After a user logs in successfully, he/she gets an access token for later requests. My problem is that as long as I have the valid token of a user, I can make a request on behalf of that user. I would like to ask how to check if the access token in a request comes from its correct user?
I am using Laravel Passport for the authentication.
The token is the way to claim requests come from a certain user.
If the token gets compromised, the only way to understand if requests are legit is to check IP addresses / user-agent, but basically you have to consider that the token itself represents the user.
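As an added example (not part of the question or the answer above), a Laravel middleware implementing the IP / user-agent check the answer mentions: it binds each Passport access token to the client fingerprint first seen with it and revokes the token when the same token later shows up from a different client. It assumes Passport is installed, the route runs under the `auth:api` guard, and the binding is kept in Laravel's cache keyed by the token id; the class name `BindTokenToClient` and the cache key prefix are assumptions.

```php
<?php
// Added example, not from the original question or answer.
// Binds a Passport access token to the client fingerprint (IP + User-Agent)
// seen on its first use and revokes the token on a later mismatch.
// Assumption: the route is already protected by the `auth:api` guard.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;

class BindTokenToClient
{
    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        // Passport exposes the current access token model via $user->token().
        $token = $user ? $user->token() : null;
        if (! $token) {
            return $next($request); // no token on this request, nothing to bind
        }

        $fingerprint = hash('sha256', $request->ip().'|'.(string) $request->userAgent());
        $cacheKey = 'token-fingerprint:'.$token->id; // assumed key prefix

        // First sighting: remember which client this token is being used from,
        // for as long as the token itself stays valid.
        $stored = Cache::get($cacheKey);
        if ($stored === null) {
            Cache::put($cacheKey, $fingerprint, $token->expires_at);
            return $next($request);
        }

        // Mismatch: the same token is now presented by a different client.
        if (! hash_equals($stored, $fingerprint)) {
            Log::warning('Access token reused from a different client', [
                'token_id' => $token->id,
                'user_id'  => $user->getKey(),
                'ip'       => $request->ip(),
            ]);
            $token->revoke();          // Passport marks the token as revoked
            Cache::forget($cacheKey);
            return response()->json(['message' => 'Token revoked.'], 401);
        }

        return $next($request);
    }
}
```

Because client IPs and user-agents change legitimately (mobile networks, NAT, browser updates), this check will produce false positives; treat it as a detection signal alongside short-lived access tokens rather than as the sole control.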