Life with GraphQL

Transcript

1. None

2. with ❤from datarockets Roman Dubrovsky 2 https://t.me/rdubrovsky https://github.com/roman-dubrovsky https://www.instagram.com/romandubrovsky

3. None
4. None

5. datarockets https://datarockets.com https://github.com/datarockets/career https://www.instagram.com/datarockets https://twitter.com/datarockets https://www.facebook.com/datarockets

6. with ❤from datarockets Welcome Minsk.rb 6

7. LIFE WITH GRAPHQL API GOOD PRACTICES AND UNRESOLVED ISSUES with

   ❤ from datarockets

8. with ❤from datarockets In this talk • Our adventure with

   GraphQL API: from small component on some pages to the SPA which includes the big part of application functionality • Real issues we faced during creating and supporting our GraphQL API • Issues I discussed with people on afterparties • Unresolved issues and my ideas and vision on designing the GraphQL API • Why I love GraphQL ❤ 8

9. with ❤from datarockets Our GraphQL experience • Almost 3 years

   of GraphQL API development for our SPA • Made GraphQL API public for our customers • Integrated with a number of external GraphQL APIs • Drunk about 100 bottles of beer discussing GraphQL on afterparties 9

10. with ❤from datarockets Our GraphQL experience • Almost 3 years

    of GraphQL API development for our SPA • Made GraphQL API public for our customers • Integrated with a number of external GraphQL APIs • Drunk about 100 bottles of beer discussing GraphQL on afterparties 10

11. with ❤from datarockets Our GraphQL experience • Almost 3 years

    of GraphQL API development for our SPA • Made GraphQL API public for our customers • Integrated with a number of external GraphQL APIs • Drunk about 100 bottles of beer discussing GraphQL on afterparties • It was almost one year ago 11

12. with ❤from datarockets Our GraphQL experience • Almost 3 years

    of GraphQL API development for our SPA • Made GraphQL API public for our customers • Integrated with a number of external GraphQL APIs • Drunk about 100 bottles of beer discussing GraphQL on afterparties • It was almost one year ago 12

13. LIFE WITH GRAPHQL API GOOD PRACTICES AND UNRESOLVED ISSUES with

    ❤ from datarockets

14. LIFE WITH GRAPHQL API IT WAS SO AWESOME with ❤

    from datarockets

15. with ❤ from datarockets

16. with ❤ from datarockets

17. with ❤ from datarockets

18. LIFE WITH GRAPHQL API GOOD PRACTICES AND UNRESOLVED ISSUES with

    ❤ from datarockets

19. Part 0

20. GraphQL

21. with ❤from datarockets 21

22. None

23. with ❤from datarockets Type 23

24. with ❤from datarockets Fields 24

25. with ❤from datarockets Field to another type 25

26. with ❤from datarockets Thinking in Graphs 26

27. with ❤from datarockets Where is logic? 27

28. with ❤from datarockets Where do we store our logic? 28

29. with ❤from datarockets Where do we store our logic? Fields

    29

30. with ❤from datarockets Where do we store our logic? Fields

    Resolvers 30

31. with ❤from datarockets Query type 31 User Organization me organization(id)

    QueryType

32. with ❤from datarockets Query type 32 QueryType me request query

    { me { // .... } } organization(id) User Organization

33. with ❤from datarockets Mutation type 33 MutationType CreatePost PublishPost createPost(postData)

    publishPost(postId)

34. with ❤from datarockets Typical depression 34 Type

35. with ❤from datarockets Typical depression 35 Type

36. with ❤from datarockets GraphQL API • Schema => Types •

    Resolvers 36

37. Part 1

38. Design of business layer

39. with ❤from datarockets GraphQL forces to isolate business logic 39

40. with ❤from datarockets 40 GraphQL forces to isolate business logic

41. with ❤from datarockets 41 GraphQL forces to isolate business logic

42. with ❤from datarockets 42 Queries

43. with ❤from datarockets Mutations 43

44. with ❤from datarockets What can be changed? 44

45. with ❤from datarockets Mutations 45

46. with ❤from datarockets 46

47. with ❤from datarockets Mutations 47

48. with ❤from datarockets What could possibly go wrong? 48

49. with ❤from datarockets Mutations 49

50. with ❤from datarockets Expectation request query { me { items

    { id } } } 50 response { "data": { "me": { "items": [ { "id": "1" }, { "id": "2" }, // ... ] } }

