At the moment a number of active/valid access tokens is unlimited which allows opening multiple "sessions" in, let's say, several browsers. The https://www.drupal.org/project/session_limit β module allows preventing this for regular sessions but it won't fit the need for OAuth.
Active
5.0
Code
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.