Should i make my own graphql style api but only with sequelize?
Context
Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).
What I have done
Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?
this is an example of the client using this API
const res = await http.post(APIs.FINDER,
model: 'User',
options:
where:
id: someId
,
attributes: ['name', 'active']
,
include: [
as: 'zone',
attributes: ['name']
],
order: [['createdAt', 'DESC']]
);
nice right?
Sanitization/Constraints
About sanitization, I have to:
- check that the includes have a known limit, eg.: no more than 10 nested includes
- check that the params are not SQL strings or other hacks (Sequelize take care about that)
- don't allow Sequelize functions, just simple queries
Questions
with that in mind, I think this could be used in production.
- Have I missed something that could reject this idea from production usage? (security/usage/etc)
- Have graphql some specific feature that makes me prefer it against this custom solution?
- Would you use it in a production environment? I can't imagine why not
javascript node.js database sequelize.js graphql
add a comment |
Context
Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).
What I have done
Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?
this is an example of the client using this API
const res = await http.post(APIs.FINDER,
model: 'User',
options:
where:
id: someId
,
attributes: ['name', 'active']
,
include: [
as: 'zone',
attributes: ['name']
],
order: [['createdAt', 'DESC']]
);
nice right?
Sanitization/Constraints
About sanitization, I have to:
- check that the includes have a known limit, eg.: no more than 10 nested includes
- check that the params are not SQL strings or other hacks (Sequelize take care about that)
- don't allow Sequelize functions, just simple queries
Questions
with that in mind, I think this could be used in production.
- Have I missed something that could reject this idea from production usage? (security/usage/etc)
- Have graphql some specific feature that makes me prefer it against this custom solution?
- Would you use it in a production environment? I can't imagine why not
javascript node.js database sequelize.js graphql
add a comment |
Context
Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).
What I have done
Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?
this is an example of the client using this API
const res = await http.post(APIs.FINDER,
model: 'User',
options:
where:
id: someId
,
attributes: ['name', 'active']
,
include: [
as: 'zone',
attributes: ['name']
],
order: [['createdAt', 'DESC']]
);
nice right?
Sanitization/Constraints
About sanitization, I have to:
- check that the includes have a known limit, eg.: no more than 10 nested includes
- check that the params are not SQL strings or other hacks (Sequelize take care about that)
- don't allow Sequelize functions, just simple queries
Questions
with that in mind, I think this could be used in production.
- Have I missed something that could reject this idea from production usage? (security/usage/etc)
- Have graphql some specific feature that makes me prefer it against this custom solution?
- Would you use it in a production environment? I can't imagine why not
javascript node.js database sequelize.js graphql
Context
Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).
What I have done
Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?
this is an example of the client using this API
const res = await http.post(APIs.FINDER,
model: 'User',
options:
where:
id: someId
,
attributes: ['name', 'active']
,
include: [
as: 'zone',
attributes: ['name']
],
order: [['createdAt', 'DESC']]
);
nice right?
Sanitization/Constraints
About sanitization, I have to:
- check that the includes have a known limit, eg.: no more than 10 nested includes
- check that the params are not SQL strings or other hacks (Sequelize take care about that)
- don't allow Sequelize functions, just simple queries
Questions
with that in mind, I think this could be used in production.
- Have I missed something that could reject this idea from production usage? (security/usage/etc)
- Have graphql some specific feature that makes me prefer it against this custom solution?
- Would you use it in a production environment? I can't imagine why not
javascript node.js database sequelize.js graphql
javascript node.js database sequelize.js graphql
edited Nov 11 at 17:42
Sayed Mohd Ali
6441316
6441316
asked Nov 11 at 17:09
David Rearte
1257
1257
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
My thought to the questions:
I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.
You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.
NO! I've experienced a hard time dealing with this api style.
Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.
In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.
When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10
api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10
By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.
For example, here is a User model:
"User":
"id": 1,
"name": "Mary",
"age": 20,
"friendIds": [2, 3, 4]
But in GraphQL, based on what you need, it may become :
type User
id: ID
name: String
friends: [User]
friendCount: Int
friendsOverAge18: [User]
You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251147%2fshould-i-make-my-own-graphql-style-api-but-only-with-sequelize%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
My thought to the questions:
I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.
You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.
NO! I've experienced a hard time dealing with this api style.
Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.
In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.
When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10
api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10
By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.
For example, here is a User model:
"User":
"id": 1,
"name": "Mary",
"age": 20,
"friendIds": [2, 3, 4]
But in GraphQL, based on what you need, it may become :
type User
id: ID
name: String
friends: [User]
friendCount: Int
friendsOverAge18: [User]
You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
add a comment |
My thought to the questions:
I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.
You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.
NO! I've experienced a hard time dealing with this api style.
Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.
In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.
When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10
api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10
By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.
For example, here is a User model:
"User":
"id": 1,
"name": "Mary",
"age": 20,
"friendIds": [2, 3, 4]
But in GraphQL, based on what you need, it may become :
type User
id: ID
name: String
friends: [User]
friendCount: Int
friendsOverAge18: [User]
You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
add a comment |
My thought to the questions:
I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.
You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.
NO! I've experienced a hard time dealing with this api style.
Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.
In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.
When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10
api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10
By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.
For example, here is a User model:
"User":
"id": 1,
"name": "Mary",
"age": 20,
"friendIds": [2, 3, 4]
But in GraphQL, based on what you need, it may become :
type User
id: ID
name: String
friends: [User]
friendCount: Int
friendsOverAge18: [User]
You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial
My thought to the questions:
I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.
You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.
NO! I've experienced a hard time dealing with this api style.
Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.
In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.
When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10
api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10
By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.
For example, here is a User model:
"User":
"id": 1,
"name": "Mary",
"age": 20,
"friendIds": [2, 3, 4]
But in GraphQL, based on what you need, it may become :
type User
id: ID
name: String
friends: [User]
friendCount: Int
friendsOverAge18: [User]
You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial
edited Nov 13 at 5:39
answered Nov 13 at 2:55
fon g
162
162
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
add a comment |
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
– David Rearte
Nov 14 at 16:39
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251147%2fshould-i-make-my-own-graphql-style-api-but-only-with-sequelize%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown