Description
With the implementation of the new implicit Auth Flow, the cookie has grown further. This can cause problems. At the moment, I see these mainly with SAML authentication, but I think that Keycloak logins will also be affected.
I am aware of this issue and the solution: supabase/realtime#761. However, there are problems that go beyond this: Specifically, it concerns the connection to the realtime web socket as well as IIIF requests (at least in the self-hosted IIIF setup); these connections fail due to the header being too large.
I have found a workaround by having Kong remove the cookie from these paths, since the cookie isn't used anyways. Would it be worth considering not sending the cookie at all when requests are sent to Supabase? As far as I know, Apikey and Authorization are the headers that are relevant here.