integrallis / stripe_event

Stripe webhook integration for Rails applications.
https://rubygems.org/gems/stripe_event
MIT License

Account application deauthorized #15

Closed cearls closed 10 years ago

cearls commented 11 years ago

I have an app with multiple Stripe accounts. If a user revokes access to the app, it sends the 'account.application.deauthorized' event. The event retriever no longer has access to verify the event since access was revoked.

I'd rather not bypass event verification. Any ideas?

invisiblefunnel commented 11 years ago

Thanks for posting this issue. I haven't used Stripe in this capacity so I asked Stripe Support about it yesterday:

As far as I know the recommended way to authenticate webhook events is to retrieve the event from Stripe (https://support.stripe.com/questions/what-is-the-recommended-way-to-authenticate-a-webhook-callback). In the case of account.application.deauthorized events, the connected account's access token is no longer valid, so the event can't be retrieved. Is HTTP Basic auth the only way to authenticate webhooks of this type?

They quickly replied:

Hi Danny,

Thanks for taking the time to write in. We're actually looking into the deauth application event and seeing what we can do to improve the logic behind it — in the meantime, I think the best validation would be testing to access the event and confirming that you get an unauthorized warning.

Hope this makes sense. Let me know if you have any more questions!

Best,

Brian

If possible I'd like to update StripeEvent to properly handle this scenario. Any idea how best to do that? Thanks again, and sorry for taking so long to respond.
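The check Stripe Support suggests in the comment above, as an added example (not part of this thread and not StripeEvent's own code): retrieve the event as usual, and treat an authentication failure as confirmation only for a deauthorized event on a known account. Assumptions: the webhook body names the connected account under `account`, `fetch` is a hypothetical wrapper around `Stripe::Event.retrieve` called with that account's token, and `FakeAuthenticationError` stands in for `Stripe::AuthenticationError` so the block runs without the stripe gem.

```ruby
# Added example: stubs stand in for the Stripe API so this runs offline.
class FakeAuthenticationError < StandardError; end # stand-in for Stripe::AuthenticationError

DEAUTHORIZED = 'account.application.deauthorized'

# params:         parsed webhook body (untrusted)
# known_accounts: ids of accounts this app has connected (hypothetical store)
# fetch:          callable(event_id, account_id) that re-fetches the event with
#                 that account's token (hypothetical wrapper)
# Returns the event to dispatch, or nil when the webhook must be ignored.
def retrieve_verified_event(params, known_accounts:, fetch:, unauthorized_error:)
  id, type, account = params.values_at('id', 'type', 'account') # 'account' key is assumed
  return nil unless id && known_accounts.include?(account)

  # Normal path: trust only what the API returns, never the posted body.
  fetch.call(id, account)
rescue unauthorized_error
  # The token no longer works, which is exactly what a deauthorized event
  # claims. Accept only that type, and pass on only the fields needed to act.
  return nil unless type == DEAUTHORIZED

  { 'id' => id, 'type' => DEAUTHORIZED, 'account' => account }
end

# Constructed fixtures.
STORED = { 'evt_1' => { 'id' => 'evt_1', 'type' => 'charge.succeeded', 'account' => 'acct_live' } }.freeze
FETCH = lambda do |id, account|
  raise FakeAuthenticationError, 'token revoked' if account == 'acct_revoked'

  STORED.fetch(id) # KeyError stands in for "no such event"
end

def check(params)
  retrieve_verified_event(params, known_accounts: %w[acct_live acct_revoked],
                                  fetch: FETCH, unauthorized_error: FakeAuthenticationError)
end

# Deauthorized event for a revoked account is accepted; any other type is not.
p check({ 'id' => 'evt_9', 'type' => DEAUTHORIZED, 'account' => 'acct_revoked' })
p check({ 'id' => 'evt_9', 'type' => 'charge.succeeded', 'account' => 'acct_revoked' })
```

A deauthorized webhook posted for an account whose token still works never reaches the `rescue` branch: the retrieval either returns the real event or fails with a different error, so the posted body is not trusted.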

yogipatel commented 10 years ago

Hey Danny, any updates on this?

invisiblefunnel commented 10 years ago

Hi @yogipatel. I don't have an update on this. Hopefully someone can find a solution and send a pull request.

woodhull commented 10 years ago

We're doing this: https://github.com/controlshift/stripe_event/commit/8fc9c3db4c792c95a48efb34fee94af2f795f374

No specs though, so I haven't sent a PR. It's working for us though.