Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reconsider the purpose and implementation of allow_dynamic_queries #1042

Closed
dblock opened this issue Oct 19, 2017 · 1 comment
Closed

Reconsider the purpose and implementation of allow_dynamic_queries #1042

dblock opened this issue Oct 19, 2017 · 1 comment

Comments

@dblock
Copy link
Contributor

dblock commented Oct 19, 2017

Coming from ashkan18/graphlient#24.

Currently graphql-client forces you to declare static module variables in the name of security and optimization. It makes two good arguments in https://github.com/github/graphql-client/blob/master/guides/dynamic-query-error.md:

  1. Parsing a query and validating a query on every request adds performance overhead. It also prevents validation errors from being discovered until request time, rather than when the query is parsed at startup.

  2. Building runtime GraphQL query strings with user input may lead to security issues. Always using a static query along with variables is a best practice.

This means well, however it forces a certain implementation on the caller that is very un-ruby and cumbersome to manage. It forces the client to keep a static around forever whereas that might not be what the client wants. It requires a client to reload if the schema changed, for example or lead to hard to debug scenarios.

We should be able to define a client, parse a query, then execute it separately, achieving both (1) and (2) without imposing this. I would vote to make allow_dynamic_queries true by default and better document the tradeoffs rather than impose a certain style even if it's for the greater good.

Finally, having gone through the experience of a first time Ruby GraphQL client call I was surprised that I can't just make a query. Creating a module, parsing a query and executing a query are much more complicated compared to just making a query with all its values because this requires understanding of GraphQL parameters. Compare:

Client = ...

InvoiceQuery = Client.parse <<-GRAPHQL
    query($id: Int) {
      invoice(id: :$id) {
        id
        fee_in_cents
      }
    }
GRAPHQL

Client.query InvoiceQuery, id: 42

to

Client = ///

Client.query <<-GRAPHQL
  invoice(id: 42) {
    id
    fee_in_cents 
  }
GRAPHQL

It gets much hairier with complex types or mutations. We want this library to become more friendly to beginners.
@dblock
Copy link
Contributor Author

dblock commented Oct 19, 2017

Whoops wrong repo.

@dblock dblock closed this as completed Oct 19, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dblock