node-express-realworld-example-app
[Security Issue] Invalidating tokens on logout
The server doesn't have any way of invalidating a user's JWT once he/she has logged out. I was able to get the JWT from the request header, log out and still access protected APIs from Postman using the old JWT.
- The above was done on the deployed web app
Since it is possible to steal a logged-in user's JWT as well, an implementation of a combination of the solutions discussed here should work fine?