Question

remove user from application

  • February 26, 2023
  • 9 replies
  • 290 views


Is there a way to remove a user from the app? I can delete all the user data from my side, but I can't remove their subscription from Strava (from what I can see this isn't possible).

I am getting events for users that have been removed and I don't need to have those events.

Maybe I am missing something, I would appreciate any help/advice.

9 replies

ActivityFix
  • Superuser
  • 243 replies
  • February 27, 2023

You are not missing anything. At the moment it is not possible to remove/revoke access for an athlete. The only option you have is to ignore any events which come in for users that do not exist in your database.


  • Author
  • Hub Rookie
  • 3 replies
  • February 27, 2023

Thank you for replying @ActivityFix.

It's a shame this isn't available. I have already written the code to ignore these incoming events, but it's just unnecessary noise.


  • Author
  • Hub Rookie
  • 3 replies
  • February 27, 2023

I just got an email stating you can DeAuthorize an athlete. Link here

However, the challenge I have is that I have removed the Athlete data already, so I don't have the token. However, when the sub call happens I do get the AthleteID, so I was hoping I could deauthorize using this? As my thought is that DeAuthorizing shouldn't be a security issue or any other issue from user/Strava point of view?


  • Hub Starter
  • 1 reply
  • December 6, 2023

Agreed - I think it makes a lot of sense to be able to deauth users. It’s not hard to drop events but it doesn’t feel proper. 


  • Hub Rookie
  • 9 replies
  • December 8, 2023

Deauthorization is totally possible (you just make a POST request to https://www.strava.com/oauth/deauthorize), but you obviously need a valid access token. Otherwise anybody could deauthorize your app for any given athlete.

Since you already deleted the athlete from your database, your only choice is to have the user log into your app again so that you can re-obtain the access token. Until then, just keep ignoring the webhook events.


  • Author
  • Hub Rookie
  • 3 replies
  • December 8, 2023

So I managed to find out who the user was using the ID and the URL to find the actual athlete. As my app is mainly cycling friends it was easy for them to remove themselves.

However, I agree, we as the app owners should be able to remove users if needed. This isn't a security issue, as you still need to provide your key to access Strava API to carry out this removal.


  • Hub Rookie
  • 5 replies
  • August 20, 2024

Strava should stop sending events if a user deauthorized!

So the question is why Strava is sending webhook events if a user deauthorized???

It is Strava's responsibility to make sure they stop sending events in such case.

There is something off on the Strava side I believe.


  • Hub Rookie
  • 8 replies
  • January 30, 2025
veloek wrote:

Deauthorization is totally possible (you just make a POST request to https://www.strava.com/oauth/deauthorize), but you obviously need a valid access token. Otherwise anybody could deauthorize your app for any given athlete.

Since you already deleted the athlete from your database, your only choice is to have the user log into your app again so that you can re-obtain the access token. Until then, just keep ignoring the webhook events.

The way I’ve seen it implemented with other fitness APIs is that the deauthorization endpoint requires your client secret or something that only you as the application owner would have access to. That way you can remove an athlete even if you no longer have access to their access token.

 

Ahh ok I found another thread that was made for this exact issue:

 


  • Hub Rookie
  • 8 replies
  • January 30, 2025
blasbike wrote:

Strava should stop sending events if a user deauthorized!

So the question is why Strava is sending webhook events if a user deauthorized???

It is Strava's responsibility to make sure they stop sending events in such case.

There is something off on the Strava side I believe.

afaik Strava does stop sending webhook events if the user is deauthorized. The issue I face is that sometimes you can’t deauthorize a user because the access token you have for them is invalid. That means you have to try to reach out to the user to have them perform the deauthorization from their end, but they are not always responsive.
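
The order of operations the replies above point to, as an added example that is not part of the original thread or Strava's own code: deauthorize while the athlete's token is still stored, delete local data only afterwards, and drop webhook events for athletes that are no longer known. The names `offboard_athlete`, `handle_event`, the in-memory token store, the `post` helper and the `SUBSCRIPTION_ID` value are assumptions; the event fields and the `access_token` parameter follow Strava's documented webhook and deauthorization format.

```python
from typing import Callable, Dict

DEAUTHORIZE_URL = "https://www.strava.com/oauth/deauthorize"  # endpoint quoted in the thread
SUBSCRIPTION_ID = 1234  # constructed value; use your own webhook subscription id

# Hypothetical token store: athlete id -> access token (a real app would use its database).
Tokens = Dict[int, str]
# Hypothetical HTTP helper: POSTs params to url and returns the HTTP status code.
Post = Callable[[str, Dict[str, str]], int]


def offboard_athlete(tokens: Tokens, athlete_id: int, post: Post) -> str:
    """Deauthorize while the token still exists, then delete local data."""
    token = tokens.get(athlete_id)
    if token is None:
        return "unknown"  # nothing stored, so nothing to deauthorize with
    status = post(DEAUTHORIZE_URL, {"access_token": token})
    del tokens[athlete_id]  # delete only after the deauthorize attempt
    # A rejected token leaves the grant in place: the athlete has to revoke it themselves.
    return "deauthorized" if status == 200 else "token_rejected"


def handle_event(tokens: Tokens, event: dict) -> str:
    """Decide what to do with one webhook event body."""
    if event.get("subscription_id") != SUBSCRIPTION_ID:
        return "ignored"  # not from our subscription
    owner = event.get("owner_id")
    if not isinstance(owner, int) or owner not in tokens:
        return "ignored"  # athlete already removed on our side, or malformed id
    updates = event.get("updates") or {}
    if event.get("object_type") == "athlete" and updates.get("authorized") == "false":
        del tokens[owner]  # athlete revoked access on Strava's side
        return "revoked"
    return "process"


def demo() -> list:
    tokens = {101: "tok-a", 102: "tok-b", 103: "tok-expired"}  # constructed sample data
    fake_post = lambda url, params: 401 if params["access_token"] == "tok-expired" else 200
    activity = {"subscription_id": 1234, "object_type": "activity",
                "aspect_type": "create", "owner_id": 101, "updates": {}}
    revoke = {"subscription_id": 1234, "object_type": "athlete",
              "aspect_type": "update", "owner_id": 102, "updates": {"authorized": "false"}}
    return [offboard_athlete(tokens, 101, fake_post), handle_event(tokens, activity),
            handle_event(tokens, revoke), offboard_athlete(tokens, 103, fake_post),
            offboard_athlete(tokens, 101, fake_post)]


if __name__ == "__main__":
    print(demo())
```

A `token_rejected` result is the case described in the last reply: local data is gone and later events are ignored, but the athlete still has to revoke the app from their side.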

