Open aaayushsingh opened 5 years ago
I checked out the react boilerplate and it appears signout is done by just deleting the token on the client side. What happens if someone steals the token? Or the user wants to invalidate all of their sessions?
I think you would have to implement a refresh token mechanism here. I didn't want to go too much into detail here, because this application is also used in a tutorial of mine and I didn't want to scare newcomers away from it. But you are right, to avoid a security breach it would be wise to implement a refresh token mechanism.