[WIP] Republish Marc-André Giroux's blog post with light edits #1721
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| --- | ||
| title: "Why, after 8 years, I still like GraphQL" | ||
| tags: ["in-production"] | ||
| date: 2024-06-28 | ||
| byline: Marc-André Giroux, edited by Jeff Auriemma | ||
| --- | ||
|
|
||
| _This is a guest post outlining GraphQL TSC emeritus Marc-André Giroux's thoughts on practices and principles engineers should consider when using GraphQL in production. Though the [original publication](https://www.magiroux.com/eight-years-of-graphql/) was intended to respond to a specific article, we at the GraphQL Foundation felt that Marc-André's well-informed opinions would stand well on their own with a little light editing._ | ||
|
|
||
| ## Use Persisted Queries | ||
|
|
||
| Let's start with something maybe a little bold: **Persisted Queries are basically essential for building a solid GraphQL API**. If you are not using them, you're doing GraphQL on hard mode. It's not impossible, but it leads to difficult problems that show up in GraphQL debates from time to time. After 8 years of GraphQL, this has only gotten more and more important to me. Persist all queries, as soon as possible in your GraphQL journey. You'll thank yourself later. | ||
|
|
||
| Public APIs are a bit different. To be clear, it's not necessarily true that you can't use Persisted Queries in public APIs; one could ask customers to register queries first. But figuring out the DX for this would be an interesting task. That's why [We Don’t See Many Public GraphQL APIs](https://productionreadygraphql.com/blog/2019-10-21-why-we-dont-see-many-public-graphql-apis) out there, and why I would not pick GraphQL if I were to expose a public API today. | ||
|
|
||
| For a public API, a coarser-grained, resource-based API works great, and can be described through OpenAPI. SDKs can be generated through amazing tools like [Kiota](https://learn.microsoft.com/en-us/openapi/kiota/overview). It's hard to beat a well-made SDK for a public API, and in my experience, that's actually what customers expect and want to use. | ||
|
|
||
| ## Authorization | ||
|
|
||
| Authorization is a challenge with GraphQL. The thing is it's almost always challenging no matter what API style you use. I'd go as far as saying it is a challenge with designing software in general. Here's an example from a recent post that highlights this very well: | ||
|
|
||
| ```graphql | ||
| query { | ||
| user(id: 321) { | ||
| handle # ✅ I am allowed to view Users public info | ||
| email # 🛑 I shouldn't be able to see their PII just because I can view the User | ||
| } | ||
| user(id: 123) { | ||
| blockedUsers { | ||
| # 🛑 And sometimes I shouldn't even be able to see their public info, | ||
| # because context matters! | ||
| handle | ||
| } | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| `handle` and `email` both have different authorization rules. This is actually quite tricky to handle with a `GET /user/:id` endpoint as well. There's really nothing that makes GraphQL harder here. Yes when fine-grained authorization is needed, you'll need fine-grained authorization checks at that level. | ||
|
|
||
| ```graphql | ||
| user(id: 123) { | ||
| blockedUsers { | ||
| # 🛑 And sometimes I shouldn't even be able to see their public info, | ||
| # because context matters! | ||
| handle | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| This part is interesting as well and another challenge of authorizing code and models in general. The same "object" accessed through different contexts can actually have different authorization rules. Again, this is common in all API styles as well. That's why I actually usually advise designing this through a different model entirely, since it's likely they'll evolve differently. Here this is even possibly an API design mistake instead. If `handle` should never be seen for `blockedUsers`, then it shouldn't even be part of the schema here. This is a super common mistake where folks try to reuse common models/types instead of being specific. | ||
|
|
||
| After 8 years of GraphQL, I realize more and more that authorization is much more than a GraphQL problem. The API layer part is easy, but most code-bases are much more complex and must guard against unauthorized access in much better ways. Companies like [oso](https://www.osohq.com/) and [authzed](https://authzed.com/) and two great examples of how to do this well but also how complex this thing can be in general. | ||
|
There was a problem hiding this comment. I would add here that this is exactly why graphql.org best practices guide has always suggested not to put Authorization as part of your GraphQL layer: |
||
|
|
||
| ## Demand Control | ||
|
|
||
