[management] pass config to controller (#4807)

pascal-fischer · web-flow · commit 3351b38434c5 · 2025-11-19T11:52:18.000+01:00
diff --git a/client/cmd/testutil_test.go b/client/cmd/testutil_test.go
@@ -116,7 +116,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), config)
 
 	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
diff --git a/client/internal/engine.go b/client/internal/engine.go
@@ -1192,6 +1192,7 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 }
 
 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
+	//nolint
 	forwarderPort := uint16(protoDNSConfig.GetForwarderPort())
 	if forwarderPort == 0 {
 		forwarderPort = nbdns.ForwarderClientPort
diff --git a/client/internal/engine_test.go b/client/internal/engine_test.go
@@ -1624,7 +1624,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
-	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), config)
 	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
diff --git a/client/server/server_test.go b/client/server/server_test.go
@@ -316,7 +316,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
 	peersUpdateManager := update_channel.NewPeersUpdateManager(metrics)
-	networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(context.Background(), store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), config)
 	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
diff --git a/management/internals/controllers/network_map/controller/controller.go b/management/internals/controllers/network_map/controller/controller.go
@@ -19,6 +19,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
+	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
@@ -47,6 +48,7 @@ type Controller struct {
 	updateAccountPeersBufferInterval atomic.Int64
 	// dnsDomain is used for peer resolution. This is appended to the peer's name
 	dnsDomain string
+	config    *config.Config
 
 	requestBuffer account.RequestBuffer
 
@@ -68,7 +70,7 @@ type bufferUpdate struct {
 
 var _ network_map.Controller = (*Controller)(nil)
 
-func NewController(ctx context.Context, store store.Store, metrics telemetry.AppMetrics, peersUpdateManager network_map.PeersUpdateManager, requestBuffer account.RequestBuffer, integratedPeerValidator integrated_validator.IntegratedValidator, settingsManager settings.Manager, dnsDomain string, proxyController port_forwarding.Controller) *Controller {
+func NewController(ctx context.Context, store store.Store, metrics telemetry.AppMetrics, peersUpdateManager network_map.PeersUpdateManager, requestBuffer account.RequestBuffer, integratedPeerValidator integrated_validator.IntegratedValidator, settingsManager settings.Manager, dnsDomain string, proxyController port_forwarding.Controller, config *config.Config) *Controller {
 	nMetrics, err := newMetrics(metrics.UpdateChannelMetrics())
 	if err != nil {
 		log.Fatal(fmt.Errorf("error creating metrics: %w", err))
@@ -95,6 +97,7 @@ func NewController(ctx context.Context, store store.Store, metrics telemetry.App
 		integratedPeerValidator: integratedPeerValidator,
 		settingsManager:         settingsManager,
 		dnsDomain:               dnsDomain,
+		config:                  config,
 
 		proxyController: proxyController,
 
@@ -205,7 +208,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 
 			peerGroups := account.GetPeerGroups(p.ID)
 			start = time.Now()
-			update := grpc.ToSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
+			update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
 			c.metrics.CountToSyncResponseDuration(time.Since(start))
 
 			c.peersUpdateManager.SendUpdate(ctx, p.ID, &network_map.UpdateMessage{Update: update})
@@ -323,7 +326,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 	peerGroups := account.GetPeerGroups(peerId)
 	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), network_map.DnsForwarderPortMinVersion)
 
-	update := grpc.ToSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
+	update := grpc.ToSyncResponse(ctx, nil, c.config.HttpConfig, c.config.DeviceAuthorizationFlow, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
 	c.peersUpdateManager.SendUpdate(ctx, peer.ID, &network_map.UpdateMessage{Update: update})
 
 	return nil
diff --git a/management/internals/server/controllers.go b/management/internals/server/controllers.go
@@ -70,7 +70,7 @@ func (s *BaseServer) EphemeralManager() ephemeral.Manager {
 
