Ah ok, that's how we expected it to work. We were confused because the pseudocode states that the double hashed refresh token is stored in the session upon creation, and from the

refresh session

logic, it appears that the token hash stored in the session defines the parent refresh token