Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ory Tunnel requests are 2x slower than hitting Ory Network directly #315

Open
5 of 6 tasks
mt-krainski opened this issue Jul 31, 2023 · 3 comments
Open
5 of 6 tasks

Ory Tunnel requests are 2x slower than hitting Ory Network directly #315

mt-krainski opened this issue Jul 31, 2023 · 3 comments
Labels
bug Something is not working.

Comments

@mt-krainski
Copy link

Preflight checklist

Describe the bug

I noticed that making a request through an Ory Tunnel is roughly 2x slower than making a request directly to Ory.

I think the culprit is here: https://github.com/ory/cli/blob/5e5efa77c077225c16416d85984d0a311f02e82e/cmd/cloudx/proxy/proxy.go#L180C1-L181C1

My Go is not great, but if I understand correctly, this will call Ory for every request the tunnel/proxy is receiving, even if that request is /sessions/whoami? This means that the identity of the user is verified first and then the actual request is handled, which makes sense for the Ory Proxy when it proxies requests to a separate backend service, but perhaps doesn't make sense if the proxy or tunnel are actually proxying a request to Ory?

Reproducing the bug

  1. Get a session token or cookie from an Ory session
  2. Call Ory directly and time the request duration
  3. Call Ory through an Ory Tunnel and time the request duration

I can provide a more detailed steps to reproduce, but I think the difficulty here is that it requires the specific Ory session token and Ory domain to try with

Relevant log output

No response

Relevant configuration

No response

Version

v0.1.36

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

No response
@mt-krainski mt-krainski added the bug Something is not working. label Jul 31, 2023
@aeneasr
Copy link
Member

aeneasr commented Aug 2, 2023

Thank you for raising this issue! It's indeed possible that the root cause is that we're wiring everything through the whoami call, which can slow down all requests.

There's probably a bit of work required to make this better/easier such as "this path needs auth, this doesn't". However, the tunnel is really mostly used for local development and while slow requests are poor experience, we also need to balance how complex the tunnel becomes in terms of codebase and configuration.

What would be your ideal solution?

@mt-krainski
Copy link
Author

Thanks for getting back to me. I appreciate your approach to balance complexity, I think it makes sense to try to keep a development tool simple.

Perhaps I'm wrong, but my understanding is that the Ory Tunnel doesn't need to check whoami for anything? It's intended to forward the requests to Ory, so if I'm calling <tunnel-url>/sessions/whoami, the tunnel should just forward that to Ory? Or if I make a <tunnel-url>/self-service/login, this also doesn't need the additional whoami call? I'm not sure I see why the tunnel would need to validate the user? So, could it be as simple as just not adding the checkOry middleware if conf.isTunnel (here)?

@aeneasr
Copy link
Member

aeneasr commented Aug 3, 2023

Yeah, you're totally right :D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is not working.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aeneasr @mt-krainski