DEV Community

Discussion on: Why I no longer use GraphQL for new projects

Daniel Lo Nigro

Regarding security, ideally the security of your data should be enforced in your data layer (whatever technology you're using to load the data) rather than in your business layer, to ensure that access restrictions are consistently applied in every place the data is loaded. Applying permission policies just in individual REST or GraphQL endpoints is quite error-prone and it's likely you'll forget to apply them somewhere (eg in scripts that send emails to users, batch data processing jobs that summarise data for users, etc).

At Meta / Facebook we have the concept of a "viewer context" object which describes the currently logged-in user (user ID, etc), and this viewer context is mandatory to pass to all data loading calls. Each type of entity (eg. post, photo, comment etc) has a set of privacy rules that determine if the user can see it or not (eg. is the user a friend of the author if the post is set to friends only, is the user in the group if the post is in a private group, etc). This ensures the access restrictions are the same across everywhere that loads the data - GraphQL, GraphAPI, backend scripts, etc.
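
The following is an added example of the viewer-context pattern described in the comment above; it is not part of the original comment and is not Meta's code. The names (`ViewerContext`, `load_post`, `POST_RULES`) and the sample data are hypothetical, and it shows one entity type with an endpoint-style caller and a batch-job caller going through the same loader.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ViewerContext:          # hypothetical name: who is asking for the data
    user_id: int

@dataclass(frozen=True)
class Post:
    id: int
    author_id: int
    audience: str             # "public", "friends" or "group"
    group_id: Optional[int] = None

# Constructed sample data standing in for the real store.
FRIENDS = {(1, 2), (2, 1)}
GROUP_MEMBERS = {10: {1, 3}}
POSTS = {
    100: Post(100, author_id=1, audience="public"),
    101: Post(101, author_id=1, audience="friends"),
    102: Post(102, author_id=1, audience="group", group_id=10),
}

# Privacy rules for the Post entity type; any matching rule allows access.
POST_RULES = [
    lambda vc, p: p.author_id == vc.user_id,
    lambda vc, p: p.audience == "public",
    lambda vc, p: p.audience == "friends" and (vc.user_id, p.author_id) in FRIENDS,
    lambda vc, p: p.audience == "group" and vc.user_id in GROUP_MEMBERS.get(p.group_id, set()),
]

def load_post(vc: ViewerContext, post_id: int) -> Optional[Post]:
    """Only way to read a post; None means missing or not visible to this viewer."""
    if not isinstance(vc, ViewerContext):
        raise TypeError("a ViewerContext is required to load data")
    post = POSTS.get(post_id)
    if post is None or not any(rule(vc, post) for rule in POST_RULES):
        return None
    return post

def api_get_post(session_user_id: int, post_id: int) -> Optional[Post]:
    """Endpoint-style caller: builds the viewer context from the session."""
    return load_post(ViewerContext(session_user_id), post_id)

def digest_email_post_ids(recipient_id: int) -> list:
    """Batch-job caller: same loader, so the same rules apply."""
    vc = ViewerContext(recipient_id)
    return [pid for pid in sorted(POSTS) if load_post(vc, pid) is not None]
```

Because neither caller contains a permission check of its own, a new script or endpoint cannot skip the rules without bypassing `load_post` itself.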