refactor(api): switch to header-based auth for GET requests

- Replace body parsing with header validation for GET endpoints
- Update router to properly handle GET vs POST requests
- Add new ValidateRequestWithHeader function
- Update README to document header requirements

router.go

@@ -21,16 +21,24 @@ func setupRoutes() {
 
 		remainingPath := path[len("/frpcAct/instanceMgr/"):]
 
-		if r.Method == http.MethodPost {
-			if remainingPath == "create" {
-				CreateInstanceHandler(w, r)
+		if r.Method == http.MethodGet {
+			if remainingPath == "list" {
+				ListInstancesHandler(w, r)
 				return
 			}
 
-			if remainingPath == "list" {
+			instanceName := strings.Trim(remainingPath, "/")
+			if instanceName != "" {
 				ListInstancesHandler(w, r)
 				return
 			}
+		}
+
+		if r.Method == http.MethodPost {
+			if remainingPath == "create" {
+				CreateInstanceHandler(w, r)
+				return
+			}
 
 			if strings.HasSuffix(remainingPath, "/delete") {
 				instanceName := strings.TrimSuffix(remainingPath, "/delete")
@@ -47,12 +55,6 @@ func setupRoutes() {
 					return
 				}
 			}
-
-			instanceName := strings.Trim(remainingPath, "/")
-			if instanceName != "" {
-				ListInstancesHandler(w, r)
-				return
-			}
 		}
 
 		SendErrorResponse(w, http.StatusNotFound, "endpoint not found")