
all-hearts-2025-mcp-server

by nateshmbhat

Overview

Enables AI assistants to interact with a multi-game competition platform for organizational events, providing features like AI game coaching, automated score submission, and real-time leaderboard queries.

Installation

Run Command
node dist/index.js

Security Notes

1. Critical API Authentication Bypass: The MCP server calls the external All Hearts API endpoints directly without implementing any user authentication or authorization. The frontend application suggests an OTP-based authentication scheme (`x-user-email` and `x-otp-code` headers), which the MCP server bypasses. As a result, any entity able to send requests to the MCP server can submit scores, query private data, or manipulate game sessions for *any* player simply by supplying the `playerEmail` and `playerName` arguments to the tools. This is a severe vulnerability.

2. Hardcoded Encryption Key: The `ENCRYPTION_KEY` used for Sudoku submissions (and historically for Memory game submissions) is hardcoded in `src/api-client.ts`. Because the key ships with the codebase, it provides no confidentiality for the encrypted data once the server's source is known.

3. Potential for Data Manipulation: Because of the authentication bypass, an attacker could artificially inflate scores, create fake participants, or alter historical game data for any player.

4. No Server-Side Input Validation: Beyond the basic type checking performed by the MCP input schemas, the server-side code lacks validation of game-specific parameters (e.g., `wpm` ranges, `accuracy` limits) and relies entirely on the external API for data integrity.

Stats

Interest Score: 0
Security Score: 3
Cost Class: Medium
Avg Tokens: 1500
Stars: 0
Forks: 0
Last Update: 2025-11-29

Tags

MCP Server, AI Agents, Game Competition, TypeScript, Leaderboard