I recently came across a source code where they save a user's refresh token and the access token upon sign in through Google into the database. This is done to access the Google APIs later on through the server.
My question is, isn't this insecure? This is like storing the passwords plaintext in the database. If the database gets hacked, then anyone can use those credentials to wreak havoc using the Google API. By the way, those users will have permission to add and edit users in a Google Workspace.
