Tanmai Gopal, CEO of Hasura.io, joined SE Radio host Jeff Doolittle for a conversation about GraphQL. They discussed the history and rationale behind the original conception of GraphQL, as well as some of the use cases it is best suited for. Tanmai described how GraphQL differs from other API specification styles such as REST and gRPC. Various concepts related to GraphQL were also explored such as performance, caching, and security.
Show Notes
Related Links
From SE Radio
- Episode 143: API Design with Jim des Rivieres
- Episode 376: Justin Richer On API Security with OAuth 2
- Episode 383: Neil Madden On Securing Your API
- Episode 387: Abhinav Asthana on Designing and Testing APIs
- Episode 511: Ant Wilson on Supabase (Postgres as a Service)
From IEEE
- GraphQL for archival metadata: An overview of the EHRI GraphQL API
- Migrating to GraphQL: A Practical Assessment
- REST vs GraphQL: A Controlled Experiment
- Can GraphQL Replace REST? A Study of Their Efficiency and Viability
From the Show
- Hasura
- GraphQL
- gRPC
- SDLC (Software Development Lifecycle)
- Specification Pattern
- PostgreSQL
- Open Telemetry
- AST (Abstract Syntax Tree)
SE Radio theme: “Broken Reality” by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)
Under Zero Trust, one interpretation of its needs might mean every system, and its app, must not trust the security checks which they don't implement. In this regard, a backend database will need one or more of (User ID, client computer ID, user role) passed to it in the transaction request to perform its security checks, e.g. an RBAC approach, on the data being CRUD'd by any transaction. It does not matter how many systems a transaction traverses to get satisfied. The same authentication data (and maybe even the IDs of the entire set of all computers on the path to it) must be provided to every application for it to verify. It did not sound as though GraphQL has this and so the developers will have to define this architecture themselves “over the top” of using GraphQL. It would be great if they added that capability to the product. FYI this security architecture may need to be added to every distributed system in future as most architectures rely on authentication at the edge and not in the interior of a system-of-systems.
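The pattern the comment describes, as an added illustration that is not code from the episode or from Hasura: the edge mints a signed identity context, and each later tier (a GraphQL resolver, then the data tier) re-verifies that signature and applies its own RBAC rule instead of trusting whatever the previous hop says. The signing key, the sample table and the role rule are constructed for this demo; a real deployment would verify a JWT with the issuer's public key rather than share an HMAC secret.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Each tier would normally hold its own verification
# material (e.g. the token issuer's public key), not one shared secret.
SIGNING_KEY = b"demo-only-key"

# Constructed sample table: rows carry an owner so the data tier can apply RBAC.
ROWS = {1: {"owner": "alice", "body": "alice's note"},
        2: {"owner": "bob", "body": "bob's note"}}

def mint_context(user_id, role):
    """Edge tier: issue a signed identity context after authenticating the user."""
    payload = json.dumps({"uid": user_id, "role": role}, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def verify_context(token):
    """Every tier checks the signature itself rather than trusting the tier before it."""
    encoded, tag = token.rsplit(".", 1)
    payload = base64.urlsafe_b64decode(encoded)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("identity context failed verification")
    return json.loads(payload)

def db_read(token, row_id):
    """Data tier: verifies identity on its own, then applies an RBAC rule to the row."""
    ctx = verify_context(token)
    row = ROWS[row_id]
    allowed = ctx["role"] == "admin" or (ctx["role"] == "user" and row["owner"] == ctx["uid"])
    if not allowed:
        raise PermissionError(f"{ctx['uid']} ({ctx['role']}) may not read row {row_id}")
    return row["body"]

def graphql_resolver(token, row_id):
    """Middle tier: verifies too, then forwards the same context unchanged (never re-minted)."""
    verify_context(token)
    return db_read(token, row_id)

def tampered_role(token, new_role):
    """Test helper: rewrite the claims without re-signing, as a hop trusting bare headers would see."""
    encoded, tag = token.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(encoded))
    claims["role"] = new_role
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag
```

Because the data tier verifies the context itself, a claim altered anywhere on the path is rejected there even if an intermediate service forwarded it without checking.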