I use the CredentialsProvider with next-auth (wish I was using a better option), I have an issue where if I delete a user or the accessToken from my separate backend is not valid anymore, users can have a token and an empty session and still access protected routes, but obviously all data is absent, how can I invalidate them?