Move EnvForceUserspaceFirewall to platform-independent file

Set NB_FORCE_USERSPACE_FIREWALL in ACL manager tests
Use native firewall for peer ACLs in userspace WireGuard mode
2026-03-23 19:11:30 +01:00 · 2026-03-23 18:46:15 +01:00 · 2026-03-23 18:29:53 +01:00
24 changed files with 205 additions and 759 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -170,7 +170,6 @@ jobs:
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu

      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
@@ -310,7 +309,6 @@ jobs:
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64

      - name: Decode GPG signing key
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -171,7 +171,6 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
    id: netbird_deb
    bindir: /usr/bin
    builds:
@@ -185,7 +184,6 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
    id: netbird_rpm
    bindir: /usr/bin
    builds:
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -181,11 +181,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up")
-			time.Sleep(time.Second * 10)
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird up")
+		time.Sleep(time.Second * 10)
 	}

 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -200,10 +199,9 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	}

 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
-	} else {
-		cmd.Println("netbird down")
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird down")

 	time.Sleep(1 * time.Second)

@@ -211,14 +209,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
 	}

 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
-	} else {
-		cmd.Println("netbird up")
+		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	}
+	cmd.Println("netbird up")

 	time.Sleep(3 * time.Second)

@@ -266,18 +263,16 @@ func runForDuration(cmd *cobra.Command, args []string) error {

 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird down")
+			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 		}
+		cmd.Println("netbird down")
 	}

 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
 		}
+		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}

 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"strconv"

 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
@@ -35,20 +36,27 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 type FWType int

 func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
-	// on the linux system we try to user nftables or iptables
-	// in any case, because we need to allow netbird interface traffic
-	// so we use AllowNetbird traffic from these firewall managers
-	// for the userspace packet filtering firewall
+	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
+	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
+		log.Info("forcing userspace firewall")
+		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
+	}
+
+	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)

+	// Kernel cannot fall back to anything else, need to return error
 	if !iface.IsUserspaceBind() {
 		return fm, err
 	}

+	// Fall back to the userspace packet filter if native is unavailable
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
+		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
+
+	return fm, nil
 }

 func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
@@ -160,3 +168,17 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
+
+func forceUserspaceFirewall() bool {
+	val := os.Getenv(EnvForceUserspaceFirewall)
+	if val == "" {
+		return false
+	}
+
+	force, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", EnvForceUserspaceFirewall, err)
+		return false
+	}
+	return force
+}
--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -7,6 +7,12 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )

+// EnvForceUserspaceFirewall forces the use of the userspace packet filter even when
+// native iptables/nftables is available. This only applies when the WireGuard interface
+// runs in userspace mode. When set, peer ACLs are handled by USPFilter instead of
+// kernel netfilter rules.
+const EnvForceUserspaceFirewall = "NB_FORCE_USERSPACE_FIREWALL"
+
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -33,7 +33,6 @@ type Manager struct {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
-	IsUserspaceBind() bool
 }

 // Create iptables firewall manager
@@ -64,10 +63,9 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:       m.wgIface.Name(),
-			WGAddress:     m.wgIface.Address(),
-			UserspaceBind: m.wgIface.IsUserspaceBind(),
-			MTU:           m.router.mtu,
+			NameStr:   m.wgIface.Name(),
+			WGAddress: m.wgIface.Address(),
+			MTU:       m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -203,12 +201,10 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nberrors.FormatErrorOrNil(merr)
 }

-// AllowNetbird allows netbird interface traffic
+// AllowNetbird allows netbird interface traffic.
+// This is called when USPFilter wraps the native firewall, adding blanket accept
+// rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
-	if !m.wgIface.IsUserspaceBind() {
-		return nil
-	}
-
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -47,8 +47,6 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }

-func (i *iFaceMock) IsUserspaceBind() bool { return false }
-
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -9,10 +9,9 @@ import (
 )

 type InterfaceState struct {
-	NameStr       string         `json:"name"`
-	WGAddress     wgaddr.Address `json:"wg_address"`
-	UserspaceBind bool           `json:"userspace_bind"`
-	MTU           uint16         `json:"mtu"`
+	NameStr   string         `json:"name"`
+	WGAddress wgaddr.Address `json:"wg_address"`
+	MTU       uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -23,10 +22,6 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }

-func (i *InterfaceState) IsUserspaceBind() bool {
-	return i.UserspaceBind
-}
-
 type ShutdownState struct {
 	sync.Mutex

--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -40,7 +40,6 @@ func getTableName() string {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
-	IsUserspaceBind() bool
 }

 // Manager of iptables firewall
@@ -106,10 +105,9 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:       m.wgIface.Name(),
-			WGAddress:     m.wgIface.Address(),
-			UserspaceBind: m.wgIface.IsUserspaceBind(),
-			MTU:           m.router.mtu,
+			NameStr:   m.wgIface.Name(),
+			WGAddress: m.wgIface.Address(),
+			MTU:       m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -205,12 +203,10 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	return m.router.RemoveNatRule(pair)
 }

-// AllowNetbird allows netbird interface traffic
+// AllowNetbird allows netbird interface traffic.
+// This is called when USPFilter wraps the native firewall, adding blanket accept
+// rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
-	if !m.wgIface.IsUserspaceBind() {
-		return nil
-	}
-
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -52,8 +52,6 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }

-func (i *iFaceMock) IsUserspaceBind() bool { return false }
-
 func TestNftablesManager(t *testing.T) {

 	// just check on the local interface
--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -8,10 +8,9 @@ import (
 )

 type InterfaceState struct {
-	NameStr       string         `json:"name"`
-	WGAddress     wgaddr.Address `json:"wg_address"`
-	UserspaceBind bool           `json:"userspace_bind"`
-	MTU           uint16         `json:"mtu"`
+	NameStr   string         `json:"name"`
+	WGAddress wgaddr.Address `json:"wg_address"`
+	MTU       uint16         `json:"mtu"`
 }

 func (i *InterfaceState) Name() string {
@@ -22,10 +21,6 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }

