Fix security

backend/app/api/deps.py

@@ -1,10 +1,11 @@
 from typing import Annotated
 
-from fastapi import Depends, HTTPException, status
+from fastapi import Depends, HTTPException, status, Header
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from app.core.config import settings
 from app.core.database import get_db
 from app.core.security import decode_access_token
 from app.models import User, Participant, Marathon, UserRole, ParticipantRole
@@ -145,3 +146,21 @@ async def require_creator(
 # Type aliases for cleaner dependency injection
 CurrentUser = Annotated[User, Depends(get_current_user)]
 DbSession = Annotated[AsyncSession, Depends(get_db)]
+
+
+async def verify_bot_secret(
+    x_bot_secret: str | None = Header(None, alias="X-Bot-Secret")
+) -> None:
+    """Verify that request comes from trusted bot using secret key."""
+    if not settings.BOT_API_SECRET:
+        # If secret is not configured, skip check (for development)
+        return
+
+    if x_bot_secret != settings.BOT_API_SECRET:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Invalid or missing bot secret"
+        )
+
+
+BotSecretDep = Annotated[None, Depends(verify_bot_secret)]