Fix security

backend/app/api/v1/telegram.py

@@ -5,7 +5,7 @@ from pydantic import BaseModel
 from sqlalchemy import select, func
 from sqlalchemy.orm import selectinload
 
-from app.api.deps import DbSession, CurrentUser
+from app.api.deps import DbSession, CurrentUser, BotSecretDep
 from app.core.config import settings
 from app.core.security import create_telegram_link_token, verify_telegram_link_token
 from app.models import User, Participant, Marathon, Assignment, Challenge, Event, Game
@@ -94,7 +94,7 @@ async def generate_link_token(current_user: CurrentUser):
 
 
 @router.post("/confirm-link", response_model=TelegramLinkResponse)
-async def confirm_telegram_link(data: TelegramConfirmLink, db: DbSession):
+async def confirm_telegram_link(data: TelegramConfirmLink, db: DbSession, _: BotSecretDep):
     """Confirm Telegram account linking (called by bot)."""
     logger.info(f"[TG_CONFIRM] ========== CONFIRM LINK REQUEST ==========")
     logger.info(f"[TG_CONFIRM] telegram_id: {data.telegram_id}")
@@ -145,7 +145,7 @@ async def confirm_telegram_link(data: TelegramConfirmLink, db: DbSession):
 
 
 @router.get("/user/{telegram_id}", response_model=TelegramUserResponse | None)
-async def get_user_by_telegram_id(telegram_id: int, db: DbSession):
+async def get_user_by_telegram_id(telegram_id: int, db: DbSession, _: BotSecretDep):
     """Get user by Telegram ID."""
     logger.info(f"[TG_USER] Looking up user by telegram_id={telegram_id}")
 
@@ -168,7 +168,7 @@ async def get_user_by_telegram_id(telegram_id: int, db: DbSession):
 
 
 @router.post("/unlink/{telegram_id}", response_model=TelegramLinkResponse)
-async def unlink_telegram(telegram_id: int, db: DbSession):
+async def unlink_telegram(telegram_id: int, db: DbSession, _: BotSecretDep):
     """Unlink Telegram account."""
     result = await db.execute(
         select(User).where(User.telegram_id == telegram_id)
@@ -187,7 +187,7 @@ async def unlink_telegram(telegram_id: int, db: DbSession):
 
 
 @router.get("/marathons/{telegram_id}", response_model=list[TelegramMarathonResponse])
-async def get_user_marathons(telegram_id: int, db: DbSession):
+async def get_user_marathons(telegram_id: int, db: DbSession, _: BotSecretDep):
     """Get user's marathons by Telegram ID."""
     # Get user
     result = await db.execute(
@@ -231,7 +231,7 @@ async def get_user_marathons(telegram_id: int, db: DbSession):
 
 
 @router.get("/marathon/{marathon_id}", response_model=TelegramMarathonDetails | None)
-async def get_marathon_details(marathon_id: int, telegram_id: int, db: DbSession):
+async def get_marathon_details(marathon_id: int, telegram_id: int, db: DbSession, _: BotSecretDep):
     """Get marathon details for user by Telegram ID."""
     # Get user
     result = await db.execute(
@@ -341,7 +341,7 @@ async def get_marathon_details(marathon_id: int, telegram_id: int, db: DbSession
 
 
 @router.get("/stats/{telegram_id}", response_model=TelegramStatsResponse | None)
-async def get_user_stats(telegram_id: int, db: DbSession):
+async def get_user_stats(telegram_id: int, db: DbSession, _: BotSecretDep):
     """Get user's overall statistics by Telegram ID."""
     # Get user
     result = await db.execute(