 func (s *BaseServer) NetworkMapController() network_map.Controller {
 	return Create(s, func() *nmapcontroller.Controller {
-		return nmapcontroller.NewController(context.Background(), s.Store(), s.Metrics(), s.PeersUpdateManager(), s.AccountRequestBuffer(), s.IntegratedValidator(), s.SettingsManager(), s.dnsDomain, s.ProxyController())
+		return nmapcontroller.NewController(context.Background(), s.Store(), s.Metrics(), s.PeersUpdateManager(), s.AccountRequestBuffer(), s.IntegratedValidator(), s.SettingsManager(), s.dnsDomain, s.ProxyController(), s.config)
 	})
 }
 
diff --git a/management/internals/shared/grpc/conversion.go b/management/internals/shared/grpc/conversion.go
@@ -83,7 +83,7 @@ func toNetbirdConfig(config *nbconfig.Config, turnCredentials *Token, relayToken
 	return nbConfig
 }
 
-func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, settings *types.Settings, config *nbconfig.Config) *proto.PeerConfig {
+func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, settings *types.Settings, httpConfig *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfig.DeviceAuthorizationFlow) *proto.PeerConfig {
 	netmask, _ := network.Net.Mask.Size()
 	fqdn := peer.FQDN(dnsName)
 
@@ -92,7 +92,7 @@ func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, set
 	}
 
 	if peer.SSHEnabled {
-		sshConfig.JwtConfig = buildJWTConfig(config)
+		sshConfig.JwtConfig = buildJWTConfig(httpConfig, deviceFlowConfig)
 	}
 
 	return &proto.PeerConfig{
@@ -104,9 +104,9 @@ func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, set
 	}
 }
 
-func ToSyncResponse(ctx context.Context, config *nbconfig.Config, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *cache.DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string, dnsFwdPort int64) *proto.SyncResponse {
+func ToSyncResponse(ctx context.Context, config *nbconfig.Config, httpConfig *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfig.DeviceAuthorizationFlow, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *cache.DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string, dnsFwdPort int64) *proto.SyncResponse {
 	response := &proto.SyncResponse{
-		PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings, config),
+		PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings, httpConfig, deviceFlowConfig),
 		NetworkMap: &proto.NetworkMap{
 			Serial:    networkMap.Network.CurrentSerial(),
 			Routes:    toProtocolRoutes(networkMap.Routes),
@@ -363,35 +363,29 @@ func convertToProtoNameServerGroup(nsGroup *nbdns.NameServerGroup) *proto.NameSe
 }
 
 // buildJWTConfig constructs JWT configuration for SSH servers from management server config
-func buildJWTConfig(config *nbconfig.Config) *proto.JWTConfig {
-	if config == nil {
-		return nil
-	}
-
-	if config.HttpConfig == nil || config.HttpConfig.AuthAudience == "" {
+func buildJWTConfig(config *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfig.DeviceAuthorizationFlow) *proto.JWTConfig {
+	if config == nil || config.AuthAudience == "" {
 		return nil
 	}
 
-	issuer := strings.TrimSpace(config.HttpConfig.AuthIssuer)
-	if issuer == "" {
-		if config.DeviceAuthorizationFlow != nil {
-			if d := deriveIssuerFromTokenEndpoint(config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint); d != "" {
-				issuer = d
-			}
+	issuer := strings.TrimSpace(config.AuthIssuer)
+	if issuer == "" || deviceFlowConfig != nil {
+		if d := deriveIssuerFromTokenEndpoint(deviceFlowConfig.ProviderConfig.TokenEndpoint); d != "" {
+			issuer = d
 		}
 	}
 	if issuer == "" {
 		return nil
 	}
 
-	keysLocation := strings.TrimSpace(config.HttpConfig.AuthKeysLocation)
+	keysLocation := strings.TrimSpace(config.AuthKeysLocation)
 	if keysLocation == "" {
 		keysLocation = strings.TrimSuffix(issuer, "/") + "/.well-known/jwks.json"
 	}
 