| We cannot assume that all requests are equally hard on the server, whether we're using GraphQL or not. The truth is that no matter what API style you use, whether that's a binary protocol over UDP or GraphQL, it is extremely rare, especially as the API surface grows, that all use-cases and "requests" will be equally expensive for a server to process. | ||
|
|
||
| A very easy example to show this is simply a paginated endpoint: | ||
|
|
||
| ``` | ||
| GET /users?first=100 | ||
|
|
||
| GET /users?first=1 | ||
| ``` | ||
|
|
||
| Or super expensive mutations: | ||
|
|
||
| ``` | ||
| POST /expensive-creation | ||
| ``` | ||
|
|
||
| To be 100% fair, of course GraphQL exposes this problem a bit more, earlier on, especially when not using persisted queries (Which should not happen!). And while folks building a small RPC API may not need to implement variable rate limiting or some sort of cost categories, they almost always end up having to. | ||
|
|
||
| And again: this focuses on public, unauthenticated public APIs. I think we can agree this is not [GraphQL's Sweet Spot](https://productionreadygraphql.com/blog/2020-05-14-sweetspot). | ||
|
There was a problem hiding this comment. I would also add that unlike other APIs, with GraphQL, because of its static nature, you can and do have tools that help you with these calculations instead of only creating ad-hoc solutions per endpoint |
||
|
|
||
| ## Performance | ||
|
|
||
| Many GraphQL critics talk about the N+1 problem and DataLoader. It's true that a GraphQL API must be ready for many query shapes and use cases. It is wise to implement efficient data loader for most fields through dataloaders. In fact, that's why I don't recommend using datafetching techniques that are overly coupled to the query shape, things like AST analysis, lookaheads, and things using context from sibling or parent fields. But an honest observer should acknowledge that this is a problem with REST as well. As the complexity of an endpoint or operation increases, an engineer should expect to have to make more trade-offs in the name of performance. | ||
|
|
||
| Overall I think dataloader is a requirement for GraphQL, and I agree with critics that it's part of the slight complexity add for a GraphQL API, even simple ones. Authorization N+1s are also an issue, though, again, REST has these issues as well. | ||
|
There was a problem hiding this comment. I would say that its a complexity that everyone will get to eventually, but when you do get there, GraphQL offers more automated tools to handle these complexities instead of ad-hoc endpoint based solutions |
||
|
|
||
| ## Breaking Changes vs. Continuous Evolution | ||
|
|
||
| One of the biggest "culture shocks" of adopting GraphQL is the concept of continuous evolution. Because GraphQL has primitives for deprecating and aliasing fields, the notion of backwards compatibility becomes gray instead of black-and-white. Want to add a field? Great, do it. Want to remove a field? Add `@deprecated` and gradually stop querying them, eventually removing the field altogether. | ||
|
|
||
| Arguably one of GraphQL's most powerful tool is around continuous evolution. The fact the client declaratively selects the API surface it is interested in means we can track with very high precision how our API is used. This allows us to actually **avoid** breaking changes, and make removals safely on fine grained parts of the schema. | ||
|
|
||
| Breaking changes and deprecations suck. We all try to avoid them, and yes it's annoying for clients. But if anything GraphQL makes this easier, not harder. | ||
|
There was a problem hiding this comment. I would make that argument even stronger - in a case where you have a system, a service that runs for years and years. |
||
|
|
||
| ## Conclusion | ||
|
|
||
| After 8 years of GraphQL, I still enjoy the decoupling a GraphQL schema offers between server-side capabilities and client-side requirements, but am aware of the trade-offs when picking it as a technology. Definitely persist your queries. Definitely build a public GraphQL API only if you really know what you're doing. Many critiques of GraphQL apply to any sufficiently complex API, there are no silver bullets in software engineering. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even though I very much agree with the "you probably need persisted queries" call, I have heard a couple of people that created public GraphQL APIs and when you have to go public, mentioned in their talks that GraphQL was a better choice for several reasons.
It is much much harder then private GraphQL APIs but it does have benefits over public REST APIs.
I'm not sure I feel comfortable with that specific suggestion on the community blog
I wonder what others who built public GraphQL APIs and continued to invest in them for years thing (CommerceTools, Shopify, GitLab, Saleor)