-func (i *InterfaceState) IsUserspaceBind() bool {
-	return i.UserspaceBind
-}
-
 type ShutdownState struct {
 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
 }
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -19,6 +19,9 @@ import (
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()

 func TestDefaultManager(t *testing.T) {
+	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
+
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
@@ -135,6 +138,7 @@ func TestDefaultManager(t *testing.T) {
 func TestDefaultManagerStateless(t *testing.T) {
 	// stateless currently only in userspace, so we have to disable kernel
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	t.Setenv("NB_DISABLE_CONNTRACK", "true")

 	networkMap := &mgmProto.NetworkMap{
@@ -194,6 +198,7 @@ func TestDefaultManagerStateless(t *testing.T) {
 // This tests the full ACL manager -> uspfilter integration.
 func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")

 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
@@ -258,6 +263,7 @@ func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 // up when they're removed from the network map in a subsequent update.
 func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")

 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -339,6 +345,7 @@ func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 // one added without leaking.
 func TestRuleUpdateChangingAction(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
+	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")

 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
--- a/go.mod
+++ b/go.mod
@@ -30,10 +30,10 @@ require (
 require (
 	fyne.io/fyne/v2 v2.7.0
 	fyne.io/systray v1.12.1-0.20260116214250-81f8e1a496f9
+	github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible
 	github.com/awnumar/memguard v0.23.0
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/aws/aws-sdk-go-v2/config v1.29.14
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.67
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.79.2
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
@@ -144,6 +144,7 @@ require (
 	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/awnumar/memcall v0.4.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
--- a/go.sum
+++ b/go.sum
@@ -34,6 +34,8 @@ github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSC
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
+github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
+github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
--- a/management/internals/modules/reverseproxy/service/service.go
+++ b/management/internals/modules/reverseproxy/service/service.go
@@ -262,9 +262,7 @@ func (s *Service) ToAPIResponse() *api.Service {
 		if opts == nil {
 			opts = &api.ServiceTargetOptions{}
 		}
-		if target.ProxyProtocol {
-			opts.ProxyProtocol = &target.ProxyProtocol
-		}
+		opts.ProxyProtocol = &target.ProxyProtocol
 		st.Options = opts
 		apiTargets = append(apiTargets, st)
 	}
@@ -850,7 +848,7 @@ func IsPortBasedProtocol(mode string) bool {
 }

 const (
-	maxCustomHeaders  = 16
+	maxCustomHeaders = 16
 	maxHeaderKeyLen   = 128
 	maxHeaderValueLen = 4096
 )
@@ -947,6 +945,7 @@ func containsCRLF(s string) bool {
 }

 func validateHeaderAuths(headers []*HeaderAuthConfig) error {
+	seen := make(map[string]struct{})
 	for i, h := range headers {
 		if h == nil || !h.Enabled {
 			continue
@@ -967,6 +966,10 @@ func validateHeaderAuths(headers []*HeaderAuthConfig) error {
 		if canonical == "Host" {
 			return fmt.Errorf("header_auths[%d]: Host header cannot be used for auth", i)
 		}
+		if _, dup := seen[canonical]; dup {
+			return fmt.Errorf("header_auths[%d]: duplicate header %q (same canonical form already configured)", i, h.Header)
+		}
+		seen[canonical] = struct{}{}
 		if len(h.Value) > maxHeaderValueLen {
 			return fmt.Errorf("header_auths[%d]: value exceeds maximum length of %d", i, maxHeaderValueLen)
 		}
--- a/management/internals/modules/reverseproxy/service/service_test.go
+++ b/management/internals/modules/reverseproxy/service/service_test.go
@@ -935,107 +935,3 @@ func TestExposeServiceRequest_Validate_HTTPAllowsAuth(t *testing.T) {
 	req := ExposeServiceRequest{Port: 8080, Mode: "http", Pin: "123456"}
 	require.NoError(t, req.Validate())
 }
-
-func TestValidate_HeaderAuths(t *testing.T) {
-	t.Run("single valid header", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "X-API-Key", Value: "secret"},
-			},
-		}
-		require.NoError(t, rp.Validate())
-	})
-
-	t.Run("multiple headers same canonical name allowed", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "Authorization", Value: "Bearer token-1"},
-				{Enabled: true, Header: "Authorization", Value: "Bearer token-2"},
-			},
-		}
-		require.NoError(t, rp.Validate())
-	})
-
-	t.Run("multiple headers different case same canonical allowed", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "x-api-key", Value: "key-1"},
-				{Enabled: true, Header: "X-Api-Key", Value: "key-2"},
-			},
-		}
-		require.NoError(t, rp.Validate())
-	})
-
-	t.Run("multiple different headers allowed", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "Authorization", Value: "Bearer tok"},
-				{Enabled: true, Header: "X-API-Key", Value: "key"},
-			},
-		}
-		require.NoError(t, rp.Validate())
-	})
-
-	t.Run("empty header name rejected", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "", Value: "val"},
-			},
-		}
-		err := rp.Validate()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "header name is required")
-	})
-
-	t.Run("hop-by-hop header rejected", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "Connection", Value: "val"},
-			},
-		}
-		err := rp.Validate()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "hop-by-hop")
-	})
-
-	t.Run("host header rejected", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "Host", Value: "val"},
-			},
-		}
-		err := rp.Validate()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "Host header cannot be used")
-	})
-
-	t.Run("disabled entries skipped", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: false, Header: "", Value: ""},
-				{Enabled: true, Header: "X-Key", Value: "val"},
-			},
-		}
-		require.NoError(t, rp.Validate())
-	})
-
-	t.Run("value too long rejected", func(t *testing.T) {
-		rp := validProxy()
-		rp.Auth = AuthConfig{
-			HeaderAuths: []*HeaderAuthConfig{
-				{Enabled: true, Header: "X-Key", Value: strings.Repeat("a", maxHeaderValueLen+1)},
-			},
-		}
-		err := rp.Validate()
-		require.Error(t, err)
-		assert.Contains(t, err.Error(), "exceeds maximum length")
-	})
-}
--- a/management/server/idp/idp.go
+++ b/management/server/idp/idp.go
@@ -197,7 +197,6 @@ func NewManager(ctx context.Context, config Config, appMetrics telemetry.AppMetr
 	case "jumpcloud":
 		return NewJumpCloudManager(JumpCloudClientConfig{
 			APIToken: config.ExtraConfig["ApiToken"],
-			ApiUrl:   config.ExtraConfig["ApiUrl"],
 		}, appMetrics)
 	case "pocketid":
 		return NewPocketIdManager(PocketIdClientConfig{
--- a/management/server/idp/jumpcloud.go
+++ b/management/server/idp/jumpcloud.go
@@ -1,40 +1,24 @@
 package idp