51. with ❤from datarockets Reality request query { me { items

    { id } } } 51 response { "data": { "me": { "items": [ { "id": "MDEwOJlcG9zaXRcvnkzMDAxNzMzQA==" }, { "id": "MDEwOJlcG9zaXRcvnkzMDAxNjQ5Mg==" }, // ... ] } } } https://facebook.github.io/relay/graphql/objectidentification.html

52. Global Object Identification

53. with ❤from datarockets Mutations 53

54. with ❤from datarockets Mutations 54

55. with ❤from datarockets Summary • GraphQL works really great if

    you follow Rails development best-practice • You should remember and process GraphQL ID differently 55

56. Part 2

57. Common API issues

58. Pagination

59. with ❤from datarockets request query { me { items {

    id title } } } 59 response { "data": { "me": { "items": [ { "id": "1", "title": "Hello world!!!" }, { "id": "2", "title": "Hello GraphQL!!!" }, // and more 100500 items... ] } }

60. with ❤from datarockets What can we do here? 60

61. with ❤from datarockets 61

62. with ❤from datarockets request query { me { items(per_page: 2)

    { id title } } } 62 response { "data": { "me": { "items": [ { "id": "1", "title": "Hello world!!!" }, { "id": "2", "title": "Hello GraphQL!!!" } ] } } }

63. with ❤from datarockets How many items do we have? 63

64. with ❤from datarockets 64

65. with ❤from datarockets Do you like it? 65

66. with ❤from datarockets 66

67. with ❤from datarockets 67

68. with ❤from datarockets 68

69. with ❤from datarockets request query { me { items(first: 2)

    { nodes { id title } pageInfo { endCursor hasNextPage } } } } 69 response { "data": { "me": { "items": { "nodes": [ { "id": "1", "title": "Hello world!!!" }, { "id": "2", "title": "Hello GraphQL!!!" } ], "pageInfo": { "endCursor": "Y3Vyc29yOnYyOpHOAnq2TA==", "hasNextPage": true }

70. Authentication

71. with ❤from datarockets How we can make authentication? 71

72. with ❤from datarockets 72

73. with ❤from datarockets Using mutation • Create a mutation which

    generates a token for access to the API • It’s still may work for login/password authentication • It would be harder to implement authentication via OAuth since we need to process redirects • It’s hard to update all the data after successful authentication • Maybe, this still makes sense. 73

74. with ❤from datarockets Choose approaches and solution according to your

    business cases and application reality 74

75. Authorization

76. with ❤from datarockets Delegate authorization logic to the business logic

    layer 76

77. with ❤from datarockets • Authorize the user to perform some

    mutation • Create per-field “helpers” for verifying access for making changes • Scope data • Get access to only some private fields 77

78. with ❤from datarockets Mutations authorization 78 somewhere here

79. with ❤from datarockets Exposing authorization rules in the API 79

    request query { me { items(first: 2) { nodes { id canEdit } } } } response { "data": { "me": { "items": { "nodes": [ { "id": "1", "canEdit": true }, { "id": "2", "canEdit": false } ] }

80. with ❤from datarockets Scoping 80

81. with ❤from datarockets Field authorization request query { items {

    edges { node { title description privateStatistic { viewerCount linkClicksCount } } } } } 81 response What is here?

82. with ❤from datarockets Field authorization request query { items {

    edges { node { title description privateStatistic { viewerCount linkClicksCount } } } } } 82 response { "error": { "message": "Not Authorized" } }

83. with ❤from datarockets Field authorization request query { items {

    edges { node { title description privateStatistic { viewerCount linkClicksCount } } } } } 83 response "data": { "items": { "edges": [ { "node": { "title": "Hello world", "description": "C++ in 21 days", "privateStatistic": null, } }, { "node": { "title": "Hello GraphQL", "description": "GraphQL in 35 minut "privateStatistic": { "viewerCount": 100500, "linkClicksCount": 0 },

84. with ❤from datarockets Field authorization request query { item(id: $id)

    { title description } } 84 response { "data": { "item": null } }

85. with ❤from datarockets Field authorization • Nullable fields for controlling

    access to some fields • The same result for not found and access denied errors • No error messages on why we can’t get access to a field • For collections we use null when user doesn’t have access and empty list [] if there are no items • This is more about API design not about the implementation 85

86. with ❤from datarockets Field authorization • Nullable fields for controlling

    access to some fields • The same result for not found and access denied errors • No error messages on why we can’t get access to a field • For collections we use null when user doesn’t have access and empty list [] if there are no items • This is more about API design not about the implementation • GraphQL spec knows how to resolve this issue but Ruby implementation does not. 86
87. None

