Hash the refresh token with bcrypt before storing in the database. On each refresh, verify the incoming token against the hash, issue a new token pair, invalidate the old refresh token, and store the new hash. Reuse of a rotated token should trigger a full logout of all sessions as a theft signal.
Rotation invalidates the old refresh token on every use — only the latest token is valid.
Detected reuse of a rotated token is a signal of theft — revoke all sessions for that user immediately.
Never store refresh tokens in plain text — always hash with bcrypt before persisting.
Set hashedRefreshToken to null on logout so the token cannot be used after the user signs out.
passReqToCallback: true allows the strategy's validate() to access the raw refresh token from the request body.