 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
-	"io"
 	"net/http"
 	"strings"

+	v1 "github.com/TheJumpCloud/jcapi-go/v1"
+
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )

 const (
-	jumpCloudDefaultApiUrl  = "https://console.jumpcloud.com"
-	jumpCloudSearchPageSize = 100
+	contentType = "application/json"
+	accept      = "application/json"
 )

-// jumpCloudUser represents a JumpCloud V1 API system user.
-type jumpCloudUser struct {
-	ID         string `json:"_id"`
-	Email      string `json:"email"`
-	Firstname  string `json:"firstname"`
-	Middlename string `json:"middlename"`
-	Lastname   string `json:"lastname"`
-}
-
-// jumpCloudUserList represents the response from the JumpCloud search endpoint.
-type jumpCloudUserList struct {
-	Results    []jumpCloudUser `json:"results"`
-	TotalCount int             `json:"totalCount"`
-}
-
 // JumpCloudManager JumpCloud manager client instance.
 type JumpCloudManager struct {
-	apiBase     string
+	client      *v1.APIClient
 	apiToken    string
 	httpClient  ManagerHTTPClient
 	credentials ManagerCredentials
@@ -45,7 +29,6 @@ type JumpCloudManager struct {
 // JumpCloudClientConfig JumpCloud manager client configurations.
 type JumpCloudClientConfig struct {
 	APIToken string
-	ApiUrl   string
 }

 // JumpCloudCredentials JumpCloud authentication information.
@@ -72,15 +55,7 @@ func NewJumpCloudManager(config JumpCloudClientConfig, appMetrics telemetry.AppM
 		return nil, fmt.Errorf("jumpCloud IdP configuration is incomplete, ApiToken is missing")
 	}

-	apiBase := config.ApiUrl
-	if apiBase == "" {
-		apiBase = jumpCloudDefaultApiUrl
-	}
-	apiBase = strings.TrimSuffix(apiBase, "/")
-	if !strings.HasSuffix(apiBase, "/api") {
-		apiBase += "/api"
-	}
-
+	client := v1.NewAPIClient(v1.NewConfiguration())
 	credentials := &JumpCloudCredentials{
 		clientConfig: config,
 		httpClient:   httpClient,
@@ -89,7 +64,7 @@ func NewJumpCloudManager(config JumpCloudClientConfig, appMetrics telemetry.AppM
 	}

 	return &JumpCloudManager{
-		apiBase:     apiBase,
+		client:      client,
 		apiToken:    config.APIToken,
 		httpClient:  httpClient,
 		credentials: credentials,
@@ -103,35 +78,10 @@ func (jc *JumpCloudCredentials) Authenticate(_ context.Context) (JWTToken, error
 	return JWTToken{}, nil
 }

-// doRequest executes an HTTP request against the JumpCloud V1 API.
-func (jm *JumpCloudManager) doRequest(ctx context.Context, method, path string, body io.Reader) ([]byte, error) {
-	reqURL := jm.apiBase + path
-	req, err := http.NewRequestWithContext(ctx, method, reqURL, body)
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("x-api-key", jm.apiToken)
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
-
-	resp, err := jm.httpClient.Do(req)
-	if err != nil {
-		if jm.appMetrics != nil {
-			jm.appMetrics.IDPMetrics().CountRequestError()
-		}
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		if jm.appMetrics != nil {
-			jm.appMetrics.IDPMetrics().CountRequestStatusError()
-		}
-		return nil, fmt.Errorf("JumpCloud API request %s %s failed with status %d", method, path, resp.StatusCode)
-	}
-
-	return io.ReadAll(resp.Body)
+func (jm *JumpCloudManager) authenticationContext() context.Context {
+	return context.WithValue(context.Background(), v1.ContextAPIKey, v1.APIKey{
+		Key: jm.apiToken,
+	})
 }

 // UpdateUserAppMetadata updates user app metadata based on userID and metadata map.
@@ -140,21 +90,25 @@ func (jm *JumpCloudManager) UpdateUserAppMetadata(_ context.Context, _ string, _
 }

 // GetUserDataByID requests user data from JumpCloud via ID.
-func (jm *JumpCloudManager) GetUserDataByID(ctx context.Context, userID string, appMetadata AppMetadata) (*UserData, error) {
-	body, err := jm.doRequest(ctx, http.MethodGet, "/systemusers/"+userID, nil)
+func (jm *JumpCloudManager) GetUserDataByID(_ context.Context, userID string, appMetadata AppMetadata) (*UserData, error) {
+	authCtx := jm.authenticationContext()
+	user, resp, err := jm.client.SystemusersApi.SystemusersGet(authCtx, userID, contentType, accept, nil)
 	if err != nil {
 		return nil, err
 	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		if jm.appMetrics != nil {
+			jm.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return nil, fmt.Errorf("unable to get user %s, statusCode %d", userID, resp.StatusCode)
+	}

 	if jm.appMetrics != nil {
 		jm.appMetrics.IDPMetrics().CountGetUserDataByID()
 	}

-	var user jumpCloudUser
-	if err = jm.helper.Unmarshal(body, &user); err != nil {
-		return nil, err
-	}
-
 	userData := parseJumpCloudUser(user)
 	userData.AppMetadata = appMetadata

@@ -162,20 +116,30 @@ func (jm *JumpCloudManager) GetUserDataByID(ctx context.Context, userID string,
 }

