        func(*store.MockStore)
-		expectedError    bool
-		errorType        status.Type
-	}{
-		{
-			name:             "domain available - not found",
-			domain:           "available.com",
-			excludeServiceID: "",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "available.com").
-					Return(nil, status.Errorf(status.NotFound, "not found"))
-			},
-			expectedError: false,
-		},
-		{
-			name:             "domain already exists",
-			domain:           "exists.com",
-			excludeServiceID: "",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "exists.com").
-					Return(&reverseproxy.Service{ID: "existing-id", Domain: "exists.com"}, nil)
-			},
-			expectedError: true,
-			errorType:     status.AlreadyExists,
-		},
-		{
-			name:             "domain exists but excluded (same ID)",
-			domain:           "exists.com",
-			excludeServiceID: "service-123",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "exists.com").
-					Return(&reverseproxy.Service{ID: "service-123", Domain: "exists.com"}, nil)
-			},
-			expectedError: false,
-		},
-		{
-			name:             "domain exists with different ID",
-			domain:           "exists.com",
-			excludeServiceID: "service-456",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "exists.com").
-					Return(&reverseproxy.Service{ID: "service-123", Domain: "exists.com"}, nil)
-			},
-			expectedError: true,
-			errorType:     status.AlreadyExists,
-		},
-		{
-			name:             "store error (non-NotFound)",
-			domain:           "error.com",
-			excludeServiceID: "",
-			setupMock: func(ms *store.MockStore) {
-				ms.EXPECT().
-					GetServiceByDomain(ctx, accountID, "error.com").
-					Return(nil, errors.New("database error"))
-			},
-			expectedError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-
-			mockStore := store.NewMockStore(ctrl)
-			tt.setupMock(mockStore)
-
-			mgr := &managerImpl{}
-			err := mgr.checkDomainAvailable(ctx, mockStore, accountID, tt.domain, tt.excludeServiceID)
-
-			if tt.expectedError {
-				require.Error(t, err)
-				if tt.errorType != 0 {
-					sErr, ok := status.FromError(err)
-					require.True(t, ok, "error should be a status error")
-					assert.Equal(t, tt.errorType, sErr.Type())
-				}
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}
-
-func TestCheckDomainAvailable_EdgeCases(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	t.Run("empty domain", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		mockStore.EXPECT().
-			GetServiceByDomain(ctx, accountID, "").
-			Return(nil, status.Errorf(status.NotFound, "not found"))
-
-		mgr := &managerImpl{}
-		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "", "")
-
-		assert.NoError(t, err)
-	})
-
-	t.Run("empty exclude ID with existing service", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		mockStore.EXPECT().
-			GetServiceByDomain(ctx, accountID, "test.com").
-			Return(&reverseproxy.Service{ID: "some-id", Domain: "test.com"}, nil)
-
-		mgr := &managerImpl{}
-		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "test.com", "")
-
-		assert.Error(t, err)
-		sErr, ok := status.FromError(err)
-		require.True(t, ok)
-		assert.Equal(t, status.AlreadyExists, sErr.Type())
-	})
-
-	t.Run("nil existing service with nil error", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		mockStore.EXPECT().
-			GetServiceByDomain(ctx, accountID, "nil.com").
-			Return(nil, nil)
-
-		mgr := &managerImpl{}
-		err := mgr.checkDomainAvailable(ctx, mockStore, accountID, "nil.com", "")
-
-		assert.NoError(t, err)
-	})
-}
-
-func TestPersistNewService(t *testing.T) {
-	ctx := context.Background()
-	accountID := "test-account"
-
-	t.Run("successful service creation with no targets", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		service := &reverseproxy.Service{
-			ID:      "service-123",
-			Domain:  "new.com",
-			Targets: []*reverseproxy.Target{},
-		}
-
-		// Mock ExecuteInTransaction to execute the function immediately
-		mockStore.EXPECT().
-			ExecuteInTransaction(ctx, gomock.Any()).
-			DoAndReturn(func(ctx context.Context, fn func(store.Store) error) error {
-				// Create another mock for the transaction
-				txMock := store.NewMockStore(ctrl)
-				txMock.EXPECT().
-					GetServiceByDomain(ctx, accountID, "new.com").
-					Return(nil, status.Errorf(status.NotFound, "not found"))
-				txMock.EXPECT().
-					CreateService(ctx, service).
-					Return(nil)
-
-				return fn(txMock)
-			})
-
-		mgr := &managerImpl{store: mockStore}
-		err := mgr.persistNewService(ctx, accountID, service)
-
-		assert.NoError(t, err)
-	})
-
-	t.Run("domain already exists", func(t *testing.T) {
-		ctrl := gomock.NewController(t)
-		defer ctrl.Finish()
-
-		mockStore := store.NewMockStore(ctrl)
-		service := &reverseproxy.Service{
-			ID:      "service-123",
-			Domain:  "existing.com",
-			Targets: []*reverseproxy.Target{},
-		}
-
-		mockStore.EXPECT().
-			ExecuteInTransaction(ctx, gomock.Any()).
-			DoAndReturn(func(ctx context.Context, fn func(store.Store) error) error {
-				txMock := store.NewMockStore(ctrl)
-				txMock.EXPECT().
-					GetServiceByDomain(ctx, accountID, "existing.com").
-					Return(&reverseproxy.Service{ID: "other-id", Domain: "existing.com"}, nil)
-
-				return fn(txMock)
-			})
-
-		mgr := &managerImpl{store: mockStore}
-		err := mgr.persistNewService(ctx, accountID, service)
-
-		require.Error(t, err)
-		sErr, ok := status.FromError(err)
-		require.True(t, ok)
-		assert.Equal(t, status.AlreadyExists, sErr.Type())
-	})
-}
-func TestPreserveExistingAuthSecrets(t *testing.T) {
-	mgr := &managerImpl{}
-
-	t.Run("preserve password when empty", func(t *testing.T) {
-		existing := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "hashed-password",
-				},
-			},
-		}
-
-		updated := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "",
-				},
-			},
-		}
-
-		mgr.preserveExistingAuthSecrets(updated, existing)
-
-		assert.Equal(t, existing.Auth.PasswordAuth, updated.Auth.PasswordAuth)
-	})
-
-	t.Run("preserve pin when empty", func(t *testing.T) {
-		existing := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PinAuth: &reverseproxy.PINAuthConfig{
-					Enabled: true,
-					Pin:     "hashed-pin",
-				},
-			},
-		}
-
-		updated := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PinAuth: &reverseproxy.PINAuthConfig{
-					Enabled: true,
-					Pin:     "",
-				},
-			},
-		}
-
-		mgr.preserveExistingAuthSecrets(updated, existing)
-
-		assert.Equal(t, existing.Auth.PinAuth, updated.Auth.PinAuth)
-	})
-
-	t.Run("do not preserve when password is provided", func(t *testing.T) {
-		existing := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "old-password",
-				},
-			},
-		}
-
-		updated := &reverseproxy.Service{
-			Auth: reverseproxy.AuthConfig{
-				PasswordAuth: &reverseproxy.PasswordAuthConfig{
-					Enabled:  true,
-					Password: "new-password",
-				},
-			},
-		}
-
-		mgr.preserveExistingAuthSecrets(updated, existing)
-
-		assert.Equal(t, "new-password", updated.Auth.PasswordAuth.Password)
-		assert.NotEqual(t, existing.Auth.PasswordAuth, updated.Auth.PasswordAuth)
-	})
-}
-
-func TestPreserveServiceMetadata(t *testing.T) {
-	mgr := &managerImpl{}
-
-	existing := &reverseproxy.Service{
-		Meta: reverseproxy.ServiceMeta{
-			CertificateIssuedAt: time.Now(),
-			Status:              "active",
-		},
-		SessionPrivateKey: "private-key",
-		SessionPublicKey:  "public-key",
-	}
-
-	updated := &reverseproxy.Service{
-		Domain: "updated.com",
-	}
-
-	mgr.preserveServiceMetadata(updated, existing)
-
-	assert.Equal(t, existing.Meta, updated.Meta)
-	assert.Equal(t, existing.SessionPrivateKey, updated.SessionPrivateKey)
-	assert.Equal(t, existing.SessionPublicKey, updated.SessionPublicKey)
-}

management/internals/server/boot.go

@@ -94,7 +94,7 @@ func (s *BaseServer) EventStore() activity.Store {
 
 func (s *BaseServer) APIHandler() http.Handler {
 	return Create(s, func() http.Handler {
-		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer(), s.Config.ReverseProxy.TrustedHTTPProxies)
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager(), s.ZonesManager(), s.RecordsManager(), s.NetworkMapController(), s.IdpManager(), s.ReverseProxyManager(), s.ReverseProxyDomainManager(), s.AccessLogsManager(), s.ReverseProxyGRPCServer())
 		if err != nil {
 			log.Fatalf("failed to create API handler: %v", err)
 		}

management/internals/server/modules.go

@@ -9,7 +9,7 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	nbreverseproxy "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -192,13 +192,13 @@ func (s *BaseServer) RecordsManager() records.Manager {
 
 func (s *BaseServer) ReverseProxyManager() reverseproxy.Manager {
 	return Create(s, func() reverseproxy.Manager {
-		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ReverseProxyGRPCServer(), s.ReverseProxyDomainManager())
+		return nbreverseproxy.NewManager(s.Store(), s.AccountManager(), s.PermissionsManager(), s.ReverseProxyGRPCServer(), s.ProxyTokenStore(), s.ReverseProxyDomainManager())
 	})
 }
 
-func (s *BaseServer) ReverseProxyDomainManager() *manager.Manager {
-	return Create(s, func() *manager.Manager {
-		m := manager.NewManager(s.Store(), s.ReverseProxyGRPCServer(), s.PermissionsManager())
+func (s *BaseServer) ReverseProxyDomainManager() *domain.Manager {
+	return Create(s, func() *domain.Manager {
+		m := domain.NewManager(s.Store(), s.ReverseProxyGRPCServer())
 		return &m
 	})
 }

management/internals/server/server.go

@@ -50,14 +50,13 @@ type BaseServer struct {
 	// AfterInit is a function that will be called after the server is initialized
 	afterInit []func(s *BaseServer)
 
-	disableMetrics              bool
-	dnsDomain                   string
-	disableGeoliteUpdate        bool
-	userDeleteFromIDPEnabled    bool
-	mgmtSingleAccModeDomain     string
-	mgmtMetricsPort             int
-	mgmtPort                    int
-	disableLegacyManagementPort bool
+	disableMetrics           bool
+	dnsDomain                string
+	disableGeoliteUpdate     bool
+	userDeleteFromIDPEnabled bool
+	mgmtSingleAccModeDomain  string
+	mgmtMetricsPort          int
+	mgmtPort                 int
 
 	proxyAuthClose func()
 
@@ -70,32 +69,18 @@ type BaseServer struct {
 	cancel context.CancelFunc
 }
 
-// Config holds the configuration parameters for creating a new server
-type Config struct {
-	NbConfig                    *nbconfig.Config
-	DNSDomain                   string
-	MgmtSingleAccModeDomain     string
-	MgmtPort                    int
-	MgmtMetricsPort             int
-	DisableLegacyManagementPort bool
-	DisableMetrics              bool
-	DisableGeoliteUpdate        bool
-	UserDeleteFromIDPEnabled    bool
-}
-
 // NewServer initializes and configures a new Server instance
-func NewServer(cfg *Config) *BaseServer {
+func NewServer(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) *BaseServer {
 	return &BaseServer{
-		Config:                      cfg.NbConfig,
-		container:                   make(map[string]any),
-		dnsDomain:                   cfg.DNSDomain,
-		mgmtSingleAccModeDomain:     cfg.MgmtSingleAccModeDomain,
-		disableMetrics:              cfg.DisableMetrics,
-		disableGeoliteUpdate:        cfg.DisableGeoliteUpdate,
-		userDeleteFromIDPEnabled:    cfg.UserDeleteFromIDPEnabled,
-		mgmtPort:                    cfg.MgmtPort,
-		disableLegacyManagementPort: cfg.DisableLegacyManagementPort,
-		mgmtMetricsPort:             cfg.MgmtMetricsPort,
+		Config:                   config,
+		container:                make(map[string]any),
+		dnsDomain:                dnsDomain,
+		mgmtSingleAccModeDomain:  mgmtSingleAccModeDomain,
+		disableMetrics:           disableMetrics,
+		disableGeoliteUpdate:     disableGeoliteUpdate,
+		userDeleteFromIDPEnabled: userDeleteFromIDPEnabled,
+		mgmtPort:                 mgmtPort,
+		mgmtMetricsPort:          mgmtMetricsPort,
 	}
 }
 
@@ -155,19 +140,8 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		go metricsWorker.Run(srvCtx)
 	}
 
-	// Eagerly create the gRPC server so that all AfterInit hooks are registered
-	// before we iterate them. Lazy creation after the loop would miss hooks
-	// registered during GRPCServer() construction (e.g., SetProxyManager).
-	s.GRPCServer()
-
-	for _, fn := range s.afterInit {
-		if fn != nil {
-			fn(s)
-		}
-	}
-
 	var compatListener net.Listener
-	if s.mgmtPort != ManagementLegacyPort && !s.disableLegacyManagementPort {
+	if s.mgmtPort != ManagementLegacyPort {
 		// The Management gRPC server was running on port 33073 previously. Old agents that are already connected to it
 		// are using port 33073. For compatibility purposes we keep running a 2nd gRPC server on port 33073.
 		compatListener, err = s.serveGRPC(srvCtx, s.GRPCServer(), ManagementLegacyPort)
@@ -206,6 +180,12 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		}
 	}
 
