If a user can always see my refresh token, whether saved in localhost or cookie or ... well httpOnly cookie, since they can get it from dev console. What\'s the point of hav
