DEV Community: Owen Ou The latest articles on DEV Community by Owen Ou (@owenthereal). https://dev.to/owenthereal https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F416213%2F129da3c9-f92f-475e-ac0a-c8808acefdf8.jpg DEV Community: Owen Ou https://dev.to/owenthereal en Upterm - Secure Terminal Sharing Owen Ou Mon, 13 Jul 2020 17:40:02 +0000 https://dev.to/owenthereal/upterm-secure-terminal-sharing-1cmb https://dev.to/owenthereal/upterm-secure-terminal-sharing-1cmb <p><a href="https://github.com/jingweno/upterm">Upterm</a> is an open-sourced solution for sharing terminal sessions instantly over the public internet via SSH tunnels.<br> It is good for</p> <ul> <li>Remote pair programming</li> <li>Access remote computers behind NATs and firewalls</li> <li>Remote debugging</li> </ul> <p>Upterm is written in Go and is open-sourced at <a href="https://github.com/jingweno/upterm">https://github.com/jingweno/upterm</a>.</p> <h2> How it works </h2> <p>You run the <code>upterm</code> program by hosting a terminal session.<br> Upterm starts an SSH server on your machine and connects to an Upterm server (a.k.a. uptermd) via reverse SSH tunnel.<br> Your friends connect to your terminal session using ssh via the same Upterm server.</p> <p>Here is a diagram on the technical details:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--wYm_EDF8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/jingweno/upterm/gh-pages/upterm-flowchart.svg%3Fsanitize%3Dtrue" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--wYm_EDF8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/jingweno/upterm/gh-pages/upterm-flowchart.svg%3Fsanitize%3Dtrue" alt="diagram"></a></p> <h2> Demo </h2> <p><a href="https://asciinema.org/a/LTwpMqvvV98eo3ueZHoifLHf7"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--V7cIs3RI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://asciinema.org/a/LTwpMqvvV98eo3ueZHoifLHf7.svg" alt="asciicast"></a></p> <h2> Quickstart </h2> <p>Install <code>upterm</code> by following <a href="https://github.com/jingweno/upterm#installation">this guide</a>.</p> <p>On your machine, host a terminal session by specifying a command:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ upterm host -- bash </code></pre></div> <p><code>upterm</code> will start the command and pop up an ssh connection string that one can connect.<br> In case you miss the connection string, display it with:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ upterm session current === IQKSFOICLSNNXQZTDKOJ Command: bash Force Command: n/a Host: ssh://uptermd.upterm.dev:22 SSH Session: ssh IqKsfoiclsNnxqztDKoj:MTAuMC40OS4xNjY6MjI=@uptermd.upterm.dev </code></pre></div> <p>Open a new terminal and connect to the session:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ ssh IqKsfoiclsNnxqztDKoj:MTAuMC40OS4xNjY6MjI=@uptermd.upterm.dev </code></pre></div> <p>You should see the input and output of both terminals are linked!</p> <p>If you want only authorized clients to connect to your session, you can specify the clients' authorized keys with<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ upterm host --authorized-key PATH_TO_PUBLIC_KEY -- bash </code></pre></div> <p>If you are looking for a <a href="https://tmate.io">Tmate</a>-like experience, create a <a href="https://github.com/tmux/tmux">Tmux</a> session, and "force" clients to attach to the Tmux session:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ upterm host --force-command 'tmux attach -t pair-programming' -- tmux new -t pair-programming </code></pre></div> <p>The above creates a Tmux session by running <code>tmux new -t pair-programming</code>.<br> After a client connects, Upterm will attach the client's input and output to the input and output of the Tmux session "pair-programming".</p> <p>If you are concerned with others accessing your root file system, wrap the terminal session in a Docker container:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ upterm host -- docker run --rm -ti ubuntu bash </code></pre></div> <p>I will write another blog post in the future to share how I securely host a terminal session using containers.</p> <h2> How is Upterm compared to prior arts? </h2> <p>Upterm is an alternative to <a href="https://tmate.io">Tmate</a>.</p> <p>Tmate is a fork of an older version of Tmux. It adds terminal sharing capability on top of Tmux 2.x.<br> Tmate doesn't intend to catch up with the latest Tmux (at this time of the post, the latest Tmux is 3.x), so any Tmate &amp; Tmux users must maintain two versions of the configuration.<br> For example, you must <a href="https://github.com/tmate-io/tmate/issues/108">bind the same keys twice with a condition</a>.</p> <p>Upterm is designed from the group up not to be a fork of anything.<br> It builds around the concept of linking the input &amp; output of any shell command between a host and its clients.<br> As you see above, you can share any command besides <code>tmux</code>.<br> This opens up a door for securely sharing a terminal session using containers (I will explain more in a future post).</p> <p>Upterm is written in Go.<br> It is more friendly hackable than Tmate that is written in C because Tmux is C.<br> The Upterm CLI and server (<code>uptermd</code>) are compiled into a single binary.<br> You can quickly <a href="https://github.com/jingweno/upterm#deploy-uptermd">spawn up your pairing server</a> in any cloud environment with zero dependencies.</p> <h2> Tips </h2> <h3> Why doesn't upterm show the current terminal session in Tmux? </h3> <p><code>upterm session current</code> shows the connection info of the current terminal session.<br> It needs the <code>UPTERM_ADMIN_SOCKET</code> environment variable to function.