Add HMAC signature verification in webhooks #343

@examknow

This seems to be supported by all of our providers:

The rationale behind this is that currently, anybody who knows the webhook URL can send a payload and BitBot will display it in every channel that is watching the hook; this is other-than-ideal for obvious reasons. I'm thinking we need to have some way to have a unique secret generated for each webhook for each channel and that each payload needs to be signed with said secret. The tricky part is accomplishing this without screwing up old webhooks that don't have the secret configured.
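An added example, not BitBot's code and not part of the issue text: one way the per-hook, per-channel check described above could look in Python, including the case of old hooks that have no secret. It assumes the provider sends a GitHub-style `sha256=<hex>` signature header computed over the raw request body; the store, hook ids and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed store: (webhook id, channel) -> secret. None marks a hook that
# was created before signing existed. All names here are hypothetical.
HOOK_SECRETS = {
    ("repo-hook", "#dev"): secrets.token_hex(32),  # unique per hook per channel
    ("repo-hook", "#legacy"): None,
}


def sign(secret: str, body: bytes) -> str:
    """Header value expected for this body (assumed format: sha256=<hex>)."""
    mac = hmac.new(secret.encode(), body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify(hook_id: str, channel: str, body: bytes, header: Optional[str]) -> str:
    """Return 'verified', 'legacy-unsigned' or 'rejected'."""
    key = (hook_id, channel)
    if key not in HOOK_SECRETS:
        return "rejected"  # unknown hook/channel pair
    secret = HOOK_SECRETS[key]
    if secret is None:
        # Old hook without a secret: reported separately so the caller can
        # keep delivering it while flagging it for migration.
        return "legacy-unsigned"
    if not header:
        # Once a secret exists the signature is mandatory; otherwise a sender
        # could bypass the check by omitting the header.
        return "rejected"
    # Sign the raw bytes as received (not re-serialised JSON) and compare in
    # constant time. Comparing bytes avoids a TypeError on non-ASCII input.
    expected = sign(secret, body).encode()
    if hmac.compare_digest(expected, header.encode()):
        return "verified"
    return "rejected"
```

The separate `legacy-unsigned` result keeps existing hooks working while letting the bot tell signed from unsigned deliveries.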
