Currently, the unsubscribe callback doesn't verify that the athlete has actually unsubscribed. If an attacker knew the callback URL, they could send fake unsubscribe requests and Equipper would treat them as legitimate. Instead, Equipper should verify the athlete has actually unsubscribed rather than trusting the callback request. It could do this by attempting to refresh the athlete's token, which will fail if they have de-authorized Equipper and succeed if Equipper is still authorized.
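The check proposed above, sketched as an added example (not Equipper's own code): the callback is treated only as a hint, and the athlete is removed only when the token refresh is actually refused. The function names, the dict-based store, and the mapping of HTTP 400/401 to "revoked" are assumptions; timeouts and server errors are treated as inconclusive so that an outage cannot be used to trigger deletions.

```python
from enum import Enum

class Refresh(Enum):
    OK = 1           # new token issued: app is still authorized
    REJECTED = 2     # refresh token refused: authorization was revoked
    UNAVAILABLE = 3  # timeout, rate limit or server error: nothing learned

def classify(status):
    """Map the token endpoint's HTTP status to an outcome (assumed mapping)."""
    if status is not None and 200 <= status < 300:
        return Refresh.OK
    if status in (400, 401):
        return Refresh.REJECTED
    return Refresh.UNAVAILABLE

def handle_unsubscribe(athlete_id, store, refresh):
    """Act on an unsubscribe callback only after the provider confirms it.

    store:   dict of athlete_id -> {"refresh_token": str} (hypothetical storage)
    refresh: callable(refresh_token) -> (http_status or None, new_refresh_token or None)
    """
    record = store.get(athlete_id)
    if record is None:
        return "ignored_unknown_athlete"
    status, new_token = refresh(record["refresh_token"])
    outcome = classify(status)
    if outcome is Refresh.REJECTED:
        del store[athlete_id]          # confirmed by the provider: drop the athlete
        return "unsubscribed"
    if outcome is Refresh.OK:
        if new_token:                  # keep a rotated refresh token
            record["refresh_token"] = new_token
        return "ignored_still_authorized"
    return "retry_later"               # never delete on an inconclusive check

# Constructed sample data and a stand-in for the provider's token endpoint.
def fake_refresh(token):
    canned = {"rt-revoked": (401, None), "rt-valid": (200, "rt-valid-2")}
    return canned.get(token, (None, None))  # anything else simulates a timeout

def demo():
    store = {101: {"refresh_token": "rt-revoked"},
             102: {"refresh_token": "rt-valid"},
             103: {"refresh_token": "rt-timeout"}}
    results = {a: handle_unsubscribe(a, store, fake_refresh) for a in (101, 102, 103, 999)}
    return results, store

if __name__ == "__main__":
    print(demo())
```

A forged callback for an athlete who is still authorized (102 here) becomes a no-op, and the `retry_later` case should be re-queued rather than dropped.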