<br> By default, Tmux doesn't carry over environment variables that are not in its <a href="http://man.openbsd.org/i386/tmux.1#GLOBAL_AND_SESSION_ENVIRONMENT">default list</a> to a Tmux session unless you tell it.<br> So add the following line to your <code>~/.tmux.conf</code><br> </p> <div class="highlight"><pre class="highlight plaintext"><code>set-option -ga update-environment " UPTERM_ADMIN_SOCKET" </code></pre></div> <h3> How to make it obvious that I am in an upterm session? </h3> <p>It can be confusing whether your terminal session is an upterm session or not.<br> As an example, I add an emoji to my prompt to identify an upterm session:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="c"># in your ~/.bashrc or ~/.zshrc </span> <span class="nb">export </span><span class="nv">PS1</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="o">[[</span> <span class="o">!</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">UPTERM_ADMIN_SOCKET</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nb">echo</span> <span class="nt">-e</span> <span class="s1">'\xF0\x9F\x86\x99 '</span><span class="si">)</span><span class="nv">$PS1</span><span class="s2">"</span> <span class="c"># Add an emoji</span> </code></pre></div> <p>This is what it looks like :-):</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--K3Oqf9Zh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/37atfmpmzk0ci8erjbhm.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--K3Oqf9Zh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/37atfmpmzk0ci8erjbhm.png" alt="Alt Text"></a></p> <h2> Deploy Uptermd </h2> <p>Upterm needs an Upterm server (a.k.a. <code>uptermd</code>) to expose terminal sessions securely.<br> There is a community server running at <code>uptermd.upterm.dev</code> for your convenience (please put it into good use!).<br> However, if you want to host your pairing server on <a href="https://kubernetes.io/">Kubernetes</a> or <a href="https://heroku.com">Heroku</a>, follow <a href="https://github.com/jingweno/upterm#how-it-works">this deployment guide</a>.<br> You are welcome to contribute one for your favorite cloud platforms.<br> I am pleased to review it if you shoot me a <a href="https://github.com/jingweno/upterm/pulls">PR</a> :-).</p> <p>To talk to a different uptermd server other than the community server, you specify with the <code>--server</code> flag:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code># Use your Uptermd server via SSH on TCP $ upterm host --server ssh://YOUR_SERVER -- YOUR_COMMAND # Use your Uptermd server via SSH on WebSocket $ upterm host --server wss://YOUR_SERVER -- YOUR_COMMAND # Client connects to the host session via SSH on WebSocket $ ssh -o ProxyCommand='upterm proxy wss://TOKEN@YOUR_SERVER' TOKEN@YOUR_SERVER:443 </code></pre></div> <h2> Conclusion </h2> <p>I am super excited about <code>upterm</code>, and I dogfood it daily to pair program with my coworkers (Disclaimer: I work remotely for Heroku).<br> If you like what you see here, give upterm a shot.<br> I am looking forward to your valuable feedback and contributions: <a href="https://github.com/jingweno/upterm/issues">https://github.com/jingweno/upterm/issues</a> :-). </p> <p>Originally published at <a href="https://owenou.com/upterm/">https://owenou.com</a> on July 11, 2020.</p> go terminal pairprogramming cli Building a GraphQL API in JavaScript Owen Ou Wed, 24 Jun 2020 15:30:00 +0000 https://dev.to/heroku/building-a-graphql-api-in-javascript-52ko https://dev.to/heroku/building-a-graphql-api-in-javascript-52ko <p>Over the last few years, <a href="https://graphql.org/">GraphQL</a> has emerged as a very popular API specification that focuses on making data fetching easier for clients, whether the clients are a front-end or a third-party.</p> <p>In a traditional REST-based API approach, the client makes a request, and the server dictates the response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl https://api.heroku.space/users/1 <span class="o">{</span> <span class="s2">"id"</span>: 1, <span class="s2">"name"</span>: <span class="s2">"Luke"</span>, <span class="s2">"email"</span>: <span class="s2">"luke@heroku.space"</span>, <span class="s2">"addresses"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"street"</span>: <span class="s2">"1234 Rodeo Drive"</span>, <span class="s2">"city"</span>: <span class="s2">"Los Angeles"</span>, <span class="s2">"country"</span>: <span class="s2">"USA"</span> <span class="o">}</span> <span class="o">]</span> <span class="o">}</span> </code></pre> </div> <p>But, in GraphQL, the client determines precisely the data it wants from the server. For example, the client may want only the user's name and email, and none of the address information:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl <span class="nt">-X</span> POST https://api.heroku.space/graphql <span class="nt">-d</span> <span class="s1">' query { user(id: 1) { name email } } '</span> <span class="o">{</span> <span class="s2">"data"</span>: <span class="o">{</span> <span class="s2">"name"</span>: <span class="s2">"Luke"</span>, <span class="s2">"email"</span>: <span class="s2">"luke@heroku.space"</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>With this new paradigm, clients can make more efficient queries to a server by trimming down the response to meet their needs. For single-page apps (SPAs) or other front-end heavy client-side applications, this speeds up rendering time by reducing the payload size. However, as with any framework or language, GraphQL has its trade-offs. In this post, we'll take a look at some of the pros and cons of using GraphQL as a query language for APIs, as well as how to get started building an implementation.