 // GetAccount returns all the users for a given profile.
-func (jm *JumpCloudManager) GetAccount(ctx context.Context, accountID string) ([]*UserData, error) {
-	allUsers, err := jm.searchAllUsers(ctx)
+func (jm *JumpCloudManager) GetAccount(_ context.Context, accountID string) ([]*UserData, error) {
+	authCtx := jm.authenticationContext()
+	userList, resp, err := jm.client.SearchApi.SearchSystemusersPost(authCtx, contentType, accept, nil)
 	if err != nil {
 		return nil, err
 	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		if jm.appMetrics != nil {
+			jm.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return nil, fmt.Errorf("unable to get account %s users, statusCode %d", accountID, resp.StatusCode)
+	}

 	if jm.appMetrics != nil {
 		jm.appMetrics.IDPMetrics().CountGetAccount()
 	}

-	users := make([]*UserData, 0, len(allUsers))
-	for _, user := range allUsers {
+	users := make([]*UserData, 0)
+	for _, user := range userList.Results {
 		userData := parseJumpCloudUser(user)
 		userData.AppMetadata.WTAccountID = accountID
+
 		users = append(users, userData)
 	}

@@ -184,18 +148,27 @@ func (jm *JumpCloudManager) GetAccount(ctx context.Context, accountID string) ([

 // GetAllAccounts gets all registered accounts with corresponding user data.
 // It returns a list of users indexed by accountID.
-func (jm *JumpCloudManager) GetAllAccounts(ctx context.Context) (map[string][]*UserData, error) {
-	allUsers, err := jm.searchAllUsers(ctx)
+func (jm *JumpCloudManager) GetAllAccounts(_ context.Context) (map[string][]*UserData, error) {
+	authCtx := jm.authenticationContext()
+	userList, resp, err := jm.client.SearchApi.SearchSystemusersPost(authCtx, contentType, accept, nil)
 	if err != nil {
 		return nil, err
 	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		if jm.appMetrics != nil {
+			jm.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return nil, fmt.Errorf("unable to get all accounts, statusCode %d", resp.StatusCode)
+	}

 	if jm.appMetrics != nil {
 		jm.appMetrics.IDPMetrics().CountGetAllAccounts()
 	}

 	indexedUsers := make(map[string][]*UserData)
-	for _, user := range allUsers {
+	for _, user := range userList.Results {
 		userData := parseJumpCloudUser(user)
 		indexedUsers[UnsetAccountID] = append(indexedUsers[UnsetAccountID], userData)
 	}
@@ -203,41 +176,6 @@ func (jm *JumpCloudManager) GetAllAccounts(ctx context.Context) (map[string][]*U
 	return indexedUsers, nil
 }

-// searchAllUsers paginates through all system users using limit/skip.
-func (jm *JumpCloudManager) searchAllUsers(ctx context.Context) ([]jumpCloudUser, error) {
-	var allUsers []jumpCloudUser
-
-	for skip := 0; ; skip += jumpCloudSearchPageSize {
-		searchReq := map[string]int{
-			"limit": jumpCloudSearchPageSize,
-			"skip":  skip,
-		}
-
-		payload, err := json.Marshal(searchReq)
-		if err != nil {
-			return nil, err
-		}
-
-		body, err := jm.doRequest(ctx, http.MethodPost, "/search/systemusers", bytes.NewReader(payload))
-		if err != nil {
-			return nil, err
-		}
-
-		var userList jumpCloudUserList
-		if err = jm.helper.Unmarshal(body, &userList); err != nil {
-			return nil, err
-		}
-
-		allUsers = append(allUsers, userList.Results...)
-
-		if skip+len(userList.Results) >= userList.TotalCount {
-			break
-		}
-	}
-
-	return allUsers, nil
-}
-
 // CreateUser creates a new user in JumpCloud Idp and sends an invitation.
 func (jm *JumpCloudManager) CreateUser(_ context.Context, _, _, _, _ string) (*UserData, error) {
 	return nil, fmt.Errorf("method CreateUser not implemented")
@@ -245,7 +183,7 @@ func (jm *JumpCloudManager) CreateUser(_ context.Context, _, _, _, _ string) (*U

 // GetUserByEmail searches users with a given email.
 // If no users have been found, this function returns an empty list.
-func (jm *JumpCloudManager) GetUserByEmail(ctx context.Context, email string) ([]*UserData, error) {
+func (jm *JumpCloudManager) GetUserByEmail(_ context.Context, email string) ([]*UserData, error) {
 	searchFilter := map[string]interface{}{
 		"searchFilter": map[string]interface{}{
 			"filter": []string{email},
@@ -253,26 +191,25 @@ func (jm *JumpCloudManager) GetUserByEmail(ctx context.Context, email string) ([
 		},
 	}

-	payload, err := json.Marshal(searchFilter)
+	authCtx := jm.authenticationContext()
+	userList, resp, err := jm.client.SearchApi.SearchSystemusersPost(authCtx, contentType, accept, searchFilter)
 	if err != nil {
 		return nil, err
 	}
+	defer resp.Body.Close()

-	body, err := jm.doRequest(ctx, http.MethodPost, "/search/systemusers", bytes.NewReader(payload))
-	if err != nil {
-		return nil, err
+	if resp.StatusCode != http.StatusOK {
+		if jm.appMetrics != nil {
+			jm.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return nil, fmt.Errorf("unable to get user %s, statusCode %d", email, resp.StatusCode)
 	}

 	if jm.appMetrics != nil {
 		jm.appMetrics.IDPMetrics().CountGetUserByEmail()
 	}

-	var userList jumpCloudUserList
-	if err = jm.helper.Unmarshal(body, &userList); err != nil {
-		return nil, err
-	}
-
-	usersData := make([]*UserData, 0, len(userList.Results))
+	usersData := make([]*UserData, 0)
 	for _, user := range userList.Results {
 		usersData = append(usersData, parseJumpCloudUser(user))
 	}
@@ -287,11 +224,20 @@ func (jm *JumpCloudManager) InviteUserByID(_ context.Context, _ string) error {
 }

