
Cookie Hijacking - How Linus Tech Tips got Hacked
The Backend Engineering Show with Hussein Nasser
How to Prevent an Access Token Error
The attacker can do all of this stuff. Because guess what, the refresh token and the access token are stored as cookies. So you get that and get that temporary one, maybe 30 minutes or one hour. And that access token will be stored locally. And then will be sent and will be used with every single request. If it's coming from a completely different IP address, which it's an easy thing to go to circumvent by the attacker. Just use a VPN to simulate that you are in Canada or something like that. You might say, why don't you send more information about the device that is using this access token? But think about it. It's like a catch-22