+	for _, fn := range s.afterInit {
+		if fn != nil {
+			fn(s)
+		}
+	}
+
 	log.WithContext(ctx).Infof("management server version %s", version.NetbirdVersion())
 	log.WithContext(ctx).Infof("running HTTP server and gRPC server on the same port: %s", s.listener.Addr().String())
 	s.serveGRPCWithHTTP(ctx, s.listener, rootHandler, tlsEnabled)
@@ -237,7 +217,6 @@ func (s *BaseServer) Stop() error {
 		_ = s.certManager.Listener().Close()
 	}
 	s.GRPCServer().Stop()
-	s.ReverseProxyGRPCServer().Close()
 	if s.proxyAuthClose != nil {
 		s.proxyAuthClose()
 		s.proxyAuthClose = nil
@@ -282,23 +261,7 @@ func (s *BaseServer) SetContainer(key string, container any) {
 	log.Tracef("container with key %s set successfully", key)
 }
 
-// SetHandlerFunc allows overriding the default HTTP handler function.
-// This is useful for multiplexing additional services on the same port.
-func (s *BaseServer) SetHandlerFunc(handler http.Handler) {
-	s.container["customHandler"] = handler
-	log.Tracef("custom handler set successfully")
-}
-
 func (s *BaseServer) handlerFunc(_ context.Context, gRPCHandler *grpc.Server, httpHandler http.Handler, meter metric.Meter) http.Handler {
-	// Check if a custom handler was set (for multiplexing additional services)
-	if customHandler, ok := s.GetContainer("customHandler"); ok {
-		if handler, ok := customHandler.(http.Handler); ok {
-			log.Tracef("using custom handler")
-			return handler
-		}
-	}
-
-	// Use default handler
 	wsProxy := wsproxyserver.New(gRPCHandler, wsproxyserver.WithOTelMeter(meter))
 
 	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {

management/internals/shared/grpc/proxy.go

@@ -3,12 +3,12 @@ package grpc
 import (
 	"context"
 	"crypto/hmac"
-	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"net"
 	"net/url"
 	"strings"
 	"sync"
@@ -21,8 +21,6 @@ import (
 	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 
-	"github.com/netbirdio/netbird/shared/management/domain"
-
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
@@ -83,17 +81,7 @@ type ProxyServiceServer struct {
 	oidcConfig ProxyOIDCConfig
 
 	// TODO: use database to store these instead?
-	// pkceVerifiers stores PKCE code verifiers keyed by OAuth state.
-	// Entries expire after pkceVerifierTTL to prevent unbounded growth.
-	pkceVerifiers     sync.Map
-	pkceCleanupCancel context.CancelFunc
-}
-
-const pkceVerifierTTL = 10 * time.Minute
-
-type pkceEntry struct {
-	verifier  string
-	createdAt time.Time
+	pkceVerifiers sync.Map
 }
 
 // proxyConnection represents a connected proxy
@@ -104,47 +92,19 @@ type proxyConnection struct {
 	sendChan chan *proto.ProxyMapping
 	ctx      context.Context
 	cancel   context.CancelFunc
+	mu       sync.RWMutex
 }
 
 // NewProxyServiceServer creates a new proxy service server.
 func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeTokenStore, oidcConfig ProxyOIDCConfig, peersManager peers.Manager, usersManager users.Manager) *ProxyServiceServer {
-	ctx, cancel := context.WithCancel(context.Background())
-	s := &ProxyServiceServer{
-		updatesChan:       make(chan *proto.ProxyMapping, 100),
-		accessLogManager:  accessLogMgr,
-		oidcConfig:        oidcConfig,
-		tokenStore:        tokenStore,
-		peersManager:      peersManager,
-		usersManager:      usersManager,
-		pkceCleanupCancel: cancel,
+	return &ProxyServiceServer{
+		updatesChan:      make(chan *proto.ProxyMapping, 100),
+		accessLogManager: accessLogMgr,
+		oidcConfig:       oidcConfig,
+		tokenStore:       tokenStore,
+		peersManager:     peersManager,
+		usersManager:     usersManager,
 	}
-	go s.cleanupPKCEVerifiers(ctx)
-	return s
-}
-
-// cleanupPKCEVerifiers periodically removes expired PKCE verifiers.
-func (s *ProxyServiceServer) cleanupPKCEVerifiers(ctx context.Context) {
-	ticker := time.NewTicker(pkceVerifierTTL)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C:
-			now := time.Now()
-			s.pkceVerifiers.Range(func(key, value any) bool {
-				if entry, ok := value.(pkceEntry); ok && now.Sub(entry.createdAt) > pkceVerifierTTL {
-					s.pkceVerifiers.Delete(key)
-				}
-				return true
-			})
-		}
-	}
-}
-
-// Close stops background goroutines.
-func (s *ProxyServiceServer) Close() {
-	s.pkceCleanupCancel()
 }
 
 func (s *ProxyServiceServer) SetProxyManager(manager reverseproxy.Manager) {
@@ -168,9 +128,12 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	}
 
 	proxyAddress := req.GetAddress()
-	if !isProxyAddressValid(proxyAddress) {
-		return status.Errorf(codes.InvalidArgument, "proxy address is invalid")
-	}
+	log.WithFields(log.Fields{
+		"proxy_id": proxyID,
+		"address":  proxyAddress,
+		"version":  req.GetVersion(),
+		"started":  req.GetStartedAt().AsTime(),
+	}).Info("Proxy connected")
 
 	connCtx, cancel := context.WithCancel(ctx)
 	conn := &proxyConnection{
@@ -187,7 +150,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	log.WithFields(log.Fields{
 		"proxy_id":      proxyID,
 		"address":       proxyAddress,
-		"cluster_addr":  proxyAddress,
+		"cluster_addr":  extractClusterAddr(proxyAddress),
 		"total_proxies": len(s.GetConnectedProxies()),
 	}).Info("Proxy registered in cluster")
 	defer func() {
@@ -198,7 +161,8 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	}()
 
 	if err := s.sendSnapshot(ctx, conn); err != nil {
-		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
+		log.Errorf("Failed to send snapshot to proxy %s: %v", proxyID, err)
+		return err
 	}
 
 	errChan := make(chan error, 2)
@@ -206,7 +170,7 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 
 	select {
 	case err := <-errChan:
-		return fmt.Errorf("send update to proxy %s: %w", proxyID, err)
+		return err
 	case <-connCtx.Done():
 		return connCtx.Err()
 	}
@@ -220,31 +184,17 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		return fmt.Errorf("get services from store: %w", err)
 	}
 
-	if !isProxyAddressValid(conn.address) {
-		return fmt.Errorf("proxy address is invalid")
-	}
+	proxyClusterAddr := extractClusterAddr(conn.address)
 
-	var filtered []*reverseproxy.Service
 	for _, service := range services {
 		if !service.Enabled {
 			continue
 		}
-		if service.ProxyCluster == "" || service.ProxyCluster != conn.address {
+
+		if service.ProxyCluster != "" && proxyClusterAddr != "" && service.ProxyCluster != proxyClusterAddr {
 			continue
 		}
-		filtered = append(filtered, service)
-	}
 
-	if len(filtered) == 0 {
-		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
-			InitialSyncComplete: true,
-		}); err != nil {
-			return fmt.Errorf("send snapshot completion: %w", err)
-		}
-		return nil
-	}
-
-	for i, service := range filtered {
 		// Generate one-time authentication token for each service in the snapshot
 		// Tokens are not persistent on the proxy, so we need to generate new ones on reconnection
 		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, 5*time.Minute)
@@ -252,7 +202,7 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 			log.WithFields(log.Fields{
 				"service": service.Name,
 				"account": service.AccountID,
-			}).WithError(err).Error("failed to generate auth token for snapshot")
+			}).WithError(err).Error("Failed to generate auth token for snapshot")
 			continue
 		}
 
@@ -264,23 +214,29 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 					s.GetOIDCValidationConfig(),
 				),
 			},
-			InitialSyncComplete: i == len(filtered)-1,
 		}); err != nil {
-			log.WithFields(log.Fields{
-				"domain":  service.Domain,
-				"account": service.AccountID,
-			}).WithError(err).Error("failed to send proxy mapping")
-			return fmt.Errorf("send proxy mapping: %w", err)
+			log.WithError(err).Error("Failed to send proxy mapping")
+			continue
 		}
 	}
 
 	return nil
 }
 
-// isProxyAddressValid validates a proxy address
-func isProxyAddressValid(addr string) bool {
-	_, err := domain.ValidateDomains([]string{addr})
-	return err == nil
+// extractClusterAddr extracts the host from a proxy address URL.
+func extractClusterAddr(addr string) string {
+	if addr == "" {
+		return ""
+	}
+	u, err := url.Parse(addr)
+	if err != nil {
+		return addr
+	}
+	host := u.Host
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		return h
+	}
+	return host
 }
 
 // sender handles sending messages to proxy
@@ -289,6 +245,7 @@ func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error)
 		select {
 		case msg := <-conn.sendChan:
 			if err := conn.stream.Send(&proto.GetMappingUpdateResponse{Mapping: []*proto.ProxyMapping{msg}}); err != nil {
+				log.Errorf("Failed to send message to proxy %s: %v", conn.proxyID, err)
 				errChan <- err
 				return
 			}
@@ -329,26 +286,21 @@ func (s *ProxyServiceServer) SendAccessLog(ctx context.Context, req *proto.SendA
 
 	if err := s.accessLogManager.SaveAccessLog(ctx, logEntry); err != nil {
 		log.WithContext(ctx).Errorf("failed to save access log: %v", err)
-		return nil, status.Errorf(codes.Internal, "save access log: %v", err)
+		return nil, status.Errorf(codes.Internal, "failed to save access log: %v", err)
 	}
 
 	return &proto.SendAccessLogResponse{}, nil
 }
 
 // SendServiceUpdate broadcasts a service update to all connected proxy servers.
-// Management should call this when services are created/updated/removed.
-// For create/update operations a unique one-time auth token is generated per
-// proxy so that every replica can independently authenticate with management.
+// Management should call this when services are created/updated/removed
 func (s *ProxyServiceServer) SendServiceUpdate(update *proto.ProxyMapping) {
+	// Send it to all connected proxy servers
 	log.Debugf("Broadcasting service update to all connected proxy servers")
 	s.connectedProxies.Range(func(key, value interface{}) bool {
 		conn := value.(*proxyConnection)
-		msg := s.perProxyMessage(update, conn.proxyID)
-		if msg == nil {
-			return true
-		}
 		select {
-		case conn.sendChan <- msg:
+		case conn.sendChan <- update:
 			log.Debugf("Sent service update with id %s to proxy server %s", update.Id, conn.proxyID)
 		default:
 			log.Warnf("Failed to send service update to proxy server %s (channel full)", conn.proxyID)
@@ -416,8 +368,6 @@ func (s *ProxyServiceServer) removeFromCluster(clusterAddr, proxyID string) {
 
 // SendServiceUpdateToCluster sends a service update to all proxy servers in a specific cluster.
 // If clusterAddr is empty, broadcasts to all connected proxy servers (backward compatibility).
-// For create/update operations a unique one-time auth token is generated per
-// proxy so that every replica can independently authenticate with management.
 func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMapping, clusterAddr string) {
 	if clusterAddr == "" {
 		s.SendServiceUpdate(update)
@@ -435,12 +385,8 @@ func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMappi
 		proxyID := key.(string)
 		if connVal, ok := s.connectedProxies.Load(proxyID); ok {
 			conn := connVal.(*proxyConnection)
-			msg := s.perProxyMessage(update, proxyID)
-			if msg == nil {
-				return true
-			}
 			select {
-			case conn.sendChan <- msg:
+			case conn.sendChan <- update:
 				log.Debugf("Sent service update with id %s to proxy %s in cluster %s", update.Id, proxyID, clusterAddr)
 			default:
 				log.Warnf("Failed to send service update to proxy %s in cluster %s (channel full)", proxyID, clusterAddr)
@@ -450,42 +396,6 @@ func (s *ProxyServiceServer) SendServiceUpdateToCluster(update *proto.ProxyMappi
 	})
 }
 
-// perProxyMessage returns a copy of update with a fresh one-time token for
-// create/update operations. For delete operations the original message is
-// returned unchanged because proxies do not need to authenticate for removal.
-// Returns nil if token generation fails (the proxy should be skipped).
-func (s *ProxyServiceServer) perProxyMessage(update *proto.ProxyMapping, proxyID string) *proto.ProxyMapping {
-	if update.Type == proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED || update.AccountId == "" {
-		return update
-	}
-
-	token, err := s.tokenStore.GenerateToken(update.AccountId, update.Id, 5*time.Minute)
-	if err != nil {
-		log.Warnf("Failed to generate token for proxy %s: %v", proxyID, err)
-		return nil
-	}
-
-	msg := shallowCloneMapping(update)
-	msg.AuthToken = token
-	return msg
-}
-
-// shallowCloneMapping creates a shallow copy of a ProxyMapping, reusing the
-// same slice/pointer fields. Only scalar fields that differ per proxy (AuthToken)
-// should be set on the copy.
-func shallowCloneMapping(m *proto.ProxyMapping) *proto.ProxyMapping {
-	return &proto.ProxyMapping{
-		Type:             m.Type,
-		Id:               m.Id,
-		AccountId:        m.AccountId,
-		Domain:           m.Domain,
-		Path:             m.Path,
-		Auth:             m.Auth,
-		PassHostHeader:   m.PassHostHeader,
-		RewriteRedirects: m.RewriteRedirects,
-	}
-}
-
 // GetAvailableClusters returns information about all connected proxy clusters.
 func (s *ProxyServiceServer) GetAvailableClusters() []ClusterInfo {
 	clusterCounts := make(map[string]int)
@@ -516,15 +426,67 @@ func (s *ProxyServiceServer) GetAvailableClusters() []ClusterInfo {
 func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
 	service, err := s.reverseProxyManager.GetServiceByID(ctx, req.GetAccountId(), req.GetId())
 	if err != nil {
-		log.WithContext(ctx).Debugf("failed to get service from store: %v", err)
-		return nil, status.Errorf(codes.FailedPrecondition, "get service from store: %v", err)
+		// TODO: log the error
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to get service from store: %v", err)
 	}
 
