Please improve the token refresh flow in terms of security

Hi, Pal, I read your blog which is really nice one. One thing I'd talk here is that your refresh method is not safe as everyone can renew token by itself. 

Could you please improvement the renewal flow to a production level?

