When I first heard of GraphQL many years ago, most of these fears seemed instantly obvious to me. I never used it in my projects. All this n+1 stuff, how did people not understand this immediately? Is it because of front end devs who never had to think about this?
0:10 GraphQL is not a good solution. In theory we should be able to write actual SQL and send to an endpoint. I don’t get why we need a limited version of that.
@MadsterV no no. Just the syntax. Then map that to one or more persisted data sources. So much like what GraphQL does, except using the standard SQL syntax.
Although GraphQL is an awesome solution where it fits, I don't often find places where it fits and if I do, I don't find cases where its advantages warrant the complexity of implementing it. This could be due to the bias caused by my level of experience and the type of work I tend to do; maybe this isn't as true in other contexts.
I never even jumped on the GraphQL train. It just never made sense for me. I have always worked on relatively small teams of full-stack devs, so I have always had control over both sides of the API. And with unit testing ensuring that the two don't get out of sync, it was never worth the time to even learn GraphQL in the first place.
I just built my first fastapi endpoint for a react project I'm working on. I took 2 days longer than the 1 day I estimated because I felt compelled to make the json file it served an asyncio call, the fetch was through an async web worker in react, and the json it serves updates only once per day so it is reprocessed server side to be ready and waiting as soon as it's updated. Did I go overboard or are we suggesting my anal retentive approach ought to be standard? Again, my first time, learning solo, sincerely curious. It sounds like you're suggesting I did as much as we ought to expect of backend to provide to front end.
I've used trpc and graphql, I can't put my finger on why but I'm more comfortable using graphql and find it more enjoyable to use 🙈 Graphql provides a level of power I just love. Even for... Simple projects. 😬 That have more servers than users. 🤣 But I agree with most of your points!
Never used GraphQL, I am a REST API guy, but it sounds to me like all GraphQL issues could be solved by a policy to switch to REST when a query use is mature enough and never give GraphQL the resources to bring down the servers. Meaning that if you need something that works NOW and you don't want to wait for backend guys (as a backend guy I feel a bit offended 😛) just use GraphQL, but after a while that thing should be switched to REST when the endpoint is available. That being said, I've never worked in an environment where data queries were so complex and fast changing that I needed an extra DSL just to define what I want.
Huh, I had heard of graphql but wasn't aware what it did. I can see why it'd be useful, but the security issues and limitations just don't seem worth it, and I'd likely stick to rest. But I've also been coding since before rest itself was popular so I may be a bit stuck in the past. I've primarily worked in teams where everyone is full stack and so front end waiting for endpoints hasn't been an issue.
I don't know... for the most part, it doesn't sound like GraphQL is the problem. It sounds to me like some devs don't have enough paranoia when creating APIs 🥺
Wouldn't it be amazing if inside the graphql ecosystem we could create predefined queries that could be executed by name and possibly optional arguments as well, therefore the request could be something like: { query: "query name", args: [] } This is a layer I couldn't find anywhere in the specs of the architecture, also the possibility to isolate "contexts" would be amazing, making free to custom query just part of the data not the entire schema.
Great idea! Let’s call those predefined queries “procedures” and expose a TypeScript friendly way to invoke them remotely. We can call it a TypeScript remote procedure call or just TRPC for short!
@John2202W I am aware that the concept of such predefined query would basically mimic a REST request, and that is my point hahahah can't graphql just leverage some of the things trpc does? idk the architecture would need to change in order to address the problems we saw here... I just don't know how or if would be possible.
@ChrisSkene That's actually interesting, I didn't know about them, the concept would be similar but implemented 'natively' on the graphql architecture itself somehow, it seems that for now such implementation lives on the client side layer, Apollo has its own implementation of persistent queries, and I was wondering if that could actually become part of the graphql specs, a way to request predefined data ( much like rest API ) passing the name of a query, therefore making the "all you can query" style of graphql limited somehow because I do agree that setting authorization per field is way too cumbersome most of the time. but thanks for the tip on persisted queries I was looking for something like this!
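The "predefined queries by name" idea from the comments above, as an added example (not code from the thread, Apollo or any GraphQL server): a server-side allowlist that maps operation names to fixed documents, plus a cheap selection-depth cap for any ad-hoc query the server still chooses to accept. The operation names, documents and the limit are constructed for illustration.

```javascript
// Added example, not from the thread: persisted-query allowlist + depth cap.
// Clients send { query: "<name>", args: {...} } rather than free-form text;
// anything not on the allowlist is rejected unless ad-hoc queries are
// explicitly enabled, and then only below a nesting limit.

// Constructed allowlist: operation name -> the exact document the server runs.
const PERSISTED_QUERIES = {
  userWithPosts: `query ($id: ID!) { user(id: $id) { name posts { title } } }`,
  me: `query { me { name badges { label } } }`,
};

// Maximum selection-set nesting tolerated for ad-hoc queries (constructed value).
const MAX_DEPTH = 4;

// Selection-set depth of a GraphQL document: the deepest run of open braces,
// ignoring braces inside "..." strings and # comments. Deliberately simple:
// it does not resolve fragments or handle """block strings""".
function selectionDepth(query) {
  let depth = 0, max = 0, inString = false, inComment = false;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (inComment) { if (c === "\n") inComment = false; continue; }
    if (inString) {
      if (c === "\\") i++;          // skip the escaped character
      else if (c === '"') inString = false;
      continue;
    }
    if (c === "#") { inComment = true; continue; }
    if (c === '"') { inString = true; continue; }
    if (c === "{") { depth++; if (depth > max) max = depth; }
    else if (c === "}") depth--;
  }
  return max;
}

// Turn an incoming request into the document the server will execute.
// Returns { ok: true, name, query, variables } or { ok: false, reason }.
function resolveRequest(request, opts = {}) {
  const allowAdHoc = opts.allowAdHoc ?? false;
  const maxDepth = opts.maxDepth ?? MAX_DEPTH;
  if (typeof request.query !== "string" || request.query.length === 0) {
    return { ok: false, reason: "missing query" };
  }
  // Own-property lookup so names like "constructor" cannot hit the prototype.
  const persisted = Object.prototype.hasOwnProperty.call(PERSISTED_QUERIES, request.query)
    ? PERSISTED_QUERIES[request.query]
    : undefined;
  if (persisted !== undefined) {
    return { ok: true, name: request.query, query: persisted, variables: request.args ?? {} };
  }
  if (!allowAdHoc) {
    return { ok: false, reason: `unknown persisted query "${request.query}"` };
  }
  const depth = selectionDepth(request.query);
  if (depth > maxDepth) {
    return { ok: false, reason: `query depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, name: null, query: request.query, variables: request.args ?? {} };
}
```

In an allowlist-only deployment the server never parses client-supplied query text at all; the depth check matters only when ad-hoc queries are still enabled.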
It's always fascinating at what little detail can bring significant problems later on. I guessed chat history along with chat, but when I think about it badges makes perfect sense.
Also, who tf came up with saying "Authentication and Authorization". So saying "auth" doesn't mean anything any more. Nice. What? It's always been Access Control. Authentication - Determining if the query is from who they say they are Permissions - Is he allowed to do that? Permissions, giving you the even more fine-grained terms of “Privileges” and making "Roles" a pretty obvious abstraction on top of that. But no, it's auth and auth.... and everyone's confused. lol
Many of the problems discussed here are limitations of the tools used with GraphQL. Granted, making those tools is non-trivial, so one must weigh the tradeoffs. Sure, GraphQL isn’t as easy as setting up REST server backends. However, the point of GraphQL is to craft the best possible user experience, not necessarily the best backend developer experience. Many organizations don’t need this at the API layer, but some do.
GraphQL is really good when you don't know how your endpoint will be consumed by a client, and when it's not possible to model a rest api in a good way to serve the data. Notion API is a perfect example when GraphQL would be better than REST for example...
BE vs FE (different teams, technologies, repos, priorities, timing) is the hard truth on most companies. GraphQL allows FE devs to cut dependency times on their workflows and be more reliable on estimations. Most of the security / performance issues mentioned were also present in REST APIs a while ago. If anything, FE devs should be actively present in API design decisions, instead of ditching a very useful pattern because someone is not doing their job right.
Give me graphql without the nesting and I'll be happy. Client-side we get all the benefits of type-safety, code-gen and introspection. Server-side we don't have to worry about N+1's and complex schema resolution on fields existing far down on the tree of GQL nodes.
tRPC is awful for exposing API's. Most projects I worked on in my career needed to expose API's so we ended up using tRPC for internal API and REST for exposing endpoints externally. I'm now the techlead on a project that has grown quite a bit and I'm deeply regretting buying into your hype with tRPC, I didn't do enough research. I plan to remove it from our system eventually.
Have you looked into options like trpc-openapi (or the newer fork, trpc-swagger)? They make it very easy to expose your tRPC procedures as REST endpoints following the openapi spec
Exposing APIs with tRPC is really easy with Next.js’s app router. Just create a route.tsx and fetch the data as you would in a page then return it. I can see how this could be annoying with a ton of endpoints though but the above comment has solutions for that.
Isn't trpc meant to be internal? Pretty sure you can expose them with the createCaller or whatever is called, or separate the query/mutation logic and use a service approach to use them in the API.
It's annoying that you still try to sell GraphQL solely as an API schema solution, because it's not even the easiest way to do it. It's very easy to set up a similar kind of type-safety around a REST API, but using swagger/openapi schemas with code generation in any languages / technology so you don't have to have your backend and front-end shared. You can also host the schema ON the API endpoint so you don't have to technically "share code"
from a software engineering perspective I get why you justifiably throw overboard a whole technology and keep changing technologies, because of these problems. but from a language or technology design perspective I think it's really dissatisfying, because there are some deeper issues here that cut across the tech being used, whether it's tRPC, GraphQL, REST. especially caching issues and the N+1 problem
My biggest gripe of GraphQL is performance. You have to engineer a lot of stuff together to get the same level of performance of REST on the first day.
If your app is the only consumer of your API you really don't need graphQL. If you are building an API for customers to use, it's a fantastic solution.
@zhanezar Not being a dick but why can't 2 things be good? I like NY style pizza, Chicago deep dish and classic Neapolitan, they are all good and all satisfy me in different ways. Choose the tool that makes sense. My stack at work uses both. All our alphanumeric data is accessed from graphql whereas all our file based operations use rest? Why you might ask? Because graphQL is a better fit for the complex queries our customer wants on our data sets in our databases. Why still use REST? Because serving generic files in REST is easy and stupid complicated in graphql.
@jpegjpg Because GraphQL fucking sucks when the consumer doesn't have a direct line of communication with you, and most companies don't have the luxury of having an on-call developer answer customer service requests. Also because GraphQL is a fucking nightmare to secure and ALL consumers outside of your organization are potential threat actors. If you're building an API for customers to use, GraphQL is one of the worst solutions possible. Did you not watch the video? That was literally one of the conclusions.
To me, the type inferencing of GraphQL is like a happy accident. The reason you should use GraphQL is if you have many different API users and you want to allow the user to decide the shape of the data they pull.
1:59 you know when you separate the front end development from back end development, the code seems to get a lot more complex. The code always seems to be simpler on apps where teams are full stack.
@MadsterV the reason is simple. When you develop a solution full stack, you can manage the code complexity from both ends, whereas, when you split the front end work from the backend work, each team must coordinate changes with the other, and often that’s time consuming, so instead, they implement all this complexity so they can defer communicating and coordinating with the other team. It leads to the creation of unnecessary code that could have otherwise been avoided. The better way to divide work is feature slicing. A person or team develops a feature across the entire stack. The complexity in that case is when features are interoperable…. Which is then more a design choice.
Your issue with badges is completely unrelated to graphql. If the api is super slow then using a rest endpoint would not have sped it up. And the rest of the points boil down to inexperience. Just because you couldn't figure it out doesn't mean others couldn't.
I get the feeling that Theo has never actually implemented/architected a good GraphQL pipeline. Only then would he understand the real value of it. For small and simple projects, he is correct. GraphQL is overkill for those scenarios. However, for data intensive apps, GraphQL cannot be beat. For example our webapp has data tables that need to show large amounts of data. Thousands of rows. They need to be paginated, filtered, and sorted among other things. And we have several dozen tables that need to do this. This is the sort of thing where GraphQL really really shines. GraphQL libraries in the frontend and also at the backend do most of the work. They provide type safety, performance and so much more. Also, if you are not using Relay in the frontend, you are doing GraphQL wrong.
Here's something funny - I wanted to learn graphQL, so I followed a bit of random advice online and tried to make a clone - sineQL works, but is unwieldy to use. I still don't understand graphQL.
I think GraphQL shines the most when you expose it to the public. Of course, you have to be careful with security, throttling, and N+1 problems, but you are giving the best experience to the people consuming the API. They can get the schema, and query whatever they need
@victor95pc All the problems described for GraphQL are not inherent to GraphQL. You can also have N+1 problems in your REST API if you suck at making queries. I even think GraphQL makes it easier to dismantle these problems in smaller portions and reduce complexity like that. Even the badge issue that Theo describes could have happened in rest or gRPC or whatever.
@LucasLuengo Most of the issues in that post seem like a skill issue, even the one about re-running authorization checks, if you use Pundit the authorization result is cached by session, so even if you run "authorize record, :update?" 10 times it will run only once... Also not that hard to save the result in the global object
I understood it was not a persisted field, meaning they had to run lots of calculations to compute each badge on every request. In short: bad database and API designs
I always said k8s is overrated. It’s a great and powerful tool (we use it as well) but not everyone should employ it because not every system needs it.
The absolute funniest thing for me is that in a world where postgresql exists graphql is useless; if you're really at a point where you need graphql for some odd reason you might as well expose your db since it has all the security for doing that if you set it up (hello supabase) but for some reason reimplementing a slower (thanks to n+1 instead of letting the db handle internal re-queries) and less secure version is seen as a win but just doing the simple thing of using your db query language as the query language is seen as bad.
@PanosPitsi PostgreSQL has fine-grained permissions xD I'm on firebase and supabase and all these backend as a service things exist universe, what universe are you in?
It was a terrible idea from day zero. For all the reasons I was telling my coworkers that thought it was this silver bullet to get front end devs to leave them alone. Dozens of projects ripped it all out in less than a year for all the reasons I told them would happen.
@valerysmirnov9535 I wouldn't say none. Elasticsearch's apis for getting documents are all GET apis (at least they used to be last time I checked). Elasticsearch has got a big userbase too. But I do get your point. My overarching point basically here is that Theo keeps getting things wrong. Sometimes because he wants paid promotions. Sometimes he just doesn't know stuff but acts like he does
@valerysmirnov9535 Defining a body for GET request is not forbidden by HTTP protocol, so you can define it. That's the point. ElasticSearch uses it, OpenSearch uses it. This is correct technically and practically, Google and Amazon cloud services use it. There were even requests from community to add support for GET requests with body in Apollo Client for some optimization purposes. So, you are just wrong...
So we Structure our QL now?
This needs more upvotes
tech is cyclic, web dev doubly so
Do not pronounce QL in Spanish.
😂🤣
Well.. Theo is changing technologies every 3 months so no wonder..
U watch the video?
Where did he change anything?
@greidinger-reiseg. trpc to server components
I may be misremembering but when I was first introduced to graphQL by some ex-colleagues circa 7 years ago, word on the street was that graphQL was not a replacement for your rest API. I thought it was supposed to be used on top of one or alongside it.
Ignorance is bliss I suppose
The initial idea for it was to make a single API composition of our multiple REST APIs. It would perform repeated calls to REST to extend data closer to backend reducing latency and allow frontend devs to select only the things they need.
But of course, people started using it everywhere and now it's shit.
Well, a facebook blog about the creation of GraphQL:
"When we built Facebook’s mobile applications, we needed a data-fetching API powerful enough to describe all of Facebook, yet simple enough to be easy to learn and use by our product developers."
For the majority of developers seeing this video.... just use rest, thank me later.
@hellotherenameishere There're too many cons, it simply isn't worth it. Eventually, you'll see.
@O_Eduardo I saw frontend devs decide to grab all properties and use only those he/she actually needs then. ummm....
As a database person, the fact that something called a dataloader pattern exists to soften the N+1 problem boggles the mind.
We can do most things with just 1 SQL query and output it all into JSON too directly from that same query.
Everyone is just afraid of rawdoggin some SQUEAL
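The N+1 problem and the dataloader pattern mentioned above, as an added example (not code from the thread or from any GraphQL library): a constructed in-memory stand-in for a database that counts round trips, a naive per-user resolver that issues one posts query per user, and a minimal DataLoader-style batcher that collapses those N lookups into a single IN-style query. The tables, the `makeLoader` helper and the round-trip counter are all constructed for illustration.

```javascript
// Added example, not from the thread: N+1 resolver vs. a batching loader.

// Constructed sample tables.
const USERS = [
  { id: 1, name: "ada" },
  { id: 2, name: "bob" },
  { id: 3, name: "cy" },
];
const POSTS = [
  { id: 10, userId: 1, title: "hello" },
  { id: 11, userId: 1, title: "again" },
  { id: 12, userId: 3, title: "solo" },
];

// Fake database: every method call counts as one round trip.
function makeDb() {
  const db = { roundTrips: 0 };
  db.allUsers = async () => { db.roundTrips++; return USERS; };
  db.postsByUserId = async (userId) => {
    db.roundTrips++;
    return POSTS.filter((p) => p.userId === userId);
  };
  // Equivalent of one query with WHERE user_id IN (...).
  db.postsByUserIds = async (userIds) => {
    db.roundTrips++;
    const want = new Set(userIds);
    return POSTS.filter((p) => want.has(p.userId));
  };
  return db;
}

// Minimal DataLoader: every key requested in the same tick is queued, and
// one microtask later batchFn is called once with all of them. batchFn must
// return results in the same order as the keys it received.
function makeLoader(batchFn) {
  let queue = [];
  let scheduled = false;
  async function flush() {
    const batch = queue;
    queue = [];
    scheduled = false;
    try {
      const results = await batchFn(batch.map((b) => b.key));
      batch.forEach((b, i) => b.resolve(results[i]));
    } catch (err) {
      batch.forEach((b) => b.reject(err));
    }
  }
  return {
    load(key) {
      return new Promise((resolve, reject) => {
        queue.push({ key, resolve, reject });
        if (!scheduled) { scheduled = true; queueMicrotask(flush); }
      });
    },
  };
}

// Naive resolver: one posts query per user, so 1 + N round trips.
async function usersWithPostsNaive(db) {
  const users = await db.allUsers();
  return Promise.all(users.map(async (u) => ({ ...u, posts: await db.postsByUserId(u.id) })));
}

// Batched resolver: the loader groups every user id into a single IN query,
// so 1 + 1 round trips regardless of N.
async function usersWithPostsBatched(db) {
  const loader = makeLoader(async (userIds) => {
    const rows = await db.postsByUserIds(userIds);
    return userIds.map((id) => rows.filter((p) => p.userId === id));
  });
  const users = await db.allUsers();
  return Promise.all(users.map(async (u) => ({ ...u, posts: await loader.load(u.id) })));
}

// Run both resolvers against fresh databases and report the round-trip counts.
async function compareRoundTrips() {
  const naiveDb = makeDb();
  const naive = await usersWithPostsNaive(naiveDb);
  const batchedDb = makeDb();
  const batched = await usersWithPostsBatched(batchedDb);
  return { naive: naiveDb.roundTrips, batched: batchedDb.roundTrips, naiveResult: naive, batchedResult: batched };
}
```

The batcher only removes the extra round trips; as the comment above notes, a single SQL query with a JSON aggregate would avoid the second round trip as well.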
Using graphql for the last years over all our products. We can spin up new products really fast. Every developers knows how to handle things. Sure, eliminating codegen would be cool but that's not enough for me to shift to trpc.
Are you using Apollo Server?
@comboschtap yes, via nestjs
This fits with the paper I wrote a long time ago about why CORBA (long time ago, ugly, think binary WSDL (also a long time ago and ugly)) and other forms of RPC are a bad idea.
The problem with GraphQL is that it exposes too much of your internal state to external users. In my paper I describe RPC as being about what you want the other side to do rather than the messages you want to exchange. And that's true, but the real problem there is that when giving the other side detailed instructions on what you want to do, it necessitates knowing a lot of internal details about how the other side functions.
I wrote this paper in the 1990s, but you could look at it as advocating for REST APIs. Though that's a little too narrow of a reading. I intended to lump in things like SMTP as being well designed protocols. I mean, SMTP has numerous security flaws involving verifying senders, but that's not the kind of issue I was talking about.
wundergraph has an open source backend for frontend framework which allows you to select queries from your graphql schema and generates a rpc server + client codegen limited to those queries. Seemed like a really elegant solution but it’s abandonware now in favor of their federated graphql router
you can use graphql in development and convert it to restapi for production
precisely. not to mention possibility of additional processing overhead that may incur. we could see it coming and thankfully skipped the hype altogether.
As a backend developer with a big focus on database, query design, and security, GraphQL has always worried me. And the more I learn about it, the more I'm glad I decided not to use it.
maybe you haven't learned enough to work with GraphQL and how to optimize your queries over db
because you are lazy
Have you tried Apollo Server?
why? because with gql now frontend devs don't need to communicate much with annoying backend devs like you anymore??
0:10 - let me fix this for you. If you have a DESIGN DOCUMENT that SPECIFIES the REST API signatures and the back / front teams are communicating, then you don't need a monorepo, you don't need the same language, you don't need anything. Just a proper Tech Lead who will OWN and ENFORCE this document and an Architect who oversees the whole thing.
But I guess, having people actually talk and create design documents is too much these days, huh?
to be honest I don't like UML
@ea_naseer design documents don't need to be UML though. even a swagger document can do a lot already
Yeah, an up to date OpenAPI spec as the interface to program to sounds good enough for me, but then I've only ever worked in projects with two or three devs max.
As a solo developer I approve this. LOL.
@bloody_albatross yeah, YMMV. The projects I work on (well, more or less Arch-ing on these days) have at least 7-8 devs, so I end up mostly designing, owning and augmenting the design documents along with the product owner(s). Trust me, as long as everyone comes along for the ride and understands that software engineering is NOT a democracy, it all flows swiftly and smoothly.
20:49 In the php world, it's common to have your endpoint for users accept query params to supplement additional fields on the request, which are themselves their own endpoints with authorization already included, (bcs they are their own separate endpoints), but you can thus essentially make multiple requests with a single request from the client and get the combined data of both.
For example, a user, and its posts. They are separate endpoints.
But the user endpoint accepts a param to supplement the user data to include the user's posts.
Just like that.
Also, rate limiting as a package lmao
"now you're building crazy DIY rate limiters" - Dude's clearly never used any full-featured backend framework. Pretty much all of them have that for graphql
Theo is a web developer. He knows nothing about software engineering.
Out of all the shitposting I've done over the years, the one tweet that got me mobbed on was basically saying exactly this back in 2022.. maybe with a little more color.
What I like about GraphQL: you can track which data is being consumed, which added to tracking request source lets you track how information flows across your app, spot possible optimizations and speed up deprecation. With proper instrumentation, you'll do magic.
What I don't like about GraphQL: code generation, additional load and effort, tying up all the infra to an additional standard, security complexity skyrockets.
Unoptimized lookups are not a GraphQL problem, it's a design problem.
Our BE team: We can't in GraphQL, we will use REST. Period!
My one gripe is the argument right at the end about "front-end bugging back-end" in non-GraphQL APIs.
I live in the SME world where we're either full-stack doing both, or, we collaborate and "bugging" people is an advantage because it leads to a thoughtful architecture where back-end understands how their services are actually being used.
As developers we don't just "write code and call stuff". Everything is done with intent and should be done thoughtfully.
Clickbait title, what a surprise.
I mean it is Theo...
I've been seeing this a lot lately at TH-cam. Not sure why it's happening
First time?
@Jzhongzhi Theo's titles and thumbnails are so bad even chatgpt hates him, he sucks
@gusvanwes6192 Clickbait generates more clicks. The algorithm likes more clicks. Shows more videos with clickbait.
13:37 no it's okay Theo. You're completely correct. Requiring every developer talk to every team for every graphql query they're going to make to get the green light that you won't take down the whole service absolutely does not scale. Shame on that team.
I think that REST with well documented Open API, or even better auto-generated Open API from backend code is the superior solution in combination with auto-generated API client from the Open API on the front-end, I guess literally every front-end technology/language has ability to generate such client. So basically we are receiving features declared by GraphQL and tRPC (I mean synchronization between FE and BE) without huge performance losses (In case GraphQL with Node.js) or without Typescript vendor lock with tRPC
19:08 Great job by your editor with the seamless transition...as I watched this on stream, it's so different I almost didn't notice
Uhm... regarding security risks mentioned... I am not convinced I should forget about GraphQL and under-estimate it, especially in a large company with distributed back-end teams and different data endpoints to maintain. Are we forgetting what the schemas are for? Are we forgetting about Apollo Server which I don't see being mentioned at all?
Theo did not mention Apollo Server. He discussed GraphQL as a general technology, highlighting challenges with security, authorization, performance, and scalability, but he didn’t refer to Apollo Server’s tools or features that address many of these concerns.
Apollo Server provides many of the built-in functionalities that mitigate the risks he mentioned, such as field-level authorization, query complexity limiting, and caching strategies. The omission of Apollo Server misses a significant part of how modern GraphQL setups, especially in larger or distributed environments, manage these exact issues.
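The query complexity limiting mentioned in the reply above is a pre-execution check: reject a document before any resolver runs if it is nested deeper than the server is willing to serve. The block below is an added example written for this thread, not code from Apollo Server or from the video. It works on the raw query text without a GraphQL parser, counting selection-set nesting by braces while skipping string literals and `#` comments so that a `{` inside an argument value cannot inflate or deflate the count. `MAX_DEPTH`, the `FriendsOfFriends` query and `checkQuery` are constructed for the example.

```javascript
// Added example: dependency-free selection-set depth limit for GraphQL
// request bodies. MAX_DEPTH is an assumed value, not taken from any project.
const MAX_DEPTH = 5;

// Returns the deepest selection-set nesting in the query text.
// `{ a { b { c } } }` has depth 3. String literals (including """block"""
// strings) and # comments are skipped so braces inside them are ignored.
function selectionDepth(query) {
  let depth = 0;
  let maxDepth = 0;
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                      // line comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (ch === '"') {                      // string or block string: skip it
      const close = query.startsWith('"""', i) ? '"""' : '"';
      let j = i + close.length;
      while (j < query.length) {
        if (query[j] === '\\') { j += 2; continue; }       // escaped char
        if (query.startsWith(close, j)) { j += close.length; break; }
        j++;
      }
      i = j;
      continue;
    }
    if (ch === '{') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}') {
      depth--;
    }
    i++;
  }
  return maxDepth;
}

// Gate a parsed JSON request body before handing it to the executor.
function checkQuery(body, maxDepth = MAX_DEPTH) {
  if (typeof body.query !== 'string') {
    return { ok: false, reason: 'missing query' };
  }
  const depth = selectionDepth(body.query);
  if (depth > maxDepth) {
    return { ok: false, reason: `depth ${depth} exceeds limit ${maxDepth}` };
  }
  return { ok: true, depth };
}

// Constructed sample: a "friends of friends" query nested seven levels deep,
// the shape that turns into an exponential fan-out of resolver calls.
const DEEP_QUERY = `
  query FriendsOfFriends {
    viewer {
      friends {
        friends {
          friends {
            friends {
              friends { name }
            }
          }
        }
      }
    }
  }`;

console.log(checkQuery({ query: DEEP_QUERY }));           // rejected: depth 7
console.log(checkQuery({ query: '{ viewer { id } }' }));  // ok: depth 2
```

A depth cap is the cheapest of the complexity limits; it does not account for list fields or per-field cost weights, which is what a cost-analysis rule adds on top. The point of doing it here, before execution, is that the rejected query never touches a resolver or the database.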
10:40 -- why do they not just call the function to get badges when you change it......
Would be interesting to hear your thoughts on what tRPC does better than just regular server actions.
Everything is better with trpc
trpc is a joke compared to deepkit rpc
@@marcuss.abildskov7175 Why would you use deepkit?
How about gRPC-web (on the client), and gRPC (on the server). The ProtoBuf compiler (protoc) has plugins for generating gRPC-web client (in JavaScript), as well as plugins for generating server side code in many languages.
TIL about grpc-web. TBH I think most people don’t go this route because of the learning curve. But I’d agree grpc > trpc
I used this on one of my previous jobs. The problem usually is that you still have quite big overhead, besides your frontend and backend you now need to maintain some sort of proxy to be able to request grpc from your browser. Ultimately it's an additional layer of abstraction and complexity, which might make debugging quite painful.
Can totally see how it could be used by bigger teams tho, but we found it annoying back then
Many companies encode their requests to binary, grpc is nice.
When I first heard of GraphQL many years ago, most of these fears seemed instantly obvious to me. I never used it in my projects. All this n+1 stuff, how did people not understand this immediately? Is it because of front end devs who never had to think about this?
Tbh front ends shouldn’t be making complex data queries, just request the component you need and get it whether it’s htmx or React server components
What are your thoughts on openapi specs for the contracts of rest api's?
Errrr... Yes?
Been using it for years now, I love it. Fully type safe rest APIs for any client in any language without the mumbo jumbo.
0:10 GraphQL is not a good solution. In theory we should be able to write actual SQL and send to an endpoint. I don’t get why we need a limited version of that.
because then you'd be running untrusted SQL in your database.
@@MadsterV no no. Just the syntax. Then map that to one or more persisted data sources. So much like what GraphQl does, except using the standard SQL syntax.
The abstraction of the types is the whole point.
@@EricLouisYoung that's what schemas are for. To define the structure of the data that can be queried.
just like "every slow car handles well" "every tech works well with every trivial application"
Although GraphQL is an awesome solution where it fits, I don't often find places where it fits and if I do, I don't find cases where its advantages warrant the complexity of implementing it. This could be due to the bias caused by my level of experience and the type of work I tend to do; maybe this isn't as true in other contexts.
Honestly, what you describe with the Twitch badges is a dev problem, not really GraphQL
I never even jumped on the GraphQL train. It just never made sense for me. I have always worked on relatively small teams of full-stack devs, so I have always had control over both sides of the API. And with unit testing ensuring that the two don't get out of sync, it was never worth the time to even learn GraphQL in the first place.
I just built my first fastapi endpoint for a react project I'm working on. I took 2 days longer than the 1 day I estimated because I felt compelled to make the json file it served an asyncio call, the fetch was through an async web worker in react, and the json it serves updates only once per day so it is reprocessed server side to be ready and waiting as soon as it's updated.
Did I go overboard or are we suggesting my anal retentive approach ought to be standard?
Again, my first time, learning solo, sincerely curious. It sounds like you're suggesting I did as much as we ought to expect of backend to provide to front end.
we use Nuxt for frontend and Symfony for backend and separate teams so GraphQL is really nice
Same with Statamic but with Next (I honestly thought Nuxt was dead).
I never liked graphql. And never will.
I've used trpc and graphql, I can't put my finger on why but I'm more comfortable using graphql and find it more enjoyable to use 🙈
Graphql provides a level of power I just love. Even for... Simple projects. 😬 That have more servers than users. 🤣
But I agree with most of your points!
Never used GraphQL, I am a REST API guy, but it sounds to me like all GraphQL issues could be solved by a policy to switch to REST when a query use is mature enough and never give GraphQL the resources to bring down the servers. Meaning that if you need something that works NOW and you don't want to wait for backend guys (as a backend guy I feel a bit offended 😛) just use GraphQL, but after a while that thing should be switched to REST when the endpoint is available.
That being said, I've never worked in an environment where data queries were so complex and fast changing that I needed an extra DSL just to define what I want.
why not protobuf if it’s just about the schema?
Does TRPC make sense if we can query and mutate the data directly with server components?
What about if API needs to be externally exposed for a mobile app? Can tRPC expose the endpoints?
Huh, i had heard of graphql but wasn't aware what it did.
I can see why it'd be useful, but the security issues and limitations just don't seem worth it, and I'd likely stick to rest. But I've also been coding since before rest itself was popular so I may be a bit stuck in the past. I've primarily worked in teams where everyone is full stack and so front end waiting for endpoints hasn't been an issue.
I don't know... for the most part, it doesn't sound like GraphQL is the problem. It sounds to me like some devs don't have enough paranoia when creating APIs 🥺
Going from REST to graphQL made me insist that my next job absolutely needed to be in a fullstack environment with something like TRPC.
Wouldn't it be amazing if inside the graphql ecosystem we could create predefined queries that could be executed by name and possibly optional arguments as well, therefore the request could be something like: { query: "query name", args: [] }
This is a layer I couldn't find anywhere in the specs of the architecture, also the possibility to isolate "contexts" would be amazing, making it free to custom-query just part of the data, not the entire schema.
Great idea! Let’s call those predefined queries “procedures” and expose a TypeScript friendly way to invoke them remotely. We can call it a TypeScript remote procedure call or just TRPC for short!
I think you're looking for persisted queries? Here is what that looks like in code:
const graphQlUrl = 'https://example.com/graphql'; // endpoint placeholder
async function runPersistedQuery() {
  const response = await fetch(graphQlUrl, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      // id of a query registered ahead of time, instead of the query text
      documentId: 'md5-query-hash-of-query',
      variables: {
        variableOne: '',
        variableTwo: '',
      },
    }),
  });
  return response.json();
}
@@ChrisSkene Interesting, I didn't know about them
@@John2202W I am aware that the concept of such a predefined query would basically mimic a REST request, and that's my point hahahah can't graphql just leverage some of the things trpc does? idk the architecture would need to change in order to address the problems we saw here... I just don't know how or if it would be possible.
@ChrisSkene That's actually interesting, I didn't know about them, the concept would be similar but implemented 'natively' on the graphql architecture itself somehow, it seems that for now such implementation lives on the client side layer, Apollo has its own implementation of persisted queries, and I was wondering if that could actually become part of the graphql specs, a way to request predefined data ( much like rest API ) passing the name of a query, therefore making the "all you can query" style of graphql limited somehow because I do agree that setting authorization per field is way too cumbersome most of the time. but thanks for the tip on persisted queries I was looking for something like this!
It's always fascinating at what little detail can bring significant problems later on.
I guessed chat history along with chat, but when I think about it badges makes perfect sense.
Also, who tf came up with saying "Authentication and Authorization". So saying "auth" doesn't mean anything any more. Nice. What?
It's always been Access Control.
Authentication - Determining if the query is from who they say they are
Permissions - Is he allowed to do that?
Permissions, giving you the even more fine-grained terms of “Privileges” and making "Roles" a pretty obvious abstraction on top of that.
But no, it's auth and auth.... and everyone's confused. lol
big words look good on presentations, but are terrible in daily use.
I thought that's intentional. Say "auth" and you have to implement both because you don't know which they want.
Many of the problems discussed here are limitations of the tools used with GraphQL. Granted, making those tools is non-trivial, so one must weigh the tradeoffs.
Sure, GraphQL isn’t as easy as setting up REST server backends. However, the point of GraphQL is to craft the best possible user experience, not necessarily the best backend developer experience. Many organizations don’t need this at the API layer, but some do.
GraphQL is really good when you don't know how your endpoint will be consumed by a client, and when it's not possible to model a rest api in a good way to serve the data. Notion API is a perfect example where GraphQL would be better than REST for example...
Six years later I still never gave a single flying f about Graphql
BE vs FE (different teams, technologies, repos, priorities, timing) is the hard truth in most companies. GraphQL allows FE devs to cut dependency times on their workflows and be more reliable on estimations. Most of the security / performance issues mentioned were also present in REST APIs a while ago.
If anything, FE devs should be actively present in API design decisions, instead of ditching a very useful pattern because someone is not doing their job right.
6 years too late... seems like someone stopped sending the cheques
They must have scrum overlords and no waterfall
Give me graphql without the nesting and I'll be happy. Client-side we get all the benefits of type-safety, code-gen and introspection. Server-side we don't have to worry about N+1's and complex schema resolution on fields existing far down on the tree of GQL nodes.
Changing tires in mid-air
GraphQl does subscriptions with joins, can't do that with anything else I think.
I don't hate it either but as a Devops / SRE there is nothing that has caused me more grief with performance issues than GraphQL.
I wanted to love it (on AWS) but I came to hate it and moved on.
Did you bleach your teeth? They look good.
tRPC is awful for exposing APIs. Most projects I worked on in my career needed to expose APIs so we ended up using tRPC for internal API and REST for exposing endpoints externally. I'm now the techlead on a project that has grown quite a bit and I'm deeply regretting buying into your hype with tRPC, I didn't do enough research. I plan to remove it from our system eventually.
what problems are you facing?
Have you looked into options like trpc-openapi (or the newer fork, trpc-swagger)? They make it very easy to expose your tRPC procedures as REST endpoints following the openapi spec
@@John2202W I haven't used TRPC so asking
Exposing APIs with tRPC is really easy with Next.js’s app router. Just create a route.tsx and fetch the data as you would in a page then return it. I can see how this could be annoying with a ton of endpoints though but the above comment has solutions for that.
Isn't trpc meant to be internal?
Pretty sure you can expose them with the createCaller or whatever is called, or separate the query/mutation logic and use a service approach to use them in the API.
badges are sent with the message now 🤔
It's annoying that you still try to sell GraphQL solely as an API schema solution, because it's not even the easiest way to do it.
It's very easy to set up a similar kind of type-safety around a REST API, but using swagger/openapi schemas with code generation in any language / technology so you don't have to have your backend and front-end shared. You can also host the schema ON the API endpoint so you don't have to technically "share code"
R u using Batik, unique clothes from Indonesia? 😊
From a software engineering perspective I get why you justifiably throw overboard a whole technology and have to keep changing technologies, because of these problems. But from a language or technology design perspective I think it's really dissatisfying, because there are some deeper issues here that cut across the tech being used, whether it's tRPC, GraphQL, REST. Especially caching issues and the N+1 problem.
My biggest gripe of GraphQL is performance. You have to engineer a lot of stuff together to get the same level of performance of REST on the first day.
with graphql u can use one of them, code first or schema first, code first is better
@@kamalkamals Still performance sucks on day one. I have to do caching and query optimizations to make sure its okay.
@@dkchen the performance of javascript + nodejs already sucks with or without graphql
How is the badges issue unique to GraphQL? It's just crappy backend work
If your app is the only consumer of your API you really don't need graphQL. If you are building an API for customers to use it's a fantastic solution.
@@zhanezar Not being a dick but why can't 2 things be good? I like NY style pizza, Chicago deep dish and classic Neapolitan, they are all good and all satisfy me in different ways. Choose the tool that makes sense. My stack at work uses both. All our alphanumeric data is accessed from graphql whereas all our file based operations use rest. Why you might ask? Because graphQL is a better fit for the complex queries our customer wants on our data sets in our databases. Why still use REST? Because serving generic files in REST is easy and stupid complicated in graphql.
@@jpegjpg Because GraphQL fucking sucks when the consumer doesn't have a direct line of communication with you, and most companies don't have the luxury of having an on-call developer answer customer service requests. Also because GraphQL is a fucking nightmare to secure and ALL consumers outside of your organization are potential threat actors. If you're building an API for customers to use, GraphQL is one of the worst solutions possible. Did you not watch the video? That was literally one of the conclusions.
Wonder what you will be “over” a few months from now, the influencer reality is so off from what devs have to work with and maintain
At the start you appear to be praising graphql, but what you're actually thankful for is strong contracts between FE and BE.
To me, the type inferencing of GraphQL is like a happy accident. The reason you should use GraphQL is if you have many different API users and you want to allow the user to decide the shape of the data they pull.
1:59 you know when you separate the front end development from back end development, the code seems to get a lot more complex. The code always seems to be simpler on apps where teams are full stack.
disagree. We collectively abandoned Visual Basic.
Code is simpler when people know what they are doing, or are led by someone who does.
@@MadsterV the reason is simple. When you develop a solution full stack, you can manage the code complexity from both ends, whereas, when you split the front end work from the backend work, each team must coordinate changes with the other, and often that’s time consuming, so instead, they implement all this complexity so they can defer communicating and coordinating with the other team. It leads to the creation of unnecessary code that could have otherwise been avoided. The better way to divide work is feature slicing. A person or team develops a feature across the entire stack. The complexity in that case is when features are interoperable…. Which is then more a design choice.
There is currently a soon-to-be RFC that is basically POST with caching, named QUERY.
It was a draft and it expired. No QUERY for you, sir.
Watching people have security problems in graphql makes me appreciate capnproto rpc even more
ClickbaitTube is so sad when "content creators" have to behave like National Enquirer and Star Magazine from the 1980's for engagement and views. 😥
I've been using GraphQL in production for 5 years, it's always one of my favorite technologies ❤❤
Your issue with badges is completely unrelated to graphql. If the api is super slow then using a rest endpoint would not have sped it up.
And the rest of the points boil down to inexperience. Just because you couldn't figure it out doesn't mean others couldn't.
same goes with supabase and firebase security rules
SKILLS ISSUE
please learn how to use GraphQL before reacting to it!
Hasura and Neo4j have made awesome integrations with graphql that i think it's high time to start using graphql
absolutely nobody:
THEO: *AND I TOOK THAT PERSONALLY*
I get the feeling that Theo has never actually implemented/architected a good GraphQL pipeline. Only then would he understand the real value of it.
For small and simple projects, he is correct. GraphQL is an overkill for those scenarios. However, for data intensive apps, GraphQL cannot be beat. For example our webapp has data tables that need to show large amounts of data. Thousands of rows. They need to be paginated, filtered, and sorted among other things. And we have several dozen tables that need to do this. This is the sort of thing where GraphQL really really shines. GraphQL libraries in the frontend and also at the backend do most of the work. They provide type safety, performance and so much more.
Also, if you are not using Relay in the frontend, you are doing GraphQL wrong.
What's wrong with Apollo client?
...until you start using it.
Here's something funny - I wanted to learn graphQL, so I followed a bit of random advice online and tried to make a clone - sineQL works, but is unwieldy to use.
I still don't understand graphQL.
if you have $10 to waste, there are some decent courses on Udemy. I'm sure some youtube has a good course but I haven't found any myself.
I think GraphQL shines the most when you expose it to the public. Of course, you have to be careful with security, throttling, and N+1 problems, but you are giving the best experience to the people consuming the API. They can get the schema, and query whatever they need
What is the big difficult related to authorization? I mean on REST we need to do the same thing, it's not like GraphQL introduce it as issue.
@@victor95pc All the problems described for GraphQL are not inherent to GraphQL. You can also have N+1 problems in your REST API if you suck at making queries. I even think GraphQL makes it easier to dismantle these problems in smaller portions and reduce complexity like that. Even the badge issue that Theo describes could have happened in rest or gRPC or whatever.
@@LucasLuengo Most of the issues in that post seem like a skill issue, even the one about re-running authorization checks, if you use Pundit the authorization result is cached by session, so even if you run "authorize record, :update?" 10 times it will run only once... Also not that hard to save the result in the global object
Not sure it was intentional, but I don't think I understood WHY the badges-field was that big of an issue/why it was that heavy
yeah. it sounded like company politics was the main issue there
I understood it was not a persisted field, meaning they had to run lots of calculations to compute each badge on every request. In short: bad database and API designs
it was hogging the resources of the payments db, so payments weren't able to go through quickly anymore
@@danhorus it sounded like a technically fixable problem
I always said k8s is overrated. It’s a great and powerful tool (we use it as well) but not everyone should employ it because not every system needs it.
what about a laaaaarge file of schema graphql !!!
aren't we all
is graphql a dsl?
its in the name
Protobuf?!
The absolute funniest thing for me is that in a world where postgresql exists graphql is useless; if you're really at a point where you need graphql for some odd reason you might as well expose your db since it has all the security for doing that if you set it up (hello supabase) but for some reason reimplementing a slower (thanks to n+1 instead of letting the db handle internal re-queries) and less secure version is seen as a win but just doing the simple thing of using your db query language as the query language is seen as bad.
What? Expose the database? What are you on.
@@PanosPitsi PostgreSQL has fine-grained permissions xD I'm in the universe where firebase and supabase and all these backend-as-a-service things exist, what universe are you in?
I thought everyone knew about this already (except for the GraphQL fanboys)
And ... tRPC
Just don't listen to theo. You will solve most of your problems 😂😂😂😂😂
Super agree
Why so many of Theo's haters watch his videos? I don't get it.
@@jay-cm Man is literally just reading an interesting blog post and they come out the woodwork lmao
@@jay-cm TH-cam autoplay some video in the background while I do stuff
It was a terrible idea from day zero. For all the reasons I was telling my coworkers that thought it was this silver bullet to get front end devs to leave them alone. Dozens of projects ripped it all out in less than a year for all the reasons I told them would happen.
GraphQL is network masturbation - REST works with any backend technology lol 😂 or the web would be broken!!!
Theo please, you gotta get rid of these stupid thumbnails. And that mustache, it just doesn't fit you as well as it does on Prime
I don't think I've ever been this early to a Theo video...
Yikes
Whoa
Entertaining content, but mostly bullshit.
"You can't have a body in GET". Lol. Theo exposing himself in each video. 😂
No one does that, so technically it's incorrect, but practically is
@@valerysmirnov9535 I wouldn't say none. Elasticsearch's apis for getting documents are all GET apis (at least they used to be last time i checked)
Elasticsearch has got a big userbase too.
But i do get your point.
My overarching point basically here is that Theo keeps getting things wrong.
Sometimes because he wants paid promotions. Sometimes he just doesn't know stuff but acts like he does
Some servers will actually reject your request if you do.
@@jimiscott but it doesn't mean that this is a correct behavior. You can define a body for GET requests, this is not forbidden by HTTP specification.
@@valerysmirnov9535 Defining a body for GET request is not forbidden by HTTP protocol, so you can define it. That's the point. ElasticSearch uses it, OpenSearch uses it.
This is correct technically and practically, Google and Amazon cloud services use it. There were even requests from the community to add support for GET requests with body in Apollo Client for some optimization purposes. So, you are just wrong...