What should happen if I detect token theft (i.e. the refresh token would be used twice)? Should all tokens immediately be blacklisted and, thereby, the user be forced to login again?