Life with GraphQL API: good practices and unresolved issues - Roman Dubrovsky | Ruby Meditation 29

with ❤from datarockets
Roman Dubrovsky
2
https://t.me/rdubrovsky
https://github.com/roman-dubrovsky
https://www.instagram.com/romandubrovsky

with ❤from datarockets 5
13:45 pm

13:45 pm
13:30 pm

Minsk
8

Minsk
9
Kiev

Minsk
10
Kiev

datarockets
https://datarockets.com
https://github.com/datarockets/career
https://www.instagram.com/datarockets
https://twitter.com/datarockets
https://www.facebook.com/datarockets

Minsk.rb
13

LIFE WITH GRAPHQL
API
GOOD PRACTICES AND UNRESOLVED ISSUES
with ❤ from datarockets

In this talk
● Our adventure with GraphQL API: from small component on some pages to the
SPA which includes the big part of application functionality
● Real issues we faced during creating and supporting our GraphQL API
● Issues I discussed with people on afterparties 🍻
● Unresolved issues and my ideas and vision on designing the GraphQL API
● Why I love GraphQL ❤
15

Our GraphQL experience
● Almost 3 years of GraphQL API development for our SPA
● Made GraphQL API public for our customers
● Integrated with a number of external GraphQL APIs
● Drunk about 100 bottles of beer discussing GraphQL on afterparties
16

Our GraphQL experience
● Almost 3 years of GraphQL API development for our SPA
● Made GraphQL API public for our customers
● Integrated with a number of external GraphQL APIs
● Drunk about 100 bottles of beer discussing GraphQL on afterparties
17
🍻

Для тех кто в танке?
Шутка про минск?

Type
24

Fields
25

Field to another type
26

Thinking in Graphs
27

Where is logic?
28

Where do we store our logic?
29

Fields
30

Fields Resolvers
31

Query type
32
User
Organization
me
organization(id)
QueryType

Query type
33
QueryType
me
request
query {
me {
// ....
}
}
organization(id)
User
Organization

Mutation type
34
MutationType
CreatePost
PublishPost
createPost(postData)
publishPost(postId)

Typical depression
36
Type

Typical depression
37
Type

GraphQL API
● Schema => Types
● Resolvers
38

GraphQL forces to isolate business logic
41

Queries

Mutations
45

What can be changed?
46

Mutations
47

Mutations
49

Mutations
50
Trailblazer

Mutations
51

What could possibly go wrong?
52

Mutations
53

Expectation
request
query {
me {
items {
id
}
}
}
54
response
{
"data": {
"me": {
"items": [
{
"id": "1"
},
{
"id": "2"
},
// ...
]
}
}

Reality
request
query {
me {
items {
id
}
}
}
55
response
{
"data": {
"me": {
"items": [
{
"id": "MDEwOJlcG9zaXRcvnkzMDAxNzMzQA=="
},
{
"id": "MDEwOJlcG9zaXRcvnkzMDAxNjQ5Mg=="
},
// ...
]
}
}
}
https://facebook.github.io/relay/graphql/objectidentiﬁcation.html

Mutations
57

Mutations
58

Summary
● GraphQL works really great if you follow Rails development best-practice
● You should remember and process GraphQL ID diﬀerently
59

request
query {
me {
items {
id
title
}
}
}
63
response
{
"data": {
"me": {
"items": [
{
"id": "1",
"title": "Hello world!!!"
},
{
"id": "2",
"title": "Hello GraphQL!!!"
},
// and more 100500 items...
]
}
}

What can we do here?
64

request
query {
me {
items(per_page: 2) {
id
title
}
}
}
66
response
{
"data": {
"me": {
"items": [
{
"id": "1",
},
{
"id": "2",
}
]
}
}
}

How many items do we have?
67

Do you like it?
69

request
query {
me {
items(first: 2) {
nodes {
id
title
}
pageInfo {
endCursor
hasNextPage
}
}
}
}
73
response
{
"data": {
"me": {
"items": {
"nodes": [
{
"id": "1",
},
{
"id": "2",
}
],
"pageInfo": {
"endCursor": "Y3Vyc29yOnYyOpHOAnq2TA==",
"hasNextPage": true
}

How we can make authentication?
75

Using mutation
● Create a mutation which generates a token for access to the API
● It’s still may work for login/password authentication
● It would be harder to implement authentication via OAuth since we need to
process redirects
● It’s hard to update all the data after successful authentication
● Maybe, this still makes sense.
77

Choose approaches and solution
according to your business cases and
application reality
78

Delegate authorization logic to the
business logic layer
80

● Authorize the user to perform some mutation
● Create per-ﬁeld “helpers” for verifying access for making changes
● Scope data
● Get access to only some private ﬁelds
81

Mutations authorization
82
somewhere here

Exposing authorization rules in the API
83
request
query {
me {
items(first: 2) {
nodes {
id
canEdit
}
}
}
}
response
{
"data": {
"me": {
"items": {
"nodes": [
{
"id": "1",
"canEdit": true
},
{
"id": "2",
"canEdit": false
}
]
}

Scoping
84

Field authorization
request
query {
items {
edges {
node {
title
description
privateStatistic {
viewerCount
linkClicksCount
}
}
}
}
}
85
response
What is here?

