Skip to content

Commit

Permalink
Formatting and initial editorial
Browse files Browse the repository at this point in the history
  • Loading branch information
bignimbus committed Jun 28, 2024
1 parent eecd795 commit 13b1ed2
Showing 1 changed file with 49 additions and 96 deletions.
145 changes: 49 additions & 96 deletions src/pages/blog/2024-06-28-why-i-like-graphql.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -5,116 +5,81 @@ date: 2024-06-28
byline: Marc-André Giroux, edited by Jeff Auriemma
---

A recent post, [Why, after 6 years, I’m over GraphQL](https://bessey.dev/blog/2024/05/24/why-im-over-graphql/), made the rounds in the tech circle. The author argues that they would not recommend GraphQL anymore due to concerns like security, performance, and maintainability. In this post, I want to go over some interesting points made, and some points I think don't hold up to scrutiny.
This post is edited from its [original publication](https://www.magiroux.com/eight-years-of-graphql/) on Marc-André Giroux's blog. Though originally intended to respond to a specific article, we at the GraphQL Foundation felt that Marc-André's post would stand well on its own with a few light edits. What follows is a well-informed set of practices and principles that engineers should consider when using GraphQL in production.

Always be Persistin'
--------------------
## Use persisted queries

Ok, first of all, let's start with something maybe a little bold: **Persisted Queries are basically essential for building a solid GraphQL API**. If you are not using them, you're doing GraphQL on hard mode. It's not impossible, but it leads to difficult problems, some of them discussed in the post. After 8 years of GraphQL, this has only gotten more and more important to me. Persist all queries, as soon as possible in your GraphQL journey. You'll thank yourself later.
Ok, first of all, let's start with something maybe a little bold: **Persisted Queries are basically essential for building a solid GraphQL API**. If you are not using them, you're doing GraphQL on hard mode. It's not impossible, but it leads to difficult problems that show up in GraphQL debates from time to time. After 8 years of GraphQL, this has only gotten more and more important to me. Persist all queries, as soon as possible in your GraphQL journey. You'll thank yourself later.

It is a little sad that this is basically glossed over and mentionned only in a small note at the bottom:

> Persisted queries are also a mitigation for this and many attacks, but if you actually want to expose a customer facing GraphQL API, persisted queries are not an option.
I assume the author is talking about public APIs here. While I don't think this is necessarily inherently true (One could ask customers to register queries first, figuring out the DX for this would be an interesting task), it's still a valid point. That's why [We Don’t See Many Public GraphQL APIs](https://productionreadygraphql.com/blog/2019-10-21-why-we-dont-see-many-public-graphql-apis) out there, and why I would not pick GraphQL if I were to expose a public API today.
Public APIs are a bit different. To be clear, it's not necessarily true that you can't use Persisted Queries in public APIs; one could ask customers to register queries first. But figuring out the DX for this would be an interesting task. That's why [We Don’t See Many Public GraphQL APIs](https://productionreadygraphql.com/blog/2019-10-21-why-we-dont-see-many-public-graphql-apis) out there, and why I would not pick GraphQL if I were to expose a public API today.

For a public API, a coarser-grained, resource-based API works great, and can be described through OpenAPI. SDKs can be generated through amazing tools like [Kiota](https://learn.microsoft.com/en-us/openapi/kiota/overview). It's hard to beat a well-made SDK for a public API, and in my experience, that's actually what customers expect and want to use. Moving on.

Haxors
------

The author's first point is about GraphQL's allegedly bigger attack surface. Again this focuses more on completely public GraphQL APIs which are relatively rare:

> exposing a query language to untrusted clients increases the attack surface of the application
I think that's right, it's hard to argue about this, hence not exposing a query language to untrusted clients unless you're ready to handle the trade-offs. But let's see what they think is hard to get right here.