</p> <h2> Why would you choose GraphQL? </h2> <p>As with any technical decision, it's important to understand what advantages GraphQL offers to your project, rather than simply choosing it because it's a buzzword.</p> <p>Consider a SaaS application that uses an API to connect to a remote database; you'd like to render a user's profile page. You might need to make one API <code>GET</code> call to fetch information about the user, like their name or email. You might then need to make another API call to fetch information about the address, which is stored in a different table. As the application evolves, because of the way it's architected, you might need to continue to make more API calls to different locations. While each of these API calls can be done asynchronously, you must also handle their responses, whether there's an error, a network timeout, or even pausing the page render until all the data is received. As noted above, the payloads from these responses might be more than necessary to render your current pages. And each API call has network latency and the total latencies added up can be substantial.</p> <p>With GraphQL, instead of making several API calls, like <code>GET /user/:id</code> and <code>GET /user/:id/addresses</code>, you make one API call and submit your query to a single endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="n">addresses</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">street</span><span class="w"> </span><span class="n">city</span><span class="w"> </span><span class="n">country</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>GraphQL, then, gives you just one endpoint to query for all the domain logic that you need. If your application grows, and you find yourself adding more data stores to your architecture—PostgreSQL might be a good place to store user information, while Redis might be good for other kinds—a single call to a GraphQL endpoint will resolve all of these disparate locations and respond to a client with the data they requested.</p> <p>If you're unsure of the needs of your application and how data will be stored in the future, GraphQL can prove useful here, too. To modify a query, you'd only need to add the name of the field you want:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code> addresses { street <span class="gi">+ apartmentNumber # new information </span> city country } <span class="err"> </span></code></pre> </div> <p>This vastly simplifies the process of evolving your application over time.</p> <h2> Defining a GraphQL schema </h2> <p>There are GraphQL server implementations in a variety of programming languages, but before you get started, you'll need to identify the objects in your business domain, as with any API. Just as a REST API might use something like <a href="https://json-schema.org/">JSON schema</a>, GraphQL defines its schema using SDL, or <a href="https://graphql.org/learn/schema/">Schema Definition Language</a>, an idempotent way to describe all the objects and fields available by your GraphQL API. The general format for an SDL entry looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">type</span><span class="w"> </span><span class="err">$</span><span class="n">OBJECT_TYPE</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">$</span><span class="n">FIELD_NAME</span><span class="p">(</span><span class="nv">$ARGUMENTS</span><span class="p">):</span><span class="w"> </span><span class="err">$</span><span class="n">FIELD_TYPE</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Let's build on our earlier example by defining what entries for the user and address might look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">type</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">email</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">addresses</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="n">Address</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">street</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">city</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="n">country</span><span class="p">:</span><span class="w"> </span><span class="nb">String</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><code>User</code> defines two <code>String</code> fields called <code>name</code> and <code>email</code>. It also includes a field called <code>addresses</code>, which is an array of <code>Address</code> objects. <code>Address</code> also defines a few fields of its own. (By the way, there's more to a GraphQL <a href="https://graphql.org/learn/schema/">schema</a> than just objects, fields, and scalar types. You can also incorporate interfaces, unions, and arguments, to build more complex models, but we won’t cover those for this post.)</p> <p>There's one more type we need to define, which is the entry point to our GraphQL API. You'll remember that earlier, we said a GraphQL query looked like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That <code>query</code> field belongs to a special reserved type called <code>Query</code>. This specifies the main entry point to fetching objects. (There’s also a <code>Mutation</code> type for modifying objects.) Here, we define a <code>user</code> field, which returns a <code>User</code> object, so our schema needs to define this too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">type</span><span class="w"> </span><span class="n">Query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="nb">Int</span><span class="p">!):</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">type</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Arguments on a field are a comma-separated list, which takes the form of <code>$NAME: $TYPE</code>. The <code>!</code> is GraphQL's way of denoting that the argument is required—omitting means it's optional.