The name is self explanatory. A simple server that creates a GraphQL api using:
- typescript to code type-safety.
- type-graphql to create the GraphQL schema and resolvers using decorators and classes to avoid the fatigue of writing graphql schema separate of code typing. (Highly recommended to learn!)
- apollo the engine that will execute the queries.
- knexjs to query and manage versions of the database.
This repository served to test if the type-graphql package was good enough for production use and I was pleased with the result, but now I found some problems looking at the code:
- Decorators are not a standard yet.
- The code gets more verbose and difficult for other developers to maintain.
- The package in question still needs to be improved.
Anyway, I'm testing another approach now.
git clone https://github.com/httpiago/graphql-and-typescript-legacy.git
cd graphql-and-typescript-legacy
yarn install
yarn run watch
: Start the server with live-reloading using ts-node-dev.yarn run debug
: Start the server using ts-node-dev in debug mode to be attached by VS Code debugger.yarn run build-ts
: Compile all files in the dist folder.yarn run start
: Run the codes compiled by the "build-ts" command.yar run deploy
: It executes the "build-ts" command and sends the files to the remote branch "heroku" which consequently trigger a new build in Heroku.
This server contains some security checks to prevent malicious queries and abuse, for example:
All queries, mutations, and fields in this api contain a cost value and before the query is actually executed, it is summed and checked if its exceeded the defined limit. See implementation.
There is a limit to how depth a query can be and if is greater than the limit, the request will be rejected. Example: If you run query { tweets(first: 10) { edges { node { content } } } }
, the depth of this query is 3. See implementation.
All mutations require a jwt token to determine which user is trying to execute the query and to acquire that token, it is necessary to complete the normal login flow.
A basic package was installed to limit the number of requests to the server and thus to avoid DDoS attacks. See implementation.
Of course, only these security barriers will not be enough to prevent attacks in production but it is enough to prevent errors from the developers working on the project. A good tip is to implement a cost limit system, just as GitHub does with its api in Graphql.
query getLatestTweets {
tweets(first: 20) {
edges {
tweet: node {
id
content
created_at
author {
name
}
}
cursor
}
pageInfo {
endCursor
hasNextPage
}
}
}
query getSpecificUserData {
user(id: "7") {
id
name
email
}
}
mutation {
createTweet(
input: { content: "Just testing" }
) {
id
}
}
subscription listenForNewTweets {
tweetAdded {
id
content
created_at
author {
name
email
}
}
}