JWTRefreshTokenBundle generate token for invalid credentials


I'm trying to set up the JWTRefreshTokenBundle for my Symfony API. I was already using the LexikJWTAuthenticationBundle without any problem and I'm using a MongoDB database.

The refresh system isn't working as expected:

  • "/login_check" does work and creates a token and a refresh_token, both as a cookie and as a persisted document in my database. But if I try to log in with invalid credentials, even though my API returns a 401 error, I still get a refresh_token (cookie + database).
  • "/token/invalidate" does work when I have a token to invalidate. But if I call the route with no active token, I don't get an error. I still get the same 200 status "The supplied refresh_token has been invalidated." even though it's not true.
  • "/token/refresh" always works, even with no token. It always returns a token and a refresh_token.

Here is my security.yaml file:

security:
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            # entity:
            #     class: App\Document\User
            #     property: email
            mongodb:
                class: App\Document\User
                property: username
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api:
            pattern: ^/
            stateless: true
            entry_point: jwt
            jwt: ~
            refresh_jwt:
                check_path: /token/refresh
            json_login:
                check_path: /login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            logout:
                path: api_token_invalidate

    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/token, roles: PUBLIC_ACCESS }
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }

Here is my "routes.yaml" file:

controllers:
    resource:
        path: ../src/Controller/
        namespace: App\Controller
    type: attribute

api_login_check:
    path: /login_check
api_refresh_token:
    path: /token/refresh
api_token_invalidate:
    path: /token/invalidate

And here is my "config/packages/gesdinet_jwt_refresh_token.yaml":

gesdinet_jwt_refresh_token:
    manager_type: mongodb
    refresh_token_class: App\Document\RefreshToken
    single_use: true
    cookie:
        enabled: true
        same_site: lax               # default value
        path: /                      # default value
        domain: null                 # default value
        http_only: true              # default value
        secure: true                 # default value
        remove_token_from_body: true # default value

My RefreshToken.php class is just the same as in the documentation:

<?php
namespace App\Document;

use Doctrine\ODM\MongoDB\Mapping\Annotations as MongoDB;
use Gesdinet\JWTRefreshTokenBundle\Document\RefreshToken as BaseRefreshToken;

#[MongoDB\Document(collection:"refresh_tokens")]
class RefreshToken extends BaseRefreshToken {}

I tried several things, like removing the line "refresh_token_class: App\Document\RefreshToken" from "gesdinet_jwt_refresh_token.yaml". That makes my refresh and logout routes return an error when called without a valid cookie. The login route also stops generating a token with bad credentials, but with valid credentials I get an error:

"Cannot persist object of class "Gesdinet\JWTRefreshTokenBundle\Document\RefreshToken" as it is not a persistable document."

I tried everything and I can't find any relevant help on the GitHub page or issues. Has anybody any clue on how to make this work?


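The three behaviours the question expects (no refresh token on a failed login, no success response from refresh or invalidate without a token, a cookie-only refresh token on success) can be pinned down in a Symfony functional test, so that whatever configuration change fixes them is verified rather than eyeballed. This is an added example, not code from the question or from the bundle. It assumes a Symfony 5.4+ or 6 project with the `WebTestCase` helpers (`static::createClient()`, `static::getContainer()`), a test database containing a user `alice` with password `s3cret` (both constructed fixture values), and the `App\Document\RefreshToken` class and the three routes exactly as configured in the question.

```php
<?php
// Added example: functional test for the refresh-token flow described in the question.
// Assumptions (not from the post): fixture user alice/s3cret, Symfony WebTestCase,
// Doctrine MongoDB ODM DocumentManager available from the test container.
namespace App\Tests\Functional;

use App\Document\RefreshToken;
use Doctrine\ODM\MongoDB\DocumentManager;
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class RefreshTokenFlowTest extends WebTestCase
{
    /** POST a JSON body (or an empty request when $body is null). */
    private function postJson(KernelBrowser $client, string $path, ?array $body = null): void
    {
        $client->request(
            'POST',
            $path,
            [],
            [],
            ['CONTENT_TYPE' => 'application/json'],
            $body === null ? null : json_encode($body)
        );
    }

    /** Names of the cookies the last response asked the client to set. */
    private function setCookieNames(KernelBrowser $client): array
    {
        $names = [];
        foreach ($client->getResponse()->headers->getCookies() as $cookie) {
            $names[] = $cookie->getName();
        }

        return $names;
    }

    /** Number of persisted refresh-token documents, to detect tokens issued on failure. */
    private function storedTokenCount(): int
    {
        $dm = static::getContainer()->get(DocumentManager::class);

        return \count($dm->getRepository(RefreshToken::class)->findAll());
    }

    public function testFailedLoginIssuesNoRefreshToken(): void
    {
        $client = static::createClient();
        $before = $this->storedTokenCount();

        $this->postJson($client, '/login_check', ['username' => 'alice', 'password' => 'wrong']);

        self::assertSame(401, $client->getResponse()->getStatusCode());
        self::assertNotContains('refresh_token', $this->setCookieNames($client));
        // A 401 must not leave a usable refresh token behind in the database.
        self::assertSame($before, $this->storedTokenCount());
    }

    public function testRefreshAndInvalidateRejectMissingToken(): void
    {
        $client = static::createClient();

        // No cookie and no body: the refresh authenticator must not issue a new JWT.
        $this->postJson($client, '/token/refresh');
        self::assertSame(401, $client->getResponse()->getStatusCode());

        // Likewise, invalidating nothing must not report success.
        $this->postJson($client, '/token/invalidate');
        self::assertNotSame(200, $client->getResponse()->getStatusCode());
    }

    public function testSuccessfulLoginIssuesCookieOnlyRefreshToken(): void
    {
        $client = static::createClient();

        $this->postJson($client, '/login_check', ['username' => 'alice', 'password' => 's3cret']);

        self::assertSame(200, $client->getResponse()->getStatusCode());
        self::assertContains('refresh_token', $this->setCookieNames($client));

        // remove_token_from_body: true => only the JWT is in the JSON body,
        // the refresh token travels solely in the HttpOnly cookie.
        $payload = json_decode($client->getResponse()->getContent(), true);
        self::assertArrayHasKey('token', $payload);
        self::assertArrayNotHasKey('refresh_token', $payload);

        // The test client keeps the cookie jar, so a refresh with the cookie succeeds.
        $this->postJson($client, '/token/refresh');
        self::assertSame(200, $client->getResponse()->getStatusCode());
    }
}
```

Run it with `php bin/phpunit tests/Functional/RefreshTokenFlowTest.php` against a dedicated test database; the first two tests are the ones that currently fail for the configuration in the question, so they double as a regression check once the mapping problem is resolved.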