-	authenticated, userId, method := s.authenticateRequest(ctx, req, service)
+	var authenticated bool
+	var userId string
+	var method proxyauth.Method
+	switch v := req.GetRequest().(type) {
+	case *proto.AuthenticateRequest_Pin:
+		auth := service.Auth.PinAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		err = argon2id.Verify(v.Pin.GetPin(), auth.Pin)
+		if err != nil {
+			if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
+				log.WithContext(ctx).Tracef("PIN authentication failed: invalid PIN")
+			} else {
+				log.WithContext(ctx).Errorf("PIN authentication error: %v", err)
+			}
+			break
+		}
+		authenticated = true
+		userId = "pin-user"
+		method = proxyauth.MethodPIN
+	case *proto.AuthenticateRequest_Password:
+		auth := service.Auth.PasswordAuth
+		if auth == nil || !auth.Enabled {
+			// TODO: log
+			// Break here and use the default authenticated == false.
+			break
+		}
+		err = argon2id.Verify(v.Password.GetPassword(), auth.Password)
+		if err != nil {
+			if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
+				log.WithContext(ctx).Tracef("Password authentication failed: invalid password")
+			} else {
+				log.WithContext(ctx).Errorf("Password authentication error: %v", err)
+			}
+			break
+		}
+		authenticated = true
+		userId = "password-user"
+		method = proxyauth.MethodPassword
+	}
 
-	token, err := s.generateSessionToken(ctx, authenticated, service, userId, method)
-	if err != nil {
-		return nil, err
+	var token string
+	if authenticated && service.SessionPrivateKey != "" {
+		token, err = sessionkey.SignToken(
+			service.SessionPrivateKey,
+			userId,
+			service.Domain,
+			method,
+			proxyauth.DefaultSessionExpiry,
+		)
+		if err != nil {
+			log.WithError(err).Error("Failed to sign session token")
+			authenticated = false
+		}
 	}
 
 	return &proto.AuthenticateResponse{
@@ -533,73 +495,6 @@ func (s *ProxyServiceServer) Authenticate(ctx context.Context, req *proto.Authen
 	}, nil
 }
 
-func (s *ProxyServiceServer) authenticateRequest(ctx context.Context, req *proto.AuthenticateRequest, service *reverseproxy.Service) (bool, string, proxyauth.Method) {
-	switch v := req.GetRequest().(type) {
-	case *proto.AuthenticateRequest_Pin:
-		return s.authenticatePIN(ctx, req.GetId(), v, service.Auth.PinAuth)
-	case *proto.AuthenticateRequest_Password:
-		return s.authenticatePassword(ctx, req.GetId(), v, service.Auth.PasswordAuth)
-	default:
-		return false, "", ""
-	}
-}
-
-func (s *ProxyServiceServer) authenticatePIN(ctx context.Context, serviceID string, req *proto.AuthenticateRequest_Pin, auth *reverseproxy.PINAuthConfig) (bool, string, proxyauth.Method) {
-	if auth == nil || !auth.Enabled {
-		log.WithContext(ctx).Debugf("PIN authentication attempted but not enabled for service %s", serviceID)
-		return false, "", ""
-	}
-
-	if err := argon2id.Verify(req.Pin.GetPin(), auth.Pin); err != nil {
-		s.logAuthenticationError(ctx, err, "PIN")
-		return false, "", ""
-	}
-
-	return true, "pin-user", proxyauth.MethodPIN
-}
-
-func (s *ProxyServiceServer) authenticatePassword(ctx context.Context, serviceID string, req *proto.AuthenticateRequest_Password, auth *reverseproxy.PasswordAuthConfig) (bool, string, proxyauth.Method) {
-	if auth == nil || !auth.Enabled {
-		log.WithContext(ctx).Debugf("password authentication attempted but not enabled for service %s", serviceID)
-		return false, "", ""
-	}
-
-	if err := argon2id.Verify(req.Password.GetPassword(), auth.Password); err != nil {
-		s.logAuthenticationError(ctx, err, "Password")
-		return false, "", ""
-	}
-
-	return true, "password-user", proxyauth.MethodPassword
-}
-
-func (s *ProxyServiceServer) logAuthenticationError(ctx context.Context, err error, authType string) {
-	if errors.Is(err, argon2id.ErrMismatchedHashAndPassword) {
-		log.WithContext(ctx).Tracef("%s authentication failed: invalid credentials", authType)
-	} else {
-		log.WithContext(ctx).Errorf("%s authentication error: %v", authType, err)
-	}
-}
-
-func (s *ProxyServiceServer) generateSessionToken(ctx context.Context, authenticated bool, service *reverseproxy.Service, userId string, method proxyauth.Method) (string, error) {
-	if !authenticated || service.SessionPrivateKey == "" {
-		return "", nil
-	}
-
-	token, err := sessionkey.SignToken(
-		service.SessionPrivateKey,
-		userId,
-		service.Domain,
-		method,
-		proxyauth.DefaultSessionExpiry,
-	)
-	if err != nil {
-		log.WithContext(ctx).WithError(err).Error("failed to sign session token")
-		return "", status.Errorf(codes.Internal, "sign session token: %v", err)
-	}
-
-	return token, nil
-}
-
 // SendStatusUpdate handles status updates from proxy clients
 func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.SendStatusUpdateRequest) (*proto.SendStatusUpdateResponse, error) {
 	accountID := req.GetAccountId()
@@ -621,8 +516,8 @@ func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.Se
 
 	if certificateIssued {
 		if err := s.reverseProxyManager.SetCertificateIssuedAt(ctx, accountID, serviceID); err != nil {
-			log.WithContext(ctx).WithError(err).Error("failed to set certificate issued timestamp")
-			return nil, status.Errorf(codes.Internal, "update certificate timestamp: %v", err)
+			log.WithContext(ctx).WithError(err).Error("Failed to set certificate issued timestamp")
+			return nil, status.Errorf(codes.Internal, "failed to update certificate timestamp: %v", err)
 		}
 		log.WithFields(log.Fields{
 			"service_id": serviceID,
@@ -633,8 +528,8 @@ func (s *ProxyServiceServer) SendStatusUpdate(ctx context.Context, req *proto.Se
 	internalStatus := protoStatusToInternal(protoStatus)
 
 	if err := s.reverseProxyManager.SetStatus(ctx, accountID, serviceID, internalStatus); err != nil {
-		log.WithContext(ctx).WithError(err).Error("failed to update service status")
-		return nil, status.Errorf(codes.Internal, "update service status: %v", err)
+		log.WithContext(ctx).WithError(err).Error("Failed to set service status")
+		return nil, status.Errorf(codes.Internal, "failed to update service status: %v", err)
 	}
 
 	log.WithFields(log.Fields{
@@ -696,7 +591,7 @@ func (s *ProxyServiceServer) CreateProxyPeer(ctx context.Context, req *proto.Cre
 		return &proto.CreateProxyPeerResponse{
 			Success:      false,
 			ErrorMessage: strPtr("authentication failed: invalid or expired token"),
-		}, status.Errorf(codes.Unauthenticated, "token validation: %v", err)
+		}, status.Errorf(codes.Unauthenticated, "token validation failed: %v", err)
 	}
 
 	err := s.peersManager.CreateProxyPeer(ctx, accountID, key, cluster)
@@ -704,11 +599,11 @@ func (s *ProxyServiceServer) CreateProxyPeer(ctx context.Context, req *proto.Cre
 		log.WithFields(log.Fields{
 			"service_id": serviceID,
 			"account_id": accountID,
-		}).WithError(err).Error("failed to create proxy peer")
+		}).WithError(err).Error("CreateProxyPeer: failed to create proxy peer")
 		return &proto.CreateProxyPeerResponse{
 			Success:      false,
-			ErrorMessage: strPtr(fmt.Sprintf("create proxy peer: %v", err)),
-		}, status.Errorf(codes.Internal, "create proxy peer: %v", err)
+			ErrorMessage: strPtr(fmt.Sprintf("failed to create proxy peer: %v", err)),
+		}, status.Errorf(codes.Internal, "failed to create proxy peer: %v", err)
 	}
 
 	return &proto.CreateProxyPeerResponse{
@@ -724,13 +619,14 @@ func strPtr(s string) *string {
 func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCURLRequest) (*proto.GetOIDCURLResponse, error) {
 	redirectURL, err := url.Parse(req.GetRedirectUrl())
 	if err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "parse redirect url: %v", err)
+		// TODO: log
+		return nil, status.Errorf(codes.InvalidArgument, "failed to parse redirect url: %v", err)
 	}
 	// Validate redirectURL against known service endpoints to avoid abuse of OIDC redirection.
 	services, err := s.reverseProxyManager.GetAccountServices(ctx, req.GetAccountId())
 	if err != nil {
-		log.WithContext(ctx).Errorf("failed to get account services: %v", err)
-		return nil, status.Errorf(codes.FailedPrecondition, "get account services: %v", err)
+		// TODO: log
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to get services from store: %v", err)
 	}
 	var found bool
 	for _, service := range services {
@@ -740,14 +636,14 @@ func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCU
 		}
 	}
 	if !found {
-		log.WithContext(ctx).Debugf("OIDC redirect URL %q does not match any service domain", redirectURL.Hostname())
+		// TODO: log
 		return nil, status.Errorf(codes.FailedPrecondition, "service not found in store")
 	}
 
 	provider, err := oidc.NewProvider(ctx, s.oidcConfig.Issuer)
 	if err != nil {
-		log.WithContext(ctx).Errorf("failed to create OIDC provider: %v", err)
-		return nil, status.Errorf(codes.FailedPrecondition, "create OIDC provider: %v", err)
+		// TODO: log
+		return nil, status.Errorf(codes.FailedPrecondition, "failed to create OIDC provider: %v", err)
 	}
 
 	scopes := s.oidcConfig.Scopes
@@ -755,23 +651,13 @@ func (s *ProxyServiceServer) GetOIDCURL(ctx context.Context, req *proto.GetOIDCU
 		scopes = []string{oidc.ScopeOpenID, "profile", "email"}
 	}
 
-	// Generate a random nonce to ensure each OIDC request gets a unique state.
-	// Without this, multiple requests to the same URL would generate the same state
-	// but different PKCE verifiers, causing the later verifier to overwrite the earlier one.
-	nonce := make([]byte, 16)
-	if _, err := rand.Read(nonce); err != nil {
-		return nil, status.Errorf(codes.Internal, "generate nonce: %v", err)
-	}
-	nonceB64 := base64.URLEncoding.EncodeToString(nonce)
-
 	// Using an HMAC here to avoid redirection state being modified.
-	// State format: base64(redirectURL)|nonce|hmac(redirectURL|nonce)
-	payload := redirectURL.String() + "|" + nonceB64
-	hmacSum := s.generateHMAC(payload)
-	state := fmt.Sprintf("%s|%s|%s", base64.URLEncoding.EncodeToString([]byte(redirectURL.String())), nonceB64, hmacSum)
+	// State format: base64(redirectURL)|hmac
+	hmacSum := s.generateHMAC(redirectURL.String())
+	state := fmt.Sprintf("%s|%s", base64.URLEncoding.EncodeToString([]byte(redirectURL.String())), hmacSum)
 
 	codeVerifier := oauth2.GenerateVerifier()
-	s.pkceVerifiers.Store(state, pkceEntry{verifier: codeVerifier, createdAt: time.Now()})
+	s.pkceVerifiers.Store(state, codeVerifier)
 
 	return &proto.GetOIDCURLResponse{
 		Url: (&oauth2.Config{
@@ -812,24 +698,18 @@ func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL
 	if !ok {
 		return "", "", errors.New("no verifier for state")
 	}
-	entry, ok := v.(pkceEntry)
+	verifier, ok = v.(string)
 	if !ok {
 		return "", "", errors.New("invalid verifier for state")
 	}
-	if time.Since(entry.createdAt) > pkceVerifierTTL {
-		return "", "", errors.New("PKCE verifier expired")
-	}
-	verifier = entry.verifier
 
-	// State format: base64(redirectURL)|nonce|hmac(redirectURL|nonce)
 	parts := strings.Split(state, "|")
-	if len(parts) != 3 {
+	if len(parts) != 2 {
 		return "", "", errors.New("invalid state format")
 	}
 
 	encodedURL := parts[0]
-	nonce := parts[1]
-	providedHMAC := parts[2]
+	providedHMAC := parts[1]
 
 	redirectURLBytes, err := base64.URLEncoding.DecodeString(encodedURL)
 	if err != nil {
@@ -837,11 +717,10 @@ func (s *ProxyServiceServer) ValidateState(state string) (verifier, redirectURL
 	}
 	redirectURL = string(redirectURLBytes)
 
