The Hard Parts of JWT Security Nobody Talks About