Reliable payload signature verification #76
Description
We had issues verifying the signature of some payloads here #71 due to the way it is being calculated (JSON.parse + JSON.stringify) and I made a quick and dirty suggestion #71 (comment)
Nevertheless, the long term solution should be to always calculate the signature from the raw, original, payload.
I know that there are some circumstances where that's not possible (e.g. seems like Firebase doesn't expose the raw original body) but the library should always use the raw payload whenever possible and warn the developer if it's not possible.
We haven't seen any new mismatch between the way webhooks.js calculates the signature, but it could happen since the implementation assumes things that shouldn't rely on.