88. N + 1 queries

89. with ❤from datarockets request query { items(first: 50) { nodes

    { id user { name } } } } 89 response { "data": { "items": { "nodes": [ { "id": "1", "user": { "name": "Vasya Pupkin" } }, { "id": "2", "user": { "name": "Ivan Ivanov" } }, // ... ]

90. with ❤from datarockets 90

91. with ❤from datarockets GraphQL::Batch 91 https://github.com/Shopify/graphql-batch

92. Cache

93. None

94. with ❤from datarockets Cache is hard? 94

95. with ❤from datarockets Cache is pain? 95

96. with ❤from datarockets field :user, Types::UserType, cache: {key: :user_id}, null:

    false 96 https://github.com/stackshareio/graphql-cache

97. Part 3

98. Powerful tips

99. Documentation

100. with ❤from datarockets GraphQL schema is the best documentation 100

101. with ❤from datarockets 101

102. with ❤from datarockets GraphiQL 102

103. with ❤from datarockets GraphiQL 103

104. with ❤from datarockets GraphiQL 104

105. with ❤from datarockets GraphiQL 105

106. with ❤from datarockets GraphQL Doc https://github.com/gjtorikian/graphql-docs 106

107. Field is a function

108. with ❤from datarockets Query type 108 QueryType me request query

     { me { // .... } } organization(id) User Organization

109. Field is a function resolver

110. with ❤from datarockets Field : GraphQL Type 110

111. with ❤from datarockets 111 request query { items(first: 50) {

     nodes { id user { name } } } item(id: "MDEwOJlcG9zaXRcvnkzMDAxNzMzQA==") { title } }

112. with ❤from datarockets Field : GraphQL Type Field : (arguments)

     => GraphQL Type 112

113. with ❤from datarockets 113 request query { items(first: 50) {

     nodes { id rawContent: content(format: RAW) content(format: MARKUP) } } }

114. with ❤from datarockets Field : (keyword arguments) => GraphQL Type

     114

115. Custom types

116. with ❤from datarockets Enums Types 116

117. with ❤from datarockets Scalar Types 117

118. Security

119. with ❤from datarockets 6 months ago 119

120. with ❤from datarockets 4 months ago 120

121. with ❤from datarockets What is wrong here? 121

122. with ❤from datarockets 122

123. with ❤from datarockets 123

124. with ❤from datarockets 124

125. with ❤from datarockets What about something unexpected ??? 125

126. with ❤from datarockets What about sql injection? 126 https://rails-sqli.org/

127. with ❤from datarockets 127 request query { items(first: 50, order:

     TITLE) { nodes { id title } } }

128. with ❤from datarockets Validate data and don’t trust users 128

129. with ❤from datarockets What about huge requests? 129

130. with ❤from datarockets Timeout https://graphql-ruby.org/queries/timeout.html 130

131. with ❤from datarockets Prevent deeply-nested queries https://graphql-ruby.org/queries/complexity_and_depth.html 131

132. with ❤from datarockets Prevent complex queries https://graphql-ruby.org/queries/complexity_and_depth.html 132

133. with ❤from datarockets Required pagination and limits 133

134. Part 4

135. Epilogue

136. with ❤from datarockets Summary • GraphQL is a great process

     and care about all members of the team • Graphql is a great convention for communication between developers • It does not affect you business logic • It resolver some issues and makes a new one • No worries about formats and versioning • Fun !!!! 136

137. with ❤from datarockets • Subscription Types • Input Types •

     Working with IDs • Visibility • Supporting deprecated types and fields • Converting GraphQL schema from AR schema • Other approaches using GraphQL • Using GraphQL queries with REST endpoint (e.g. Facebook API) • Monitoring GraphQL schema • Tests for GraphQL schema • etc... 137

138. with ❤from datarockets • Subscription Types • Input Types •

     Working with IDs • Visibility • Supporting deprecated types and fields • Converting GraphQL schema from AR schema • Other approaches using GraphQL • Using GraphQL queries with REST endpoint (e.g. Graph API) • Monitoring GraphQL schema • Tests for GraphQL schema • etc... 138

139. Thank you! https://t.me/rdubrovsky https://github.com/roman-dubrovsky https://www.instagram.com/romandubrovsky https://git.io/Je457 with ❤ from datarockets

140. Enjoy what are you doing with ❤ from datarockets