</p> <p>Depending on your language of choice, the process of incorporating this schema into your server varies, but in general, consuming this information as a string is enough. Node.js has <a href="https://www.npmjs.com/package/graphql">the <code>graphql</code> package</a> to prepare a GraphQL schema, but we're going to use <a href="https://www.npmjs.com/package/graphql-tools">the <code>graphql-tools</code> package</a> instead, because it provides a few more niceties. Let's import the package and read our type definitions in preparation for future development:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">makeExecutableSchema</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">graphql-tools</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">typeDefs</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">"</span><span class="s2">schema.graphql</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">encoding</span><span class="p">:</span> <span class="dl">"</span><span class="s2">utf8</span><span class="dl">"</span><span class="p">,</span> <span class="na">flag</span><span class="p">:</span> <span class="dl">"</span><span class="s2">r</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Setting up resolvers </h2> <p>A schema sets up the ways in which queries can be constructed but establishing a schema to define your data model is just one part of the GraphQL specification. The other portion deals with actually fetching the data. This is done through the use of <a href="https://graphql.org/learn/execution/#root-fields-resolvers"><em>resolvers</em></a>. A resolver is a function that returns a field's underlying value.</p> <p>Let's take a look at how you might implement resolvers in Node.js. The intent is to solidify concepts around how resolvers operate in conjunction with schemas, so we won't go into too much detail around how the data stores are set up. In the "real world", we might establish a database connection with something like <a href="https://knexjs.org/">knex</a>. For now, let's just set up some dummy data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">users</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">1</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Luke</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">luke@heroku.space</span><span class="dl">"</span><span class="p">,</span> <span class="na">addresses</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">street</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1234 Rodeo Drive</span><span class="dl">"</span><span class="p">,</span> <span class="na">city</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Los Angeles</span><span class="dl">"</span><span class="p">,</span> <span class="na">country</span><span class="p">:</span> <span class="dl">"</span><span class="s2">USA</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="mi">2</span><span class="p">:</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Jane</span><span class="dl">"</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">jane@heroku.space</span><span class="dl">"</span><span class="p">,</span> <span class="na">addresses</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">street</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1234 Lincoln Place</span><span class="dl">"</span><span class="p">,</span> <span class="na">city</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Brooklyn</span><span class="dl">"</span><span class="p">,</span> <span class="na">country</span><span class="p">:</span> <span class="dl">"</span><span class="s2">USA</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>GraphQL resolvers in Node.js amount to an Object with the key as the name of the field to be retrieved, and the value being a function that returns the data. Let's start with a barebones example of the initial <code>user</code> lookup by id:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">})</span> <span class="p">{</span> <span class="c1">// user lookup logic</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <p>This resolver takes two arguments: an object representing the parent (which in the initial root query is often unused), and a JSON object containing the arguments passed to your field. Not every field will have arguments, but in this case, we will, because we need to retrieve our user by their ID. The rest of the function is straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">users</span><span class="p">[</span><span class="nx">id</span><span class="p">];</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>You'll notice that we didn't explicitly define a resolver for <code>User</code> or <code>Addresses</code>. The <code>graphql-tools</code> package is intelligent enough to automatically map these for us. We can override these if we choose, but with our type definitions and resolvers now defined, we can build our complete schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nf">makeExecutableSchema</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span> <span class="p">});</span> </code></pre> </div> <h2> Running the server </h2> <p>Finally, let's get this demo running! Since we're using Express, we can use <a href="https://www.npmjs.com/package/express-graphql">the <code>express-graphql</code> package</a> to expose our schema as an endpoint. The package requires two arguments: your schema, and your root value. It takes one optional argument, <code>graphiql</code>, which we'll talk about in a bit.