by lynndylanhurley 2536 days ago
I'm the creator / maintainer of a widely used authentication library, and I also don't know the answer to this.

There have been several issues reported around this, but no one seems to have a good proposal for a solution.

I've also discussed this with security auditors from Cobalt (because they flagged it as an issue), but they also did not propose any solutions (other than using httpOnly cookies instead of tokens, which doesn't really address the issue).