Should i make my own graphql style api but only with sequelize?









up vote
0
down vote

favorite












Context



Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).



What I have done



Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?



this is an example of the client using this API



 const res = await http.post(APIs.FINDER, 
model: 'User',
options:
where:
id: someId
,
attributes: ['name', 'active']
,
include: [

as: 'zone',
attributes: ['name']

],
order: [['createdAt', 'DESC']]
);


nice right?



Sanitization/Constraints



About sanitization, I have to:



  • check that the includes have a known limit, eg.: no more than 10 nested includes

  • check that the params are not SQL strings or other hacks (Sequelize take care about that)

  • don't allow Sequelize functions, just simple queries

Questions



with that in mind, I think this could be used in production.



  • Have I missed something that could reject this idea from production usage? (security/usage/etc)

  • Have graphql some specific feature that makes me prefer it against this custom solution?

  • Would you use it in a production environment? I can't imagine why not









share|improve this question



























    up vote
    0
    down vote

    favorite












    Context



    Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).



    What I have done



    Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?



    this is an example of the client using this API



     const res = await http.post(APIs.FINDER, 
    model: 'User',
    options:
    where:
    id: someId
    ,
    attributes: ['name', 'active']
    ,
    include: [

    as: 'zone',
    attributes: ['name']

    ],
    order: [['createdAt', 'DESC']]
    );


    nice right?



    Sanitization/Constraints



    About sanitization, I have to:



    • check that the includes have a known limit, eg.: no more than 10 nested includes

    • check that the params are not SQL strings or other hacks (Sequelize take care about that)

    • don't allow Sequelize functions, just simple queries

    Questions



    with that in mind, I think this could be used in production.



    • Have I missed something that could reject this idea from production usage? (security/usage/etc)

    • Have graphql some specific feature that makes me prefer it against this custom solution?

    • Would you use it in a production environment? I can't imagine why not









    share|improve this question

























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      Context



      Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).



      What I have done



      Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?



      this is an example of the client using this API



       const res = await http.post(APIs.FINDER, 
      model: 'User',
      options:
      where:
      id: someId
      ,
      attributes: ['name', 'active']
      ,
      include: [

      as: 'zone',
      attributes: ['name']

      ],
      order: [['createdAt', 'DESC']]
      );


      nice right?



      Sanitization/Constraints



      About sanitization, I have to:



      • check that the includes have a known limit, eg.: no more than 10 nested includes

      • check that the params are not SQL strings or other hacks (Sequelize take care about that)

      • don't allow Sequelize functions, just simple queries

      Questions



      with that in mind, I think this could be used in production.



      • Have I missed something that could reject this idea from production usage? (security/usage/etc)

      • Have graphql some specific feature that makes me prefer it against this custom solution?

      • Would you use it in a production environment? I can't imagine why not









      share|improve this question















      Context



      Hi! I made something like graphql but with just Sequelize. I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization).



      What I have done



      Just for curiosity, I built that, and it works just fine. Now my doubt is: how bad is that?



      this is an example of the client using this API



       const res = await http.post(APIs.FINDER, 
      model: 'User',
      options:
      where:
      id: someId
      ,
      attributes: ['name', 'active']
      ,
      include: [

      as: 'zone',
      attributes: ['name']

      ],
      order: [['createdAt', 'DESC']]
      );


      nice right?



      Sanitization/Constraints



      About sanitization, I have to:



      • check that the includes have a known limit, eg.: no more than 10 nested includes

      • check that the params are not SQL strings or other hacks (Sequelize take care about that)

      • don't allow Sequelize functions, just simple queries

      Questions



      with that in mind, I think this could be used in production.



      • Have I missed something that could reject this idea from production usage? (security/usage/etc)

      • Have graphql some specific feature that makes me prefer it against this custom solution?

      • Would you use it in a production environment? I can't imagine why not






      javascript node.js database sequelize.js graphql






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 11 at 17:42









      Sayed Mohd Ali

      571216




      571216










      asked Nov 11 at 17:09









      David Rearte

      1157




      1157






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          My thought to the questions:



          1. I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.


          2. You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.


          3. NO! I've experienced a hard time dealing with this api style.



          Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.



          In the client side, it only need a finite set of apis instead of apis with infinite possibilities.



          In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.



          When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10 api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10



          By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.



