My knowledge of the issue isn’t too in depth, but it seems the cause of the issue is how escaping special characters is encoded. A lot of what I know about the issue is thanks to @BarryCarlyon on the TwitchDev webhooks channel.
I was lucky enough that my way to handle it has worked fine before I even know about the issue, regardless of special characters used, it just happened to be the way I learned how to deal with verification when I started trying out webhooks. If anyone has a better way feel free to share but this is how I do it with Express and bodyParser.
const verify = (req, res, buf, encoding) => {
const expected = req.headers['x-hub-signature'];
const calculated = 'sha256=' + crypto.createHmac('sha256', YOUR_SECRET).update(buf).digest('hex');
req.verified = expected === calculated;
};
app.use(bodyParser.json({ verify: verify }));