Refactor RDP proxy handling and update related tests

backend/internal/modules/cluster/postgres_store_test.go

@@ -137,7 +137,7 @@ func TestEnrichVPNClientFabricRouteUsesActiveLeaseWhenNoPolicyExit(t *testing.T)
 	}
 }
 
-func TestEnrichVPNClientEntryEndpointCandidatesAddsReportedEntryAPI(t *testing.T) {
+func TestEnrichVPNClientEntryEndpointCandidatesAddsReportedQUICEndpoint(t *testing.T) {
 	item := VPNClientConnection{
 		EntryNodeIDs: []string{"entry-1"},
 		ClientConfig: json.RawMessage(`{
@@ -150,16 +150,16 @@ func TestEnrichVPNClientEntryEndpointCandidatesAddsReportedEntryAPI(t *testing.T
 	}
 	heartbeatMetadata := json.RawMessage(`{
 		"mesh_endpoint_report": {
-			"transport": "direct_http",
+			"transport": "direct_quic",
 			"connectivity_mode": "direct",
 			"nat_type": "none",
 			"region": "test",
-			"peer_endpoint": "http://entry.example.test:19131",
+			"peer_endpoint": "quic://entry.example.test:19131",
 			"endpoint_candidates": [{
-				"endpoint_id": "public-http",
+				"endpoint_id": "public-quic",
 				"node_id": "entry-1",
-				"transport": "direct_http",
-				"address": "http://entry.example.test:19131",
+				"transport": "direct_quic",
+				"address": "quic://entry.example.test:19131",
 				"reachability": "public",
 				"priority": 0
 			}]
@@ -178,9 +178,12 @@ func TestEnrichVPNClientEntryEndpointCandidatesAddsReportedEntryAPI(t *testing.T
 	}
 	candidates := cfg["vpn_entry_endpoint_candidates"].([]any)
 	candidate := candidates[0].(map[string]any)
-	if candidate["node_id"] != "entry-1" || candidate["api_base_url"] != "http://entry.example.test:19131/api/v1" {
+	if candidate["node_id"] != "entry-1" || candidate["address"] != "quic://entry.example.test:19131" {
 		t.Fatalf("unexpected endpoint candidate: %#v", candidate)
 	}
+	if _, ok := candidate["api_base_url"]; ok {
+		t.Fatalf("QUIC dataplane candidate must not expose an API base URL: %#v", candidate)
+	}
 	if _, ok := candidate["local_gateway_shortcut"]; ok {
 		t.Fatalf("local gateway shortcut must not be advertised in farm-owned VPN mode: %#v", candidate)
 	}
@@ -188,3 +191,29 @@ func TestEnrichVPNClientEntryEndpointCandidatesAddsReportedEntryAPI(t *testing.T
 		t.Fatalf("unexpected endpoint metadata: %#v", candidate)
 	}
 }
+
+func TestVPNEntryEndpointCandidatesKeepsQUICEndpointsAndRejectsLegacyHTTP(t *testing.T) {
+	heartbeatMetadata := json.RawMessage(`{
+		"mesh_endpoint_report": {
+			"transport": "direct_quic",
+			"connectivity_mode": "direct",
+			"peer_endpoint": "quic://192.168.200.85:18080",
+			"endpoint_candidates": [
+				{"endpoint_id":"admin-web","node_id":"entry-1","transport":"direct_quic","address":"quic://192.168.200.85:18080","reachability":"private","priority":0},
+				{"endpoint_id":"http-old","node_id":"entry-1","transport":"direct_http","address":"http://192.168.200.85:19131","reachability":"private","priority":1},
+				{"endpoint_id":"mesh-quic","node_id":"entry-1","transport":"direct_quic","address":"quic://192.168.200.85:19131","reachability":"private","priority":2}
+			]
+		}
+	}`)
+	candidates := vpnEntryEndpointCandidatesFromHeartbeat("entry-1", nil, heartbeatMetadata)
+	if len(candidates) != 2 {
+		t.Fatalf("candidate count = %d, want two QUIC dataplane endpoints: %#v", len(candidates), candidates)
+	}
+	got := map[string]string{}
+	for _, candidate := range candidates {
+		got[candidate["endpoint_id"].(string)] = candidate["address"].(string)
+	}
+	if got["admin-web"] != "quic://192.168.200.85:18080" || got["mesh-quic"] != "quic://192.168.200.85:19131" {
+		t.Fatalf("unexpected candidates: %#v", candidates)
+	}
+}