Secure GitHub Webhooks

[dotCore-off]

To prevent kids from accessing someone's relay site & spamming Discord server through webhooks, we must implement some sort of verification by securing GitHub webhooks in two ways:

• verify request headers & compare with GitHub expected ones (implemented, must test)
• use GitHub webhook token & implement them in our configuration

See https://docs.github.com/fr/webhooks-and-events/webhooks/securing-your-webhooks

[dotCore-off]

Request headers seems to work fine, however prevents Ping webhook from reaching the relay.
Must be fixed as it shows that webhook failed.

[justinkluever]

Wouldn't it make more sense to verify/secure the webhook with the X-Hub-Signature-256 header instead of just checking if they are defined?

More here: https://docs.github.com/de/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers

php already has a nice hmac function that could be used:
hash_hmac('sha256', <the webhook body>, <the defined secret>);

and file_get_contents('php://input') should be able to get the request body in raw (if i have time i will create an PR to add this)

Edit: Should be added with #3