Ideas for Arc XP

Auth & Security: Disallow token refresh after a password change

If a password is compromised and the user changes it, the attacker's session will remain logged in for the session duration (which in our case is 1 year).

It would be better to not allow JWT refresh after a password change, hence limiting the attacker's use of the account to at most 15 minutes.

  • Rob W
  • Jun 14 2022
  • Shipped
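The check the idea asks for, as an added illustration rather than Arc XP's own code: a minimal in-memory session model that records when a password was last changed and refuses to refresh any token issued before that point, so a stolen session lives at most one access-token lifetime. The store, the user and token types, and the 15-minute access-token and 1-year session lifetimes are assumptions taken from the idea text.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Lifetimes quoted in the idea: 15-minute access tokens, 1-year sessions (assumed values).
ACCESS_TOKEN_TTL = 15 * 60
REFRESH_TOKEN_TTL = 365 * 24 * 3600


@dataclass
class User:
    user_id: str
    password_changed_at: float  # Unix timestamp of the most recent password change


@dataclass
class RefreshToken:
    user_id: str
    issued_at: float   # when the session was created (the JWT "iat" claim)
    expires_at: float  # hard session expiry


class SessionStore:
    """Constructed in-memory stand-in for a session service (hypothetical)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def login(self, user: User, now: float) -> RefreshToken:
        self.users[user.user_id] = user
        return RefreshToken(user.user_id, issued_at=now, expires_at=now + REFRESH_TOKEN_TTL)

    def change_password(self, user_id: str, now: float) -> None:
        # Recording the change time is all that is needed: every refresh token
        # issued before it is invalidated by the comparison in refresh().
        self.users[user_id].password_changed_at = now

    def refresh(self, token: RefreshToken, now: float) -> Optional[float]:
        """Return the expiry of a new access token, or None if refresh is refused."""
        user = self.users.get(token.user_id)
        if user is None or now >= token.expires_at:
            return None
        # The proposed rule: a session created before the last password change
        # may not be refreshed, so an attacker holding the old session keeps
        # access only until the current access token expires.
        if token.issued_at < user.password_changed_at:
            return None
        return now + ACCESS_TOKEN_TTL
```

Only sessions created after the change (a fresh login with the new password) pass the check, which is the behaviour the idea describes.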
  • Admin
    Jessica Cavallo commented
    July 21, 2022 16:29

    Thank you Rob for the Idea! We're looking into the work required to do this since this would be a good change for better security. Once we have a LoE and timing for release we will let you know.