How do I invalidate a refresh jwt on logout? - Nodejs and Reactjs


I'm trying to implement refresh token rotation in my project. From my understanding, I'm supposed to create a refresh token and a short-lived access token. When the access token expires, I validate the refresh token before returning a new access and refresh token.

What I'm confused about is what I'm supposed to do on logout. I have to remove the JWT from the cookie on the client-side but what do I do on the server-side? The refresh token will be gone from the client but it won't be expired yet, so someone could theoretically steal it and request a refresh and then have infinite access and refresh tokens.


There are 0 answers