Don't retrieve event from Stripe for a deauthorisation

app/helpers/admin/stripe_helper.rb

@@ -51,8 +51,14 @@ module Admin
 
     def fetch_event_from_stripe(request)
       event_json = JSON.parse(request.body.read)
-      acct_param = event_json["user_id"] ? {"Stripe-Account" => event_json["user_id"]} : nil
-      Stripe::Event.retrieve(event_json["id"],acct_param)
+      # If the application has been deauthorised, we are no longer authorised to retrieve events for that account
+      # Left here in case it's useful for other webhooks
+      unless event_json["type"] == "account.application.deauthorized"
+        acct_param = event_json["user_id"] ? {"Stripe-Account" => event_json["user_id"]} : nil
+        Stripe::Event.retrieve(event_json["id"],acct_param)
+      else
+        Stripe::Event.construct_from(event_json)
+      end
     end
 
     def deauthorize_request_for_stripe_id(id)

spec/controllers/admin/stripe_account_controller_spec.rb

@@ -20,6 +20,7 @@ describe Admin::StripeAccountsController, type: :controller do
                    "type"=>"account.application.deauthorized",
                    "user_id"=>"webhook_id"}))
     account = create(:stripe_account, stripe_user_id: "webhook_id")
+    expect(Stripe::Event).not_to receive(:retrieve) # should not retrieve direct for a deauth event
     post 'destroy_from_webhook', {"id"=>"evt_wrfwg4323fw",
                                    "object"=>"event",
                                    "api_version"=>nil,