-	payload := redirectURL + "|" + nonce
-	expectedHMAC := s.generateHMAC(payload)
+	expectedHMAC := s.generateHMAC(redirectURL)
 
 	if !hmac.Equal([]byte(providedHMAC), []byte(expectedHMAC)) {
-		return "", "", errors.New("invalid state signature")
+		return "", "", fmt.Errorf("invalid state signature")
 	}
 
 	return verifier, redirectURL, nil
@@ -954,7 +833,6 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"domain": domain,
 			"error":  err.Error(),
 		}).Debug("ValidateSession: service not found")
-		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "service_not_found",
@@ -967,7 +845,6 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"domain": domain,
 			"error":  err.Error(),
 		}).Error("ValidateSession: decode public key")
-		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "invalid_service_config",
@@ -980,7 +857,6 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"domain": domain,
 			"error":  err.Error(),
 		}).Debug("ValidateSession: invalid session token")
-		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "invalid_token",
@@ -994,7 +870,6 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_id": userID,
 			"error":   err.Error(),
 		}).Debug("ValidateSession: user not found")
-		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "user_not_found",
@@ -1008,7 +883,6 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_account":    user.AccountID,
 			"service_account": service.AccountID,
 		}).Debug("ValidateSession: user account mismatch")
-		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			DeniedReason: "account_mismatch",
@@ -1021,7 +895,6 @@ func (s *ProxyServiceServer) ValidateSession(ctx context.Context, req *proto.Val
 			"user_id": userID,
 			"error":   err.Error(),
 		}).Debug("ValidateSession: access denied")
-		//nolint:nilerr
 		return &proto.ValidateSessionResponse{
 			Valid:        false,
 			UserId:       user.Id,

management/internals/shared/grpc/proxy_group_access_test.go

@@ -29,19 +29,19 @@ func (m *mockReverseProxyManager) GetGlobalServices(ctx context.Context) ([]*rev
 }
 
 func (m *mockReverseProxyManager) GetAllServices(ctx context.Context, accountID, userID string) ([]*reverseproxy.Service, error) {
-	return []*reverseproxy.Service{}, nil
+	return nil, nil
 }
 
 func (m *mockReverseProxyManager) GetService(ctx context.Context, accountID, userID, reverseProxyID string) (*reverseproxy.Service, error) {
-	return &reverseproxy.Service{}, nil
+	return nil, nil
 }
 
 func (m *mockReverseProxyManager) CreateService(ctx context.Context, accountID, userID string, rp *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return &reverseproxy.Service{}, nil
+	return nil, nil
 }
 
 func (m *mockReverseProxyManager) UpdateService(ctx context.Context, accountID, userID string, rp *reverseproxy.Service) (*reverseproxy.Service, error) {
-	return &reverseproxy.Service{}, nil
+	return nil, nil
 }
 
 func (m *mockReverseProxyManager) DeleteService(ctx context.Context, accountID, userID, reverseProxyID string) error {
@@ -65,7 +65,7 @@ func (m *mockReverseProxyManager) ReloadService(ctx context.Context, accountID,
 }
 
 func (m *mockReverseProxyManager) GetServiceByID(ctx context.Context, accountID, reverseProxyID string) (*reverseproxy.Service, error) {
-	return &reverseproxy.Service{}, nil
+	return nil, nil
 }
 
 func (m *mockReverseProxyManager) GetServiceIDByTargetID(_ context.Context, _, _ string) (string, error) {
@@ -120,7 +120,7 @@ func TestValidateUserGroupAccess(t *testing.T) {
 				"user1": {Id: "user1", AccountID: "account1"},
 			},
 			expectErr:    true,
-			expectErrMsg: "service not found",
+			expectErrMsg: "reverse proxy not found",
 		},
 		{
 			name:   "proxy exists in different account - not accessible",
@@ -133,7 +133,7 @@ func TestValidateUserGroupAccess(t *testing.T) {
 				"user1": {Id: "user1", AccountID: "account1"},
 			},
 			expectErr:    true,
-			expectErrMsg: "service not found",
+			expectErrMsg: "reverse proxy not found",
 		},
 		{
 			name:   "no bearer auth configured - same account allows access",
@@ -260,7 +260,7 @@ func TestValidateUserGroupAccess(t *testing.T) {
 				"user1": {Id: "user1", AccountID: "account1"},
 			},
 			expectErr:    true,
-			expectErrMsg: "get account services",
+			expectErrMsg: "get account reverse proxies",
 		},
 		{
 			name:   "multiple proxies in account - finds correct one",
@@ -366,7 +366,7 @@ func TestGetAccountProxyByDomain(t *testing.T) {
 				},
 			}
 
-			proxy, err := server.getAccountServiceByDomain(context.Background(), tt.accountID, tt.domain)
+			proxy, err := server.getAccountProxyByDomain(context.Background(), tt.accountID, tt.domain)
 
 			if tt.expectErr {
 				require.Error(t, err)

management/internals/shared/grpc/proxy_test.go

@@ -1,232 +0,0 @@
-package grpc
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// registerFakeProxy adds a fake proxy connection to the server's internal maps
-// and returns the channel where messages will be received.
-func registerFakeProxy(s *ProxyServiceServer, proxyID, clusterAddr string) chan *proto.ProxyMapping {
-	ch := make(chan *proto.ProxyMapping, 10)
-	conn := &proxyConnection{
-		proxyID:  proxyID,
-		address:  clusterAddr,
-		sendChan: ch,
-	}
-	s.connectedProxies.Store(proxyID, conn)
-
-	proxySet, _ := s.clusterProxies.LoadOrStore(clusterAddr, &sync.Map{})
-	proxySet.(*sync.Map).Store(proxyID, struct{}{})
-
-	return ch
-}
-
-func drainChannel(ch chan *proto.ProxyMapping) *proto.ProxyMapping {
-	select {
-	case msg := <-ch:
-		return msg
-	case <-time.After(time.Second):
-		return nil
-	}
-}
-
-func TestSendServiceUpdateToCluster_UniqueTokensPerProxy(t *testing.T) {
-	tokenStore := NewOneTimeTokenStore(time.Hour)
-	defer tokenStore.Close()
-
-	s := &ProxyServiceServer{
-		tokenStore:  tokenStore,
-		updatesChan: make(chan *proto.ProxyMapping, 100),
-	}
-
-	const cluster = "proxy.example.com"
-	const numProxies = 3
-
-	channels := make([]chan *proto.ProxyMapping, numProxies)
-	for i := range numProxies {
-		id := "proxy-" + string(rune('a'+i))
-		channels[i] = registerFakeProxy(s, id, cluster)
-	}
-
-	update := &proto.ProxyMapping{
-		Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-		Id:        "service-1",
-		AccountId: "account-1",
-		Domain:    "test.example.com",
-		Path: []*proto.PathMapping{
-			{Path: "/", Target: "http://10.0.0.1:8080/"},
-		},
-	}
-
-	s.SendServiceUpdateToCluster(update, cluster)
-
-	tokens := make([]string, numProxies)
-	for i, ch := range channels {
-		msg := drainChannel(ch)
-		require.NotNil(t, msg, "proxy %d should receive a message", i)
-		assert.Equal(t, update.Domain, msg.Domain)
-		assert.Equal(t, update.Id, msg.Id)
-		assert.NotEmpty(t, msg.AuthToken, "proxy %d should have a non-empty token", i)
-		tokens[i] = msg.AuthToken
-	}
-
-	// All tokens must be unique
-	tokenSet := make(map[string]struct{})
-	for i, tok := range tokens {
-		_, exists := tokenSet[tok]
-		assert.False(t, exists, "proxy %d got duplicate token", i)
-		tokenSet[tok] = struct{}{}
-	}
-
-	// Each token must be independently consumable
-	for i, tok := range tokens {
-		err := tokenStore.ValidateAndConsume(tok, "account-1", "service-1")
-		assert.NoError(t, err, "proxy %d token should validate successfully", i)
-	}
-}
-
-func TestSendServiceUpdateToCluster_DeleteNoToken(t *testing.T) {
-	tokenStore := NewOneTimeTokenStore(time.Hour)
-	defer tokenStore.Close()
-
-	s := &ProxyServiceServer{
-		tokenStore:  tokenStore,
-		updatesChan: make(chan *proto.ProxyMapping, 100),
-	}
-
-	const cluster = "proxy.example.com"
-	ch1 := registerFakeProxy(s, "proxy-a", cluster)
-	ch2 := registerFakeProxy(s, "proxy-b", cluster)
-
-	update := &proto.ProxyMapping{
-		Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED,
-		Id:        "service-1",
-		AccountId: "account-1",
-		Domain:    "test.example.com",
-	}
-
-	s.SendServiceUpdateToCluster(update, cluster)
-
-	msg1 := drainChannel(ch1)
-	msg2 := drainChannel(ch2)
-	require.NotNil(t, msg1)
-	require.NotNil(t, msg2)
-
-	// Delete operations should not generate tokens
-	assert.Empty(t, msg1.AuthToken)
-	assert.Empty(t, msg2.AuthToken)
-
-	// No tokens should have been created
-	assert.Equal(t, 0, tokenStore.GetTokenCount())
-}
-
-func TestSendServiceUpdate_UniqueTokensPerProxy(t *testing.T) {
-	tokenStore := NewOneTimeTokenStore(time.Hour)
-	defer tokenStore.Close()
-
-	s := &ProxyServiceServer{
-		tokenStore:  tokenStore,
-		updatesChan: make(chan *proto.ProxyMapping, 100),
-	}
-
-	// Register proxies in different clusters (SendServiceUpdate broadcasts to all)
-	ch1 := registerFakeProxy(s, "proxy-a", "cluster-a")
-	ch2 := registerFakeProxy(s, "proxy-b", "cluster-b")
-
-	update := &proto.ProxyMapping{
-		Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-		Id:        "service-1",
-		AccountId: "account-1",
-		Domain:    "test.example.com",
-	}
-
-	s.SendServiceUpdate(update)
-
-	msg1 := drainChannel(ch1)
-	msg2 := drainChannel(ch2)
-	require.NotNil(t, msg1)
-	require.NotNil(t, msg2)
-
-	assert.NotEmpty(t, msg1.AuthToken)
-	assert.NotEmpty(t, msg2.AuthToken)
-	assert.NotEqual(t, msg1.AuthToken, msg2.AuthToken, "tokens must be unique per proxy")
-
-	// Both tokens should validate
-	assert.NoError(t, tokenStore.ValidateAndConsume(msg1.AuthToken, "account-1", "service-1"))
-	assert.NoError(t, tokenStore.ValidateAndConsume(msg2.AuthToken, "account-1", "service-1"))
-}
-
-// generateState creates a state using the same format as GetOIDCURL.
-func generateState(s *ProxyServiceServer, redirectURL string) string {
-	nonce := make([]byte, 16)
-	_, _ = rand.Read(nonce)
-	nonceB64 := base64.URLEncoding.EncodeToString(nonce)
-
-	payload := redirectURL + "|" + nonceB64
-	hmacSum := s.generateHMAC(payload)
-	return base64.URLEncoding.EncodeToString([]byte(redirectURL)) + "|" + nonceB64 + "|" + hmacSum
-}
-
-func TestOAuthState_NeverTheSame(t *testing.T) {
-	s := &ProxyServiceServer{
-		oidcConfig: ProxyOIDCConfig{
-			HMACKey: []byte("test-hmac-key"),
-		},
-	}
-
-	redirectURL := "https://app.example.com/callback"
-
-	// Generate 100 states for the same redirect URL
-	states := make(map[string]bool)
-	for i := 0; i < 100; i++ {
-		state := generateState(s, redirectURL)
-
-		// State must have 3 parts: base64(url)|nonce|hmac
-		parts := strings.Split(state, "|")
-		require.Equal(t, 3, len(parts), "state must have 3 parts")
-
-		// State must be unique
-		require.False(t, states[state], "state %d is a duplicate", i)
-		states[state] = true
-	}
-}
-
-func TestValidateState_RejectsOldTwoPartFormat(t *testing.T) {
-	s := &ProxyServiceServer{
-		oidcConfig: ProxyOIDCConfig{
-			HMACKey: []byte("test-hmac-key"),
-		},
-	}
-
-	// Old format had only 2 parts: base64(url)|hmac
-	s.pkceVerifiers.Store("base64url|hmac", pkceEntry{verifier: "test", createdAt: time.Now()})
-
-	_, _, err := s.ValidateState("base64url|hmac")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "invalid state format")
-}
-
-func TestValidateState_RejectsInvalidHMAC(t *testing.T) {
-	s := &ProxyServiceServer{
-		oidcConfig: ProxyOIDCConfig{
-			HMACKey: []byte("test-hmac-key"),
-		},
-	}
-
-	// Store with tampered HMAC
-	s.pkceVerifiers.Store("dGVzdA==|nonce|wrong-hmac", pkceEntry{verifier: "test", createdAt: time.Now()})
-
-	_, _, err := s.ValidateState("dGVzdA==|nonce|wrong-hmac")
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "invalid state signature")
-}

management/internals/shared/grpc/server.go

@@ -224,7 +224,6 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	s.syncSem.Add(1)
 
 	reqStart := time.Now()
-	syncStart := reqStart.UTC()
 
 	ctx := srv.Context()
 
@@ -301,7 +300,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	metahash := metaHash(peerMeta, realIP.String())
 	s.loginFilter.addLogin(peerKey.String(), metahash)
 
-	peer, netMap, postureChecks, dnsFwdPort, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP, syncStart)
+	peer, netMap, postureChecks, dnsFwdPort, err := s.accountManager.SyncAndMarkPeer(ctx, accountID, peerKey.String(), peerMeta, realIP, reqStart)
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while syncing peer %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
@@ -312,7 +311,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while sending initial sync for %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
-		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, syncStart)
+		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, reqStart)
 		return err
 	}
 
@@ -320,7 +319,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 	if err != nil {
 		log.WithContext(ctx).Debugf("error while notify peer connected for %s: %v", peerKey.String(), err)
 		s.syncSem.Add(-1)
-		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, syncStart)
+		s.cancelPeerRoutinesWithoutLock(ctx, accountID, peer, reqStart)
 		return err
 	}
 
@@ -337,7 +336,7 @@ func (s *Server) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_S
 
 	s.syncSem.Add(-1)
 
-	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv, syncStart)
+	return s.handleUpdates(ctx, accountID, peerKey, peer, updates, srv, reqStart)
 }
 
 func (s *Server) handleHandshake(ctx context.Context, srv proto.ManagementService_JobServer) (wgtypes.Key, error) {

management/server/account.go

@@ -297,7 +297,6 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 	var oldSettings *types.Settings
 	var updateAccountPeers bool
 	var groupChangesAffectPeers bool
-	var reloadReverseProxy bool
 
 	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var groupsUpdated bool
@@ -328,7 +327,9 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 			if err = am.reallocateAccountPeerIPs(ctx, transaction, accountID, newSettings.NetworkRange); err != nil {
 				return err
 			}
-			reloadReverseProxy = true
+			if err = am.reverseProxyManager.ReloadAllServicesForAccount(ctx, accountID); err != nil {
+				log.WithContext(ctx).Warnf("failed to reload all services for account %s: %v", accountID, err)
+			}
 			updateAccountPeers = true
 		}
 
