Question about auth ... isnt refresh_token a security vulnerability? Its usually indefinite even for big companies like google