So a question:
Let’s assume you implement a Single-Page Application (SPA) with an API.
- Since this is an SPA, we are storing the access token in local storage.
- So a user who digs around can locate this access token and store it.
- Then the user logs out.
- However, they can still make any call to the backend APIs until the token expires.
Isn’t this a fundamental problem? From a high level, the user has logged out, yet he/she is able to make API calls.
Thank you