Token problems with Node.js SDK and concurrent sessions
So there's a similar discussion on this topic on the Windows-SDK GitHub from 2014, but the response was not particularly satisfying, so I'm hoping to get some current direction.
I have a Node.js application that serves anonymous web requests for public Box documents without requiring the user to log in (or have any awareness of Box). As such, my application (using three-legged OAuth2 with the initial access/refresh token already generated manually) can receive multiple requests from different clients at the same time. As a result, I'm occasionally getting "Refresh token has expired" errors and all future sessions end up getting invalidated, requiring manual intervention to generate a new access/refresh token pair.
So here's a working scenario:
Client "A" submits a request. That request reads in the access token ("AT1") and refresh token ("RT1") stored in a server-side JSON file. I then call boxSDK.getTokensRefreshGrant with the refresh token ("RT1"). I get a new access token ("AT2") and refresh token ("RT2") that I store back to the JSON file, then I call boxSDK.getPersistentClient() with "AT2" and "RT2" and continue the rest of my process.
If it's one request at a time, no problem. But then I run into this non-working scenario:
Client "A" submits a request. It reads "AT1" and "RT1" from the JSON file. It calls boxSDK.getTokensRefreshGrant with "RT1" and gets a new "AT2" and "RT2" in response.
Before Client "A" can write out the new "AT2" and "RT2" tokens to the JSON file, Client "B" submits a request and reads the original "AT1" and "RT1" tokens from the JSON file. It calls boxSDK.getTokensRefreshGrant with "RT1" (now invalid, thanks to Client "A") and Box barfs with a "Refresh token has expired" error with no opportunity to recover.
Here's a code snippet:
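var jsonfile = require('jsonfile');
var boxSDK = require('box-node-sdk');
var file = './tokens.json'; // placeholder path to the server-side token file

// Read the stored token pair (AT1/RT1 in the scenario above)
var tokensFile = jsonfile.readFileSync(file);
var sdk = new boxSDK({
    clientID: 'blahblahblah',
    clientSecret: 'blahblahblahblah'
});
// Exchange the stored refresh token for a new pair; this invalidates the old one
sdk.getTokensRefreshGrant(tokensFile.refreshToken, function(err, tokenInfo) {
    if (err) {
        console.error('. Error stack: ', err.stack);
        return; // tokenInfo is undefined on error; do not overwrite the token file
    }
    // Persist the new pair, then build the client from it
    jsonfile.writeFileSync(file, tokenInfo);
    var boxClient = sdk.getPersistentClient(tokenInfo);
    // ... rest of the request handling
});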
With the Python SDK, it doesn't appear that this is an issue because it tries to retrieve the current token from the store to make sure it's working with the latest. I don't see any such logic in the Node.js SDK.
I wrote this application before the "Service Account" option came out, but this client only has Box Business--are Service Accounts available for that level or does the client need to have Box Enterprise?
If I can't use Service Accounts, it looks like I have to incorporate a file-locking mechanism in my Node.js applications so that Client "B" can't get a token until Client "A" has validated its session and written the updated tokens to the file.
Am I missing something or is this what I need to do with concurrent requests in Node.js?
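An added example, not part of the original post and not Box SDK code: it reproduces the race described above against a constructed single-use refresh-token endpoint, then shows the same three overlapping requests sharing one in-flight refresh. `makeFakeTokenEndpoint`, `TokenManager`, `demo` and the in-memory store are hypothetical names; in the real application `refreshFn` is assumed to be a promisified `sdk.getTokensRefreshGrant` and the store to wrap the JSON file.

```javascript
// Constructed stand-in for the Box token endpoint (not the real API): refresh
// tokens are single-use, so presenting an already-rotated one is rejected.
function makeFakeTokenEndpoint(initialRefreshToken) {
  let valid = initialRefreshToken;
  let n = 1;
  return function refresh(refreshToken) {
    return new Promise((resolve, reject) => setTimeout(() => {
      if (refreshToken !== valid) return reject(new Error('Refresh token has expired'));
      n += 1;
      valid = 'RT' + n;
      resolve({ accessToken: 'AT' + n, refreshToken: valid });
    }, 10));
  };
}

// Hypothetical helper: runs read -> refresh -> write as one unit and lets every
// request that arrives meanwhile wait on that same refresh instead of starting its own.
class TokenManager {
  constructor(store, refreshFn) {
    this.store = store;         // { load(), save(tokens) }, e.g. wrapping the JSON file
    this.refreshFn = refreshFn; // assumed: promisified sdk.getTokensRefreshGrant
    this.inFlight = null;
  }
  refresh() {
    if (!this.inFlight) {
      this.inFlight = Promise.resolve(this.store.load())
        .then(tokens => this.refreshFn(tokens.refreshToken))
        .then(fresh => { this.store.save(fresh); return fresh; })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight; // concurrent callers share the same token pair
  }
}

// Fire three overlapping requests, either naively (as in the post) or serialized.
async function demo(serialized) {
  let saved = { accessToken: 'AT1', refreshToken: 'RT1' }; // constructed token file
  const store = { load: () => ({ ...saved }), save: t => { saved = t; } };
  const endpoint = makeFakeTokenEndpoint('RT1');
  const mgr = new TokenManager(store, endpoint);
  const naive = () => endpoint(store.load().refreshToken).then(t => { store.save(t); return t; });
  const calls = [0, 1, 2].map(() => (serialized ? mgr.refresh() : naive()));
  const results = await Promise.allSettled(calls);
  return { statuses: results.map(r => r.status), saved };
}
```

This guard only covers requests inside one Node.js process; several processes sharing the same token file would still need a cross-process lock or a shared token store.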