</p> <p>Set up your Express server on your favorite port with the GraphQL middleware like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">express</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">express</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">express_graphql</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">express-graphql</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/graphql</span><span class="dl">"</span><span class="p">,</span> <span class="nf">express_graphql</span><span class="p">({</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">schema</span><span class="p">,</span> <span class="na">graphiql</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">5000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Express is now live at localhost:5000</span><span class="dl">"</span><span class="p">));</span> </code></pre> </div> <p>Navigate your browser to <code>http://localhost:5000/graphql</code>, and you should see a sort of IDE interface. On the left pane, you can enter any valid GraphQL query you like, and on your right you'll get the results. This is what <code>graphiql: true</code> provides: a convenient way of testing out your queries. You probably wouldn't want to expose this in a production environment, but it makes testing much easier.</p> <p>Try entering the query we demonstrated above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>To explore GraphQL's typing capabilities, try passing in a string instead of an integer for the ID argument:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># this doesn't work</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can even try requesting fields that don't exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="c"># this doesn't work</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="n">zodiac</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With just a few clear lines of code expressed by the schema, a strongly-typed contract between the client and server is established. This protects your services from receiving bogus data and expresses errors clearly to the requester.</p> <h2> Performance considerations </h2> <p>For as much as GraphQL takes care of for you, it doesn't solve every problem inherent in building APIs. In particular, caching and authorization are just two areas that require some forethought to prevent performance issues. The GraphQL spec does not provide any guidance for implementing either of these, which means that the responsibility for building them falls onto you.</p> <h3> Caching </h3> <p>REST-based APIs don't need to be overly concerned when it comes to caching, because they can build on <a href="https://restfulapi.net/caching/">existing HTTP header strategies</a> that the rest of the web uses. GraphQL doesn't come with these caching mechanisms, which can place undue processing burden on your servers for repeated requests. Consider the following two queries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">email</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Without some sort of caching in place, this would result in two database queries to fetch the <code>User</code> with an ID of <code>1</code>, just to retrieve two different columns. In fact, since GraphQL also allows for <a href="https://graphql.org/learn/queries/#aliases">aliases</a>, the following query is valid and also performs two lookups:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight graphql"><code><span class="k">query</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">one</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="n">two</span><span class="p">:</span><span class="w"> </span><span class="n">user</span><span class="p">(</span><span class="n">id</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This second example exposes the problem of how to batch queries. In order to be fast and efficient, we want GraphQL to access the same database rows with as few roundtrips as possible.</p> <p><a href="https://github.com/graphql/dataloader">The <code>dataloader</code> package</a> was designed to handle both of these issues. Given an array of IDs, we will fetch all of those at once from the database; as well, subsequent calls to the same ID will fetch the item from the cache. To build this out using <code>dataloader</code>, we need two things. First, we need a function to load all of the requested objects. In our sample, that looks something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">DataLoader</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dataloader</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">batchGetUserById</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">ids</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// in real life, this would be a DB call</span> <span class="k">return</span> <span class="nx">ids</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">id</span> <span class="o">=&gt;</span> <span class="nx">users</span><span class="p">[</span><span class="nx">id</span><span class="p">]);</span> <span class="p">};</span> <span class="c1">// userLoader is now our "batch loading function"</span> <span class="kd">const</span> <span class="nx">userLoader</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DataLoader</span><span class="p">(</span><span class="nx">batchGetUserById</span><span class="p">);</span> </code></pre> </div> <p>This takes care of the issue with batching. To load the data, and work with the cache, we'll replace our previous data lookup with a call to the <code>load</code> method and pass in our user ID:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">userLoader</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}</span> </code></pre> </div> <h3> Authorization </h3> <p>Authorization is an entirely different problem with GraphQL. In a nutshell, it's the process of identifying whether a given user has permission to see some data. We can imagine scenarios where an authenticated user can execute queries to get their own address information, but they should not be able to get the addresses of other users.