@@ -393,11 +394,6 @@ func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, acco
 		}
 		am.StoreEvent(ctx, userID, accountID, accountID, activity.AccountNetworkRangeUpdated, eventMeta)
 	}
-	if reloadReverseProxy {
-		if err = am.reverseProxyManager.ReloadAllServicesForAccount(ctx, accountID); err != nil {
-			log.WithContext(ctx).Warnf("failed to reload all services for account %s: %v", accountID, err)
-		}
-	}
 
 	if updateAccountPeers || extraSettingsChanged || groupChangesAffectPeers {
 		go am.UpdateAccountPeers(ctx, accountID)

management/server/account_test.go

@@ -27,8 +27,6 @@ import (
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	ephemeral_manager "github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
@@ -1802,14 +1800,6 @@ func TestAccount_Copy(t *testing.T) {
 				Address:   "172.12.6.1/24",
 			},
 		},
-		Services: []*reverseproxy.Service{
-			{
-				ID:        "service1",
-				Name:      "test-service",
-				AccountID: "account1",
-				Targets:   []*reverseproxy.Target{},
-			},
-		},
 		NetworkMapCache: &types.NetworkMapBuilder{},
 	}
 	account.InitOnce()
@@ -3122,8 +3112,6 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 		return nil, nil, err
 	}
 
-	manager.SetServiceManager(reverseproxymanager.NewManager(store, manager, permissionsManager, nil, nil))
-
 	return manager, updateManager, nil
 }
 
@@ -3918,36 +3906,3 @@ func TestAddNewUserToDomainAccountWithoutApproval(t *testing.T) {
 	assert.False(t, user.PendingApproval, "User should not be pending approval")
 	assert.Equal(t, existingAccountID, user.AccountID)
 }
-
-// TestDefaultAccountManager_UpdateAccountSettings_NetworkRangeChange verifies that
-// changing NetworkRange via UpdateAccountSettings does not deadlock.
-// The deadlock occurs because ReloadAllServicesForAccount is called inside a DB
-// transaction but uses the main store connection, which blocks on the transaction lock.
-func TestDefaultAccountManager_UpdateAccountSettings_NetworkRangeChange(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err)
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err)
-
-	ctx := context.Background()
-
-	// Use a channel to detect if the call completes or hangs
-	done := make(chan error, 1)
-	go func() {
-		_, err := manager.UpdateAccountSettings(ctx, accountID, userID, &types.Settings{
-			PeerLoginExpiration:        time.Hour,
-			PeerLoginExpirationEnabled: true,
-			NetworkRange:               netip.MustParsePrefix("10.100.0.0/16"),
-			Extra:                      &types.ExtraSettings{},
-		})
-		done <- err
-	}()
-
-	select {
-	case err := <-done:
-		require.NoError(t, err, "UpdateAccountSettings should complete without error")
-	case <-time.After(10 * time.Second):
-		t.Fatal("UpdateAccountSettings deadlocked when changing NetworkRange")
-	}
-}

management/server/group_test.go

@@ -703,7 +703,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
 	t.Run("saving group linked to network router", func(t *testing.T) {
 		permissionsManager := permissions.NewManager(manager.Store)
 		groupsManager := groups.NewManager(manager.Store, permissionsManager, manager)
-		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager, manager.reverseProxyManager)
+		resourcesManager := resources.NewManager(manager.Store, permissionsManager, groupsManager, manager)
 		routersManager := routers.NewManager(manager.Store, permissionsManager, manager)
 		networksManager := networks.NewManager(manager.Store, permissionsManager, resourcesManager, routersManager, manager)
 

management/server/http/handler.go

@@ -4,28 +4,23 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"net/netip"
 	"os"
 	"strconv"
 	"time"
 
 	"github.com/gorilla/mux"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
-
-	"github.com/netbirdio/netbird/management/server/types"
-
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain"
 	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
-
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	idpmanager "github.com/netbirdio/netbird/management/server/idp"
 
 	"github.com/netbirdio/management-integrations/integrations"
-
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/modules/zones"
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
@@ -37,8 +32,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 
-	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
-
 	nbpeers "github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/geolocation"
@@ -52,6 +45,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/handlers/networks"
 	"github.com/netbirdio/netbird/management/server/http/handlers/peers"
 	"github.com/netbirdio/netbird/management/server/http/handlers/policies"
+	"github.com/netbirdio/netbird/management/server/http/handlers/proxy"
 	"github.com/netbirdio/netbird/management/server/http/handlers/routes"
 	"github.com/netbirdio/netbird/management/server/http/handlers/setup_keys"
 	"github.com/netbirdio/netbird/management/server/http/handlers/users"
@@ -73,7 +67,7 @@ const (
 )
 
 // NewAPIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *manager.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer, trustedHTTPProxies []netip.Prefix) (http.Handler, error) {
+func NewAPIHandler(ctx context.Context, accountManager account.Manager, networksManager nbnetworks.Manager, resourceManager resources.Manager, routerManager routers.Manager, groupsManager nbgroups.Manager, LocationManager geolocation.Geolocation, authManager auth.Manager, appMetrics telemetry.AppMetrics, integratedValidator integrated_validator.IntegratedValidator, proxyController port_forwarding.Controller, permissionsManager permissions.Manager, peersManager nbpeers.Manager, settingsManager settings.Manager, zManager zones.Manager, rManager records.Manager, networkMapController network_map.Controller, idpManager idpmanager.Manager, reverseProxyManager reverseproxy.Manager, reverseProxyDomainManager *domain.Manager, reverseProxyAccessLogsManager accesslogs.Manager, proxyGRPCServer *nbgrpc.ProxyServiceServer) (http.Handler, error) {
 
 	// Register bypass paths for unauthenticated endpoints
 	if err := bypass.AddBypassPath("/api/instance"); err != nil {
@@ -179,7 +173,7 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 
 	// Register OAuth callback handler for proxy authentication
 	if proxyGRPCServer != nil {
-		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer, trustedHTTPProxies)
+		oauthHandler := proxy.NewAuthCallbackHandler(proxyGRPCServer)
 		oauthHandler.RegisterEndpoints(router)
 	}
 

management/server/http/handlers/peers/peers_handler.go

@@ -18,8 +18,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/groups"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/management/http/api"
 	"github.com/netbirdio/netbird/shared/management/http/util"
@@ -154,11 +152,6 @@ func (h *Handler) getPeer(ctx context.Context, accountID, peerID, userID string,
 		return
 	}
 
-	if peer.ProxyMeta.Embedded {
-		util.WriteError(ctx, status.Errorf(status.InvalidArgument, "not allowed to read peer"), w)
-		return
-	}
-
 	settings, err := h.accountManager.GetAccountSettings(ctx, accountID, activity.SystemInitiator)
 	if err != nil {
 		util.WriteError(ctx, err, w)
@@ -326,9 +319,6 @@ func (h *Handler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
 	grpsInfoMap := groups.ToGroupsInfoMap(grps, len(peers))
 	respBody := make([]*api.PeerBatch, 0, len(peers))
 	for _, peer := range peers {
-		if peer.ProxyMeta.Embedded {
-			continue
-		}
 		respBody = append(respBody, toPeerListItemResponse(peer, grpsInfoMap[peer.ID], dnsDomain, 0))
 	}
 
@@ -378,9 +368,9 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	allowed, err := h.permissionsManager.ValidateUserPermissions(r.Context(), accountID, userID, modules.Peers, operations.Read)
+	err = h.permissionsManager.ValidateAccountAccess(r.Context(), accountID, user, false)
 	if err != nil {
-		util.WriteError(r.Context(), status.NewPermissionValidationError(err), w)
+		util.WriteError(r.Context(), status.NewPermissionDeniedError(), w)
 		return
 	}
 
@@ -390,12 +380,9 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !allowed && !userAuth.IsChild {
-		if account.Settings.RegularUsersViewBlocked {
-			util.WriteJSONObject(r.Context(), w, []api.AccessiblePeer{})
-			return
-		}
-
+	// If the user is regular user and does not own the peer
+	// with the given peerID return an empty list
+	if !user.HasAdminPower() && !user.IsServiceUser && !userAuth.IsChild {
 		peer, ok := account.Peers[peerID]
 		if !ok {
 			util.WriteError(r.Context(), status.Errorf(status.NotFound, "peer not found"), w)

management/server/http/handlers/peers/peers_handler_test.go

@@ -22,8 +22,6 @@ import (
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/http/api"
@@ -117,16 +115,6 @@ func initTestMetaData(t *testing.T, peers ...*nbpeer.Peer) *Handler {
 	ctrl2 := gomock.NewController(t)
 	permissionsManager := permissions.NewMockManager(ctrl2)
 	permissionsManager.EXPECT().ValidateAccountAccess(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
-	permissionsManager.EXPECT().
-		ValidateUserPermissions(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Eq(modules.Peers), gomock.Eq(operations.Read)).
-		DoAndReturn(func(ctx context.Context, accountID, userID string, module modules.Module, operation operations.Operation) (bool, error) {
-			user, ok := account.Users[userID]
-			if !ok {
-				return false, fmt.Errorf("user not found")
-			}
-			return user.HasAdminPower() || user.IsServiceUser, nil
-		}).
-		AnyTimes()
 
 	return &Handler{
 		accountManager: &mock_server.MockAccountManager{
@@ -395,11 +383,12 @@ func TestGetAccessiblePeers(t *testing.T) {
 		UserID:                 regularUser,
 	}
 
+	p := initTestMetaData(t, peer1, peer2, peer3)
+
 	tt := []struct {
 		name           string
 		peerID         string
 		callerUserID   string
-		viewBlocked    bool
 		expectedStatus int
 		expectedPeers  []string
 	}{
@@ -438,56 +427,10 @@ func TestGetAccessiblePeers(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			expectedPeers:  []string{"peer1", "peer2"},
 		},
-		{
-			name:           "regular user gets empty for owned peer list when view blocked",
-			peerID:         "peer1",
-			callerUserID:   regularUser,
-			viewBlocked:    true,
-			expectedStatus: http.StatusOK,
-			expectedPeers:  []string{},
-		},
-		{
-			name:           "regular user gets empty list for unowned peer when view blocked",
-			peerID:         "peer2",
-			callerUserID:   regularUser,
-			viewBlocked:    true,
-			expectedStatus: http.StatusOK,
-			expectedPeers:  []string{},
-		},
-		{
-			name:           "admin user still sees accessible peers when view blocked",
-			peerID:         "peer2",
-			callerUserID:   adminUser,
-			viewBlocked:    true,
-			expectedStatus: http.StatusOK,
-			expectedPeers:  []string{"peer1", "peer3"},
-		},
-		{
-			name:           "service user still sees accessible peers when view blocked",
-			peerID:         "peer3",
-			callerUserID:   serviceUser,
-			viewBlocked:    true,
-			expectedStatus: http.StatusOK,
-			expectedPeers:  []string{"peer1", "peer2"},
-		},
 	}
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
-			p := initTestMetaData(t, peer1, peer2, peer3)
-
-			if tc.viewBlocked {
-				mockAM := p.accountManager.(*mock_server.MockAccountManager)
-				originalGetAccountByIDFunc := mockAM.GetAccountByIDFunc
-				mockAM.GetAccountByIDFunc = func(ctx context.Context, accountID string, userID string) (*types.Account, error) {
-					account, err := originalGetAccountByIDFunc(ctx, accountID, userID)
-					if err != nil {
-						return nil, err
-					}
-					account.Settings.RegularUsersViewBlocked = true
-					return account, nil
-				}
-			}
 
 			recorder := httptest.NewRecorder()
 			req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/api/peers/%s/accessible-peers", tc.peerID), nil)

management/server/http/handlers/proxy/auth.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net"
 	"net/http"
-	"net/netip"
 	"net/url"
 	"strings"
 	"time"
@@ -22,13 +21,12 @@ import (
 
 // AuthCallbackHandler handles OAuth callbacks for proxy authentication.
 type AuthCallbackHandler struct {
-	proxyService   *nbgrpc.ProxyServiceServer
-	rateLimiter    *middleware.APIRateLimiter
-	trustedProxies []netip.Prefix
+	proxyService *nbgrpc.ProxyServiceServer
+	rateLimiter  *middleware.APIRateLimiter
 }
 
 // NewAuthCallbackHandler creates a new OAuth callback handler.
-func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer, trustedProxies []netip.Prefix) *AuthCallbackHandler {
+func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer) *AuthCallbackHandler {
 	rateLimiterConfig := &middleware.RateLimiterConfig{
 		RequestsPerMinute: 10,
 		Burst:             15,
@@ -37,9 +35,8 @@ func NewAuthCallbackHandler(proxyService *nbgrpc.ProxyServiceServer, trustedProx
 	}
 
 	return &AuthCallbackHandler{
-		proxyService:   proxyService,
-		rateLimiter:    middleware.NewAPIRateLimiter(rateLimiterConfig),
-		trustedProxies: trustedProxies,
+		proxyService: proxyService,
+		rateLimiter:  middleware.NewAPIRateLimiter(rateLimiterConfig),
 	}
 }
 
@@ -49,7 +46,7 @@ func (h *AuthCallbackHandler) RegisterEndpoints(router *mux.Router) {
 }
 
 func (h *AuthCallbackHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
-	clientIP := h.resolveClientIP(r)
+	clientIP := getClientIP(r)
 	if !h.rateLimiter.Allow(clientIP) {
 		log.WithField("client_ip", clientIP).Warn("OAuth callback rate limit exceeded")
 		http.Error(w, "Too many requests. Please try again later.", http.StatusTooManyRequests)
@@ -152,57 +149,23 @@ func extractUserIDFromToken(ctx context.Context, provider *oidc.Provider, config
 	return claims.Subject
 }
 
