Compete with friends online in an engaging multiplayer format. Math race auto-generates math questions at various difficulty levels. Practice your skills in single-player mode. Create an account to save your latest game results and stats.
I was poking around with your API requests, which are very nicely laid out, and remembered the ability to use Postman for the creation of accounts. Since your REST API requires no special keys or anything in the body, it means that I am able to simply fire off a POST request to do really anything.
Example POST request:
In this example, I created a user named sudo with the admin privilege level. Since there are no checks in the REST API on whether the user it is creating is privileged or not, the user is simply created.
The Fix
From a cybersecurity standpoint, you need to have a private key that you store privately (and not have it trackable) and simply do sanity checks. I personally would say to do a sanity check to make sure someone isn't trying to make an account with admin privileges in general. The biggest issue right now is that you've open-sourced the code, so it makes it very difficult to hide any key system without it being replaceable by the attacker.
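The sanity check the fix asks for, as an added example that is not the Math race project's code: an account-creation handler that stores whatever privilege the client sends (the behaviour described in the report) next to a hardened version that never reads privilege from the request body and rejects any signup that tries to set it. The request-body shape (username, password, optional privilege), the in-memory USERS store and the seed_admin bootstrap are assumptions standing in for the real API and database.

```python
"""Self-service account creation: the flaw described in the report next to a
hardened version. Added example, not the Math race project's code; the
request-body shape (username, password, optional privilege) and the
in-memory USERS store are assumptions standing in for the real API and DB."""
import hashlib
import re
import secrets

# Stand-in for the real user table: username -> record (constructed for the example).
USERS = {}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
# Only these keys may appear in an unauthenticated signup body.
SELF_SIGNUP_FIELDS = {"username", "password"}


def _hash_password(password):
    """Salted PBKDF2 so the store never holds plaintext passwords."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def _public_view(record):
    """Return only the fields that are safe to echo back to the client."""
    return {"username": record["username"], "privilege": record["privilege"]}


def create_account_vulnerable(body):
    """Mirrors the flaw in the report: whatever 'privilege' the client sends is
    stored as-is, so an unauthenticated POST can mint an admin account."""
    username = body["username"]
    if username in USERS:
        raise ValueError("username already taken")
    USERS[username] = {
        "username": username,
        "password": _hash_password(body["password"]),
        "privilege": body.get("privilege", "user"),  # client-controlled: the bug
    }
    return _public_view(USERS[username])


def create_account_hardened(body):
    """Self-service signup with the sanity check the report asks for: the
    privilege level is never read from the request. Every new account is a
    plain user, and a body that tries to set privilege (or any other unexpected
    field) is rejected outright rather than silently downgraded, so the attempt
    shows up as an error in the server logs."""
    unexpected = set(body) - SELF_SIGNUP_FIELDS
    if unexpected:
        raise PermissionError(f"fields not allowed on signup: {sorted(unexpected)}")
    username = body.get("username", "")
    password = body.get("password", "")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 3-32 characters: letters, digits, underscore")
    if len(password) < 8:
        raise ValueError("password too short")
    if username in USERS:
        raise ValueError("username already taken")
    USERS[username] = {
        "username": username,
        "password": _hash_password(password),
        "privilege": "user",  # assigned server-side, never taken from the body
    }
    return _public_view(USERS[username])


def promote_to_admin(actor_username, target_username):
    """Granting admin is a separate, authenticated operation: the caller must
    already be an admin. actor_username is assumed to come from a verified
    session, not from the request body."""
    actor = USERS.get(actor_username)
    if actor is None or actor["privilege"] != "admin":
        raise PermissionError("only an existing admin may promote accounts")
    target = USERS.get(target_username)
    if target is None:
        raise KeyError("no such user")
    target["privilege"] = "admin"
    return _public_view(target)


def seed_admin(username, password):
    """Deployment-time bootstrap (run from the server console, never exposed
    over the API) so there is a first admin able to call promote_to_admin."""
    if username in USERS:
        raise ValueError("username already taken")
    USERS[username] = {
        "username": username,
        "password": _hash_password(password),
        "privilege": "admin",
    }
    return _public_view(USERS[username])


if __name__ == "__main__":
    # Constructed request modelled on the one in the report: a user called
    # "sudo" asking for admin on an unauthenticated signup.
    attack = {"username": "sudo", "password": "hunter2hunter2", "privilege": "admin"}
    print("vulnerable:", create_account_vulnerable(attack))
    USERS.clear()
    try:
        create_account_hardened(attack)
    except PermissionError as exc:
        print("hardened rejected:", exc)
```

The check is an authorization decision made on the server, so it stays effective even though the source is public: there is no secret in the code for an attacker to replace, only a rule that signup can never produce anything but a plain user and that admin is granted through a path that requires an already-authenticated admin.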