PythonistaGuild / TwitchIO

An Async Bot/API wrapper for Twitch made in Python.
https://twitchio.dev
MIT License
791 stars 163 forks

eventsub server does not actually enforce webhook_secret verification #366

Closed kamalmostafa closed 1 year ago

kamalmostafa commented 1 year ago

Use the twitch-cli test tool ( https://github.com/twitchdev/twitch-cli ) to generate and send dummy eventsub messages to the TwitchIO eventsub client... but specify a bogus webhook_secret instead of the correct secret, e.g.:

$ twitch -F "$CALLBACK_URL" -s "bogussecret" event trigger follow

TwitchIO recognizes the mismatch and logs in BaseEvent.verify(): Recieved a message with an invalid signature, discarding. but the client then proceeds to run_event() the notification event anyway!

TwitchIO eventsub should (actually) reject messages which don't pass webhook_secret verification.
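The defect described in this issue is a classic one: the signature check runs, but its result never gates dispatch. The following is an added example written for this page, not TwitchIO's own code. It reconstructs Twitch's documented EventSub webhook signing scheme (HMAC-SHA256 over the Twitch-Eventsub-Message-Id header, the Twitch-Eventsub-Message-Timestamp header and the raw body, sent as "sha256=<hex>" in Twitch-Eventsub-Message-Signature), then shows the logs-but-dispatches-anyway pattern next to a handler where a failed verification actually stops the event. The secret, message id, timestamp and body are constructed sample values, and the handler function names are hypothetical.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("eventsub-example")

# Header names Twitch sends with every EventSub webhook delivery.
MSG_ID = "Twitch-Eventsub-Message-Id"
MSG_TS = "Twitch-Eventsub-Message-Timestamp"
MSG_SIG = "Twitch-Eventsub-Message-Signature"

# Constructed sample values (assumptions for this example, not real Twitch traffic).
SERVER_SECRET = "correct-secret"
BODY = b'{"subscription":{"type":"channel.follow"},"event":{"user_name":"constructed"}}'


def compute_signature(secret: str, headers: dict, body: bytes) -> str:
    """HMAC-SHA256 over message id + timestamp + raw body, formatted as Twitch does."""
    message = headers[MSG_ID].encode() + headers[MSG_TS].encode() + body
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify(secret: str, headers: dict, body: bytes) -> bool:
    """Constant-time comparison of the received signature against the expected one."""
    expected = compute_signature(secret, headers, body)
    received = headers.get(MSG_SIG, "")
    return hmac.compare_digest(expected, received)


def make_delivery(signing_secret: str) -> dict:
    """Build headers for BODY as a sender holding `signing_secret` would (like twitch-cli -s)."""
    headers = {MSG_ID: "constructed-message-id", MSG_TS: "2023-01-01T00:00:00Z"}
    headers[MSG_SIG] = compute_signature(signing_secret, headers, BODY)
    return headers


def handle_buggy(secret: str, headers: dict, body: bytes, dispatched: list) -> bool:
    """The pattern the issue reports: verify() logs on failure, but nothing acts on it."""
    if not verify(secret, headers, body):
        log.warning("Received a message with an invalid signature, discarding.")
    dispatched.append(body)  # runs regardless of the check above
    return True


def handle_fixed(secret: str, headers: dict, body: bytes, dispatched: list) -> bool:
    """Verification gates dispatch: a failed check returns False (HTTP 403 in a real server)."""
    if not verify(secret, headers, body):
        log.warning("Received a message with an invalid signature, discarding.")
        return False
    dispatched.append(body)
    return True


def demo() -> dict:
    """Feed a correctly signed and a bogus-signed delivery to both handlers.

    Returns {(handler, "valid"|"bogus"): number of events dispatched}.
    """
    results = {}
    for name, handler in (("buggy", handle_buggy), ("fixed", handle_fixed)):
        for label, signing_secret in (("valid", SERVER_SECRET), ("bogus", "bogussecret")):
            dispatched = []
            handler(SERVER_SECRET, make_delivery(signing_secret), BODY, dispatched)
            results[(name, label)] = len(dispatched)
    return results


if __name__ == "__main__":
    for key, count in demo().items():
        print(f"{key[0]:5s} handler, {key[1]:5s} signature -> {count} event(s) dispatched")
```

Running it shows the buggy handler dispatching one event for both the valid and the bogus signature, while the fixed handler dispatches only the valid one. Two details matter beyond the boolean: the comparison uses `hmac.compare_digest` rather than `==` so signature checking is not timing-dependent, and the signature is computed over the raw request bytes before any JSON parsing, since re-serialising the body can change it. A production receiver should additionally reject deliveries whose timestamp is stale and remember recent message ids, so a captured, validly signed message cannot simply be replayed.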

github-actions[bot] commented 1 year ago

Hello! Thanks for the issue. If this is a general help question, for a faster response consider joining the official Discord Server

Else if you have an issue with the library please wait for someone to help you here.