Agent Install ID Parsing Issue
Problem Statement
The generateInstallScript function in downloads.go is not properly extracting the agent_id query parameter, causing the install script to always generate new agent IDs instead of using existing registered agent IDs for upgrades.
Current State
The install script downloads always generate new UUIDs:
# BEFORE (broken)
curl -sfL "http://localhost:3000/api/v1/install/linux?agent_id=6fdba4c92c4d4d33a4010e98db0df72d8bbe3d62c6b7e0a33cef3325e29bdd6d"
# Result: AGENT_ID="cf865204-125a-491d-976f-5829b6c081e6" (NEW UUID)
Expected Behavior
For upgrade scenarios, the install script should preserve the existing agent ID:
# AFTER (fixed)
curl -sfL "http://localhost:3000/api/v1/install/linux?agent_id=6fdba4c92c4d4d33a4010e98db0df72d8bbe3d62c6b7e0a33cef3325e29bdd6d"
# Result: AGENT_ID="6fdba4c92c4d4d33a4010e98db0df72d8bbe3d62c6b7e0a33cef3325e29bdd6d" (PASSED UUID)
Root Cause
The generateInstallScript function only looks at query parameters but doesn't properly validate/extract the UUID format.
Fix Required
Implement proper agent ID parsing following security priority:
- Header: X-Agent-ID (secure)
- Path: /api/v1/install/:platform/:agent_id (legacy)
- Query: ?agent_id=uuid (fallback)
All paths must validate UUID format and enforce rate limiting/signature validation.
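One way to implement the priority order and format check described above, as an added example using only net/http (not the project's own code). The names resolveAgentID, pathAgentID and sampleRequest are hypothetical, and the accepted formats are an assumption: the ID in the curl example is 64 hex characters rather than a canonical UUID, so the pattern allows both. Rate limiting and signature validation are not shown.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Assumption: accept canonical UUIDs and the 64-hex-character ID used in the page's curl example.
var agentIDPattern = regexp.MustCompile(`^(?:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}|[0-9a-fA-F]{64})$`)
var errInvalidAgentID = fmt.Errorf("invalid agent ID format")

// pathAgentID returns :agent_id from /api/v1/install/:platform/:agent_id, or "".
func pathAgentID(p string) string {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) == 5 && strings.HasPrefix(p, "/api/v1/install/") {
		return parts[4]
	}
	return ""
}

// resolveAgentID (hypothetical) applies header > path > query; a malformed value is an error, never a fall-through.
func resolveAgentID(r *http.Request) (id, source string, err error) {
	candidates := []struct{ source, value string }{
		{"header", r.Header.Get("X-Agent-ID")},
		{"path", pathAgentID(r.URL.Path)},
		{"query", r.URL.Query().Get("agent_id")},
	}
	for _, c := range candidates {
		if c.value != "" && !agentIDPattern.MatchString(c.value) {
			return "", c.source, errInvalidAgentID
		}
		if c.value != "" {
			return strings.ToLower(c.value), c.source, nil
		}
	}
	return "", "", nil // nothing supplied: new install, caller generates a fresh ID
}

func sampleRequest(target, headerID string) *http.Request { // constructed input for the demo
	r, _ := http.NewRequest(http.MethodGet, target, nil)
	r.Header.Set("X-Agent-ID", headerID)
	return r
}

func main() {
	fmt.Println(resolveAgentID(sampleRequest("http://localhost:3000/api/v1/install/linux?agent_id=6fdba4c92c4d4d33a4010e98db0df72d8bbe3d62c6b7e0a33cef3325e29bdd6d", "")))
}
```

Because the resolved value ends up in the generated script's AGENT_ID="..." line, only an ID that passed the pattern should ever reach the template; a rejected ID should produce an error response rather than a silently generated new ID.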