Fix security

bot/config.py

@@ -5,6 +5,7 @@ class Settings(BaseSettings):
     TELEGRAM_BOT_TOKEN: str
     API_URL: str = "http://backend:8000"
     BOT_USERNAME: str = ""  # Will be set dynamically on startup
+    BOT_API_SECRET: str = ""  # Secret for backend API communication
 
     class Config:
         env_file = ".env"

bot/services/api_client.py

@@ -32,6 +32,11 @@ class APIClient:
         session = await self._get_session()
         url = f"{self.base_url}/api/v1{endpoint}"
 
+        # Add bot secret header for authentication
+        headers = kwargs.pop("headers", {})
+        if settings.BOT_API_SECRET:
+            headers["X-Bot-Secret"] = settings.BOT_API_SECRET
+
         logger.info(f"[APIClient] {method} {url}")
         if 'json' in kwargs:
             logger.info(f"[APIClient] Request body: {kwargs['json']}")
@@ -39,7 +44,7 @@ class APIClient:
             logger.info(f"[APIClient] Request params: {kwargs['params']}")
 
         try:
-            async with session.request(method, url, **kwargs) as response:
+            async with session.request(method, url, headers=headers, **kwargs) as response:
                 logger.info(f"[APIClient] Response status: {response.status}")
                 response_text = await response.text()
                 logger.info(f"[APIClient] Response body: {response_text[:500]}")