PAUSE login relies on local disk cache

[haarg]

When attempting add link a PAUSE account to a metacpan account, an email is sent to the user's @cpan.org address which includes a randomly generated token. To link that token to the appropriate metacpan account, a CHI cache is used. This CHI cache is currently only configured to use local on disk storage. This means if the initial login request is directed to a different backend server than the email link, the login will fail.

This needs to be updated to work correctly with multiple servers. One option would be configuring CHI to use postgresql for its storage. Another option would be switching from a random token to an encrypted token, which would contain the metacpan account information.

For the time being, this has been mitigated by configuring fastly to direct all PAUSE login requests to a single server.

[jberger]

Wow, is this this source of the phantom login problems metacpan has been having all these years?

[oalders]

Yes! metacpan/metacpan-web#2500 There's still a problem with people getting JSON rather than getting redirected in some cases, but this one went undetected for years.