Software Architect & consultant (available for consulting), worldwide speaker, published author, workshops teacher and developer in Web/Cloud/Mobile/AR/VR/IoT/AI/Blockchain fields
I am not saying you are not 100% vulnerable, but you are way less vulnerable than in other solutions and without having a centralized token database.
As for the cookie being automatically applied when sent to a malicious script: your cookie is HttpOnly, so it will be sent automatically only to the same domain, thus reducing the risk of it getting stolen. Also, it cannot be accessed through JS.
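The comment above leans on the cookie's HttpOnly flag. As an added example (not code from the original comment or its author), the following Node.js snippet builds a session `Set-Cookie` header with the attributes a defender actually relies on (HttpOnly keeps the value out of `document.cookie`, Secure restricts it to HTTPS, SameSite limits when the browser attaches it to cross-site requests) and audits an existing header for the flags that are missing. The cookie name `session`, the value `abc123`, and the `weakHeader` sample are constructed for the example.

```javascript
// Added example, not code from the original comment. Assumes a Node.js
// runtime; the cookie name "session" and the sample values are constructed.

// Build a Set-Cookie header value for a session cookie with the hardening
// attributes: HttpOnly (no document.cookie access), Secure (HTTPS only),
// SameSite (limits automatic sending on cross-site requests) and a bounded
// lifetime via Max-Age.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Strict', path = '/' } = {}) {
  // RFC 6265 token characters only; anything else breaks the header syntax.
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  // Reject values that would need quoting/encoding (and could inject attributes).
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value contains characters that need encoding');
  }
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error('SameSite must be Strict, Lax or None');
  }
  return [
    `${name}=${value}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse a Set-Cookie header value into name, value and a map of attributes.
// Attribute keys are lower-cased; flag attributes without a value map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header and return the list of missing hardening flags.
// An empty list means the cookie is HttpOnly, Secure and carries a SameSite
// attribute other than None.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (attributes.httponly !== true) findings.push('missing HttpOnly: readable via document.cookie after XSS');
  if (attributes.secure !== true) findings.push('missing Secure: sent over plain HTTP');
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) findings.push('missing SameSite: browser default applies');
  else if (sameSite === 'none') findings.push('SameSite=None: sent on all cross-site requests');
  return findings;
}

// Constructed samples: a weak header as many apps still emit, beside the hardened one.
const weakHeader = 'session=abc123; Path=/';
const hardenedHeader = buildSessionCookie('session', 'abc123');

console.log(hardenedHeader);
console.log('weak header findings:', auditSetCookie(weakHeader));
console.log('hardened header findings:', auditSetCookie(hardenedHeader));
```

Running it prints the hardened header (`session=abc123; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Strict`), three findings for the weak header and none for the hardened one. The audit function is the useful part operationally: run it over the `Set-Cookie` headers your application emits to catch session cookies that still lack HttpOnly, Secure or a restrictive SameSite value.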