 // DeleteUser from jumpCloud directory
-func (jm *JumpCloudManager) DeleteUser(ctx context.Context, userID string) error {
-	_, err := jm.doRequest(ctx, http.MethodDelete, "/systemusers/"+userID, nil)
+func (jm *JumpCloudManager) DeleteUser(_ context.Context, userID string) error {
+	authCtx := jm.authenticationContext()
+	_, resp, err := jm.client.SystemusersApi.SystemusersDelete(authCtx, userID, contentType, accept, nil)
 	if err != nil {
 		return err
 	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		if jm.appMetrics != nil {
+			jm.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return fmt.Errorf("unable to delete user, statusCode %d", resp.StatusCode)
+	}

 	if jm.appMetrics != nil {
 		jm.appMetrics.IDPMetrics().CountDeleteUser()
@@ -301,11 +247,11 @@ func (jm *JumpCloudManager) DeleteUser(ctx context.Context, userID string) error
 }

 // parseJumpCloudUser parse JumpCloud system user returned from API V1 to UserData.
-func parseJumpCloudUser(user jumpCloudUser) *UserData {
+func parseJumpCloudUser(user v1.Systemuserreturn) *UserData {
 	names := []string{user.Firstname, user.Middlename, user.Lastname}
 	return &UserData{
 		Email: user.Email,
 		Name:  strings.Join(names, " "),
-		ID:    user.ID,
+		ID:    user.Id,
 	}
 }
--- a/management/server/idp/jumpcloud_test.go
+++ b/management/server/idp/jumpcloud_test.go
@@ -1,15 +1,8 @@
 package idp

 import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"net/http/httptest"
 	"testing"

-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -51,212 +44,3 @@ func TestNewJumpCloudManager(t *testing.T) {
 		})
 	}
 }
-
-func TestJumpCloudGetUserDataByID(t *testing.T) {
-	userResponse := jumpCloudUser{
-		ID:         "user123",
-		Email:      "test@example.com",
-		Firstname:  "John",
-		Middlename: "",
-		Lastname:   "Doe",
-	}
-
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "/systemusers/user123", r.URL.Path)
-		assert.Equal(t, http.MethodGet, r.Method)
-		assert.Equal(t, "test-api-key", r.Header.Get("x-api-key"))
-
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(userResponse)
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	userData, err := manager.GetUserDataByID(context.Background(), "user123", AppMetadata{WTAccountID: "acc1"})
-	require.NoError(t, err)
-
-	assert.Equal(t, "user123", userData.ID)
-	assert.Equal(t, "test@example.com", userData.Email)
-	assert.Equal(t, "John  Doe", userData.Name)
-	assert.Equal(t, "acc1", userData.AppMetadata.WTAccountID)
-}
-
-func TestJumpCloudGetAccount(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "/search/systemusers", r.URL.Path)
-		assert.Equal(t, http.MethodPost, r.Method)
-
-		var reqBody map[string]any
-		assert.NoError(t, json.NewDecoder(r.Body).Decode(&reqBody))
-		assert.Contains(t, reqBody, "limit")
-		assert.Contains(t, reqBody, "skip")
-
-		resp := jumpCloudUserList{
-			Results: []jumpCloudUser{
-				{ID: "u1", Email: "a@test.com", Firstname: "Alice", Lastname: "Smith"},
-				{ID: "u2", Email: "b@test.com", Firstname: "Bob", Lastname: "Jones"},
-			},
-			TotalCount: 2,
-		}
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(resp)
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	users, err := manager.GetAccount(context.Background(), "testAccount")
-	require.NoError(t, err)
-	assert.Len(t, users, 2)
-	assert.Equal(t, "testAccount", users[0].AppMetadata.WTAccountID)
-	assert.Equal(t, "testAccount", users[1].AppMetadata.WTAccountID)
-}
-
-func TestJumpCloudGetAllAccounts(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		resp := jumpCloudUserList{
-			Results: []jumpCloudUser{
-				{ID: "u1", Email: "a@test.com", Firstname: "Alice"},
-				{ID: "u2", Email: "b@test.com", Firstname: "Bob"},
-			},
-			TotalCount: 2,
-		}
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(resp)
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	indexedUsers, err := manager.GetAllAccounts(context.Background())
-	require.NoError(t, err)
-	assert.Len(t, indexedUsers[UnsetAccountID], 2)
-}
-
-func TestJumpCloudGetAllAccountsPagination(t *testing.T) {
-	totalUsers := 250
-	allUsers := make([]jumpCloudUser, totalUsers)
-	for i := range allUsers {
-		allUsers[i] = jumpCloudUser{
-			ID:        fmt.Sprintf("u%d", i),
-			Email:     fmt.Sprintf("user%d@test.com", i),
-			Firstname: fmt.Sprintf("User%d", i),
-		}
-	}
-
-	requestCount := 0
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var reqBody map[string]int
-		assert.NoError(t, json.NewDecoder(r.Body).Decode(&reqBody))
-
-		limit := reqBody["limit"]
-		skip := reqBody["skip"]
-		requestCount++
-
-		end := skip + limit
-		if end > totalUsers {
-			end = totalUsers
-		}
-
-		resp := jumpCloudUserList{
-			Results:    allUsers[skip:end],
-			TotalCount: totalUsers,
-		}
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(resp)
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	indexedUsers, err := manager.GetAllAccounts(context.Background())
-	require.NoError(t, err)
-	assert.Len(t, indexedUsers[UnsetAccountID], totalUsers)
-	assert.Equal(t, 3, requestCount, "should require 3 pages for 250 users at page size 100")
-}
-
-func TestJumpCloudGetUserByEmail(t *testing.T) {
-	searchResponse := jumpCloudUserList{
-		Results: []jumpCloudUser{
-			{ID: "u1", Email: "alice@test.com", Firstname: "Alice", Lastname: "Smith"},
-		},
-		TotalCount: 1,
-	}
-
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "/search/systemusers", r.URL.Path)
-		assert.Equal(t, http.MethodPost, r.Method)
-
-		body, err := io.ReadAll(r.Body)
-		assert.NoError(t, err)
-		assert.Contains(t, string(body), "alice@test.com")
-
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(searchResponse)
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	users, err := manager.GetUserByEmail(context.Background(), "alice@test.com")
-	require.NoError(t, err)
-	assert.Len(t, users, 1)
-	assert.Equal(t, "alice@test.com", users[0].Email)
-}
-
-func TestJumpCloudDeleteUser(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		assert.Equal(t, "/systemusers/user123", r.URL.Path)
-		assert.Equal(t, http.MethodDelete, r.Method)
-		assert.Equal(t, "test-api-key", r.Header.Get("x-api-key"))
-
-		w.Header().Set("Content-Type", "application/json")
-		_ = json.NewEncoder(w).Encode(map[string]string{"_id": "user123"})
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	err := manager.DeleteUser(context.Background(), "user123")
-	require.NoError(t, err)
-}
-
-func TestJumpCloudAPIError(t *testing.T) {
-	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusUnauthorized)
-	}))
-	defer server.Close()
-
-	manager := newTestJumpCloudManager(t, server.URL)
-
-	_, err := manager.GetUserDataByID(context.Background(), "user123", AppMetadata{})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "401")
-}
-
-func TestParseJumpCloudUser(t *testing.T) {
-	user := jumpCloudUser{
-		ID:         "abc123",
-		Email:      "test@example.com",
-		Firstname:  "John",
-		Middlename: "M",
-		Lastname:   "Doe",
-	}
-
-	userData := parseJumpCloudUser(user)
-	assert.Equal(t, "abc123", userData.ID)
-	assert.Equal(t, "test@example.com", userData.Email)
-	assert.Equal(t, "John M Doe", userData.Name)
-}
-
-func newTestJumpCloudManager(t *testing.T, apiBase string) *JumpCloudManager {
-	t.Helper()
-	return &JumpCloudManager{
-		apiBase:    apiBase,
-		apiToken:   "test-api-key",
-		httpClient: http.DefaultClient,
-		helper:     JsonParser{},
-		appMetrics: nil,
-	}
-}
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -249,7 +249,7 @@ func (am *DefaultAccountManager) UpdatePeer(ctx context.Context, accountID, user
 			if err != nil {
 				newLabel = ""
 			} else {
-				_, err := transaction.GetPeerIdByLabel(ctx, store.LockingStrengthNone, accountID, newLabel)
+				_, err := transaction.GetPeerIdByLabel(ctx, store.LockingStrengthNone, accountID, update.Name)
 				if err == nil {
 					newLabel = ""
 				}
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -37,7 +37,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/job"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/management/status"

