Is it possible that Strava sends out authorize:false event several days AFTER revoking? Or maybe is repeating that webhook event? I had a case I revoked on my test user, then connected again. All worked as expected and then after a week I am receiving authorize:false again and my user is deauthorized!
Is it possible? That case happened for two users and both events was send in the same batch from Strava and processed together within my 2 minutes interval.
I have checked my security flow and I am sure there is no way for someone else to push such event to my app.