...
When the session token is expired, the client can send a reauth token via the reauth API. We retrieve the N most recent records for that user by their creation date (probably N=2 but could be N=3 if this is more robust), hash the token by the algorithm in each record, and compare to the hashed records looking for a match. (Do this intelligently: cache the hash by algorithm and reuse it since the algorithm is unlikely to change between reauthentications.) If there's a match, we treat this like a sign in: we generate and persist a new session token/reauth token pair, and return a new session with these new tokens. If this failsWe should invalidate existing session tokens, if any (the client in theory doesn't reauthenticate when they have a valid session token but even if they do, we should cover this case). If the reauthentication fails, even on return, the previous token continues to work, because we're comparing against older records as well.
...