Protect route for incoming Bitbucket webhooks

[swissspidy]

Issue Overview

In #70 we discussed how we can better protected the incoming webhook route for Bitbucket requests.

Bitbucket.org doesn't support secrets, so it's not really possible to verify these requests.

Right now we simply let all requests pass, which is not ideal.

What we could do:

• Check request headers to verify that the requests come from Bitbucket
  Error prone, doesn't help that much.
• Disallow these incoming webhooks by default and have users filter the responses to make them work.
  Poor UX because they don't work out of the box.

Additional context

70

[grappler]

Could we adapt API Endpoint to include the secret in the URL?

So instead of https://<url-to-your-glotpress-site>.com/wp-json/traduttore/v1/incoming-webhook have https://<url-to-your-glotpress-site>.com/wp-json/traduttore/v1/incoming-webhook/secret

[swissspidy]

Hmm... Something like that is certainly doable, but I don't particularly like it. Especially since I would not want to support this for non-Bitbucket-requests