feat: Enforce OAuth email verification and update user verification status during login.

api/api.go

@@ -278,15 +278,17 @@ func RegisterRoutes(r *gin.Engine, opts ...Option) {
 	authProtected.POST("/admin/users/:userId/role", h.updateUserRole)
 	authProtected.DELETE("/admin/users/:userId/role", h.resetUserRole)
 
-	// Agent User routes - /api/agent/nodes
-	agentUser := r.Group("/api/agent")
+	// Public /api routes for admin/management (expected by frontend at /api/admin/...)
+	apiGroup := r.Group("/api")
 	if h.tokenService != nil {
-		agentUser.Use(h.tokenService.AuthMiddleware())
-		agentUser.Use(auth.RequireActiveUser(h.store))
+		apiGroup.Use(h.tokenService.AuthMiddleware())
+		apiGroup.Use(auth.RequireActiveUser(h.store))
 	}
-	agentUser.GET("/nodes", h.listAgentNodes)
+	registerAdminRoutes(apiGroup, h)
 
-	registerAdminRoutes(authProtected, h)
+	// User agent routes - /api/agent/nodes
+	agentGroup := apiGroup.Group("/agent")
+	agentGroup.GET("/nodes", h.listAgentNodes)
 }
 
 type registerRequest struct {

api/user_agents.go

@@ -1,6 +1,7 @@
 package api
 
 import (
+	"errors"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -9,6 +10,7 @@ import (
 	"github.com/gin-gonic/gin"
 
 	"account/internal/auth"
+	"account/internal/store"
 )
 
 type vlessNode struct {
@@ -37,6 +39,10 @@ func (h *handler) listAgentNodes(c *gin.Context) {
 
 	user, err := h.store.GetUserByID(c.Request.Context(), userID)
 	if err != nil {
+		if errors.Is(err, store.ErrUserNotFound) {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "user_not_found"})
+			return
+		}
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to fetch user"})
 		return
 	}