Why, after 8 years, I still like GraphQL sometimes in the right context

A recent post, Why, after 6 years, I’m over GraphQL, made the rounds in the tech circle. The author argues that they would not recommend GraphQL anymore due to concerns like security, performance, and maintainability. In this post, I want to go over some interesting points made, and some points I think don't hold up to scrutiny.

Always be Persistin'

Ok, first of all, let's start with something maybe a little bold: Persisted Queries are basically essential for building a solid GraphQL API. If you are not using them, you're doing GraphQL on hard mode. It's not impossible, but it leads to difficult problems, some of them discussed in the post. After 8 years of GraphQL, this has only gotten more and more important to me. Persist all queries, as soon as possible in your GraphQL journey. You'll thank yourself later.

It is a little sad that this is basically glossed over and mentionned only in a small note at the bottom:

Persisted queries are also a mitigation for this and many attacks, but if you actually want to expose a customer facing GraphQL API, persisted queries are not an option.

I assume the author is talking about public APIs here. While I don't think this is necessarily inherently true (One could ask customers to register queries first, figuring out the DX for this would be an interesting task), it's still a valid point. That's why We Don’t See Many Public GraphQL APIs out there, and why I would not pick GraphQL if I were to expose a public API today.

For a public API, a coarser-grained, resource-based API works great, and can be described through OpenAPI. SDKs can be generated through amazing tools like Kiota. It's hard to beat a well-made SDK for a public API, and in my experience, that's actually what customers expect and want to use. Moving on.

Haxors

The author's first point is about GraphQL's allegedly bigger attack surface. Again this focuses more on completely public GraphQL APIs which are relatively rare:

exposing a query language to untrusted clients increases the attack surface of the application

I think that's right, it's hard to argue about this, hence not exposing a query language to untrusted clients unless you're ready to handle the trade-offs. But let's see what they think is hard to get right here.

Authz is really hard...

Authorization is a challenge with GraphQL. The thing is it's almost always challenging no matter what API style you use. I'd go as far as saying it is a challenge with designing software in general. The example given in the post actually highlights this very well:

query {
  user(id: 321) {
    handle # ✅ I am allowed to view Users public info
    email # 🛑 I shouldn't be able to see their PII just because I can view the User
  }
  user(id: 123) {
    blockedUsers {
      # 🛑 And sometimes I shouldn't even be able to see their public info,
      # because context matters!
      handle
    }
  }
}

handle and email both have different authorization rules. This is actually quite tricky to handle with a GET /user/:id endpoint as well. There's really nothing that makes GraphQL harder here. Yes when fine-grained authorization is needed, you'll need fine-grained authorization checks at that level.

  user(id: 123) {
    blockedUsers {
      # 🛑 And sometimes I shouldn't even be able to see their public info,
      # because context matters!
      handle
    }
  }

This part is interesting as well and another challenge of authorizing code and models in general. The same "object" accessed through different contexts can actually have different authorization rules. Again, this is common in all API styles as well. That's why I actually usually advise designing this through a different model entirely, since it's likely they'll evolve differently. Here this is even possibly an API design mistake instead. If handle should never be seen for blockedUsers, then it shouldn't even be part of the schema here. This is a super common mistake where folks try to reuse common models/types instead of being specific.

After 8 years of GraphQL, I realize more and more that authorization is much more than a GraphQL problem. The API layer part is easy, but most code-bases are much more complex and must guard against unauthorized access in much better ways. Companies like oso and authzed and two great examples of how to do this well but also how complex this thing can be in general.

Demand Control

The section on rate limiting starts with this:

With GraphQL we cannot assume that all requests are equally hard on the server.

Let me fix this to something I think is more accurate:

We cannot assume that all requests are equally hard on the server.

There, much better. The truth is that no matter what API style you use, whether that's a binary protocol over UDP or GraphQL, it is extremelly rare, especially as the API surface grows, that all use-cases and "requests" will be equally expensive for a server to process.

A very easy example to show this is simply a paginated endpoint:

GET /users?first=100
GET /users?first=1

Or super expensive mutations:

POST /expensive-creation

To be 100% fair, of course GraphQL exposes this problem a bit more, earlier on, especially when not using persisted queries (Which should not happen!!). And while folks building a small RPC API may not need to implement variable rate limiting or some sort of cost categories, they almost always end up having to.

And again: this focuses on public, unauthenticated public APIs. I think we can agree this is not GraphQL's Sweet Spot.

