My testing was with dbm backends which do an automatic commit on the otk database. My tests used a mock for the otk database because I don't now how to get a real db into the test, so they didn't test the rdbms code paths. Once I committed to upstream I updated my sqlite based production tracker and boom. Couldn't log in with csrf_enforce = required. I was missing calls to commit to the db which is required for rdbms backends. Added those and also removed redundant code where I was deleting the otk in a few places. Once it's used and I have retrieved data from it, I don't need it. Nuke it upstream from all the code paths that will exit the routine so I don't have to delete in each code path.

--- a/roundup/cgi/templating.py	Sat Mar 18 16:59:01 2017 -0400
+++ b/roundup/cgi/templating.py	Sat Mar 18 19:16:56 2017 -0400
@@ -83,7 +83,7 @@
     # is unpredicatable (depends on number of previous connections etc.)
     key = '%s%s%s'%(random.random(),id(self),time.time())
     key = hashlib.sha256(key).hexdigest()
-        
+
     while otks.exists(key):
         key = '%s%s%s'%(random.random(),id(self),time.time())
         key = hashlib.sha256(key).hexdigest()
@@ -103,6 +103,7 @@
     otks.set(key, uid=client.db.getuid(),
              sid=client.session_api._sid,
              __timestamp=time.time() + ((lifetime - 10800) * 60) )
+    client.db.commit()
     return key
 
 ### templating