Authz is really hard...
-----------------------

Authorization is a challenge with GraphQL. The thing is it's almost always challenging no matter what API style you use. I'd go as far as saying it is a challenge with designing software in general. The example given in the post actually highlights this very well:

query {
user(id: 321) {
handle # ✅ I am allowed to view Users public info
email # 🛑 I shouldn't be able to see their PII just because I can view the User
}
user(id: 123) {
blockedUsers {
# 🛑 And sometimes I shouldn't even be able to see their public info,
# because context matters!
handle
}
}
## Authorization

Authorization is a challenge with GraphQL. The thing is it's almost always challenging no matter what API style you use. I'd go as far as saying it is a challenge with designing software in general. Here's an example from a recent post that actually highlights this very well:

```graphql
query {
user(id: 321) {
handle # ✅ I am allowed to view Users public info
email # 🛑 I shouldn't be able to see their PII just because I can view the User
}
user(id: 123) {
blockedUsers {
# 🛑 And sometimes I shouldn't even be able to see their public info,
# because context matters!
handle
}

}
}
```

`handle` and `email` both have different authorization rules. This is actually quite tricky to handle with a `GET /user/:id` endpoint as well. There's really nothing that makes GraphQL harder here. Yes when fine-grained authorization is needed, you'll need fine-grained authorization checks at that level.

user(id: 123) {
blockedUsers {
# 🛑 And sometimes I shouldn't even be able to see their public info,
# because context matters!
handle
}
}

```graphql
user(id: 123) {
blockedUsers {
# 🛑 And sometimes I shouldn't even be able to see their public info,
# because context matters!
handle
}
}
```

This part is interesting as well and another challenge of authorizing code and models in general. The same "object" accessed through different contexts can actually have different authorization rules. Again, this is common in all API styles as well. That's why I actually usually advise designing this through a different model entirely, since it's likely they'll evolve differently. Here this is even possibly an API design mistake instead. If `handle` should never be seen for `blockedUsers`, then it shouldn't even be part of the schema here. This is a super common mistake where folks try to reuse common models/types instead of being specific.

After 8 years of GraphQL, I realize more and more that authorization is much more than a GraphQL problem. The API layer part is easy, but most code-bases are much more complex and must guard against unauthorized access in much better ways. Companies like [oso](https://www.osohq.com/) and [authzed](https://authzed.com/) and two great examples of how to do this well but also how complex this thing can be in general.

Demand Control
==============

The section on rate limiting starts with this:

> With GraphQL we cannot assume that all requests are equally hard on the server.

Let me fix this to something I think is more accurate:

> We cannot assume that all requests are equally hard on the server.
## Demand Control

There, much better. The truth is that no matter what API style you use, whether that's a binary protocol over UDP or GraphQL, it is extremelly rare, especially as the API surface grows, that all use-cases and "requests" will be equally expensive for a server to process.
We cannot assume that all requests are equally hard on the server, whether we're using GraphQL or not. The truth is that no matter what API style you use, whether that's a binary protocol over UDP or GraphQL, it is extremely rare, especially as the API surface grows, that all use-cases and "requests" will be equally expensive for a server to process.

A very easy example to show this is simply a paginated endpoint:

GET /users?first=100
```
GET /users?first=100
GET /users?first=1
GET /users?first=1
```

Or super expensive mutations:

POST /expensive-creation

```
POST /expensive-creation
```

To be 100% fair, of course GraphQL exposes this problem a bit more, earlier on, especially when not using persisted queries (Which should not happen!!). And while folks building a small RPC API may not need to implement variable rate limiting or some sort of cost categories, they almost always end up having to.
To be 100% fair, of course GraphQL exposes this problem a bit more, earlier on, especially when not using persisted queries (Which should not happen!). And while folks building a small RPC API may not need to implement variable rate limiting or some sort of cost categories, they almost always end up having to.

And again: this focuses on public, unauthenticated public APIs. I think we can agree this is not [GraphQL's Sweet Spot](https://productionreadygraphql.com/blog/2020-05-14-sweetspot).

The rest of the section shows how simple it is to rate limit a simple rest API. Sure? I have never had the chance to work on an API that was that easy to implement demand control for.
## Performance

Performance
-----------
Many GraphQL critics talk about the N+1 problem and DataLoader. It's true that a GraphQL API must be ready for many query shapes and use cases. It is wise to implement efficient data loader for most fields through dataloaders. In fact, that's why I don't recommend using datafetching techniques that are overly coupled to the query shape, things like AST analysis, lookaheads, and things using context from sibling or parent fields. But an honest observer should acknowledge that this is a problem with REST as well. As the complexity of an endpoint or operation increases, an engineer should expect to have to make more trade-offs in the name of performance.