</p> <p>To handle this, we need to modify our resolver functions. In addition to a field's arguments, a resolver also has access to its parent, as well as a special <em>context</em> value passed in, which can provide information about the currently authenticated user. Since we know that <code>addresses</code> is a sensitive field, we need to change our code such that a call to users doesn't just return a list of addresses, but actually, calls out to some business logic to validate the request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">getAddresses</span> <span class="o">=</span> <span class="kd">function</span><span class="p">(</span><span class="nx">currUser</span><span class="p">,</span> <span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">currUser</span><span class="p">.</span><span class="nx">id</span> <span class="o">==</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">user</span><span class="p">.</span><span class="nx">addresses</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[];</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Query</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">_</span><span class="p">,</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">users</span><span class="p">[</span><span class="nx">id</span><span class="p">];</span> <span class="p">},</span> <span class="p">},</span> <span class="na">User</span><span class="p">:</span> <span class="p">{</span> <span class="na">addresses</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">parentObj</span><span class="p">,</span> <span class="p">{},</span> <span class="nx">context</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">getAddresses</span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">currUser</span><span class="p">,</span> <span class="nx">parentObj</span><span class="p">);</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>Again, we don't need to explicitly define a resolver for each <code>User</code> field—only the one which we want to modify.</p> <p>By default, <code>express-graphql</code> passes the current HTTP <code>request</code> as a value for <code>context</code>, but this can be changed when setting up your server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="dl">"</span><span class="s2">/graphql</span><span class="dl">"</span><span class="p">,</span> <span class="nf">express_graphql</span><span class="p">({</span> <span class="na">schema</span><span class="p">:</span> <span class="nx">schema</span><span class="p">,</span> <span class="na">graphiql</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">context</span><span class="p">:</span> <span class="p">{</span> <span class="na">currUser</span><span class="p">:</span> <span class="nx">user</span> <span class="c1">// currently authenticated user</span> <span class="p">}</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <h2> Schema best practices </h2> <p>One aspect missing from the GraphQL spec is the lack of guidance on versioning schemas. As applications grow and change over time, so too will their APIs, and it's likely that GraphQL fields and objects will need to be removed or modified. But this downside can also be positive: by designing your GraphQL schema carefully, you can avoid pitfalls apparent in easier to implement (and easier to break) REST endpoints, such as inconsistencies in naming and confusing relationships. Marc-Andre has <a href="https://www.apollographql.com/blog/graphql-schema-design-building-evolvable-schemas-1501f3c59ed5">listed several strategies</a> for building evolvable schemas which we highly recommend reading through.</p> <p>In addition, you should try to keep as much of <a href="https://graphql.org/learn/thinking-in-graphs/#business-logic-layer">your business logic separate from your resolver logic</a>. Your business logic should be a single source of truth for your entire application. It can be tempting to perform validation checks within a resolver, but as your schema grows, it will become an untenable strategy.</p> <h2> When is GraphQL not a good fit? </h2> <p>GraphQL doesn't mold precisely to the needs of HTTP communication the same way that REST does. For example, GraphQL specifies only a single status code—<code>200 OK</code>—regardless of the query’s success. A special <code>errors</code> key is returned in this response for clients to parse and identify what went wrong. Because of this, error handling can be a bit trickier.</p> <p>As well, GraphQL is just a specification, and it won't automatically solve every problem your application faces. Performance issues won't disappear, database queries won't become faster, and in general, you'll need to rethink everything about your API: authorization, logging, monitoring, caching. Versioning your GraphQL API can also be a challenge, as the official spec currently has no support for handling breaking changes, an inevitable part of building any software. If you're interested in exploring GraphQL, you will need to dedicate some time to learning how to best integrate it with your needs.</p> <h2> Learning more </h2> <p>The community has rallied around this new paradigm and come up with <a href="https://github.com/chentsulin/awesome-graphql">a list of awesome GraphQL resources</a>, for both frontend and backend engineers. You can also see what queries and types look like by <a href="https://graphql.org/swapi-graphql/">making real requests on the official playground</a>.</p> <p>We also have a <a href="https://www.heroku.com/podcasts/codeish/44-graphqls-benefits-and-costs">Code[ish] podcast episode</a> dedicated entirely to the benefits and costs of GraphQL.</p> graphql api javascript