c9f42961046e744998bbaf939cfd3e7a37fd117f
max
  Tue Oct 14 02:58:59 2025 -0700
changing how hgcentral connection is treated when an API key is supplied, open a connection and close it right afterwards, to make sure that no sleeping CGIs clog mysql connections, refs #36498

diff --git src/hg/lib/botDelay.c src/hg/lib/botDelay.c
index c9320597d8d..f67a499ddd8 100644
--- src/hg/lib/botDelay.c
+++ src/hg/lib/botDelay.c
@@ -122,34 +122,37 @@
 char *getBotCheckString(char *ip, double fraction)
 /* compose "user.ip fraction" string for bot check */
 {
 char *cookieUserId = getCookieUser();
 char *botCheckString = needMem(256);
 boolean useNew = cfgOptionBooleanDefault("newBotDelay", FALSE);
 if (useNew)
     {
         // the new strategy is: bottleneck on apiKey, then cookie-userId, then
         // hgsid, and only if none of these is available, on IP address. Also, check
         // apiKey and cookieId if they are valid, check hgsid if the string looks OK.
         char *apiKey = cgiOptionalString("apiKey");
         if (apiKey)
             {
             // Here we do a mysql query before the bottleneck is complete. 
-            // In theory, this can overload the MariaDB server.
-            // But there is no way around it, we must check that the apiKey is valid
             // And this is better than handling the request without bottleneck
-            char *userName = userNameForApiKey(apiKey);
+            // The connection is closed right away, so if the bottleneck leads to a long sleep, it won't tie up
+            // the MariaDB server. The cost of opening a connection is less than 1msec.
+            struct sqlConnection *conn = hConnectCentralNoCache();
+            char *userName = userNameForApiKey(conn, apiKey);
+            sqlDisconnect(&conn);
+
             if (userName)
                 safef(botCheckString, 256, "apiKey%s %f", apiKey, fraction);
             else 
                 hUserAbort("Invalid apiKey provided on URL. Make sure that the apiKey is valid. Or contact us.");
             }
         else
             if (cookieUserId)
                 safef(botCheckString, 256, "uid%s %f", cookieUserId, fraction);
             else
                 {
                 // The following happens very rarely on sites like our RR that use the cloudflare captcha,
                 // as all requests (except hgLogin, hgRenderTracks) should come in with a cookie user ID
                 char *hgsid = cgiOptionalString("hgsid");
                 // For now, we do not check the hgsid against the MariaDb table, only check if the string looks OK
                 if (hgsid && isValidHgsidForEarlyBotCheck(hgsid))
@@ -207,31 +210,30 @@
 {
 return hgBotDelayTimeFrac(defaultDelayFrac);
 }
 
 int hgBotDelayTimeFrac(double fraction)
 /* Get suggested delay time from cgi using the standard penalty. */
 {
 char *ip = getenv("REMOTE_ADDR");
 char *host = cfgOption("bottleneck.host");
 char *port = cfgOption("bottleneck.port");
 
 int delay = 0;
 if (host != NULL && port != NULL && ip != NULL)
     {
     char *botCheckString = getBotCheckString(ip, fraction);
-    hFreeAllCentral();
     delay = botDelayTime(host, atoi(port), botCheckString);
     freeMem(botCheckString);
     }
 return delay;
 }
 
 #define err429  429
 #define err429Msg       "Too Many Requests"
 int botDelayMillis = 0;
 
 static void jsonHogExit(char *cgiExitName, long enteredMainTime, char *hogHost,
     int retryAfterSeconds)
 /* err429 Too Many Requests to be returned as JSON data */
 {
 puts("Content-Type:application/json");