JSON Web Token

How to make secure authorization using JWT?

I am creating a REST API on node.js + express + mysql for a vue application. Made authorization using passport with jwt strategy. As always, at first I thought that everything was easy and simple, then I began to study how and where to store the token safely, and realized that everything was complicated)). In general, I'm already a little confused, everywhere they write that the token can be stolen and make requests to the api using the token, the refresh token can also be taken away and generally receive endless tokens. But I thought (maybe wrong): the user entered a name and password, the application (vue) sends this data and receives a token in response, this token is stored in cookies (for example) and is taken from cookies on subsequent requests and added to the request. Therefore, all requests to the API will come from one ip (on which the site itself hangs), and then in api I can (probably) check from which ip the request came from and if the ip is not my server on which the site hangs, then the request is not executed. Or am I wrong? And still do not understand how to make the token not valid forcibly? Let's say the token was taken away, how can I make it not valid? Do I need to store a list of all issued tokens somewhere? As I understand it, in order to use a refresh token, I must generate two tokens with different lifetimes and give both of them to the user, right? What is the best lifetime for an access token, and what for a refresh? In general, there are a lot of questions) help me figure it out please). I would like to make normal authorization so that users do not often have to enter their login and password, as in vk.com, for example, they entered it once and forgot it. how to make a token not valid forcibly? Let's say the token was taken away, how can I make it not valid? Do I need to store a list of all issued tokens somewhere? As I understand it, in order to use a refresh token, I must generate two tokens with different lifetimes and give both of them to the user, right? What is the best lifetime for an access token, and what for a refresh? In general, there are a lot of questions) help me figure it out please). I would like to make normal authorization so that users do not often have to enter their login and password, as in vk.com, for example, they entered it once and forgot it. how to make a token not valid forcibly? Let's say the token was taken away, how can I make it not valid? Do I need to store a list of all issued tokens somewhere? As I understand it, in order to use a refresh token, I must generate two tokens with different lifetimes and give both of them to the user, right? What is the best lifetime for an access token, and what for a refresh? In general, there are a lot of questions) help me figure it out please). I would like to make normal authorization so that users do not often have to enter their login and password, as in vk.com, for example, they entered it once and forgot it. Yes? What is the best lifetime for an access token, and what for a refresh? In general, there are a lot of questions) help me figure it out please). I would like to make normal authorization so that users do not often have to enter their login and password, as in vk.com, for example, they entered it once and forgot it. Yes? What is the best lifetime for an access token, and what for a refresh? In general, there are a lot of questions) help me figure it out please). I would like to make normal authorization so that users do not often have to enter their login and password, as in vk.com, for example, they entered it once and forgot it.