 	"github.com/netbirdio/netbird/management/server/util"
@@ -2739,70 +2738,3 @@ func TestProcessPeerAddAuth(t *testing.T) {
 		assert.Empty(t, config.GroupsToAdd)
 	})
 }
-
-func TestUpdatePeer_DnsLabelCollisionWithFQDN(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to create an account")
-
-	// Add first peer with hostname that produces DNS label "netbird1"
-	key1, err := wgtypes.GenerateKey()
-	require.NoError(t, err)
-	peer1, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  key1.PublicKey().String(),
-		Meta: nbpeer.PeerSystemMeta{Hostname: "netbird1.netbird.cloud"},
-	}, false)
-	require.NoError(t, err, "unable to add first peer")
-	assert.Equal(t, "netbird1", peer1.DNSLabel)
-
-	// Add second peer with a different hostname
-	key2, err := wgtypes.GenerateKey()
-	require.NoError(t, err)
-	peer2, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  key2.PublicKey().String(),
-		Meta: nbpeer.PeerSystemMeta{Hostname: "ip-10-29-5-130"},
-	}, false)
-	require.NoError(t, err)
-
-	update := peer2.Copy()
-	update.Name = "netbird1.demo.netbird.cloud"
-	updated, err := manager.UpdatePeer(context.Background(), accountID, userID, update)
-	require.NoError(t, err, "renaming peer should not fail with duplicate DNS label error")
-	assert.Equal(t, "netbird1.demo.netbird.cloud", updated.Name)
-	assert.NotEqual(t, "netbird1", updated.DNSLabel, "DNS label should not collide with existing peer")
-	assert.Contains(t, updated.DNSLabel, "netbird1-", "DNS label should be IP-based fallback")
-}
-
-func TestUpdatePeer_DnsLabelUniqueName(t *testing.T) {
-	manager, _, err := createManager(t)
-	require.NoError(t, err, "unable to create account manager")
-
-	accountID, err := manager.GetAccountIDByUserID(context.Background(), auth.UserAuth{UserId: userID})
-	require.NoError(t, err, "unable to create an account")
-
-	key1, err := wgtypes.GenerateKey()
-	require.NoError(t, err)
-	peer1, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  key1.PublicKey().String(),
-		Meta: nbpeer.PeerSystemMeta{Hostname: "web-server"},
-	}, false)
-	require.NoError(t, err)
-	assert.Equal(t, "web-server", peer1.DNSLabel)
-
-	// Add second peer and rename it to a unique FQDN whose first label doesn't collide
-	key2, err := wgtypes.GenerateKey()
-	require.NoError(t, err)
-	peer2, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
-		Key:  key2.PublicKey().String(),
-		Meta: nbpeer.PeerSystemMeta{Hostname: "old-name"},
-	}, false)
-	require.NoError(t, err)
-
-	update := peer2.Copy()
-	update.Name = "api-server.example.com"
-	updated, err := manager.UpdatePeer(context.Background(), accountID, userID, update)
-	require.NoError(t, err, "renaming to unique FQDN should succeed")
-	assert.Equal(t, "api-server", updated.DNSLabel, "DNS label should be first label of FQDN")
-}
--- a/proxy/internal/auth/middleware_test.go
+++ b/proxy/internal/auth/middleware_test.go
@@ -932,71 +932,3 @@ func TestProtect_HeaderAuth_SubsequentRequestUsesSessionCookie(t *testing.T) {
 	assert.Equal(t, "header-user", capturedData2.GetUserID())
 	assert.Equal(t, "header", capturedData2.GetAuthMethod())
 }
-
-// TestProtect_HeaderAuth_MultipleValuesSameHeader verifies that the proxy
-// correctly handles multiple valid credentials for the same header name.
-// In production, the mgmt gRPC authenticateHeader iterates all configured
-// header auths and accepts if any hash matches (OR semantics). The proxy
-// creates one Header scheme per entry, but a single gRPC call checks all.
-func TestProtect_HeaderAuth_MultipleValuesSameHeader(t *testing.T) {
-	mw := NewMiddleware(log.StandardLogger(), nil, nil)
-	kp := generateTestKeyPair(t)
-
-	// Mock simulates mgmt behavior: accepts either token-a or token-b.
-	accepted := map[string]bool{"Bearer token-a": true, "Bearer token-b": true}
-	mock := &mockAuthenticator{fn: func(_ context.Context, req *proto.AuthenticateRequest) (*proto.AuthenticateResponse, error) {
-		ha := req.GetHeaderAuth()
-		if ha != nil && accepted[ha.GetHeaderValue()] {
-			token, err := sessionkey.SignToken(kp.PrivateKey, "header-user", "example.com", auth.MethodHeader, time.Hour)
-			require.NoError(t, err)
-			return &proto.AuthenticateResponse{Success: true, SessionToken: token}, nil
-		}
-		return &proto.AuthenticateResponse{Success: false}, nil
-	}}
-
-	// Single Header scheme (as if one entry existed), but the mock checks both values.
-	hdr := NewHeader(mock, "svc1", "acc1", "Authorization")
-	require.NoError(t, mw.AddDomain("example.com", []Scheme{hdr}, kp.PublicKey, time.Hour, "acc1", "svc1", nil))
-
-	var backendCalled bool
-	handler := mw.Protect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		backendCalled = true
-		w.WriteHeader(http.StatusOK)
-	}))
-
-	t.Run("first value accepted", func(t *testing.T) {
-		backendCalled = false
-		req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
-		req.Header.Set("Authorization", "Bearer token-a")
-		req = req.WithContext(proxy.WithCapturedData(req.Context(), proxy.NewCapturedData("")))
-		rec := httptest.NewRecorder()
-		handler.ServeHTTP(rec, req)
-
-		assert.Equal(t, http.StatusOK, rec.Code)
-		assert.True(t, backendCalled, "first token should be accepted")
-	})
-
-	t.Run("second value accepted", func(t *testing.T) {
-		backendCalled = false
