
Is it possible that Strava sends out an authorize:false event several days AFTER revoking? Or maybe it is repeating that webhook event? I had a case where I revoked on my test user, then connected again. All worked as expected, and then after a week I am receiving authorize:false again and my user is deauthorized!

Is it possible? That case happened for two users, and both events were sent in the same batch from Strava and processed together within my 2-minute interval.

I have checked my security flow and I am sure there is no way for someone else to push such an event to my app.

How can you be sure it wasn't an attacker POSTing to your callback endpoint? If Strava does not have official authentication in their callback requests, what were the security measures you used for validating that it's really Strava that made the calls?