-// resolveClientIP extracts the real client IP from the request.
-// When trustedProxies is non-empty and the direct peer is trusted,
-// it walks X-Forwarded-For right-to-left skipping trusted IPs.
-// Otherwise it returns RemoteAddr directly.
-func (h *AuthCallbackHandler) resolveClientIP(r *http.Request) string {
-	remoteIP := extractHost(r.RemoteAddr)
-
-	if len(h.trustedProxies) == 0 || !isTrustedProxy(remoteIP, h.trustedProxies) {
-		return remoteIP
-	}
-
-	xff := r.Header.Get("X-Forwarded-For")
-	if xff == "" {
-		return remoteIP
-	}
-
-	parts := strings.Split(xff, ",")
-	for i := len(parts) - 1; i >= 0; i-- {
-		ip := strings.TrimSpace(parts[i])
-		if ip == "" {
-			continue
-		}
-		if !isTrustedProxy(ip, h.trustedProxies) {
-			return ip
+// getClientIP extracts the client IP address from the request.
+func getClientIP(r *http.Request) string {
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		if idx := strings.Index(xff, ","); idx != -1 {
+			return strings.TrimSpace(xff[:idx])
 		}
+		return xff
 	}
 
-	// All IPs in XFF are trusted; return the leftmost as best guess.
-	if first := strings.TrimSpace(parts[0]); first != "" {
-		return first
+	if xri := r.Header.Get("X-Real-IP"); xri != "" {
+		return xri
 	}
-	return remoteIP
-}
 
-func extractHost(remoteAddr string) string {
-	host, _, err := net.SplitHostPort(remoteAddr)
+	// Fall back to RemoteAddr
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
-		return remoteAddr
+		return r.RemoteAddr
 	}
 	return host
 }
-
-func isTrustedProxy(ipStr string, trusted []netip.Prefix) bool {
-	addr, err := netip.ParseAddr(ipStr)
-	if err != nil {
-		return false
-	}
-	for _, prefix := range trusted {
-		if prefix.Contains(addr) {
-			return true
-		}
-	}
-	return false
-}

management/server/http/handlers/proxy/auth_callback_integration_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
+	accesslogs "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -161,8 +161,8 @@ func (m *testAccessLogManager) SaveAccessLog(_ context.Context, _ *accesslogs.Ac
 	return nil
 }
 
-func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string, _ *accesslogs.AccessLogFilter) ([]*accesslogs.AccessLogEntry, int64, error) {
-	return nil, 0, nil
+func (m *testAccessLogManager) GetAllAccessLogs(_ context.Context, _, _ string) ([]*accesslogs.AccessLogEntry, error) {
+	return nil, nil
 }
 
 func setupAuthCallbackTest(t *testing.T) *testSetup {
@@ -200,7 +200,7 @@ func setupAuthCallbackTest(t *testing.T) *testSetup {
 
 	proxyService.SetProxyManager(&testServiceManager{store: testStore})
 
-	handler := NewAuthCallbackHandler(proxyService, nil)
+	handler := NewAuthCallbackHandler(proxyService)
 
 	router := mux.NewRouter()
 	handler.RegisterEndpoints(router)
@@ -382,7 +382,7 @@ func (m *testServiceManager) ReloadService(_ context.Context, _, _ string) error
 }
 
 func (m *testServiceManager) GetGlobalServices(ctx context.Context) ([]*reverseproxy.Service, error) {
-	return m.store.GetServices(ctx, store.LockingStrengthNone)
+	return m.store.GetReverseProxies(ctx, store.LockingStrengthNone)
 }
 
 func (m *testServiceManager) GetServiceByID(ctx context.Context, accountID, proxyID string) (*reverseproxy.Service, error) {

management/server/http/handlers/proxy/auth_test.go

@@ -3,7 +3,6 @@ package proxy
 import (
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -13,7 +12,7 @@ import (
 )
 
 func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
 	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
 
 	req := httptest.NewRequest(http.MethodGet, "/callback?state=test&code=test", nil)
@@ -55,7 +54,7 @@ func TestAuthCallbackHandler_RateLimiting(t *testing.T) {
 }
 
 func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
 	testIP := "10.0.0.50"
 
 	handler.rateLimiter.Reset(testIP)
@@ -76,76 +75,46 @@ func TestAuthCallbackHandler_RateLimitInHandleCallback(t *testing.T) {
 	})
 }
 
-func TestResolveClientIP(t *testing.T) {
-	trusted := []netip.Prefix{
-		netip.MustParsePrefix("10.0.0.0/8"),
-		netip.MustParsePrefix("172.16.0.0/12"),
-	}
-
+func TestGetClientIP(t *testing.T) {
 	tests := []struct {
 		name          string
 		remoteAddr    string
 		xForwardedFor string
-		trustedProxy  []netip.Prefix
+		xRealIP       string
 		expectedIP    string
 	}{
 		{
-			name:          "no trusted proxies returns RemoteAddr",
-			remoteAddr:    "203.0.113.50:9999",
-			xForwardedFor: "1.2.3.4",
-			trustedProxy:  nil,
-			expectedIP:    "203.0.113.50",
+			name:       "extract from RemoteAddr",
+			remoteAddr: "192.168.1.100:12345",
+			expectedIP: "192.168.1.100",
 		},
 		{
-			name:          "untrusted RemoteAddr ignores XFF",
-			remoteAddr:    "203.0.113.50:9999",
-			xForwardedFor: "1.2.3.4, 10.0.0.1",
-			trustedProxy:  trusted,
-			expectedIP:    "203.0.113.50",
+			name:          "extract from X-Forwarded-For single IP",
+			remoteAddr:    "10.0.0.1:54321",
+			xForwardedFor: "203.0.113.195",
+			expectedIP:    "203.0.113.195",
 		},
 		{
-			name:          "trusted RemoteAddr with single client in XFF",
-			remoteAddr:    "10.0.0.1:5000",
-			xForwardedFor: "203.0.113.50",
-			trustedProxy:  trusted,
-			expectedIP:    "203.0.113.50",
+			name:          "extract from X-Forwarded-For multiple IPs",
+			remoteAddr:    "10.0.0.1:54321",
+			xForwardedFor: "203.0.113.195, 70.41.3.18, 150.172.238.178",
+			expectedIP:    "203.0.113.195",
 		},
 		{
-			name:          "trusted RemoteAddr walks past trusted entries in XFF",
-			remoteAddr:    "10.0.0.1:5000",
-			xForwardedFor: "203.0.113.50, 10.0.0.2, 172.16.0.5",
-			trustedProxy:  trusted,
-			expectedIP:    "203.0.113.50",
+			name:       "extract from X-Real-IP",
+			remoteAddr: "10.0.0.1:54321",
+			xRealIP:    "198.51.100.42",
+			expectedIP: "198.51.100.42",
 		},
 		{
-			name:         "trusted RemoteAddr with empty XFF falls back to RemoteAddr",
-			remoteAddr:   "10.0.0.1:5000",
-			trustedProxy: trusted,
-			expectedIP:   "10.0.0.1",
+			name:          "X-Forwarded-For takes precedence over X-Real-IP",
+			remoteAddr:    "10.0.0.1:54321",
+			xForwardedFor: "203.0.113.195",
+			xRealIP:       "198.51.100.42",
+			expectedIP:    "203.0.113.195",
 		},
 		{
-			name:          "all XFF IPs trusted returns leftmost",
-			remoteAddr:    "10.0.0.1:5000",
-			xForwardedFor: "10.0.0.2, 172.16.0.1, 10.0.0.3",
-			trustedProxy:  trusted,
-			expectedIP:    "10.0.0.2",
-		},
-		{
-			name:          "XFF with whitespace",
-			remoteAddr:    "10.0.0.1:5000",
-			xForwardedFor: " 203.0.113.50 , 10.0.0.2 ",
-			trustedProxy:  trusted,
-			expectedIP:    "203.0.113.50",
-		},
-		{
-			name:          "multi-hop with mixed trust",
-			remoteAddr:    "10.0.0.1:5000",
-			xForwardedFor: "8.8.8.8, 203.0.113.50, 172.16.0.1",
-			trustedProxy:  trusted,
-			expectedIP:    "203.0.113.50",
-		},
-		{
-			name:       "RemoteAddr without port",
+			name:       "handle RemoteAddr without port",
 			remoteAddr: "192.168.1.100",
 			expectedIP: "192.168.1.100",
 		},
@@ -153,22 +122,24 @@ func TestResolveClientIP(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, tt.trustedProxy)
-
 			req := httptest.NewRequest(http.MethodGet, "/test", nil)
 			req.RemoteAddr = tt.remoteAddr
+
 			if tt.xForwardedFor != "" {
 				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
 			}
+			if tt.xRealIP != "" {
+				req.Header.Set("X-Real-IP", tt.xRealIP)
+			}
 
-			ip := handler.resolveClientIP(req)
-			assert.Equal(t, tt.expectedIP, ip)
+			ip := getClientIP(req)
+			assert.Equal(t, tt.expectedIP, ip, "Extracted IP should match expected")
 		})
 	}
 }
 
 func TestAuthCallbackHandler_RateLimiterConfiguration(t *testing.T) {
-	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{}, nil)
+	handler := NewAuthCallbackHandler(&nbgrpc.ProxyServiceServer{})
 
 	require.NotNil(t, handler.rateLimiter, "Rate limiter should be initialized")
 

management/server/http/middleware/auth_middleware.go

@@ -11,7 +11,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"go.opentelemetry.io/otel/metric"
 
-	"github.com/netbirdio/management-integrations/integrations"
 	serverauth "github.com/netbirdio/netbird/management/server/auth"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
@@ -131,10 +130,8 @@ func (m *AuthMiddleware) checkJWTFromRequest(r *http.Request, authHeaderParts []
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		if integrations.IsValidChildAccount(ctx, userAuth.UserId, userAuth.AccountId, impersonate[0]) {
-			userAuth.AccountId = impersonate[0]
-			userAuth.IsChild = true
-		}
+		userAuth.AccountId = impersonate[0]
+		userAuth.IsChild = ok
 	}
 
 	// Email is now extracted in ToUserAuth (from claims or userinfo endpoint)
@@ -210,10 +207,8 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, authHeaderParts []
 	}
 
 	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
-		if integrations.IsValidChildAccount(r.Context(), userAuth.UserId, userAuth.AccountId, impersonate[0]) {
-			userAuth.AccountId = impersonate[0]
-			userAuth.IsChild = true
-		}
+		userAuth.AccountId = impersonate[0]
+		userAuth.IsChild = ok
 	}
 
 	return nbcontext.SetUserAuthInRequest(r, userAuth), nil

management/server/http/middleware/auth_middleware_test.go

@@ -627,14 +627,15 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 			},
 		},
 		{
-			name:       "PAT Token with account param ignored in public version",
+			name:       "Valid PAT Token accesses child",
 			path:       "/test?account=xyz",
 			authHeader: "Token " + PAT,
 			expectedUserAuth: &nbauth.UserAuth{
-				AccountId:      accountID,
+				AccountId:      "xyz",
 				UserId:         userID,
 				Domain:         testAccount.Domain,
 				DomainCategory: testAccount.DomainCategory,
+				IsChild:        true,
 				IsPAT:          true,
 			},
 		},
@@ -651,14 +652,15 @@ func TestAuthMiddleware_Handler_Child(t *testing.T) {
 		},
 
 		{
-			name:       "JWT Token with account param ignored in public version",
+			name:       "Valid JWT Token with child",
 			path:       "/test?account=xyz",
 			authHeader: "Bearer " + JWT,
 			expectedUserAuth: &nbauth.UserAuth{
-				AccountId:      accountID,
+				AccountId:      "xyz",
 				UserId:         userID,
 				Domain:         testAccount.Domain,
 				DomainCategory: testAccount.DomainCategory,
+				IsChild:        true,
 			},
 		},
 	}

management/server/http/testing/testing_tools/channel/channel.go

@@ -10,10 +10,6 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/netbirdio/management-integrations/integrations"
-	accesslogsmanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/accesslogs/manager"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy/domain/manager"
-	reverseproxymanager "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/manager"
-	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 
 	zonesManager "github.com/netbirdio/netbird/management/internals/modules/zones/manager"
 	recordsManager "github.com/netbirdio/netbird/management/internals/modules/zones/records/manager"
@@ -90,14 +86,6 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 		t.Fatalf("Failed to create manager: %v", err)
 	}
 
-	accessLogsManager := accesslogsmanager.NewManager(store, permissionsManager, nil)
-	proxyTokenStore := nbgrpc.NewOneTimeTokenStore(1 * time.Minute)
-	proxyServiceServer := nbgrpc.NewProxyServiceServer(accessLogsManager, proxyTokenStore, nbgrpc.ProxyOIDCConfig{}, peersManager, userManager)
-	domainManager := manager.NewManager(store, proxyServiceServer, permissionsManager)
-	reverseProxyManager := reverseproxymanager.NewManager(store, am, permissionsManager, proxyServiceServer, domainManager)
-	proxyServiceServer.SetProxyManager(reverseProxyManager)
-	am.SetServiceManager(reverseProxyManager)
-
 	// @note this is required so that PAT's validate from store, but JWT's are mocked
 	authManager := serverauth.NewManager(store, "", "", "", "", []string{}, false)
 	authManagerMock := &serverauth.MockManager{
@@ -114,7 +102,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 	customZonesManager := zonesManager.NewManager(store, am, permissionsManager, "")
 	zoneRecordsManager := recordsManager.NewManager(store, am, permissionsManager)
 