The rest of the section shows how simple it is to rate limit a simple rest API. Sure? I have never had the chance to work on an API that was that easy to implement demand control for.

Performance

The performance section focuses mainly on dataloader and n+1s. I think the author makes some good points here. It's true that a GraphQL API must be ready for many query shapes and use cases. It is wise to implement efficient data loader for most fields through dataloaders. In fact, that's why I don't recommend using datafetching techniques that are overly coupled to the query shape, things like AST analysis, lookaheads, and things using context from sibling or parent fields.

The author acknowledges that this is a problem with REST as well, but still makes this statement:

Meanwhile, in REST, we can generally hoist nested N+1 queries up to the controller, which I think is a pattern much easier to wrap your head around.

Again this is an extremelly simple example, which has a trivial solution. But it's true, an endpoint based API that is simple can usually be kept simple, rather than being part of multiple other use-cases that could affect its performance long term.

Overall I think dataloader is a requirement for GraphQL, and I agree that it's part of the slight complexity add for a GraphQL API, even simple ones. Authorization n+1s are also an issue.

Again, this problem simply does not exist in the REST world.

But that's simply not true. Authz n+1s exist everywhere including in REST given a sufficiently complex API. Performant authz is a problem of its own.

Coupling

In my experience, in a mature GraphQL codebase, your business logic is forced into the transport layer. This happens through a number of mechanisms, some of which we’ve already talked about:

That's of course an observation from the author's experience, but in general, this couldn't be further from the truth. Hell, this is even specifically stated on GraphQL's website:

business logic

If one ends up with coupling it's because there's a tendency to couple business logic with the transport layer in general. But it's not like GraphQL encourages you to do so. It actually does the opposite.

Solving data authorisation leads to peppering authorisation rules throughout your GraphQL types

Again, even the website tells you not to do this: Delegate authorization logic to the business logic layer.

Solving resolver data fetching N+1s leads to moving this logic into GraphQL specific dataloaders

I actually agree with this one. Data-loading in a performant way can be in tension with keeping things in reusable "business logic" units. I think this is a challenge when it comes to implementing a GraphQL API.

Leveraging the (lovely) Relay Connection pattern leads to moving data fetching logic into GraphQL specific custom connection objects

True, similar to the point above.

Breaking Changes??

Probably the strangest sentence in the post is this one:

GraphQL discourages breaking changes and provides no tools to deal with them. This adds needless complexity for those who control all their clients, who will have to find workarounds.

What? What API style encourages breaking changes? That's probably not a good idea. I think there's some confusion here. GraphQL encourages continuous evolution of your API. This usually relates to versioning rather than avoiding breaking changes. Instead of breaking changes, with GraphQL you deprecate schema members, and only remove them once they are not used anymore (or are ok with breaking).

Arguably one of GraphQL's most powerful tool is around continuous evolution. The fact the client declaratively selects the API surface it is interested in means we can track with very high precision how our API is used. This allows us to actually avoid breaking changes, and make removals safely on fine grained parts of the schema.

Breaking changes and deprecations suck. We all try to avoid them, and yes it's annoying for clients. But if anything GraphQL makes this easier, not harder.

Conclusion

Overall, I can feel the pain of the author when it comes to building public GraphQL APIs. It's not easy. But the post in general never really addresses a very common use-case for GraphQL, which is an internal API for known multiple clients. In this context, using persisted queries is easy, and solves a lot of the problems the author encountered in their journey. There are also a lot of problems mentionned here that are hard problems in general, and I don't always buy the fact that GraphQL makes them any harder.

After 8 years of GraphQL, I still enjoy the decoupling a GraphQL schema offers between server-side capabilities and client-side requirements, but am aware of the trade-offs when picking it as a technology.

Anyway, Persist your queries and probably don't build public GraphQL APIs unless you really know what you're doing.

Rust Heap Profiling with Jemalloc

I recently had to investigate a memory leak in apollo/router, a federated GraphQL gateway written in Rust. The first question I had was how to get a memory profile out of our running instances. For several reasons I decided to use Jemalloc's Heap Profiling tooling to do so:

  • apollo/router uses jemalloc on linux by default
  • jemalloc's has a relatively low performance overhead compared to other tools.
  • ByteHound sounded amazing but could not get it to work with apollo/router, something about it using V8 under the hood.

Took me a bit to get all the pieces working, so hopefully this post saves someone some time.

Read more  ↩︎