API: check secret _before_ handling the request (#231)

* API: check secret _before_ handling the request

* keep async-await in secret check

src/server/api.js

@@ -128,14 +128,14 @@ export const createApiServer = ({ db, games }) => {
   // If API_SECRET is set, then require that requests set an
   // api-secret header that is set to the same value.
   app.use(async (ctx, next) => {
-    await next();
-
     if (
       !!process.env.API_SECRET &&
       ctx.request.headers['api-secret'] !== process.env.API_SECRET
     ) {
       ctx.throw(403, 'Invalid API secret');
     }
+
+    await next();
   });
 
   app.use(router.routes()).use(router.allowedMethods());