Todd Wolfson

As a workaround for now, we're going to update the `nil` lines to the following: ```ruby def set_request_start @request_started_at = Time.now @used_auth_by_token = true # initialize instance variables @client_id ||=...

Sure thing! Opening a PR now 👍

We aren't using batch mode so it's irrelevant to us =/

Oh, you mean try out #1161 since #703 is landed. I'm quite cramped this week so I don't have time to try out the other fixes. Sorry =/

Feel free to close #1166 if you feel #1161 would resolve this issue

I am realizing that we can make the API cleaner by passing `session_interface` to the `session` constructor itself. This would allow for`session.destroy()` calls which under the hood has `session` invoke...

On the Flask thread, we concluded that it's a pretty bad idea to store anything as an attribute on `session` as it could get picked up by a serializer (e.g....

Is there anything blocking this PR outside of merge conflicts?

Could you provide a more detailed example of what using that code would look like?

While that works, I would be opposed to everyone rewriting/reimplementing the same SHA256 signer. As with anything related to security, the algorithm can be great but someone can mess up...