The performance section focuses mainly on dataloader and n+1s. I think the author makes some good points here. It's true that a GraphQL API must be ready for many query shapes and use cases. It is wise to implement efficient data loader for most fields through dataloaders. In fact, that's why I don't recommend using datafetching techniques that are overly coupled to the query shape, things like AST analysis, lookaheads, and things using context from sibling or parent fields.
Overall I think dataloader is a requirement for GraphQL, and I agree with critics that it's part of the slight complexity add for a GraphQL API, even simple ones. Authorization N+1s are also an issue, though, again, REST has these issues as well.

The author acknowledges that this is a problem with REST as well, but still makes this statement:

> Meanwhile, in REST, we can generally hoist nested N+1 queries up to the controller, which I think is a pattern much easier to wrap your head around.

Again this is an extremelly simple example, which has a trivial solution. But it's true, an endpoint based API that is simple can usually be kept simple, rather than being part of multiple other use-cases that could affect its performance long term.

Overall I think dataloader is a requirement for GraphQL, and I agree that it's part of the slight complexity add for a GraphQL API, even simple ones. Authorization n+1s are also an issue.

> Again, this problem simply does not exist in the REST world.

But that's simply not true. Authz n+1s exist everywhere including in REST given a sufficiently complex API. Performant authz is a problem of its own.

Coupling
--------
## Coupling

> In my experience, in a mature GraphQL codebase, your business logic is forced into the transport layer. This happens through a number of mechanisms, some of which we’ve already talked about:
Expand All @@ -136,26 +101,14 @@ I actually agree with this one. Data-loading in a performant way can be in tensi
True, similar to the point above.

Breaking Changes??
------------------
## Breaking Changes vs. Continuous Evolution

Probably the strangest sentence in the post is this one:

> GraphQL discourages breaking changes and provides no tools to deal with them. This adds needless complexity for those who control all their clients, who will have to find workarounds.

What? What API style encourages breaking changes? That's probably not a good idea. I think there's some confusion here. GraphQL encourages continuous evolution of your API. This usually relates to versioning rather than avoiding breaking changes. Instead of breaking changes, with GraphQL you deprecate schema members, and only remove them once they are not used anymore (or are ok with breaking).
One of the biggest "culture shocks" of adopting GraphQL is the concept of continuous evolution. Because GraphQL has primitives for deprecating and aliasing fields, the notion of backwards compatibility becomes gray instead of black-and-white. Want to add a field? Great, do it. Want to remove a field? Add `@deprecated` and gradually stop querying them, eventually removing the field altogether.

Arguably one of GraphQL's most powerful tool is around continuous evolution. The fact the client declaratively selects the API surface it is interested in means we can track with very high precision how our API is used. This allows us to actually **avoid** breaking changes, and make removals safely on fine grained parts of the schema.

Breaking changes and deprecations suck. We all try to avoid them, and yes it's annoying for clients. But if anything GraphQL makes this easier, not harder.

Conclusion
----------

Overall, I can feel the pain of the author when it comes to building public GraphQL APIs. It's not easy. But the post in general never really addresses a very common use-case for GraphQL, which is an internal API for known multiple clients. In this context, using persisted queries is easy, and solves a lot of the problems the author encountered in their journey. There are also a lot of problems mentionned here that are hard problems in general, and I don't always buy the fact that GraphQL makes them any harder.

After 8 years of GraphQL, I still enjoy the decoupling a GraphQL schema offers between server-side capabilities and client-side requirements, but am aware of the trade-offs when picking it as a technology.

Anyway, **Persist your queries and probably don't build public GraphQL APIs unless you really know what you're doing.**
## Conclusion

* [xuorig](https://x.com/__xuorig__)
After 8 years of GraphQL, I still enjoy the decoupling a GraphQL schema offers between server-side capabilities and client-side requirements, but am aware of the trade-offs when picking it as a technology. Definitely persist your queries. Definitely build a public GraphQL API only if you really know what you're doing. Many critiques of GraphQL apply to any sufficiently complex API, there are no silver bullets in software engineering.

0 comments on commit 13b1ed2

Please sign in to comment.