Comment by Lihai Ben-Haim on "React, NodeJS and JWT Authentication - the right way!"

Glad you like it! Let me answer your questions:

You are right, it is still not bulletproof, however, it makes it much difficult to still the token from the memory, as the attack should be tailored to your exact app. Combining that with a short-living tokens makes the risk low, but still exists.
The limit come from the refresh token expiration. When the user is active and logged in, we don't want revoke his access. If we want to limit the time for an active user, we can add a logic on the client side or the backend to force logout after a certain period. I didn’t took care of it here, but it is completely possible.
encrypting the token is a good practice as it contains the identifier of the user inside it, and if stolen can give the hacker data that might be used in future attacks.

Search Hashnode