-		req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
-		req.Header.Set("Authorization", "Bearer token-b")
-		req = req.WithContext(proxy.WithCapturedData(req.Context(), proxy.NewCapturedData("")))
-		rec := httptest.NewRecorder()
-		handler.ServeHTTP(rec, req)
-
-		assert.Equal(t, http.StatusOK, rec.Code)
-		assert.True(t, backendCalled, "second token should be accepted")
-	})
-
-	t.Run("unknown value rejected", func(t *testing.T) {
-		backendCalled = false
-		req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
-		req.Header.Set("Authorization", "Bearer token-c")
-		req = req.WithContext(proxy.WithCapturedData(req.Context(), proxy.NewCapturedData("")))
-		rec := httptest.NewRecorder()
-		handler.ServeHTTP(rec, req)
-
-		assert.Equal(t, http.StatusUnauthorized, rec.Code)
-		assert.False(t, backendCalled, "unknown token should be rejected")
-	})
-}
--- a/proxy/web/package-lock.json
+++ b/proxy/web/package-lock.json
@@ -63,6 +63,7 @@
      "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@babel/code-frame": "^7.29.0",
        "@babel/generator": "^7.29.0",
@@ -1595,66 +1596,6 @@
        "node": ">=14.0.0"
      }
    },
-    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/core": {
-      "version": "1.7.1",
-      "dev": true,
-      "inBundle": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "@emnapi/wasi-threads": "1.1.0",
-        "tslib": "^2.4.0"
-      }
-    },
-    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/runtime": {
-      "version": "1.7.1",
-      "dev": true,
-      "inBundle": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
-      }
-    },
-    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/wasi-threads": {
-      "version": "1.1.0",
-      "dev": true,
-      "inBundle": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
-      }
-    },
-    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": {
-      "version": "1.1.0",
-      "dev": true,
-      "inBundle": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "@emnapi/core": "^1.7.1",
-        "@emnapi/runtime": "^1.7.1",
-        "@tybys/wasm-util": "^0.10.1"
-      }
-    },
-    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@tybys/wasm-util": {
-      "version": "0.10.1",
-      "dev": true,
-      "inBundle": true,
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "tslib": "^2.4.0"
-      }
-    },
-    "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/tslib": {
-      "version": "2.8.1",
-      "dev": true,
-      "inBundle": true,
-      "license": "0BSD",
-      "optional": true
-    },
    "node_modules/@tailwindcss/oxide-win32-arm64-msvc": {
      "version": "4.1.18",
      "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.1.18.tgz",
@@ -1769,6 +1710,7 @@
      "integrity": "sha512-+0/4J266CBGPUq/ELg7QUHhN25WYjE0wYTPSQJn1xeu8DOlIOPxXxrNGiLmfAWl7HMMgWFWXpt9IDjMWrF5Iow==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "undici-types": "~7.16.0"
      }
@@ -1779,6 +1721,7 @@
      "integrity": "sha512-WPigyYuGhgZ/cTPRXB2EwUw+XvsRA3GqHlsP4qteqrnnjDrApbS7MxcGr/hke5iUoeB7E/gQtrs9I37zAJ0Vjw==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "csstype": "^3.2.2"
      }
@@ -1838,6 +1781,7 @@
      "integrity": "sha512-BtE0k6cjwjLZoZixN0t5AKP0kSzlGu7FctRXYuPAm//aaiZhmfq1JwdYpYr1brzEspYyFeF+8XF5j2VK6oalrA==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@typescript-eslint/scope-manager": "8.54.0",
        "@typescript-eslint/types": "8.54.0",
@@ -2089,6 +2033,7 @@
      "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "bin": {
        "acorn": "bin/acorn"
      },
@@ -2194,6 +2139,7 @@
        }
      ],
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "baseline-browser-mapping": "^2.9.0",
        "caniuse-lite": "^1.0.30001759",
@@ -2448,6 +2394,7 @@
      "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.8.0",
        "@eslint-community/regexpp": "^4.12.1",
@@ -3439,11 +3386,12 @@
      "license": "ISC"
    },
    "node_modules/picomatch": {
-      "version": "4.0.4",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
-      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
+      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "engines": {
        "node": ">=12"
      },
@@ -3505,6 +3453,7 @@
      "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
      "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
      "license": "MIT",
+      "peer": true,
      "engines": {
        "node": ">=0.10.0"
      }
@@ -3738,6 +3687,7 @@
      "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "esbuild": "~0.27.0",
        "get-tsconfig": "^4.7.5"
@@ -3771,6 +3721,7 @@
      "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
      "dev": true,
      "license": "Apache-2.0",
+      "peer": true,
      "bin": {
        "tsc": "bin/tsc",
        "tsserver": "bin/tsserver"
@@ -3857,6 +3808,7 @@
      "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "esbuild": "^0.27.0",
        "fdir": "^6.5.0",
@@ -3978,6 +3930,7 @@
      "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "funding": {
        "url": "https://github.com/sponsors/colinhacks"
      }
--- a/upload-server/server/s3_test.go
+++ b/upload-server/server/s3_test.go
@@ -5,12 +5,13 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"runtime"
 	"testing"

