From 3b8195fd0838610a2a6690d16dbb95ee99564a8b Mon Sep 17 00:00:00 2001
From: Haitao Pan <manbuzhe2009@qq.com>
Date: Sat, 31 Jan 2026 17:42:05 +0800
Subject: [PATCH] feat: support internal agent auth token and update agent
 server API path

---
 api/api.go             |  9 +++++++--
 cmd/accountsvc/main.go | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/api/api.go b/api/api.go
index aefb50a..cf07319 100644
--- a/api/api.go
+++ b/api/api.go
@@ -261,8 +261,6 @@ func RegisterRoutes(r *gin.Engine, opts ...Option) {
 	authProtected.POST("/mfa/disable", h.disableMFA)
 	authProtected.GET("/mfa/status", h.mfaStatus)
 
-	authProtected.GET("/agent/nodes", h.listAgentNodes)
-
 	authProtected.POST("/password/reset", h.requestPasswordReset)
 	authProtected.POST("/password/reset/confirm", h.confirmPasswordReset)
 
@@ -279,6 +277,13 @@ func RegisterRoutes(r *gin.Engine, opts ...Option) {
 	authProtected.POST("/admin/users/:userId/role", h.updateUserRole)
 	authProtected.DELETE("/admin/users/:userId/role", h.resetUserRole)
 
+	// Agent User routes - /api/agent/nodes
+	agentUser := r.Group("/api/agent")
+	if h.tokenService != nil {
+		agentUser.Use(h.tokenService.AuthMiddleware())
+	}
+	agentUser.GET("/nodes", h.listAgentNodes)
+
 	registerAdminRoutes(authProtected, h)
 }
 
diff --git a/cmd/accountsvc/main.go b/cmd/accountsvc/main.go
index 279cfd4..d28b5ca 100644
--- a/cmd/accountsvc/main.go
+++ b/cmd/accountsvc/main.go
@@ -191,6 +191,20 @@ func runServer(ctx context.Context, cfg *config.Config, logger *slog.Logger) err
 		if err != nil {
 			return err
 		}
+	} else if token := os.Getenv("INTERNAL_SERVICE_TOKEN"); token != "" {
+		// Fallback: if no credentials configured but we have an internal token,
+		// register a default internal agent.
+		agentRegistry, err = agentserver.NewRegistry(agentserver.Config{
+			Credentials: []agentserver.Credential{{
+				ID:     "internal-agent",
+				Name:   "Internal Agent",
+				Token:  token,
+				Groups: []string{"internal"},
+			}},
+		})
+		if err != nil {
+			return err
+		}
 	}
 
 	var stopXraySync func(context.Context) error
@@ -510,7 +524,8 @@ func registerAgentAPIRoutes(r *gin.Engine, registry *agentserver.Registry, sourc
 	if registry == nil {
 		return
 	}
-	group := r.Group("/api/agent/v1")
+	// Use /api/agent-server/v1 to avoid conflict with /api/agent prefix used by admin/user API
+	group := r.Group("/api/agent-server/v1")
 	group.Use(agentAuthMiddleware(registry))
 	group.GET("/users", agentListUsersHandler(source))
 	group.POST("/status", agentReportStatusHandler(registry, logger))