From c4ee12cc19d1ea014ada9fb1989490c6721f0e3c Mon Sep 17 00:00:00 2001
From: extreme4all <>
Date: Fri, 22 May 2026 00:02:50 +0200
Subject: [PATCH] add middleware
---
 .../src/core/fastapi/middleware/__init__.py | 3 +-
 .../src/core/fastapi/middleware/security.py | 22 +++++++++++++++
 .../api_public/src/core/server.py | 28 +++++++++++--------
 3 files changed, 40 insertions(+), 13 deletions(-)
 create mode 100644 bases/bot_detector/api_public/src/core/fastapi/middleware/security.py
diff --git a/bases/bot_detector/api_public/src/core/fastapi/middleware/__init__.py b/bases/bot_detector/api_public/src/core/fastapi/middleware/__init__.py
index f9f7f5e8..3dc83112 100644
--- a/bases/bot_detector/api_public/src/core/fastapi/middleware/__init__.py
+++ b/bases/bot_detector/api_public/src/core/fastapi/middleware/__init__.py
@@ -1,4 +1,5 @@
 from .logging import LoggingMiddleware
 from .metrics import PrometheusMiddleware
+from .security import SecurityMiddleware
-__all__ = ["LoggingMiddleware", "PrometheusMiddleware"]
+__all__ = ["LoggingMiddleware", "PrometheusMiddleware", "SecurityMiddleware"]
diff --git a/bases/bot_detector/api_public/src/core/fastapi/middleware/security.py b/bases/bot_detector/api_public/src/core/fastapi/middleware/security.py
new file mode 100644
index 00000000..2dd389c9
--- /dev/null
+++ b/bases/bot_detector/api_public/src/core/fastapi/middleware/security.py
@@ -0,0 +1,22 @@
+import re
+
+from bot_detector.api_public.src.core.fastapi.dependencies import wide_event
+from fastapi import HTTPException, Request
+from starlette.middleware.base import BaseHTTPMiddleware
+
+UA_PATTERN = r"^RuneLite/\d+\.\d+\.\d+.*"
+ua_re = re.compile(UA_PATTERN)
+
+
+class SecurityMiddleware(BaseHTTPMiddleware):
+ async def dispatch(self, request: Request, call_next):
+ ua = request.headers.get("user-agent", "")
+ path = request.url.path
+
+ # only enforce on report endpoint
+ if path == "/v2/report":
+ if not ua_re.match(ua):
+ wide_event.add_context({"security": "Invalid UserAgent"})
+ raise HTTPException(status_code=403, detail="Forbidden")
+
+ return await call_next(request)
diff --git a/bases/bot_detector/api_public/src/core/server.py b/bases/bot_detector/api_public/src/core/server.py
index 63d5f07b..db12e6c8 100644
--- a/bases/bot_detector/api_public/src/core/server.py
+++ b/bases/bot_detector/api_public/src/core/server.py
@@ -5,6 +5,7 @@
 from bot_detector.api_public.src.core.fastapi.middleware import (
 LoggingMiddleware,
 PrometheusMiddleware,
+ SecurityMiddleware,
 )
 from bot_detector.event_queue.adapters.kafka import (
 KafkaConfig,
@@ -27,22 +28,25 @@ def init_routers(_app: FastAPI) -> None:
 def make_middleware() -> list[Middleware]:
+ cors_config = {
+ "allow_origins": [
+ "http://osrsbotdetector.com",
+ "https://osrsbotdetector.com",
+ "http://localhost",
+ "http://localhost:8080",
+ ],
+ "allow_credentials": True,
+ "allow_methods": ["*"],
+ "allow_headers": ["*"],
+ }
+
 middleware = [
- Middleware(
- CORSMiddleware,
- allow_origins=[
- "http://osrsbotdetector.com",
- "https://osrsbotdetector.com",
- "http://localhost",
- "http://localhost:8080",
- ],
- allow_credentials=True,
- allow_methods=["*"],
- allow_headers=["*"],
- ),
+ Middleware(SecurityMiddleware),
+ Middleware(CORSMiddleware, **cors_config),
 Middleware(LoggingMiddleware),
 Middleware(PrometheusMiddleware),
 ]
+
 return middleware
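Review bot: The `raise HTTPException(status_code=403, detail="Forbidden")` in `SecurityMiddleware.dispatch` is expected to reach the client as a 500 rather than a 403, because FastAPI's `HTTPException` handlers sit inside the application's exception middleware and an exception raised from a `BaseHTTPMiddleware` propagates past them. Return the response directly instead: `return JSONResponse(status_code=403, content={"detail": "Forbidden"})`, with `from fastapi.responses import JSONResponse` added to the imports. The `User-Agent` header is also fully client-controlled, so this check only filters casual non-plugin traffic. A comment above `UA_PATTERN` such as `# UA is client-supplied and spoofable: coarse filter only, not authentication` would keep the class name from being read as an access control. A test that posts to `/v2/report` with a non-RuneLite UA and asserts a 403 would pin the intended behaviour.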
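Review bot: `Middleware(SecurityMiddleware)` is registered first in `make_middleware`, which makes it the outermost layer, so a request it rejects never reaches `LoggingMiddleware` or `PrometheusMiddleware`. If those two are what emit the wide event and the request metrics (their code is not shown here), blocked `/v2/report` calls would go unlogged and uncounted, and the `wide_event.add_context` call in the new middleware may have no event to attach to. Consider ordering the list so the observability layers wrap it: `Middleware(LoggingMiddleware), Middleware(PrometheusMiddleware), Middleware(SecurityMiddleware),`. Separately, `cors_config` carries over `"allow_credentials": True` together with the plain `http://` origins; it is worth confirming those origins are still needed.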