Webhook plugin marginally insecure

[trigg]

Non-replaceable tokens means if the token used to authenticate POSTs on webhook is figured out/leaked then you need to make a new room

[trigg]

https://github.com/trigg/Rebuttal/blob/a8e0c1b7fd8f2f536198e1d8473dbcdec90ed58d/plugin/webhook.js#L216

hash generated here should be done when setting up a webhook. It should be stored in plugin storage, probably with the hash as the key and the roomid as the value.