Refresh Token being issued even if the Access Token/Refresh Token is tampered and fails to get verified

[dimple1024]

In index.js at Line 29 of branch - https://github.com/benawad/graphql-express-template/tree/8_refresh_token:
const addUser = async (req, res, next) => {
const token = req.headers['x-token'];
if (token) {
try {
const { user } = jwt.verify(token, SECRET);
req.user = user;
} catch (err) {
const refreshToken = req.headers['x-refresh-token'];

Here , consider a scenario if the tokens were compromised and one of them , lets say access token is now tampered , it will fail the verification and hence will enter the catch block and will generate a pair of new token.
There should be an explicit check if the JWT verification fails and only if it is due to expiration of token then generate new pair of tokens.

[dimple1024]

Pardon me if I am wrong :)