cpadilla / RockZombot-EBS

Extension Backend Service for RockZombot

Verify api calls with Twitch JWT #5

Open cpadilla opened 6 years ago

cpadilla commented 6 years ago

From the Twitch developer documentation (https://dev.twitch.tv/docs/extensions#json-web-tokens-jwts):

When an extension is loaded in a broadcaster’s or viewer’s browser, a JWT is signed by Twitch and provided to the Extension Helper’s onAuthorized callback. Whenever your extension communicates with your EBS, it is best practice to send the JWT and verify it using your extension’s shared secret. This allows your EBS to verify that the request was made on behalf of the viewer or broadcaster represented by the token, and it prevents malicious users from directly calling your EBS. For details about the callback, see the Extensions Reference.

More research needs to be done on how to do this exactly, but we need to verify requests sent with a JWT to prevent malicious interception.

cpadilla commented 6 years ago

There is a node library for handling JWTs: npm install jsonwebtoken