Token has expired and can no longer be refreshed

Question
I'm using the package PHPOpenSourceSaver (Tymon package fork) and the access token is working perfectly. When the time expires I update the access token and the user can continue access, but when the refresh token expires I get the error:
Token has expired and can no longer be refreshed
But I updated the refresh token (I think) in the middleware and it's not working; it only updates the access token when it expires:

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Auth\Middleware\Authenticate;
use PHPOpenSourceSaver\JWTAuth\Exceptions\TokenExpiredException;
use PHPOpenSourceSaver\JWTAuth\Facades\JWTAuth;

class JWTAuthenticate extends Authenticate
{
    public function handle($request, Closure $next)
    {
        // The token lives in a cookie; copy it into the Authorization header
        // so the JWT guard can find it. JWTValues is the app's own constants class.
        $jwt = $request->cookie(JWTValues::ACCESS_TOKEN);
        $bearerToken = null;

        if (!is_null($jwt)) {
            $request->headers->set('Authorization', $jwt);
        }

        try {
            JWTAuth::parseToken()->authenticate();
        } catch (TokenExpiredException $e) {
            // Access token expired: ask the package for a refreshed one and
            // re-inject it so the rest of the request sees a valid token.
            $refreshedToken = auth()->refresh(JWTAuth::getToken());
            JWTAuth::setToken($refreshedToken)->toUser();
            $bearerToken = "Bearer {$refreshedToken}";
            $request->headers->set('Authorization', $bearerToken);
        }

        $this->authenticate($request);

        if (!is_null($bearerToken)) {
            // Persist the refreshed token back into the cookie.
            $cookie = cookie()->forever(JWTValues::ACCESS_TOKEN, $bearerToken);
            return $next($request)->withCookie($cookie);
        }

        return $next($request);
    }
}
```
I would like to know two things:

- How do I update the refresh token when it expires? The code in the middleware refreshes the access token, but the refresh token is the problem.
- Is there a way to update the refresh token when the access token is updated?
Answer 1
Score: 1
The JWT package(s) have many security checks.
One of said checks strictly forbids expired tokens from being refreshed (except maybe in a certain time period after expiry).

Solutions

- Either refresh the token before it's expired, on each request.
- Or, as mentioned in comments, use JavaScript to refresh the token in the time period that allows refreshing.
- Or, refresh the token with username and password.
- Or, hack the package and remove/disable said "one" security check.

> Note that I only recommend the first two of the above, which are the most secure.
>
> The remaining two allow a stolen token to be re-used by attackers, even if it's expired.
>
> But on the other hand, such a man-in-the-middle attacker would steal the user's name and password too, and two-factor authentication with the user's phone number is required.
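The first two solutions above both come down to one piece of client-side logic: know where the token is in its lifecycle and call the refresh endpoint before it is too late. The block below is an added example, not code from the question, the answer or the PHPOpenSourceSaver package. It assumes the Tymon-family config model: `ttl` is the access-token lifetime and `refresh_ttl` the refresh window, both in minutes, and the window is counted from the token's `iat` claim (as I understand jwt-auth 1.x, a refreshed token keeps the original `iat`, so the window is absolute from login). All tokens are constructed, unsigned demo tokens; `scheduleRefresh`, `refreshFn` and `onDead` are hypothetical names for the app's own glue.

```javascript
// Added example (not from the question, the answer or the package): client-side
// "refresh before expiry" logic. Assumed config model: `ttl` = access-token
// lifetime, `refresh_ttl` = refresh window, both minutes, window measured from `iat`.

function base64UrlDecode(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return Buffer.from(b64, "base64").toString("utf8");
}

function base64UrlEncode(str) {
  return Buffer.from(str, "utf8")
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Read the claims only. The client never verifies the signature; it uses
// `iat`/`exp` purely as scheduling hints, and the server stays the authority.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// "valid": still usable. "refreshable": past `exp` but inside `refresh_ttl`,
// so the refresh endpoint will still accept it. "dead": window closed; this is
// the state behind "Token has expired and can no longer be refreshed", and the
// only correct handling is a new login.
function classify(payload, nowSec, refreshTtlMin) {
  if (!Number.isInteger(payload.iat) || !Number.isInteger(payload.exp)) {
    return "invalid";
  }
  if (nowSec < payload.exp) return "valid";
  if (nowSec < payload.iat + refreshTtlMin * 60) return "refreshable";
  return "dead";
}

// Seconds to wait before calling refresh: `leadSec` before `exp`, but never
// after the refresh window closes, and never negative.
function secondsUntilRefresh(payload, nowSec, refreshTtlMin, leadSec) {
  const windowEnd = payload.iat + refreshTtlMin * 60;
  const target = Math.min(payload.exp - leadSec, windowEnd);
  return Math.max(0, target - nowSec);
}

// Constructed, unsigned demo token (alg "none") so the example runs offline.
function makeDemoToken(iatSec, ttlMin) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const claims = { sub: 42, iat: iatSec, exp: iatSec + ttlMin * 60 };
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Hypothetical browser glue: schedule `refreshFn` and re-plan with the token it
// returns. Clock and timer are injected so the logic is testable without waiting.
function scheduleRefresh(jwt, opts) {
  const { refreshTtlMin, leadSec, now, setTimer, refreshFn, onDead } = opts;
  const payload = decodePayload(jwt);
  const nowSec = now();
  const state = classify(payload, nowSec, refreshTtlMin);
  if (state === "dead" || state === "invalid") {
    onDead(state); // send the user back to the login form
    return null;
  }
  const delay = secondsUntilRefresh(payload, nowSec, refreshTtlMin, leadSec);
  return setTimer(async () => {
    const next = await refreshFn(jwt); // POST /refresh, returns the new token
    scheduleRefresh(next, opts);
  }, delay * 1000);
}
```

Wire `scheduleRefresh` once after login with `now: () => Math.floor(Date.now() / 1000)` and `setTimer: setTimeout`. Because the window is absolute from the original `iat`, a client that refreshes every hour still reaches the `dead` state after `refresh_ttl`; that is the package's intended bound on how long a stolen token stays useful, so handle it by re-authenticating (the third option) rather than by removing the check (the fourth).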