i read one of the blogs posts and there was a section on theft detection. i wanted to know what the platform's plan is regarding theft in cases where the attacker has successfully stolen a refresh token, but the victim is not active for some period of time. for example, let's say the token gets stolen on a friday afternoon right before the victim logs off for the weekend. won't the attacker technically have access to this token, and can use it for a potentially long period of time?