Disallow token refresh after a password change
If a password is compromised and the user changes it, the attacker's session will remain logged in for the session duration (which in our case is 1 year). It would be better to not allow JWT refresh after a password change, hence limiting the atta...
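One way to implement the check described above, as an added example that is not part of the original issue or the project's code: the token carries an `iat` (issued-at) claim, each user record stores the time of the last password change, and the refresh endpoint refuses any token issued before that time. The tiny HMAC-signed token format, the `SECRET`, the in-memory user table and all timestamps are constructed for the demo; a real deployment would use its existing JWT library and persist `password_changed_at` in the user store.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its signing key from a secrets store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username: str, now: int, ttl_seconds: int) -> str:
    """Mint a minimal HS256-style token with sub, iat and exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(
        json.dumps({"sub": username, "iat": now, "exp": now + ttl_seconds}).encode()
    )
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def change_password(users: dict, username: str, now: int) -> None:
    """Record when the password changed (hashing the new password is out of scope here)."""
    users[username]["password_changed_at"] = now


def refresh_token(users: dict, old_token: str, now: int, ttl_seconds: int) -> str:
    """Refresh a token, refusing any token minted before the user's last password change."""
    claims = verify_token(old_token, now)
    user = users[claims["sub"]]
    # The core check: a token issued before the password change is no longer trusted,
    # so the holder of a token obtained with the old password cannot extend its session.
    # iat has one-second granularity, so a token minted in the same second as the
    # change still passes; a strict comparison keeps a login made right after the
    # change usable.
    if claims["iat"] < user["password_changed_at"]:
        raise PermissionError("token predates password change; re-authenticate")
    return issue_token(claims["sub"], now, ttl_seconds)


def try_refresh(users: dict, token: str, now: int, ttl_seconds: int) -> str:
    """Wrap refresh_token so callers get a short outcome string instead of an exception."""
    try:
        refresh_token(users, token, now, ttl_seconds)
        return "ok"
    except PermissionError as e:
        return f"rejected: {e}"
    except ValueError as e:
        return f"invalid: {e}"


def demo() -> list:
    """Walk through the scenario from the issue with constructed timestamps."""
    users = {"alice": {"password_changed_at": 0}}  # constructed user table
    ttl = 365 * 24 * 3600  # the one-year session length mentioned in the issue
    stolen = issue_token("alice", 1_000, ttl)  # token obtained with the old password
    results = [try_refresh(users, stolen, 1_100, ttl)]  # refresh still works
    change_password(users, "alice", 1_200)  # user rotates the password
    results.append(try_refresh(users, stolen, 1_300, ttl))  # old token now refused
    fresh = issue_token("alice", 1_250, ttl)  # login with the new password
    results.append(try_refresh(users, fresh, 1_300, ttl))  # new token refreshes fine
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that this only blocks *refresh*; an already-issued access token stays valid until its own `exp`, so the same `iat < password_changed_at` comparison belongs in the access-token validation path (or in a short-lived access token plus long-lived refresh token split) if the goal is to cut the attacker off immediately rather than at the next refresh.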