Use hash_equals when validating webhook signature (#42)

* Use `hash_equals` when validating webhook signature

* Update VerifyWebhookSignature.php

---------

Co-authored-by: Dries Vints <[email protected]>

Author: thinkverse

src/Http/Middleware/VerifyWebhookSignature.php

@@ -32,6 +32,6 @@ protected function isInvalidSignature(string $payload, string $signature): bool
     {
         $hash = hash_hmac('sha256', $payload, config('lemon-squeezy.signing_secret'));
 
-        return $hash !== $signature;
+        return ! hash_equals($hash, $signature);
     }
 }