Something small we're probably missing, from the pseudocode, it seems that when a session is initially created, a refresh_token is returned, but since this the hash of this is stored in the session at this point, isn't it a parent_refresh_token and therefore unable to extend the session when refresh endpoint is called?