          For example, here is a User model:




          "User":
          "id": 1,
          "name": "Mary",
          "age": 20,
          "friendIds": [2, 3, 4]




          But in GraphQL, based on what you need, it may become :



          type User 
          id: ID
          name: String
          friends: [User]
          friendCount: Int
          friendsOverAge18: [User]



          You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial






          share|improve this answer






















          • thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
            – David Rearte
            Nov 14 at 16:39










          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251147%2fshould-i-make-my-own-graphql-style-api-but-only-with-sequelize%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote



          accepted










          My thought to the questions:



          1. I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.


          2. You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.


          3. NO! I've experienced a hard time dealing with this api style.



          Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.



          In the client side, it only need a finite set of apis instead of apis with infinite possibilities.



          In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.



          When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10 api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10



          By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.



          For example, here is a User model:




          "User":
          "id": 1,
          "name": "Mary",
          "age": 20,
          "friendIds": [2, 3, 4]




          But in GraphQL, based on what you need, it may become :



          type User 
          id: ID
          name: String
          friends: [User]
          friendCount: Int
          friendsOverAge18: [User]



          You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial






          share|improve this answer






















          • thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
            – David Rearte
            Nov 14 at 16:39














          up vote
          0
          down vote



          accepted










          My thought to the questions:



          1. I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.


          2. You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.


          3. NO! I've experienced a hard time dealing with this api style.



          Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.



          In the client side, it only need a finite set of apis instead of apis with infinite possibilities.



          In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.



          When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10 api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10



          By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.



          For example, here is a User model:




          "User":
          "id": 1,
          "name": "Mary",
          "age": 20,
          "friendIds": [2, 3, 4]




          But in GraphQL, based on what you need, it may become :



          type User 
          id: ID
          name: String
          friends: [User]
          friendCount: Int
          friendsOverAge18: [User]



          You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial






          share|improve this answer






















          • thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
            – David Rearte
            Nov 14 at 16:39












          up vote
          0
          down vote



          accepted







          up vote
          0
          down vote



          accepted






          My thought to the questions:



          1. I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.


          2. You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.


          3. NO! I've experienced a hard time dealing with this api style.



          Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.



          In the client side, it only need a finite set of apis instead of apis with infinite possibilities.



          In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.



          When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10 api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10



          By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.



          For example, here is a User model:




          "User":
          "id": 1,
          "name": "Mary",
          "age": 20,
          "friendIds": [2, 3, 4]




          But in GraphQL, based on what you need, it may become :



          type User 
          id: ID
          name: String
          friends: [User]
          friendCount: Int
          friendsOverAge18: [User]



          You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial






          share|improve this answer














          My thought to the questions:



          1. I don't recommend this style of API. It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package.


          2. You can consider this post: GraphQL Mutation Design: Anemic Mutations. A good GraphQL API should be driven by domain and requirement instead of be driven by data.


          3. NO! I've experienced a hard time dealing with this api style.



          Actually, this is not a good idea. If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing.



          In the client side, it only need a finite set of apis instead of apis with infinite possibilities.



          In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase.



          When it comes to designing an API, you can consider Domain Driven Design which known as DDD. It's preferred to use GET Friends?limit=10 api than to use GET type: 'User", where: ..., include: ..., order: ..., limit: 10



          By the way, GraphQL is not just a query language, it is a thin API layer in essence (ref). So don't use it as a JSON database but treat it as an API which focuses on the business need.



          For example, here is a User model:




          "User":
          "id": 1,
          "name": "Mary",
          "age": 20,
          "friendIds": [2, 3, 4]




          But in GraphQL, based on what you need, it may become :



          type User 
          id: ID
          name: String
          friends: [User]
          friendCount: Int
          friendsOverAge18: [User]



          You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 13 at 5:39

























          answered Nov 13 at 2:55









          fon g

          162




          162











          • thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
            – David Rearte
            Nov 14 at 16:39
















          • thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
            – David Rearte
            Nov 14 at 16:39















          thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
          – David Rearte
          Nov 14 at 16:39




          thanks, i keep this quote In the client side, it only need a finite set of apis instead of apis with infinite possibilities.
          – David Rearte
          Nov 14 at 16:39

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53251147%2fshould-i-make-my-own-graphql-style-api-but-only-with-sequelize%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          這個網誌中的熱門文章

          How to read a connectionString WITH PROVIDER in .NET Core?

          Node.js Script on GitHub Pages or Amazon S3

          Museum of Modern and Contemporary Art of Trento and Rovereto