
Details about the backend are often vague or missing in every article that covers GraphQL that I've read so far.

Where are guidelines to implement it? How do we make our existing business code integrate with it? How do we make sure a client cannot access data from another client? Does it work well or at all with relational databases?

Is the backend a second-class citizen in this approach?



There are several implementations. There's a reference one in JavaScript based on Express, Sangria for Scala, and I read on a blog post about people working on a Ruby server. See: http://facebook.github.io/react/blog/2015/09/14/community-ro...

You basically define the schema, and for each method you want to support you implement pulling the data from your datastore.

Authentication is up to you - stick a bearer header on your requests and implement checks in your server and you have secure backends, etc.


Yes, it feels like the initial Firebase hype. Security? Answer: jazz hands.

I look forward to a sample that implements fine-grained (multi-role) security on a SQL database. Is there a .NET implementation already in development I can contribute to?


About security, I'd also like to see just one example project where role-based authorization is implemented with GraphQL+Relay+React. Unfortunately, despite being such a common requirement these days, I couldn't find any so far.

Edit: I'm more interested in the official GraphQL JavaScript implementation, since that's the one most people are going to use.






If you have two fields in a query, does that mean two resolve functions? If I'm using a SQL database and the two fields were stored in two columns on the same table, wouldn't that cause 2 SQL queries to be run?


Only if each field required loading a new row, and even then batching can be used to turn this back into one query.

e.g. { firstName, lastName } doesn't need to load new rows, but { mother { name }, father { name } } does need to load new rows.

DataLoader (https://github.com/facebook/dataloader) is a small utility which makes batching and caching database requests straightforward.


Yes. But only one http request. If they're both the same query but access a different field you might be able to cache it.


Sangria in Scala has a mechanism called "Deferred" that lets you specify that it should ask you to resolve objects of a certain type all at once at the end, and you would do a single SQL query per object type there.

If the JavaScript implementation doesn't have something like this, perhaps it can be hacked on top.


and you'll end up with an endpoint that can potentially bomb your datastore

    query User {
      friends {
        friends {
          friends {
            ...
          }
        }
      }
    }
How do you prevent something like this happening on GraphQL backed with a series of resolves that query a SQL database?


Limit recursion with a max depth parameter (Sangria)


I don't need that many levels to make it explode, and you probably don't want to set a very low max depth since it defeats the purpose of GraphQL itself.