 	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go-v2/credentials"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
@@ -19,55 +20,45 @@ import (
 )

 func Test_S3HandlerGetUploadURL(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("Skipping test on non-Linux due to docker dependency")
+	if runtime.GOOS != "linux" && os.Getenv("CI") == "true" {
+		t.Skip("Skipping test on non-Linux and CI environment due to docker dependency")
+	}
+	if runtime.GOOS == "windows" {
+		t.Skip("Skipping test on Windows due to potential docker dependency")
 	}

+	awsEndpoint := "http://127.0.0.1:4566"
 	awsRegion := "us-east-1"

 	ctx := context.Background()
+	containerRequest := testcontainers.ContainerRequest{
+		Image:        "localstack/localstack:s3-latest",
+		ExposedPorts: []string{"4566:4566/tcp"},
+		WaitingFor:   wait.ForLog("Ready"),
+	}
+
 	c, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
-		ContainerRequest: testcontainers.ContainerRequest{
-			Image:        "minio/minio:RELEASE.2025-04-22T22-12-26Z",
-			ExposedPorts: []string{"9000/tcp"},
-			Env: map[string]string{
-				"MINIO_ROOT_USER":     "minioadmin",
-				"MINIO_ROOT_PASSWORD": "minioadmin",
-			},
-			Cmd:        []string{"server", "/data"},
-			WaitingFor: wait.ForHTTP("/minio/health/ready").WithPort("9000"),
-		},
-		Started: true,
+		ContainerRequest: containerRequest,
+		Started:          true,
 	})
-	require.NoError(t, err)
-	t.Cleanup(func() {
+	if err != nil {
+		t.Error(err)
+	}
+	defer func(c testcontainers.Container, ctx context.Context) {
 		if err := c.Terminate(ctx); err != nil {
 			t.Log(err)
 		}
-	})
-
-	mappedPort, err := c.MappedPort(ctx, "9000")
-	require.NoError(t, err)
-
-	hostIP, err := c.Host(ctx)
-	require.NoError(t, err)
-
-	awsEndpoint := "http://" + hostIP + ":" + mappedPort.Port()
+	}(c, ctx)

 	t.Setenv("AWS_REGION", awsRegion)
 	t.Setenv("AWS_ENDPOINT_URL", awsEndpoint)
-	t.Setenv("AWS_ACCESS_KEY_ID", "minioadmin")
-	t.Setenv("AWS_SECRET_ACCESS_KEY", "minioadmin")
-	t.Setenv("AWS_CONFIG_FILE", "")
-	t.Setenv("AWS_SHARED_CREDENTIALS_FILE", "")
-	t.Setenv("AWS_PROFILE", "")
+	t.Setenv("AWS_ACCESS_KEY_ID", "test")
+	t.Setenv("AWS_SECRET_ACCESS_KEY", "test")

-	cfg, err := config.LoadDefaultConfig(ctx,
-		config.WithRegion(awsRegion),
-		config.WithBaseEndpoint(awsEndpoint),
-		config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider("minioadmin", "minioadmin", "")),
-	)
-	require.NoError(t, err)
+	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(awsRegion), config.WithBaseEndpoint(awsEndpoint))
+	if err != nil {
+		t.Error(err)
+	}

 	client := s3.NewFromConfig(cfg, func(o *s3.Options) {
 		o.UsePathStyle = true
@@ -75,16 +66,19 @@ func Test_S3HandlerGetUploadURL(t *testing.T) {
 	})

 	bucketName := "test"
-	_, err = client.CreateBucket(ctx, &s3.CreateBucketInput{
+	if _, err := client.CreateBucket(ctx, &s3.CreateBucketInput{
 		Bucket: &bucketName,
-	})
-	require.NoError(t, err)
+	}); err != nil {
+		t.Error(err)
+	}

 	list, err := client.ListBuckets(ctx, &s3.ListBucketsInput{})
-	require.NoError(t, err)
+	if err != nil {
+		t.Error(err)
+	}

-	require.Len(t, list.Buckets, 1)
-	require.Equal(t, bucketName, *list.Buckets[0].Name)
+	assert.Equal(t, len(list.Buckets), 1)
+	assert.Equal(t, *list.Buckets[0].Name, bucketName)

 	t.Setenv(bucketVar, bucketName)
Author	SHA1	Message	Date
Viktor Liu	0adec637fc	Move EnvForceUserspaceFirewall to platform-independent file	2026-03-23 19:11:30 +01:00
Viktor Liu	9f41367f5d	Set NB_FORCE_USERSPACE_FIREWALL in ACL manager tests	2026-03-23 18:46:15 +01:00
Viktor Liu	25a5b3ea1a	Use native firewall for peer ACLs in userspace WireGuard mode	2026-03-23 18:29:53 +01:00