 	return &proto.JWTConfig{
 		Issuer:       issuer,
-		Audience:     config.HttpConfig.AuthAudience,
+		Audience:     config.AuthAudience,
 		KeysLocation: keysLocation,
 	}
 }
diff --git a/management/internals/shared/grpc/server.go b/management/internals/shared/grpc/server.go
@@ -646,7 +646,7 @@ func (s *Server) prepareLoginResponse(ctx context.Context, peer *nbpeer.Peer, ne
 	// if peer has reached this point then it has logged in
 	loginResp := &proto.LoginResponse{
 		NetbirdConfig: toNetbirdConfig(s.config, nil, relayToken, nil),
-		PeerConfig:    toPeerConfig(peer, netMap.Network, s.networkMapController.GetDNSDomain(settings), settings, s.config),
+		PeerConfig:    toPeerConfig(peer, netMap.Network, s.networkMapController.GetDNSDomain(settings), settings, s.config.HttpConfig, s.config.DeviceAuthorizationFlow),
 		Checks:        toProtocolChecks(ctx, postureChecks),
 	}
 
@@ -713,7 +713,7 @@ func (s *Server) sendInitialSync(ctx context.Context, peerKey wgtypes.Key, peer
 		return status.Errorf(codes.Internal, "failed to get peer groups %s", err)
 	}
 
-	plainResp := ToSyncResponse(ctx, s.config, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)
+	plainResp := ToSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)
 
 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)
 	if err != nil {
diff --git a/management/server/account_test.go b/management/server/account_test.go
@@ -25,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	"github.com/netbirdio/netbird/management/internals/server/config"
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/cache"
@@ -2958,7 +2959,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, *update_channel.PeersU
 
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), &config.Config{})
 	manager, err := BuildManager(ctx, nil, store, networkMapController, nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, nil, err
diff --git a/management/server/dns_test.go b/management/server/dns_test.go
@@ -12,6 +12,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -222,7 +223,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.test", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.test", port_forwarding.NewControllerMock(), &config.Config{})
 
 	return BuildManager(context.Background(), nil, store, networkMapController, nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 }
diff --git a/management/server/http/testing/testing_tools/channel/channel.go b/management/server/http/testing/testing_tools/channel/channel.go
@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/internals/server/config"
 
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
@@ -71,7 +72,7 @@ func BuildApiBlackBoxWithDBState(t testing_tools.TB, sqlFile string, expectedPee
 
 	ctx := context.Background()
 	requestBuffer := server.NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsManager, "", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, store, metrics, peersUpdateManager, requestBuffer, server.MockIntegratedValidator{}, settingsManager, "", port_forwarding.NewControllerMock(), &config.Config{})
 	am, err := server.BuildManager(ctx, nil, store, networkMapController, nil, "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager, false)
 	if err != nil {
 		t.Fatalf("Failed to create manager: %v", err)
diff --git a/management/server/management_proto_test.go b/management/server/management_proto_test.go
@@ -363,7 +363,7 @@ func startManagementForTest(t *testing.T, testFile string, config *config.Config
 
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), config)
 	accountManager, err := BuildManager(ctx, nil, store, networkMapController, nil, "",
 		eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 
diff --git a/management/server/management_test.go b/management/server/management_test.go
@@ -205,7 +205,7 @@ func startServer(
 	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(ctx, str)
-	networkMapController := controller.NewController(ctx, str, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, str, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), config)
 
 	accountManager, err := server.BuildManager(
 		context.Background(),
diff --git a/management/server/nameserver_test.go b/management/server/nameserver_test.go
@@ -13,6 +13,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
+	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
@@ -791,7 +792,7 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := NewAccountRequestBuffer(ctx, store)
-	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock())
+	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), &config.Config{})
 
 	return BuildManager(context.Background(), nil, store, networkMapController, nil, "", eventStore, nil, false, MockIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 }
diff --git a/management/server/peer_test.go b/management/server/peer_test.go
diff --git a/management/server/route_test.go b/management/server/route_test.go
diff --git a/shared/management/client/client_test.go b/shared/management/client/client_test.go
diff --git a/shared/management/proto/management.pb.go b/shared/management/proto/management.pb.go
diff --git a/shared/management/proto/management.proto b/shared/management/proto/management.proto

