Having the webhook implementation on the package does not make much sense because each application has its nuances regarding routes and redirects, so the client is responsable for implementing the webhook logic.
We're maitaining the Webhook Authentication middleware that validates the X-Hub-Signature from Optimizely