When did the max page size for the Identities API ...
# ory-network
j
When did the max page size for the Identities API get set at 500? This is a breaking change that has just taken down a whole load of our production environment.
We're using the @ory/client TypeScript SDK and we're struggling to implement the Link header method, as the response type is an AxiosResponse and the Link header is not exposed to the client. Is there any built-in support for pagination within the Ory SDK? Tagging @steep-lamp-91158 as this is currently causing an incident within our production environment.
h
Hello @jolly-zebra-75152, sorry to hear that this is causing an incident on production. The limit actually was 500 for some time, then a regression removed the limit, and now it's back again. We've always been upfront in our docs that (a) there are limits, (b) you need to implement pagination and (c) page tokens can change format and page sizes can also change. OpenAPI does not have pagination built in, so we don't have a library for that, but the Link header is a standard and there are libraries available to parse it for TypeScript.
The change was released last week
j
When we call listIdentities from the Ory SDK we can see the `Link` header appear in the network overview tab, however the response object does not contain this header. We can see that we don't receive an `Access-Control-Expose-Headers` header and it looks like the Link header is returned in a CORS request.
Do you know when the "regression removed the limit" was made? We haven't changed these parts of our code since at least January, so we're just surprised by the sudden reintroduction. The issue with the `Link` header not being exposed via CORS is effectively blocking our ability to patch this issue.
Noting that we're not seeing this come through even with `ory-tunnel` running.
h
What endpoint are you calling
j
The first one we were tackling was listIdentities, which should be
<https://www.ory.sh/admin/identities>
We may be able to work around this one as the pageToken looks like it's just the last id in the array. Identity Session is harder as the pageToken is not of this format; it just looks like a base64 encoded string.
<https://www.ory.sh/admin/identities/{id}/sessions>
h
I don't think that CORS has an impact here to be honest. Are you calling admin endpoints with CORS? Where do you store your API key?
In the frontend app?
I'm surprised CORS even works for these endpoints 😅
If the header were not allowed, CORS would throw an origin error and not load the request at all, not hide the Link header.
Make sure you're calling the SDK method that gives you the full response, not just the response body. In the fetch SDK it's listIdentitiesRaw iirc.
And lastly, we WILL change the page token format at some point, so if you rely on the behavior it will break!
j
FYI @quiet-holiday-22170
You mean how the token is created? Not the page_token parameter itself? So long as we parse it from the Link header we should be ok?
We've run into a similar issue with the Go SDK also, when we try running the following, at least running oryd/keto 0.12.0:

```go
// Paginated call through the Keto Go client; resp is the raw *http.Response
// returned alongside the decoded relationships.
relationships, resp, err := o.oryKetoClient.RelationshipAPI.GetRelationships(o.oryAuthedContext).
	PageSize(pageSize).
	PageToken(pageTokenValue).
	Execute()
```

We get no Link header in the resp.Headers either. Just seen there's a GetNextPageToken() function in the client-go.
h
Yes, we'll update the token format (probably encrypt it so people stop reverse engineering it)
j
Will the relationships API continue to return it in the payload body?
s
Yes, I think for most APIs (because of the problems with the generated clients) the payload actually makes more sense than headers.
But we're limited for those that use an array instead of an object as the payload, because we can't just add the page token key there.
h
Are you calling the `/admin/identities` endpoint from an SPA app? If yes, where do you store your ORY_API_KEY? How is your frontend app getting that API key to call our admin APIs? Are you aware that exposing this API key in your frontend code can lead to some very serious security issues?
j
@quiet-holiday-22170 should be able to answer this. I think we proxy our frontend calls through a Node backend.
q
The API key is not exposed in any of our frontends; any calls to the `/admin` endpoints (i.e. the ones which require an API_KEY) are proxied through a NodeJS backend where the key is attached (as Andrew said).
h
Ok, perfect! But then you should also be able to get the Link header in the response.