Original file line number	Diff line number	Diff line change
`@@ -1192,6 +1192,7 @@ func toRouteDomains(myPubKey string, routes []route.Route) []dnsfwd.ForwarderE`
`1192`	`1192`	`}`
`1193`	`1193`
`1194`	`1194`	`func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {`
	`1195`	`+ //nolint`
`1195`	`1196`	`forwarderPort := uint16(protoDNSConfig.GetForwarderPort())`
`1196`	`1197`	`if forwarderPort == 0 {`
`1197`	`1198`	`forwarderPort = nbdns.ForwarderClientPort`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func (s *BaseServer) EphemeralManager() ephemeral.Manager {`
`70`	`70`
`71`	`71`	`func (s *BaseServer) NetworkMapController() network_map.Controller {`
`72`	`72`	`return Create(s, func() *nmapcontroller.Controller {`
`73`		`- return nmapcontroller.NewController(context.Background(), s.Store(), s.Metrics(), s.PeersUpdateManager(), s.AccountRequestBuffer(), s.IntegratedValidator(), s.SettingsManager(), s.dnsDomain, s.ProxyController())`
	`73`	`+ return nmapcontroller.NewController(context.Background(), s.Store(), s.Metrics(), s.PeersUpdateManager(), s.AccountRequestBuffer(), s.IntegratedValidator(), s.SettingsManager(), s.dnsDomain, s.ProxyController(), s.config)`
`74`	`74`	`})`
`75`	`75`	`}`
`76`	`76`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func toNetbirdConfig(config nbconfig.Config, turnCredentials Token, relayToken`
`83`	`83`	`return nbConfig`
`84`	`84`	`}`
`85`	`85`
`86`		`-func toPeerConfig(peer nbpeer.Peer, network types.Network, dnsName string, settings types.Settings, config nbconfig.Config) *proto.PeerConfig {`
	`86`	`+func toPeerConfig(peer nbpeer.Peer, network types.Network, dnsName string, settings types.Settings, httpConfig nbconfig.HttpServerConfig, deviceFlowConfig nbconfig.DeviceAuthorizationFlow) proto.PeerConfig {`
`87`	`87`	`netmask, _ := network.Net.Mask.Size()`
`88`	`88`	`fqdn := peer.FQDN(dnsName)`
`89`	`89`
`@@ -92,7 +92,7 @@ func toPeerConfig(peer nbpeer.Peer, network types.Network, dnsName string, set`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`if peer.SSHEnabled {`
`95`		`- sshConfig.JwtConfig = buildJWTConfig(config)`
	`95`	`+ sshConfig.JwtConfig = buildJWTConfig(httpConfig, deviceFlowConfig)`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`return &proto.PeerConfig{`
`@@ -104,9 +104,9 @@ func toPeerConfig(peer nbpeer.Peer, network types.Network, dnsName string, set`
`104`	`104`	`}`
`105`	`105`	`}`
`106`	`106`
`107`		`-func ToSyncResponse(ctx context.Context, config nbconfig.Config, peer nbpeer.Peer, turnCredentials Token, relayCredentials Token, networkMap types.NetworkMap, dnsName string, checks []posture.Checks, dnsCache cache.DNSConfigCache, settings types.Settings, extraSettings types.ExtraSettings, peerGroups []string, dnsFwdPort int64) proto.SyncResponse {`
	`107`	`+func ToSyncResponse(ctx context.Context, config nbconfig.Config, httpConfig nbconfig.HttpServerConfig, deviceFlowConfig nbconfig.DeviceAuthorizationFlow, peer nbpeer.Peer, turnCredentials Token, relayCredentials Token, networkMap types.NetworkMap, dnsName string, checks []posture.Checks, dnsCache cache.DNSConfigCache, settings types.Settings, extraSettings types.ExtraSettings, peerGroups []string, dnsFwdPort int64) proto.SyncResponse {`
`108`	`108`	`response := &proto.SyncResponse{`
`109`		`- PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings, config),`
	`109`	`+ PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings, httpConfig, deviceFlowConfig),`
`110`	`110`	`NetworkMap: &proto.NetworkMap{`
