If a password is compromised and the user changes it, the attacker's session will remain logged in for the session duration (which in our case is 1 year).
It would be better to not allow JWT refresh after a password change, hence limiting the attacker's use of the account to at most 15 minutes.
Thank you, Rob, for the idea! We're looking into the work required to do this since this would be a good change for better security. Once we have a LoE and timing for release we will let you know.
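The mitigation requested above, as an added illustration that is not code from this thread or from the project being discussed: each token carries a password-version claim (`pwv`, an assumed name) copied from the user record at issue time; a password change increments the version, so any refresh token minted before the change is rejected and the attacker is left with only the remaining lifetime of the short access token. The HS256 encoder, the `USERS` store and the secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo values; a real deployment keeps the secret out of source.
SECRET = b"constructed-demo-secret"
ACCESS_TTL = 15 * 60             # 15 minutes, as in the thread
REFRESH_TTL = 365 * 24 * 3600    # 1 year, as in the thread

# Constructed user store. "pwv" is a password version counter: it is
# incremented on every password change and copied into each issued token.
# A counter avoids the same-second ambiguity of comparing iat against a
# password_changed_at timestamp.
USERS = {"alice": {"pwv": 1}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Minimal HS256 JWT encoder (no external library)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"


def verify(token: str, now: int) -> dict:
    """Check signature and expiry; return the claims or raise ValueError."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def issue_tokens(user: str, now: int) -> Tuple[str, str]:
    """Issue an access/refresh pair stamped with the user's current password version."""
    pwv = USERS[user]["pwv"]
    access = sign({"sub": user, "typ": "access", "iat": now, "exp": now + ACCESS_TTL, "pwv": pwv})
    refresh = sign({"sub": user, "typ": "refresh", "iat": now, "exp": now + REFRESH_TTL, "pwv": pwv})
    return access, refresh


def change_password(user: str) -> None:
    """Bumping the version invalidates every refresh token issued before the change."""
    USERS[user]["pwv"] += 1


def refresh_access(refresh_token: str, now: int) -> str:
    """Exchange a refresh token for a new access token, or raise ValueError."""
    claims = verify(refresh_token, now)
    if claims.get("typ") != "refresh":
        raise ValueError("not a refresh token")
    if claims["pwv"] != USERS[claims["sub"]]["pwv"]:
        raise ValueError("password changed since this refresh token was issued")
    return issue_tokens(claims["sub"], now)[0]


def refresh_is_accepted(refresh_token: str, now: int) -> bool:
    try:
        refresh_access(refresh_token, now)
        return True
    except ValueError:
        return False


def seconds_remaining(access_token: str, now: int) -> int:
    """Residual lifetime of an access token, i.e. the attacker's remaining window."""
    try:
        return max(0, verify(access_token, now)["exp"] - now)
    except ValueError:
        return 0


if __name__ == "__main__":
    t0 = 1_700_000_000
    access, refresh = issue_tokens("alice", t0)   # both tokens copied by an attacker
    change_password("alice")                        # victim changes password at t0 + 300
    print("refresh accepted:", refresh_is_accepted(refresh, t0 + 300))
    print("access seconds left:", seconds_remaining(access, t0 + 300))
```

The check sits on the refresh path only, so the hot path of validating access tokens stays stateless; the cost is one user-record lookup per refresh, which already happens in most implementations. Rotating the refresh token on each use and rejecting reuse of an old one would further shrink the window, but that is a separate change.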