Field authorization
request
query {
items {
edges {
node {
title
description
privateStatistic {
viewerCount
linkClicksCount
}
}
}
}
}
86
response
{
"error": {
"message": "Not Authorized"
}
}

Field authorization
request
query {
items {
edges {
node {
title
description
privateStatistic {
viewerCount
linkClicksCount
}
}
}
}
}
87
response
"data": {
"items": {
"edges": [
{
"node": {
"title": "Hello world",
"description": "C++ in 21 days",
"privateStatistic": null,
}
},
{
"node": {
"title": "Hello GraphQL",
"description": "GraphQL in 35 minut
"privateStatistic": {
"viewerCount": 100500,
"linkClicksCount": 0
},

Field authorization
request
query {
item(id: $id) {
title
description
}
}
88
response
{
"data": {
"item": null
}
}

Field authorization
● Nullable fields for controlling access to some fields
● The same result for not found and access denied errors
● No error messages on why we can’t get access to a field
● For collections we use null when user doesn’t have access and empty list []
if there are no items
● This is more about API design not about the implementation
89

request
query {
items(first: 50) {
nodes {
id
user {
name
}
}
}
}
91
response
{
"data": {
"items": {
"nodes": [
{
"id": "1",
"user": {
"name": "Vasya Pupkin"
}
},
{
"id": "2",
"user": {
"name": "Ivan Ivanov"
}
},
// ...
]

GraphQL::Batch
93
https://github.com/Shopify/graphql-batch

Cache is hard?
96

Cache is pain?
97

field :user, Types::UserType, cache: {key: :user_id}, null: false
98
https://github.com/stackshareio/graphql-cache

GraphQL schema is the best
documentation
102

GraphiQL
104

GraphiQL
105

GraphiQL
106

GraphiQL
107

GraphQL Doc
https://github.com/gjtorikian/graphql-docs
108

Field : GraphQL Type
112

request
query {
items(first: 50) {
nodes {
id
user {
name
}
}
}
item(id: "MDEwOJlcG9zaXRcvnkzMDAxNzMzQA==") {
title
}
}

Field : GraphQL Type
Field : (arguments) => GraphQL Type
114

request
query {
items(first: 50) {
nodes {
id
rawContent: content(format: RAW)
content(format: MARKUP)
}
}
}

Enums Types
117

Scalar Types
118

6 months ago
120

4 months ago
121

What is wrong here?
122

What about something unexpected ???
126

What about sql injection?
127
https://rails-sqli.org/

request
query {
items(first: 50, order: TITLE) {
nodes {
id
title
}
}
}

Validate data and don’t trust users
129

What about huge requests?
130

Timeout
https://graphql-ruby.org/queries/timeout.html
131

Prevent deeply-nested queries
https://graphql-ruby.org/queries/complexity_and_depth.html
132

Prevent complex queries
https://graphql-ruby.org/queries/complexity_and_depth.html
133

Required pagination and limits
134

Summary
● GraphQL is a great process and care about all members of the team
● Graphql is a great convention for communication between developers
● It does not aﬀect you business logic
● It resolver some issues and makes a new one
● Fun !!!!
137

● Subscription Types
● Input Types
● Working with IDs
● Visibility
● Supporting deprecated types and ﬁelds
● Converting GraphQL schema from AR schema
● Other approaches using GraphQL
● Using GraphQL queries with REST endpoint (e.g. Facebook API)
● Monitoring GraphQL schema
● Tests for GraphQL schema
● etc...
138

● Subscription Types
● Input Types
● Working with IDs
● Visibility
● Supporting deprecated types and ﬁelds
● Converting GraphQL schema from AR schema
● Other approaches using GraphQL
● Using GraphQL queries with REST endpoint (e.g. Graph API)
● Monitoring GraphQL schema
● Tests for GraphQL schema
● etc...
139🍻

Thank you!
https://t.me/rdubrovsky
https://github.com/roman-dubrovsky
https://www.instagram.com/romandubrovsky
https://git.io/Je457

Enjoy what are you doing

Life with GraphQL API: good practices and unresolved issues - Roman Dubrovsky | Ruby Meditation 29

More Related Content

Similar to Life with GraphQL API: good practices and unresolved issues - Roman Dubrovsky | Ruby Meditation 29

More from Ruby Meditation

Recently uploaded

Life with GraphQL API: good practices and unresolved issues - Roman Dubrovsky | Ruby Meditation 29