
Ory Tunnel requests are 2x slower than hitting Ory Network directly

Open mt-krainski opened this issue 2 years ago • 3 comments

Preflight checklist

Describe the bug

I noticed that making a request through an Ory Tunnel is roughly 2x slower than making a request directly to Ory.

I think the culprit is here: https://github.com/ory/cli/blob/5e5efa77c077225c16416d85984d0a311f02e82e/cmd/cloudx/proxy/proxy.go#L180C1-L181C1

My Go is not great, but if I understand correctly, this will call Ory for every request the tunnel/proxy is receiving, even if that request is /sessions/whoami? This means that the identity of the user is verified first and then the actual request is handled, which makes sense for the Ory Proxy when it proxies requests to a separate backend service, but perhaps doesn't make sense if the proxy or tunnel are actually proxying a request to Ory?

Reproducing the bug

  1. Get a session token or cookie from an Ory session
  2. Call Ory directly and time the request duration
  3. Call Ory through an Ory Tunnel and time the request duration

I can provide more detailed steps to reproduce, but I think the difficulty here is that it requires the specific Ory session token and Ory domain to try with.

Relevant log output

No response

Relevant configuration

No response

Version

v0.1.36

On which operating system are you observing this issue?

Ory Network

In which environment are you deploying?

Ory Network

Additional Context

No response

mt-krainski, Jul 31 '23 22:07

Thank you for raising this issue! It's indeed possible that the root cause is that we're wiring everything through the whoami call, which can slow down all requests.

There's probably a bit of work required to make this better/easier, such as "this path needs auth, this doesn't". However, the tunnel is really mostly used for local development, and while slow requests are a poor experience, we also need to balance how complex the tunnel becomes in terms of codebase and configuration.

What would be your ideal solution?

aeneasr, Aug 02 '23 10:08

Thanks for getting back to me. I appreciate your approach to balance complexity, I think it makes sense to try to keep a development tool simple.

Perhaps I'm wrong, but my understanding is that the Ory Tunnel doesn't need to check whoami for anything? It's intended to forward the requests to Ory, so if I'm calling <tunnel-url>/sessions/whoami, the tunnel should just forward that to Ory? Or if I make a <tunnel-url>/self-service/login, this also doesn't need the additional whoami call? I'm not sure I see why the tunnel would need to validate the user? So, could it be as simple as just not adding the checkOry middleware if conf.isTunnel (here)?

mt-krainski, Aug 02 '23 13:08

Yeah, you're totally right :D

aeneasr, Aug 03 '23 17:08
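
The extra round trip discussed in this thread, as an added Go example that is not from the Ory CLI or from either commenter: `withSessionCheck`, `oryRoundTrips` and the `skipCheck` flag are hypothetical names, and the `httptest` server is a constructed stand-in for Ory Network. It counts how many requests reach the upstream for one request through the tunnel, with the per-request whoami check applied and with it skipped as proposed for `conf.isTunnel`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
)

// withSessionCheck (hypothetical) calls upstream /sessions/whoami, then forwards.
func withSessionCheck(ory string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, _ := http.NewRequest(http.MethodGet, ory+"/sessions/whoami", nil)
		req.Header.Set("Cookie", r.Header.Get("Cookie"))
		if res, err := http.DefaultClient.Do(req); err == nil {
			res.Body.Close() // result unused here; only the extra round trip matters
		}
		next.ServeHTTP(w, r)
	})
}

// oryRoundTrips sends one request through a local tunnel and returns how many
// requests the constructed stand-in for Ory Network received.
func oryRoundTrips(skipCheck bool) int64 {
	var hits int64
	ory := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&hits, 1)
		fmt.Fprint(w, `{"active":true}`)
	}))
	defer ory.Close()
	target, _ := url.Parse(ory.URL)
	var h http.Handler = httputil.NewSingleHostReverseProxy(target)
	if !skipCheck { // skipCheck=true models the thread's proposal for tunnel mode
		h = withSessionCheck(ory.URL, h)
	}
	tunnel := httptest.NewServer(h)
	defer tunnel.Close()
	res, err := http.Get(tunnel.URL + "/sessions/whoami")
	if err != nil {
		return -1
	}
	res.Body.Close()
	return atomic.LoadInt64(&hits)
}

func main() {
	fmt.Println("check applied:", oryRoundTrips(false), "check skipped:", oryRoundTrips(true))
}
```

Skipping the check is only shown for the tunnel case, where the forwarded request already goes to Ory; the thread keeps the check for the Ory Proxy in front of a separate backend service.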