diff --git a/app/models/user/bot.rb b/app/models/user/bot.rb
index 5c554a9..2ec0037 100644
--- a/app/models/user/bot.rb
+++ b/app/models/user/bot.rb
@@ -19,7 +19,7 @@ module User::Bot
 def authenticate_bot(bot_key)
 bot_id, bot_token = bot_key.split("-")
- active.find_by(id: bot_id, bot_token: bot_token)
+ active_bots.find_by(id: bot_id, bot_token: bot_token)
 end
 def generate_bot_token
diff --git a/test/controllers/messages/by_bots_controller_test.rb b/test/controllers/messages/by_bots_controller_test.rb
index 074f9f8..89f81da 100644
--- a/test/controllers/messages/by_bots_controller_test.rb
+++ b/test/controllers/messages/by_bots_controller_test.rb
@@ -40,6 +40,17 @@ class Messages::ByBotsControlleTest < ActionDispatch::IntegrationTest
 end
 end
+ test "create can't be abused to post messages as any user" do
+ user = users(:kevin)
+ bot_key = "#{user.id}-"
+
+ assert_no_difference -> { Message.count } do
+ post room_bot_messages_url(rooms(:bender_and_kevin), bot_key), params: "Hello 👋!"
+ end
+
+ assert_response :redirect
+ end
+
 test "denied index" do
 get room_messages_url(@room, bot_key: users(:bender).bot_key, format: :json)
 assert_response :forbidden
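Review bot: `authenticate_bot` still hands a nil or empty `bot_token` straight to `find_by`, so a key of the form `"<id>-"` is rejected only because `active_bots` presumably excludes rows whose `bot_token` is NULL; the lookup should not depend on that scope's definition. A guard before the query, `return if bot_id.blank? || bot_token.blank?`, makes the rejection explicit and keeps a `find_by(bot_token: nil)` from ever matching a row. If `generate_bot_token` can ever emit a value containing `-`, `split("-")` would also truncate the token, and `bot_key.split("-", 2)` avoids that. Both `active_bots` and `generate_bot_token` are defined outside this hunk, so I cannot confirm either property here.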
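Review bot: The new test only covers the empty-token shape of the key, so a regression that, say, dropped the `bot_token:` condition from `find_by` while keeping the `active_bots` scope would still pass. Adding a second case with a real bot id paired with a wrong token, e.g. `bot_key = "#{users(:bender).id}-wrong"`, and asserting the same `assert_no_difference` and `assert_response :redirect` would pin the token check itself. A one-line comment on the test, `# Regression: a key with a blank token must not authenticate a non-bot user`, would also record why this case exists, since the name alone does not say what was abusable.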