Why do we use accessToken and refreshToken?

[antoniopresto]

The accessToken validation uses ignoreExpiration: true here.

We only check if the session saved in the DB is "valid": true.
Could we just save the session id in the refreshToken and ignore the sessionToken?

[antoniopresto]

One advantage I thought of is that the refreshToken is not saved in the DB, so if someone gains unauthorized access to an independent sessions DB, it would be more difficult to log in on behalf of someone else

Hmm, this can be protected with one single token too