a217902ac06d246cf240f02be103050c8e95e550
max
  Wed Jun 18 06:38:37 2025 -0700
no captcha for IGV, refs #35938

diff --git src/hg/lib/cart.c src/hg/lib/cart.c
index 069c527b963..52dd27dd04b 100644
--- src/hg/lib/cart.c
+++ src/hg/lib/cart.c
@@ -1548,31 +1548,32 @@
     sqlCleanupAll(); // we are wondering about hanging connections, so just in case, close them.
     exit(0);
 }
 
 void forceUserIdOrCaptcha(struct cart* cart, char *userId, boolean userIdFound, boolean fromCommandLine)
 /* print captcha is user did not sent a valid hguid cookie or a valid cloudflare token. Always allow rtracklayer. */
 {
 if (fromCommandLine || isEmpty(cfgOption(CLOUDFLARESITEKEY)))
     return;
 
 // no captcha for our own QA scripts running on a server with our IP address
 if (botException())
     return;
 
 // let rtracklayer user agent pass, but allow us to remove this exception in case the bots discover it one day
-if (!cfgOption("blockRtracklayer") && sameOk(cgiUserAgent(), "rtracklayer"))
+if ( (!cfgOption("blockRtracklayer") && sameOk(cgiUserAgent(), "rtracklayer")) || 
+        (isNotEmpty(cgiUserAgent()) && startsWith("IGV", cgiUserAgent())) )
     return;
 
 // QA can add a user agent after release, in case someone complains that their library is blocked
 char *okUserAgent = cfgOption("okUserAgent");
 if (okUserAgent && sameOk(cgiUserAgent(), okUserAgent))
     return;
 
 // Do not show a captcha if we have a valid cookie 
 // but for debugging, it's nice to be force the captcha to come up
 if (userId && userIdFound && !cgiOptionalString("captcha"))
     return;
 
 // This is a hack to let all AJAX requests pass without cookies, no needed anymore.
 // It's a hack because the header can be set by any curl script to get around
 // the captcha.