JWT Invalidating tokens when user changes password

When a user logs in using their email and password, they retrieve an access token and a refresh token. The access token expires in 15 minutes, and is stored in localStorage on the client, whilst the refresh token is long-lived and is stored inside an httpOnly secure cookie.

In the scenario where a malicious user gains access to another user's access or refresh token, the user should be able to change their password. The payload of the access token is currently the user's unique ID number (which comes from a db).

After a user changes their password, I would like to update their user_id, so that the payload of the access token the malicious user has is invalid, as it would not contain the new unique user ID.

My question is: does this mean the malicious user's token would be invalid when making requests, as the payload contains invalid data? If not, are there any alternative methods of handling the issue of ensuring malicious users cannot use the refresh or access token to make requests once a user changes their password? Thanks.
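The scheme described in the question, as an added example that is not part of the original post: it shows that a token issued before the ID change still passes signature and expiry verification, and is rejected only when the server also looks up the ID from the payload. HS256, the `sub` claim name, the in-memory `users` dict standing in for the db, and all sample values are assumptions constructed for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: HS256 with a server-side secret

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_access_token(user_id: str, now: int, ttl: int = 15 * 60) -> str:
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64(sig)}"

def verify_signature_and_expiry(token: str, now: int):
    """Return the claims if the signature and exp are valid, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None
        if json.loads(unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(unb64(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None

def authorize(token: str, now: int, users: dict):
    """Signature check plus a lookup of the user ID carried in the payload."""
    claims = verify_signature_and_expiry(token, now)
    if claims is None or claims.get("sub") not in users:
        return None  # unknown ID: the token refers to a user that no longer exists
    return users[claims["sub"]]

def change_password_and_rotate_id(users: dict, old_id: str, new_id: str) -> None:
    users[new_id] = users.pop(old_id)  # the record moves to the new ID

def demo():
    now = 1_700_000_000                      # constructed timestamp
    users = {"1001": "alice@example.test"}   # constructed user record
    stolen = issue_access_token("1001", now)
    change_password_and_rotate_id(users, "1001", "7342")
    fresh = issue_access_token("7342", now + 60)
    return (verify_signature_and_expiry(stolen, now + 60) is not None,
            authorize(stolen, now + 60, users),
            authorize(fresh, now + 60, users))
```

`demo()` returns `(True, None, "alice@example.test")`: the old token is still cryptographically valid, so it stops working only on endpoints that perform the lookup in `authorize`.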