-	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, reverseProxyManager, nil, nil, nil, nil)
+	apiHandler, err := http2.NewAPIHandler(context.Background(), am, networksManagerMock, resourcesManagerMock, routersManagerMock, groupsManagerMock, geoMock, authManagerMock, metrics, validatorMock, proxyController, permissionsManager, peersManager, settingsManager, customZonesManager, zoneRecordsManager, networkMapController, nil, nil, nil, nil, nil)
 	if err != nil {
 		t.Fatalf("Failed to create API handler: %v", err)
 	}

management/server/networks/manager_test.go

@@ -29,7 +29,7 @@ func Test_GetAllNetworksReturnsNetworks(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
@@ -52,7 +52,7 @@ func Test_GetAllNetworksReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	networks, err := manager.GetAllNetworks(ctx, accountID, userID)
@@ -75,7 +75,7 @@ func Test_GetNetworkReturnsNetwork(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	networks, err := manager.GetNetwork(ctx, accountID, userID, networkID)
@@ -98,7 +98,7 @@ func Test_GetNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	network, err := manager.GetNetwork(ctx, accountID, userID, networkID)
@@ -123,7 +123,7 @@ func Test_CreateNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
@@ -148,7 +148,7 @@ func Test_CreateNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	createdNetwork, err := manager.CreateNetwork(ctx, userID, network)
@@ -171,7 +171,7 @@ func Test_DeleteNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
@@ -193,7 +193,7 @@ func Test_DeleteNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	err = manager.DeleteNetwork(ctx, accountID, userID, networkID)
@@ -218,7 +218,7 @@ func Test_UpdateNetworkSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)
@@ -245,7 +245,7 @@ func Test_UpdateNetworkFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(s)
 	groupsManager := groups.NewManagerMock()
 	routerManager := routers.NewManagerMock()
-	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am, nil)
+	resourcesManager := resources.NewManager(s, permissionsManager, groupsManager, &am)
 	manager := NewManager(s, permissionsManager, resourcesManager, routerManager, &am)
 
 	updatedNetwork, err := manager.UpdateNetwork(ctx, userID, network)

management/server/networks/resources/manager_test.go

@@ -4,10 +4,8 @@ import (
 	"context"
 	"testing"
 
-	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/mock_server"
 	"github.com/netbirdio/netbird/management/server/networks/resources/types"
@@ -30,9 +28,7 @@ func Test_GetAllResourcesInNetworkReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
 	require.NoError(t, err)
@@ -53,9 +49,7 @@ func Test_GetAllResourcesInNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	resources, err := manager.GetAllResourcesInNetwork(ctx, accountID, userID, networkID)
 	require.Error(t, err)
@@ -75,9 +69,7 @@ func Test_GetAllResourcesInAccountReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
 	require.NoError(t, err)
@@ -97,9 +89,7 @@ func Test_GetAllResourcesInAccountReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	resources, err := manager.GetAllResourcesInAccount(ctx, accountID, userID)
 	require.Error(t, err)
@@ -122,9 +112,7 @@ func Test_GetResourceInNetworkReturnsResources(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	resource, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
 	require.NoError(t, err)
@@ -146,9 +134,7 @@ func Test_GetResourceInNetworkReturnsPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	resources, err := manager.GetResource(ctx, accountID, userID, networkID, resourceID)
 	require.Error(t, err)
@@ -175,10 +161,7 @@ func Test_CreateResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	reverseProxyManager.EXPECT().ReloadAllServicesForAccount(gomock.Any(), resource.AccountID).Return(nil).AnyTimes()
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.NoError(t, err)
@@ -204,9 +187,7 @@ func Test_CreateResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -233,9 +214,7 @@ func Test_CreateResourceFailsWithInvalidAddress(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -261,9 +240,7 @@ func Test_CreateResourceFailsWithUsedName(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	createdResource, err := manager.CreateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -293,10 +270,7 @@ func Test_UpdateResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	reverseProxyManager.EXPECT().ReloadAllServicesForAccount(gomock.Any(), accountID).Return(nil).AnyTimes()
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.NoError(t, err)
@@ -328,9 +302,7 @@ func Test_UpdateResourceFailsWithResourceNotFound(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -360,9 +332,7 @@ func Test_UpdateResourceFailsWithNameInUse(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -391,9 +361,7 @@ func Test_UpdateResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	updatedResource, err := manager.UpdateResource(ctx, userID, resource)
 	require.Error(t, err)
@@ -415,10 +383,7 @@ func Test_DeleteResourceSuccessfully(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	reverseProxyManager.EXPECT().GetServiceIDByTargetID(gomock.Any(), accountID, resourceID).Return("", nil).AnyTimes()
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
 	require.NoError(t, err)
@@ -439,9 +404,7 @@ func Test_DeleteResourceFailsWithPermissionDenied(t *testing.T) {
 	permissionsManager := permissions.NewManager(store)
 	am := mock_server.MockAccountManager{}
 	groupsManager := groups.NewManagerMock()
-	ctrl := gomock.NewController(t)
-	reverseProxyManager := reverseproxy.NewMockManager(ctrl)
-	manager := NewManager(store, permissionsManager, groupsManager, &am, reverseProxyManager)
+	manager := NewManager(store, permissionsManager, groupsManager, &am)
 
 	err = manager.DeleteResource(ctx, accountID, userID, networkID, resourceID)
 	require.Error(t, err)

management/server/peer.go

@@ -221,10 +221,6 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 			return err
 		}
 
-		if peer.ProxyMeta.Embedded {
-			return fmt.Errorf("not allowed to update peer")
-		}
-
 		settings, err = transaction.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 		if err != nil {
 			return err
@@ -561,99 +557,6 @@ func (am *DefaultAccountManager) GetPeerNetwork(ctx context.Context, peerID stri
 	return account.Network.Copy(), err
 }
 
-type peerAddAuthConfig struct {
-	AccountID           string
-	SetupKeyID          string
-	SetupKeyName        string
-	GroupsToAdd         []string
-	AllowExtraDNSLabels bool
-	Ephemeral           bool
-}
-
-func (am *DefaultAccountManager) processPeerAddAuth(ctx context.Context, accountID, userID, encodedHashedKey string, peer *nbpeer.Peer, temporary, addedByUser, addedBySetupKey bool, opEvent *activity.Event) (*peerAddAuthConfig, error) {
-	config := &peerAddAuthConfig{
-		AccountID: accountID,
-		Ephemeral: peer.Ephemeral,
-	}
-
-	switch {
-	case addedByUser:
-		if err := am.handleUserAddedPeer(ctx, accountID, userID, temporary, opEvent, config); err != nil {
-			return nil, err
-		}
-	case addedBySetupKey:
-		if err := am.handleSetupKeyAddedPeer(ctx, encodedHashedKey, peer, opEvent, config); err != nil {
-			return nil, err
-		}
-	default:
-		if peer.ProxyMeta.Embedded {
-			log.WithContext(ctx).Debugf("adding peer for proxy embedded, accountID: %s", accountID)
-		} else {
-			log.WithContext(ctx).Warnf("adding peer without setup key or userID, accountID: %s", accountID)
-		}
-	}
-
-	opEvent.AccountID = config.AccountID
-	if temporary {
-		config.Ephemeral = true
-	}
-
-	return config, nil
-}
-
-func (am *DefaultAccountManager) handleUserAddedPeer(ctx context.Context, accountID, userID string, temporary bool, opEvent *activity.Event, config *peerAddAuthConfig) error {
-	user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
-	if err != nil {
-		return status.Errorf(status.NotFound, "failed adding new peer: user not found")
-	}
-	if user.PendingApproval {
-		return status.Errorf(status.PermissionDenied, "user pending approval cannot add peers")
-	}
-
-	if temporary {
-		allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
-		if err != nil {
-			return status.NewPermissionValidationError(err)
-		}
-		if !allowed {
-			return status.NewPermissionDeniedError()
-		}
-	} else {
-		config.AccountID = user.AccountID
-		config.GroupsToAdd = user.AutoGroups
-	}
-
-	opEvent.InitiatorID = userID
-	opEvent.Activity = activity.PeerAddedByUser
-	return nil
-}
-
-func (am *DefaultAccountManager) handleSetupKeyAddedPeer(ctx context.Context, encodedHashedKey string, peer *nbpeer.Peer, opEvent *activity.Event, config *peerAddAuthConfig) error {
-	sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
-	if err != nil {
-		return status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
-	}
-
-	if !sk.IsValid() {
-		return status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
-	}
-
-	if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
-		return status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
-	}
-
-	opEvent.InitiatorID = sk.Id
-	opEvent.Activity = activity.PeerAddedWithSetupKey
-	config.GroupsToAdd = sk.AutoGroups
-	config.Ephemeral = sk.Ephemeral
-	config.SetupKeyID = sk.Id
-	config.SetupKeyName = sk.Name
-	config.AllowExtraDNSLabels = sk.AllowExtraDNSLabels
-	config.AccountID = sk.AccountID
-
-	return nil
-}
-
 // AddPeer adds a new peer to the Store.
 // Each Account has a list of pre-authorized SetupKey and if no Account has a given key err with a code status.PermissionDenied
 // will be returned, meaning the setup key is invalid or not found.
@@ -689,12 +592,70 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 
 	var newPeer *nbpeer.Peer
 
-	peerAddConfig, err := am.processPeerAddAuth(ctx, accountID, userID, encodedHashedKey, peer, temporary, addedByUser, addedBySetupKey, opEvent)
-	if err != nil {
-		return nil, nil, nil, err
+	var setupKeyID string
+	var setupKeyName string
+	var groupsToAdd []string
+	var allowExtraDNSLabels bool
+	ephemeral := peer.Ephemeral
+	switch {
+	case addedByUser:
+		user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
+		if err != nil {
+			return nil, nil, nil, status.Errorf(status.NotFound, "failed adding new peer: user not found")
+		}
+		if user.PendingApproval {
+			return nil, nil, nil, status.Errorf(status.PermissionDenied, "user pending approval cannot add peers")
+		}
+		if temporary {
+			allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
+			if err != nil {
+				return nil, nil, nil, status.NewPermissionValidationError(err)
+			}
+
+			if !allowed {
+				return nil, nil, nil, status.NewPermissionDeniedError()
+			}
+		} else {
+			accountID = user.AccountID
+			groupsToAdd = user.AutoGroups
+		}
+		opEvent.InitiatorID = userID
+		opEvent.Activity = activity.PeerAddedByUser
+	case addedBySetupKey:
+		// Validate the setup key
+		sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
+		if err != nil {
+			return nil, nil, nil, status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
+		}
+
+		// we will check key twice for early return
+		if !sk.IsValid() {
+			return nil, nil, nil, status.Errorf(status.NotFound, "couldn't add peer: setup key is invalid")
+		}
+
+		opEvent.InitiatorID = sk.Id
+		opEvent.Activity = activity.PeerAddedWithSetupKey
+		groupsToAdd = sk.AutoGroups
+		ephemeral = sk.Ephemeral
+		setupKeyID = sk.Id
+		setupKeyName = sk.Name
+		allowExtraDNSLabels = sk.AllowExtraDNSLabels
+		accountID = sk.AccountID
+		if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
+			return nil, nil, nil, status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
+		}
+	default:
+		if peer.ProxyMeta.Embedded {
+			log.WithContext(ctx).Debugf("adding peer for proxy embedded, accountID: %s", accountID)
+		} else {
+			log.WithContext(ctx).Warnf("adding peer without setup key or userID, accountID: %s", accountID)
+		}
+	}
+	opEvent.AccountID = accountID
+
+	if temporary {
+		ephemeral = true
 	}
-	accountID = peerAddConfig.AccountID
-	ephemeral := peerAddConfig.Ephemeral
 
 	if (strings.ToLower(peer.Meta.Hostname) == "iphone" || strings.ToLower(peer.Meta.Hostname) == "ipad") && userID != "" {
 		if am.idpManager != nil {
@@ -728,7 +689,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		Location:                    peer.Location,
 		InactivityExpirationEnabled: addedByUser && !temporary,
 		ExtraDNSLabels:              peer.ExtraDNSLabels,
-		AllowExtraDNSLabels:         peerAddConfig.AllowExtraDNSLabels,
+		AllowExtraDNSLabels:         allowExtraDNSLabels,
 	}
 	settings, err := am.Store.GetAccountSettings(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
@@ -746,7 +707,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		}
 	}
 
-	newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary)
+	newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, groupsToAdd, settings.Extra, temporary)
 
 	network, err := am.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
@@ -782,8 +743,8 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 				return err
 			}
 
-			if len(peerAddConfig.GroupsToAdd) > 0 {
-				for _, g := range peerAddConfig.GroupsToAdd {
+			if len(groupsToAdd) > 0 {
+				for _, g := range groupsToAdd {
 					err = transaction.AddPeerToGroup(ctx, newPeer.AccountID, newPeer.ID, g)
 					if err != nil {
 						return err
@@ -815,7 +776,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 					return status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key is invalid")
 				}
 
