c9f42961046e744998bbaf939cfd3e7a37fd117f max Tue Oct 14 02:58:59 2025 -0700 changing how hgcentral connection is treated when an API key is supplied, open a connection and close it right afterwards, to make sure that no sleeping CGIs clog mysql connections, refs #36498
diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index e2defe2e184..34db3cad8a6 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1554,34 +1554,39 @@ captchaCheckDone = TRUE;
 if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY)))
 return;
 // no captcha for our own QA scripts running on a server with our IP address
 if (botException())
 return;
 // certain user agents are allowed to use the website without a captcha
 if (isUserAgentException())
 return;
 // a valid apiKey can always be used to get around the captcha. Note that bottlenecking is then done on the level
-// of the apiKey, if a valid apiKey has been supplied, see botDelay.c
+// of the apiKey, if a valid apiKey has been supplied, see botDelay.c, so the check if the apiKey is valid is assumed
+// to have been done at the bottleneck step
 char *apiKey = cgiOptionalString("apiKey");
-if (apiKey && userNameForApiKey(apiKey))
+if (apiKey)
+ {
+ // This assumes that we've checked the API key already in botdelay.c. All our CGIs
+ // call botDelay, we assume that botDelay has been called.
 return;
+ }
 // hgRenderTracks should not show the captcha - it was made to be used from other websites
 // For hgSession, we redirect from euro and asia to the RR - avoid showing the captcha there
 // hgLogin is the redirect target for hgSession, so avoid it there as well
 char *cgi = cgiScriptName();
 if (
 sameWord(cgi, "/cgi-bin/hgRenderTracks") ||
 sameWord(cgi, "/cgi-bin/hgSession") ||
 sameWord(cgi, "/cgi-bin/hgLogin")
 )
 return;
 // Do not show a captcha if we have a valid cookie
 // but for debugging, it's nice to be able to force the captcha
 if (userId && userIdFound && !cgiOptionalString("captcha"))
 return;
 // when the captcha is solved, our JS code does a full page-reload, no AJAX. That saves us one round-trip.
 // After the reload, the new page URL has the captcha token in the URL argument list, so now we need to validate it
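Review bot: The new `if (apiKey)` replaces the `userNameForApiKey(apiKey)` lookup with the mere presence of the parameter, so a request carrying `apiKey` with any value now skips the captcha unless botDelay already rejected it; the added comment records this as an assumption, and nothing in the hunk enforces that botDelay ran before this point or that its validation is unconditional (if that validation is itself skipped under some configuration, the captcha bypass becomes unconditional). The commit message describes opening an hgcentral connection, doing the lookup and closing it immediately, which would keep the check at this site without leaving a sleeping connection behind; that shape is preferable to dropping the check. A lighter alternative is to have botDelay record the outcome of its lookup in a flag that this code tests, e.g. `if (apiKey && apiKeyValidated) /* proposed: set by botDelay only after a successful lookup */`, so that the bypass depends on a verified key rather than on an unverified parameter. The enclosing function starts and ends outside the hunk, so whether botDelay is guaranteed to have run on every path reaching this line cannot be confirmed from here.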