`111`	`111`	`Serial: networkMap.Network.CurrentSerial(),`
`112`	`112`	`Routes: toProtocolRoutes(networkMap.Routes),`
`@@ -363,35 +363,29 @@ func convertToProtoNameServerGroup(nsGroup nbdns.NameServerGroup) proto.NameSe`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`// buildJWTConfig constructs JWT configuration for SSH servers from management server config`
`366`		`-func buildJWTConfig(config nbconfig.Config) proto.JWTConfig {`
`367`		`- if config == nil {`
`368`		`- return nil`
`369`		`- }`
`370`		`-`
`371`		`- if config.HttpConfig == nil \|\| config.HttpConfig.AuthAudience == "" {`
	`366`	`+func buildJWTConfig(config nbconfig.HttpServerConfig, deviceFlowConfig nbconfig.DeviceAuthorizationFlow) *proto.JWTConfig {`
	`367`	`+ if config == nil \|\| config.AuthAudience == "" {`
`372`	`368`	`return nil`
`373`	`369`	`}`
`374`	`370`
`375`		`- issuer := strings.TrimSpace(config.HttpConfig.AuthIssuer)`
`376`		`- if issuer == "" {`
`377`		`- if config.DeviceAuthorizationFlow != nil {`
`378`		`- if d := deriveIssuerFromTokenEndpoint(config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint); d != "" {`
`379`		`- issuer = d`
`380`		`- }`
	`371`	`+ issuer := strings.TrimSpace(config.AuthIssuer)`
	`372`	`+ if issuer == "" \|\| deviceFlowConfig != nil {`
	`373`	`+ if d := deriveIssuerFromTokenEndpoint(deviceFlowConfig.ProviderConfig.TokenEndpoint); d != "" {`
	`374`	`+ issuer = d`
`381`	`375`	`}`
`382`	`376`	`}`
`383`	`377`	`if issuer == "" {`
`384`	`378`	`return nil`
`385`	`379`	`}`
`386`	`380`
`387`		`- keysLocation := strings.TrimSpace(config.HttpConfig.AuthKeysLocation)`
	`381`	`+ keysLocation := strings.TrimSpace(config.AuthKeysLocation)`
`388`	`382`	`if keysLocation == "" {`
`389`	`383`	`keysLocation = strings.TrimSuffix(issuer, "/") + "/.well-known/jwks.json"`
`390`	`384`	`}`
`391`	`385`
`392`	`386`	`return &proto.JWTConfig{`
`393`	`387`	`Issuer: issuer,`
`394`		`- Audience: config.HttpConfig.AuthAudience,`
	`388`	`+ Audience: config.AuthAudience,`
`395`	`389`	`KeysLocation: keysLocation,`
`396`	`390`	`}`
`397`	`391`	`}`
Original file line number	Diff line number	Diff line change
`@@ -646,7 +646,7 @@ func (s Server) prepareLoginResponse(ctx context.Context, peer nbpeer.Peer, ne`
`646`	`646`	`// if peer has reached this point then it has logged in`
`647`	`647`	`loginResp := &proto.LoginResponse{`
`648`	`648`	`NetbirdConfig: toNetbirdConfig(s.config, nil, relayToken, nil),`
`649`		`- PeerConfig: toPeerConfig(peer, netMap.Network, s.networkMapController.GetDNSDomain(settings), settings, s.config),`
	`649`	`+ PeerConfig: toPeerConfig(peer, netMap.Network, s.networkMapController.GetDNSDomain(settings), settings, s.config.HttpConfig, s.config.DeviceAuthorizationFlow),`
`650`	`650`	`Checks: toProtocolChecks(ctx, postureChecks),`
`651`	`651`	`}`
`652`	`652`
`@@ -713,7 +713,7 @@ func (s *Server) sendInitialSync(ctx context.Context, peerKey wgtypes.Key, peer`
`713`	`713`	`return status.Errorf(codes.Internal, "failed to get peer groups %s", err)`
`714`	`714`	`}`
`715`	`715`
`716`		`- plainResp := ToSyncResponse(ctx, s.config, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)`
	`716`	`+ plainResp := ToSyncResponse(ctx, s.config, s.config.HttpConfig, s.config.DeviceAuthorizationFlow, peer, turnToken, relayToken, networkMap, s.networkMapController.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)`
`717`	`717`
`718`	`718`	`encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)`
`719`	`719`	`if err != nil {`