integrallis / stripe_event

Stripe webhook integration for Rails applications.
https://rubygems.org/gems/stripe_event
MIT License

'account.application.deauthorized' unauthorised API key #101

Closed MikeRogers0 closed 6 years ago

MikeRogers0 commented 6 years ago

When upgrading to 2.0.0, I ran into an unauthorised API key exception when testing the account.application.deauthorized event.

In the README.md configuration I think the connect example should include how to handle the 'account.application.deauthorized' event. For example:

StripeEvent.event_filter = lambda do |event|
  if event.type != 'account.application.deauthorized' && event.account.present?
    api_key = Account.find_by!(stripe_account_id: event.account).api_key
    Stripe::Event.retrieve(event.id, api_key)
  end
  event
end

What do you think? Or is there a better way to handle this event type?

rmm5t commented 6 years ago

We used to have special handling for account.application.deauthorized prior to v2.0.0, because Stripe::Event.retrieve no longer had access to the account (i.e. the API Key is no longer valid once the event arrives).

You shouldn't need to "retrieve" any events in your event_filter in v2.0.0. The events are already verified and validated from the Stripe-Signature header. i.e. We don't make any requests that could even throw an API key exception anymore.

In other words, are you still having trouble with this event if you avoid an event_filter override?

rmm5t commented 6 years ago

Because this sounds like a Connect application that you're managing, you just need to specify the signing secret for your Connect webhook. If you need to verify both your Connect webhook and your main Account webhook, you can configure stripe_event to try multiple signing secrets:

https://github.com/integrallis/stripe_event#support-for-multiple-signing-secrets

MikeRogers0 commented 6 years ago

Oh my mistake completely, I misinterpreted what the event argument was (I didn't realise it was a Stripe::Event that had been verified already 🙄).

Thank you for your help! Am I ok to close this issue?
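
The signature check described in the replies above, written out as an added example (it is not code from this thread or from stripe_event): it verifies a `Stripe-Signature` header of the form `t=<timestamp>,v1=<hex HMAC-SHA256>` against several signing secrets and reports which one matched. The method names, secrets and payload are hypothetical, constructed for the illustration.

```ruby
require 'openssl'

TOLERANCE = 300 # seconds; deliveries outside this window are treated as replays

# Constructed sample values: one signing secret per webhook endpoint.
SECRETS = { account: 'whsec_constructed_account', connect: 'whsec_constructed_connect' }.freeze
PAYLOAD = '{"id":"evt_constructed","type":"account.application.deauthorized",' \
          '"account":"acct_constructed"}'

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Splits "t=...,v1=...,v1=..." into the timestamp and every v1 signature.
def parse_signature_header(header)
  timestamp = nil
  signatures = []
  header.to_s.split(',').each do |item|
    key, value = item.strip.split('=', 2)
    timestamp = value.to_i if key == 't' && value.to_s.match?(/\A\d+\z/)
    signatures << value if key == 'v1' && value
  end
  [timestamp, signatures]
end

# Returns the label of the secret that verifies the raw payload, or nil.
# No API call is made, so a revoked connected-account key cannot cause a failure.
def verify_webhook(payload, header, secrets, now: Time.now.to_i)
  timestamp, signatures = parse_signature_header(header)
  return nil if timestamp.nil? || signatures.empty?
  return nil if (now - timestamp).abs > TOLERANCE

  signed_payload = "#{timestamp}.#{payload}"
  match = secrets.find do |_label, secret|
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, signed_payload)
    signatures.any? { |sig| secure_equal?(expected, sig) }
  end
  match&.first
end

# Test helper: builds the header the sender would attach (used for the sample only).
def sign(payload, secret, timestamp)
  digest = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{timestamp}.#{payload}")
  "t=#{timestamp},v1=#{digest}"
end
```

The payload must be the raw request body exactly as received; re-serialising parsed JSON changes the bytes and the HMAC no longer matches.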