Hi all,
I have recently set up my application with a subscription to receive events from Strava. Now I can update activities with the gear that was most likely used on the activity - hurrah!
But, how do I know that my callback endpoint is actually being called by Strava, and not some malicious party? If I trust every request, then my subscription callback endpoint could be abused to unsubscribe athletes from my application or exhaust my app's request limits.
I know for the initial subscription setup, subscribers can pass in a verification token which is then delivered by Strava in the subscription verification request.
See the docs. But, that verification token is not sent in subsequent requests, as best I can tell. If it were, perhaps it could be used as a shared secret to validate the caller is actually Strava.
I don't think using the subscription ID as a secret to establish trust is viable - it's just an integer and probably incremented at that.
So - how do I protect my application from malicious calls to its subscription endpoint?
Thanks!
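As an added illustration (not part of the original post and not Strava's own code), here is one way a callback endpoint can handle the subscription handshake with a constant-time token check, and then treat every later event as an untrusted hint rather than as proof that Strava called: the payload only says which object to look at, and the authoritative data (and the decision to forget an athlete) comes from a call made with the app's own stored token. The query and body field names (`hub.mode`, `hub.verify_token`, `hub.challenge`, `object_type`, `object_id`, `aspect_type`, `owner_id`, `subscription_id`, `event_time`, `updates`) follow the Strava webhook docs as I read them and should be checked against the current docs; `fetch_activity` and `probe_token` are hypothetical stand-ins for API calls, and all sample values are constructed.

```python
"""Webhook validation sketch for a Strava-style subscription callback.

Assumptions (not from the original post):
  * Verification is a GET with hub.mode, hub.challenge, hub.verify_token;
    the endpoint echoes hub.challenge as JSON with HTTP 200.
  * Events are POSTs whose JSON body has object_type, object_id,
    aspect_type, owner_id, subscription_id, event_time, updates.
  * fetch_activity(token, activity_id) -> dict or None  (hypothetical)
  * probe_token(token) -> True if the token still works (hypothetical)
"""
import hmac
import json
import time

REQUIRED_EVENT_FIELDS = ("object_type", "object_id", "aspect_type",
                         "owner_id", "subscription_id", "event_time")


def handle_verification(query, expected_verify_token):
    """One-time subscription handshake.

    Returns the JSON body to send with HTTP 200, or None when the request
    must be refused (HTTP 403). compare_digest keeps the token comparison
    constant-time so it cannot be guessed byte by byte via timing.
    """
    if query.get("hub.mode") != "subscribe":
        return None
    supplied = str(query.get("hub.verify_token", "")).encode()
    if not hmac.compare_digest(supplied, expected_verify_token.encode()):
        return None
    return json.dumps({"hub.challenge": query.get("hub.challenge", "")})


def validate_event(body, expected_subscription_id, known_owner_ids,
                   now=None, max_skew=600):
    """Cheap plausibility checks on an event payload.

    These do NOT authenticate the caller: the subscription id is an
    integer anyone can guess. They only discard obvious junk before the
    app spends an API request on it. Returns (ok, reason).
    """
    now = time.time() if now is None else now
    for field in REQUIRED_EVENT_FIELDS:
        if field not in body:
            return False, f"missing {field}"
    if body["subscription_id"] != expected_subscription_id:
        return False, "subscription_id mismatch"
    if body["owner_id"] not in known_owner_ids:
        return False, "unknown owner_id"
    if body["object_type"] not in ("activity", "athlete"):
        return False, "unexpected object_type"
    if abs(now - body["event_time"]) > max_skew:
        return False, "event_time outside accepted window"
    return True, "ok"


def process_event(body, store, fetch_activity, probe_token,
                  expected_subscription_id, seen, now=None):
    """Act on an event without trusting anything it claims.

    store: dict owner_id -> stored access token for that athlete.
    seen:  set of already-processed event keys (bounds API spend from
           replayed or forged duplicates). Returns an action string.
    """
    ok, reason = validate_event(body, expected_subscription_id,
                                set(store), now=now)
    if not ok:
        return f"dropped: {reason}"
    key = (body["owner_id"], body["object_type"], body["object_id"],
           body["aspect_type"], body["event_time"])
    if key in seen:
        return "dropped: duplicate event"
    seen.add(key)
    token = store[body["owner_id"]]

    if body["object_type"] == "athlete":
        # The payload may claim the athlete deauthorized us. Confirm with
        # the API before forgetting them, so a forged event cannot
        # unsubscribe a real user.
        deauth = body.get("updates", {}).get("authorized") == "false"
        if deauth and not probe_token(token):
            del store[body["owner_id"]]
            return "deauthorized: token confirmed revoked"
        return "ignored: athlete event not confirmed by API"

    # Activity events: object_id is only a pointer. Fetch the activity
    # with our own token; if it is not visible, the event was not real.
    activity = fetch_activity(token, body["object_id"])
    if activity is None:
        return "ignored: activity not visible with stored token"
    return f"update gear on activity {activity['id']}"
```

The remaining exposure is that a forged event still costs one API request; the `seen` set and a per-owner budget in front of `process_event` bound that spend, and serving the callback on an unguessable path reduces how often it is hit in the first place. Note that what the post calls the subscription verification token really is a one-time shared secret: use a long random value and keep it out of logs.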