-				err = transaction.IncrementSetupKeyUsage(ctx, peerAddConfig.SetupKeyID)
+				err = transaction.IncrementSetupKeyUsage(ctx, setupKeyID)
 				if err != nil {
 					return fmt.Errorf("failed to increment setup key usage: %w", err)
 				}
@@ -856,7 +817,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 	opEvent.TargetID = newPeer.ID
 	opEvent.Meta = newPeer.EventMeta(am.networkMapController.GetDNSDomain(settings))
 	if !addedByUser {
-		opEvent.Meta["setup_key_name"] = peerAddConfig.SetupKeyName
+		opEvent.Meta["setup_key_name"] = setupKeyName
 	}
 
 	am.StoreEvent(ctx, opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)

management/server/peer_test.go

@@ -2489,252 +2489,3 @@ func TestLoginPeer_ApprovedUserCanLogin(t *testing.T) {
 	_, _, _, err = manager.LoginPeer(context.Background(), login)
 	require.NoError(t, err, "Regular user should be able to login peers")
 }
-
-func TestHandleUserAddedPeer(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err)
-
-	account := newAccountWithId(context.Background(), "test-account", "owner", "", "", "", false)
-	err = manager.Store.SaveAccount(context.Background(), account)
-	require.NoError(t, err)
-
-	t.Run("regular user can add peer", func(t *testing.T) {
-		regularUser := types.NewRegularUser("regular-user-1", "", "")
-		regularUser.AccountID = account.Id
-		regularUser.AutoGroups = []string{"group1", "group2"}
-		err = manager.Store.SaveUser(context.Background(), regularUser)
-		require.NoError(t, err)
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-
-		err = manager.handleUserAddedPeer(context.Background(), account.Id, regularUser.Id, false, opEvent, config)
-		require.NoError(t, err)
-		assert.Equal(t, account.Id, config.AccountID)
-		assert.Equal(t, regularUser.AutoGroups, config.GroupsToAdd)
-		assert.Equal(t, regularUser.Id, opEvent.InitiatorID)
-		assert.Equal(t, activity.PeerAddedByUser, opEvent.Activity)
-	})
-
-	t.Run("pending approval user cannot add peer", func(t *testing.T) {
-		pendingUser := types.NewRegularUser("pending-user", "", "")
-		pendingUser.AccountID = account.Id
-		pendingUser.PendingApproval = true
-		err = manager.Store.SaveUser(context.Background(), pendingUser)
-		require.NoError(t, err)
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-
-		err = manager.handleUserAddedPeer(context.Background(), account.Id, pendingUser.Id, false, opEvent, config)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "user pending approval cannot add peers")
-	})
-
-	t.Run("user not found", func(t *testing.T) {
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-
-		err = manager.handleUserAddedPeer(context.Background(), account.Id, "non-existent-user", false, opEvent, config)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "user not found")
-	})
-
-	t.Run("temporary peer requires permissions", func(t *testing.T) {
-		regularUser := types.NewRegularUser("regular-user-2", "", "")
-		regularUser.AccountID = account.Id
-		err = manager.Store.SaveUser(context.Background(), regularUser)
-		require.NoError(t, err)
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-
-		// Should fail because user doesn't have permissions for temporary peers
-		err = manager.handleUserAddedPeer(context.Background(), account.Id, regularUser.Id, true, opEvent, config)
-		require.Error(t, err)
-	})
-}
-
-func TestHandleSetupKeyAddedPeer(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err)
-
-	account := newAccountWithId(context.Background(), "test-account", "owner", "", "", "", false)
-	err = manager.Store.SaveAccount(context.Background(), account)
-	require.NoError(t, err)
-
-	// Create admin user for setup key creation
-	adminUser := types.NewAdminUser("admin-user")
-	adminUser.AccountID = account.Id
-	err = manager.Store.SaveUser(context.Background(), adminUser)
-	require.NoError(t, err)
-
-	t.Run("valid setup key", func(t *testing.T) {
-		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "test-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, false, false)
-		require.NoError(t, err)
-
-		upperKey := strings.ToUpper(setupKey.Key)
-		hashedKey := sha256.Sum256([]byte(upperKey))
-		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-		peer := &nbpeer.Peer{ExtraDNSLabels: []string{}}
-
-		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
-		require.NoError(t, err)
-		assert.Equal(t, setupKey.Id, config.SetupKeyID)
-		assert.Equal(t, setupKey.Name, config.SetupKeyName)
-		assert.Equal(t, setupKey.AutoGroups, config.GroupsToAdd)
-		assert.Equal(t, setupKey.Ephemeral, config.Ephemeral)
-		assert.Equal(t, setupKey.Id, opEvent.InitiatorID)
-		assert.Equal(t, activity.PeerAddedWithSetupKey, opEvent.Activity)
-	})
-
-	t.Run("invalid setup key", func(t *testing.T) {
-		invalidKey := "invalid-key"
-		hashedKey := sha256.Sum256([]byte(invalidKey))
-		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-		peer := &nbpeer.Peer{}
-
-		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "setup key is invalid")
-	})
-
-	t.Run("expired setup key", func(t *testing.T) {
-		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "expired-key", types.SetupKeyReusable, time.Millisecond, []string{}, 0, adminUser.Id, false, false)
-		require.NoError(t, err)
-
-		// Wait for key to expire
-		time.Sleep(10 * time.Millisecond)
-
-		upperKey := strings.ToUpper(setupKey.Key)
-		hashedKey := sha256.Sum256([]byte(upperKey))
-		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-		peer := &nbpeer.Peer{}
-
-		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "setup key is invalid")
-	})
-
-	t.Run("extra DNS labels not allowed", func(t *testing.T) {
-		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "no-dns-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, false, false)
-		require.NoError(t, err)
-
-		upperKey := strings.ToUpper(setupKey.Key)
-		hashedKey := sha256.Sum256([]byte(upperKey))
-		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-		peer := &nbpeer.Peer{ExtraDNSLabels: []string{"custom.label"}}
-
-		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "doesn't allow extra DNS labels")
-	})
-
-	t.Run("extra DNS labels allowed", func(t *testing.T) {
-		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "dns-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, false, true)
-		require.NoError(t, err)
-
-		upperKey := strings.ToUpper(setupKey.Key)
-		hashedKey := sha256.Sum256([]byte(upperKey))
-		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
-
-		opEvent := &activity.Event{}
-		config := &peerAddAuthConfig{}
-		peer := &nbpeer.Peer{ExtraDNSLabels: []string{"custom.label"}}
-
-		err = manager.handleSetupKeyAddedPeer(context.Background(), encodedHashedKey, peer, opEvent, config)
-		require.NoError(t, err)
-		assert.True(t, config.AllowExtraDNSLabels)
-	})
-}
-
-func TestProcessPeerAddAuth(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err)
-
-	account := newAccountWithId(context.Background(), "test-account", "owner", "", "", "", false)
-	err = manager.Store.SaveAccount(context.Background(), account)
-	require.NoError(t, err)
-
-	adminUser := types.NewAdminUser("admin")
-	adminUser.AccountID = account.Id
-	err = manager.Store.SaveUser(context.Background(), adminUser)
-	require.NoError(t, err)
-
-	t.Run("user authentication flow", func(t *testing.T) {
-		regularUser := types.NewRegularUser("user-auth-test", "", "")
-		regularUser.AccountID = account.Id
-		regularUser.AutoGroups = []string{"group1"}
-		err = manager.Store.SaveUser(context.Background(), regularUser)
-		require.NoError(t, err)
-
-		opEvent := &activity.Event{Timestamp: time.Now()}
-		peer := &nbpeer.Peer{Ephemeral: false}
-
-		config, err := manager.processPeerAddAuth(context.Background(), account.Id, regularUser.Id, "", peer, false, true, false, opEvent)
-		require.NoError(t, err)
-		assert.Equal(t, account.Id, config.AccountID)
-		assert.False(t, config.Ephemeral)
-		assert.Equal(t, regularUser.AutoGroups, config.GroupsToAdd)
-		assert.Equal(t, account.Id, opEvent.AccountID)
-	})
-
-	t.Run("setup key authentication flow", func(t *testing.T) {
-		setupKey, err := manager.CreateSetupKey(context.Background(), account.Id, "auth-test-key", types.SetupKeyReusable, time.Hour, []string{}, 0, adminUser.Id, true, false)
-		require.NoError(t, err)
-
-		upperKey := strings.ToUpper(setupKey.Key)
-		hashedKey := sha256.Sum256([]byte(upperKey))
-		encodedHashedKey := b64.StdEncoding.EncodeToString(hashedKey[:])
-
-		opEvent := &activity.Event{Timestamp: time.Now()}
-		peer := &nbpeer.Peer{Ephemeral: false}
-
-		config, err := manager.processPeerAddAuth(context.Background(), account.Id, "", encodedHashedKey, peer, false, false, true, opEvent)
-		require.NoError(t, err)
-		assert.Equal(t, account.Id, config.AccountID)
-		assert.True(t, config.Ephemeral) // setupKey.Ephemeral is true
-		assert.Equal(t, setupKey.AutoGroups, config.GroupsToAdd)
-		assert.Equal(t, account.Id, opEvent.AccountID)
-	})
-
-	t.Run("temporary flag overrides ephemeral", func(t *testing.T) {
-		regularUser := types.NewRegularUser("temp-user", "", "")
-		regularUser.AccountID = account.Id
-		err = manager.Store.SaveUser(context.Background(), regularUser)
-		require.NoError(t, err)
-
-		opEvent := &activity.Event{Timestamp: time.Now()}
-		peer := &nbpeer.Peer{Ephemeral: false}
-
-		config, err := manager.processPeerAddAuth(context.Background(), account.Id, regularUser.Id, "", peer, true, true, false, opEvent)
-		require.Error(t, err) // Will fail permission check but that's expected
-		_ = config            // avoid unused warning
-	})
-
-	t.Run("proxy embedded peer (no auth)", func(t *testing.T) {
-		opEvent := &activity.Event{Timestamp: time.Now()}
-		peer := &nbpeer.Peer{
-			Ephemeral: false,
-			ProxyMeta: nbpeer.ProxyMeta{Embedded: true},
-		}
-
-		config, err := manager.processPeerAddAuth(context.Background(), account.Id, "", "", peer, false, false, false, opEvent)
-		require.NoError(t, err)
-		assert.Equal(t, account.Id, config.AccountID)
-		assert.False(t, config.Ephemeral)
-		assert.Empty(t, config.GroupsToAdd)
-	})
-}

management/server/store/sql_store.go

@@ -1100,7 +1100,7 @@ func (s *SqlStore) getAccountGorm(ctx context.Context, accountID string) (*types
 		Preload("NetworkRouters").
 		Preload("NetworkResources").
 		Preload("Onboarding").
-		Preload("Services.Targets").
+		Preload("ReverseProxies").
 		Take(&account, idQueryCondition, accountID)
 	if result.Error != nil {
 		log.WithContext(ctx).Errorf("error when getting account %s from the store: %s", accountID, result.Error)
@@ -2792,7 +2792,7 @@ func getGormConfig() *gorm.Config {
 
 // newPostgresStore initializes a new Postgres store.
 func newPostgresStore(ctx context.Context, metrics telemetry.AppMetrics, skipMigration bool) (Store, error) {
-	dsn, ok := lookupDSNEnv(postgresDsnEnv, postgresDsnEnvLegacy)
+	dsn, ok := os.LookupEnv(postgresDsnEnv)
 	if !ok {
 		return nil, fmt.Errorf("%s is not set", postgresDsnEnv)
 	}
@@ -2801,7 +2801,7 @@ func newPostgresStore(ctx context.Context, metrics telemetry.AppMetrics, skipMig
 
 // newMysqlStore initializes a new MySQL store.
 func newMysqlStore(ctx context.Context, metrics telemetry.AppMetrics, skipMigration bool) (Store, error) {
-	dsn, ok := lookupDSNEnv(mysqlDsnEnv, mysqlDsnEnvLegacy)
+	dsn, ok := os.LookupEnv(mysqlDsnEnv)
 	if !ok {
 		return nil, fmt.Errorf("%s is not set", mysqlDsnEnv)
 	}
@@ -5132,10 +5132,9 @@ func (s *SqlStore) applyAccessLogFilters(query *gorm.DB, filter accesslogs.Acces
 	}
 
 	if filter.Status != nil {
-		switch *filter.Status {
-		case "success":
+		if *filter.Status == "success" {
 			query = query.Where("status_code >= ? AND status_code < ?", 200, 400)
-		case "failed":
+		} else if *filter.Status == "failed" {
 			query = query.Where("status_code < ? OR status_code >= ?", 200, 400)
 		}
 	}

management/server/store/sqlstore_bench_test.go

@@ -20,7 +20,6 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/internals/modules/reverseproxy"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
@@ -264,7 +263,7 @@ func setupBenchmarkDB(b testing.TB) (*SqlStore, func(), string) {
 		&types.Policy{}, &types.PolicyRule{}, &route.Route{},
 		&nbdns.NameServerGroup{}, &posture.Checks{}, &networkTypes.Network{},
 		&routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{},
-		&types.AccountOnboarding{}, &reverseproxy.Service{}, &reverseproxy.Target{},
+		&types.AccountOnboarding{},
 	}
 
 	for i := len(models) - 1; i >= 0; i-- {

management/server/store/store.go

@@ -1,7 +1,5 @@
 package store
 
-//go:generate go run github.com/golang/mock/mockgen -package store -destination=store_mock.go -source=./store.go -build_flags=-mod=mod
-
 import (
 	"context"
 	"errors"
@@ -273,20 +271,10 @@ type Store interface {
 }
 
 const (
-	postgresDsnEnv       = "NB_STORE_ENGINE_POSTGRES_DSN"
-	postgresDsnEnvLegacy = "NETBIRD_STORE_ENGINE_POSTGRES_DSN"
-	mysqlDsnEnv          = "NB_STORE_ENGINE_MYSQL_DSN"
-	mysqlDsnEnvLegacy    = "NETBIRD_STORE_ENGINE_MYSQL_DSN"
+	postgresDsnEnv = "NETBIRD_STORE_ENGINE_POSTGRES_DSN"
+	mysqlDsnEnv    = "NETBIRD_STORE_ENGINE_MYSQL_DSN"
 )
 
-// lookupDSNEnv checks the NB_ env var first, then falls back to the legacy NETBIRD_ env var.
-func lookupDSNEnv(nbKey, legacyKey string) (string, bool) {
-	if v, ok := os.LookupEnv(nbKey); ok {
-		return v, true
-	}
-	return os.LookupEnv(legacyKey)
-}
-
 var supportedEngines = []types.Engine{types.SqliteStoreEngine, types.PostgresStoreEngine, types.MysqlStoreEngine}
 
 func getStoreEngineFromEnv() types.Engine {
@@ -571,7 +559,7 @@ func getSqlStoreEngine(ctx context.Context, store *SqlStore, kind types.Engine)
 }
 
 func newReusedPostgresStore(ctx context.Context, store *SqlStore, kind types.Engine) (*SqlStore, func(), error) {
-	dsn, ok := lookupDSNEnv(postgresDsnEnv, postgresDsnEnvLegacy)
+	dsn, ok := os.LookupEnv(postgresDsnEnv)
 	if !ok || dsn == "" {
 		var err error
 		_, dsn, err = testutil.CreatePostgresTestContainer()
@@ -609,7 +597,7 @@ func newReusedPostgresStore(ctx context.Context, store *SqlStore, kind types.Eng
 }
 
 func newReusedMysqlStore(ctx context.Context, store *SqlStore, kind types.Engine) (*SqlStore, func(), error) {
-	dsn, ok := lookupDSNEnv(mysqlDsnEnv, mysqlDsnEnvLegacy)
+	dsn, ok := os.LookupEnv(mysqlDsnEnv)
 	if !ok || dsn == "" {
 		var err error
 		_, dsn, err = testutil.CreateMysqlTestContainer()