From 2ddbd3cc80e76d9ef873b030413adf5c278176cb Mon Sep 17 00:00:00 2001
From: Conrad Ludgate <conrad@neon.tech>
Date: Thu, 17 Jul 2025 17:14:03 +0100
Subject: [PATCH] allow longer JWTs

---
 proxy/src/stream.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proxy/src/stream.rs b/proxy/src/stream.rs
index d6a43df188..fc95dd0fe2 100644
--- a/proxy/src/stream.rs
+++ b/proxy/src/stream.rs
@@ -86,10 +86,10 @@ impl<S: AsyncRead + Unpin> PqStream<S> {
     /// Read a postgres password message, which will respect the max length requested.
     /// This is not cancel safe.
     pub async fn read_password_message(&mut self) -> io::Result<&mut [u8]> {
-        // passwords are usually pretty short
+        // passwords are usually pretty short, but JWTs are quite long.
         // and SASL SCRAM messages are no longer than 256 bytes in my testing
         // (a few hashes and random bytes, encoded into base64).
-        const MAX_PASSWORD_LENGTH: u32 = 512;
+        const MAX_PASSWORD_LENGTH: u32 = 2048;
         self.read_raw_expect(FE_PASSWORD_MESSAGE, MAX_PASSWORD_LENGTH)
             .await
     }