堆栈内存溢出
  简体   繁体   English

我应该制作自己的graphql样式api,但只能使用续集吗?

[英]Should i make my own graphql style api but only with sequelize?

 原文  2018-11-11 17:09:06       javascript/ node.js/ database/ sequelize.js/ graphql

问题描述

Context 语境

Hi! 嗨! I made something like graphql but with just Sequelize. 我做了类似graphql的东西,但仅使用了Sequelize。 I mean, Sequelize query options are JSON objects so, the client could send the options directly (with correct sanitization). 我的意思是,Sequelize查询选项是JSON对象,因此,客户端可以直接发送选项(使用正确的清理方法)。

What I have done 我做了什么

Just for curiosity, I built that, and it works just fine. 出于好奇,我建立了它,并且效果很好。 Now my doubt is: how bad is that? 现在我的疑问是:那有多糟?

this is an example of the client using this API 这是使用此API的客户端的示例 

    const res = await http.post(APIs.FINDER, {
      model: 'User',
      options: {
        where: {
          id: someId
        },
        attributes: ['name', 'active']
      },
      include: [
          {
            as: 'zone',
            attributes: ['name']
          }
      ],
      order: [['createdAt', 'DESC']]
    });

nice right? 好吧?

Sanitization/Constraints 消毒/约束

About sanitization, I have to: 关于消毒,我必须:

  • check that the includes have a known limit, eg.: no more than 10 nested includes 检查包含项是否具有已知限制,例如:嵌套的包含项不超过10个
  • check that the params are not SQL strings or other hacks (Sequelize take care about that) 检查参数是否不是SQL字符串或其他技巧(Sequelize对此有所注意)
  • don't allow Sequelize functions, just simple queries 不允许Sequelize函数,仅允许简单查询

Questions 问题

with that in mind, I think this could be used in production. 考虑到这一点,我认为这可以用于生产中。

  • Have I missed something that could reject this idea from production usage? 我是否错过了一些可以在生产使用中拒绝这个想法的东西? (security/usage/etc) (安全/使用/等)
  • Have graphql some specific feature that makes me prefer it against this custom solution? graphql是否具有一些使我更喜欢此自定义解决方案的特定功能?
  • Would you use it in a production environment? 您会在生产环境中使用它吗? I can't imagine why not 我无法想象为什么不

1 个解决方案

解决方案1
 0 已采纳  2018-11-13 02:55:19

My thought to the questions: 我对以下问题的看法:

  1. I don't recommend this style of API. 我不推荐这种风格的API。 It will expose your backend implementation to the public which make you have difficulty dealing with every security conditions, not to mention the business logic and authorization. 它将使您的后端实现向公众公开,这使您难以处理所有安全条件,更不用说业务逻辑和授权了。 Also, it would be hard to improve your performance because the behavior is tightly coupled with the sequelize package. 另外,由于行为与sequ​​elize程序包紧密相关,因此很难提高性能。

  2. You can consider this post: GraphQL Mutation Design: Anemic Mutations . 您可以考虑这篇文章: GraphQL突变设计:贫血突变 A good GraphQL API should be driven by domain and requirement instead of be driven by data. 一个好的GraphQL API应该由领域和需求驱动,而不是由数据驱动。

  3. NO! 没有! I've experienced a hard time dealing with this api style. 我在处理这种api样式时遇到了困难。

Actually, this is not a good idea. 实际上,这不是一个好主意。 If you are organizing an one-man full-stack project, it may seem fast in the first place, but the cost of development would skyrocket until you cannot move on. 如果您正在组织一个单人的全栈项目,乍一看它可能看起来很快,但是开发成本会飞涨,直到您不能继续前进为止。 If you are working as a group, you can notice that the client side is tightly coupled with the server side, which is very bad for developing. 如果您是一个小组,则可能会注意到客户端与服务器端紧密相连,这对开发非常不利。

In the client side, it only need a finite set of apis instead of apis with infinite possibilities. 在客户端,它只需要有限的一组api,而不需要无限的api。

In the server side, you can do nothing but hand the data over to sequelize, which make it hard to improve your performance, to add logic layer and to introduce another database system like elastic search into your codebase. 在服务器端,您什么也做不了,只能将数据移交给序列化,这很难提高性能,添加逻辑层以及将其他数据库系统(例如弹性搜索)引入您的代码库。

When it comes to designing an API, you can consider Domain Driven Design which known as DDD. 在设计API时,可以考虑称为DDD的域驱动设计 It's preferred to use GET Friends?limit=10 api than to use GET { type: 'User", where: ..., include: ..., order: ..., limit: 10 } 与使用GET { type: 'User", where: ..., include: ..., order: ..., limit: 10 }相比,首选使用GET Friends?limit=10 api GET { type: 'User", where: ..., include: ..., order: ..., limit: 10 }

By the way, GraphQL is not just a query language, it is a thin API layer in essence ( ref ). 顺便说一句,GraphQL不仅是一种查询语言,本质上还是一个薄API层( ref )。 So don't use it as a JSON database but treat it as an API which focuses on the business need. 因此,请勿将其用作JSON数据库,而应将其视为关注业务需求的API。

For example, here is a User model: 例如,这是一个用户模型: 

{
  "User": {
    "id": 1,
    "name": "Mary",
    "age": 20,
    "friendIds": [2, 3, 4] 
  }
}

But in GraphQL, based on what you need, it may become : 但是在GraphQL中,根据您的需要,它可能变为: 

type User {
  id: ID
  name: String
  friends: [User]
  friendCount: Int
  friendsOverAge18: [User]
}

You can read this great article about how to design a GraphQL API: Shopify/graphql-design-tutorial 您可以阅读有关如何设计GraphQL API的精彩文章: Shopify / graphql-design-tutorial

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在JavaScript中制作最快的自底向上树形转换器? 我应该自己管理内存吗? - How to make the fastest possible bottom-up tree transformer in JavaScript? Should I manage memory on my own? 使 GraphQL api 安全 - Make GraphQL api secure 我自己的文件夹结构中的Sequelize中的迁移 - Migrations in Sequelize in my own folder structure 如何为我自己的文件使用 React 样式导入? - How can I use React style imports for my own files? 如何用自己的样式创建自己的所见即所得编辑器? - How I can create my own wysiwyg editor with my own style? 我的 NEXTJS 博客遇到问题,Server Error TypeError: Only absolute URLs are supported when fetching data from graphql api - I'm having trouble with my NEXTJS blog, Server Error TypeError: Only absolute URLs are supported when fetching data from graphql api Websokets:我应该/可以自己有线端口吗? - Websokets: Should/could I Wireshark my own ports? 我是否应该通过节点应用程序中的静态API进行所有数据库调用? - Should I make all database calls through a restful api in my node app? 让我自己变得更深 - Make my own deepEqual 向我自己的API发送请求以更改未更新的DB。 我想要更新数据库 - sending requests to my own API to make changes to DB which is not being updated. I would like the DB to be updated
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM