validate(); // We're unable to invalidate access tokens because they aren't stored in our database // We don't give an error about invalid credentials to eliminate a point through which attackers can brut force passwords. return true; } }