JWT in GraphQL GET Request via AJAX

I have a SPA application that receives and updates information about the logged in user from the API using an AJAX request. However, the requests are authorized using a JWT that is passed via the URL query.

For example: GET /graphql?token=$ {token}

This request is done over HTTPS but I’ve read that this can still be a potential security issue as URL requests can end up in server logs or proxy logs. Is it really any better if I were to pass through a request body or header ?

No class ‘App\User’ en Graphql con Laravel

Estoy comenzando con graphql y no logro hacer funcionar mi servidor. Me da un error 500 y un mensaje en playground que dice: Server cannot be reached tras ver la sección de Network de mi navegador para encontrar algún error me doy cuenta que graphql me entrega el siguiente mensaje:

message: “No class ‘App\User’ was found for directive ‘find'”

Supongo que es el motivo de que mi servidor no pueda iniciar correctamente, el problema es que no logro entender donde se llama al modelo User.

Actualmente tengo un proyecto de laravel limpio con un par de migraciones y modelos creados, he cambiado el nombre de mi aplicación y con ello ha cambiado el namespace.

Luego he seguido la guia entregada por Lighthouse ejecutando los siguientes comandos:

composer require nuwave/lighthouse  php artisan vendor:publish --provider="Nuwave\Lighthouse\LighthouseServiceProvider" --tag=schema  composer require mll-lab/laravel-graphql-playground 

Esto me ha generado un schema en (graphql/schema.graphql) con el siguiente contenido:

"A datetime string with format `Y-m-d H:i:s`, e.g. `2018-01-01 13:00:00`." scalar DateTime @scalar(class:  "Nuwave\Lighthouse\Schema\Types\Scalars\DateTime")  "A date string with format `Y-m-d`, e.g. `2011-05-23`." scalar Date @scalar(class:  "Nuwave\Lighthouse\Schema\Types\Scalars\Date")  type Query { users: [User!]! @paginate(type: "paginator" model: "App\User") user(id: ID @eq): User @find(model: "App\User") }  type User { id: ID! names: String! email: String! created_at: DateTime! updated_at: DateTime! } 

Mientras que mi modelo User luce así:

<?php  namespace bin\Models;  use Illuminate\Notifications\Notifiable; use Illuminate\Contracts\Auth\MustVerifyEmail; use Illuminate\Foundation\Auth\User as Authenticatable;  class User extends Authenticatable { use Notifiable; protected $  table = 'users'; protected $  fillable = [     'names', 'first_lastname', 'second_lastname', 'email',  'password','commune_fk' ];  protected $  hidden = [     'deleted', 'active',  'verify_account','verify_account_code','alternative_password',     'alternative_password_expire','secret_answer','password' ];  // protected $  casts = [ //     'email_verified_at' => 'datetime', // ];  public function commune(){     return $  this->belongsTo('bin\Commune','commune_fk','id'); }  public function history_access(){     return $  this->hasMany('bin\HistoryAccess', 'user_fk', 'id'); } } 

He intentado reemplazar el modelo en la linea de Query con lo siguiente, sin embargo el mensaje de error no cambia (Por lo que supongo que la llamada a User puede estar en otro lado que desconozco).

users: [User!]! @paginate(type: "paginator" model: "App\Models\User") users: [User!]! @paginate(type: "paginator" model: "bin\Models\User") 

Inclusive he comentado todo el schema y el mensaje de error sigue apareciendo.

Namespace: bin

Directorio modelo: app/Models/User.php

GraphQL – Should I expose link tables?

I am experimenting with converting an API to GraphQL, and I have a database that has many-to-many relationships that are stored via link tables; something like this:

CREATE TABLE accounts (   id int,   last_name varchar,   first_name varchar );  CREATE TABLE files (   id int,   content varchar,   name varchar );  CREATE TABLE account_file_links (   id int,   account_id varchar,   file_id varchar,   can_edit tinyint,   FOREIGN KEY (account_id) REFERENCES accounts(id)   FOREIGN KEY (file_id) REFERENCES files(id) ); 

I am wondering if I should be exposing these links as they’re own types in the GraphQL schema or not. When I think of my database as a graph, the nodes are the accounts and the reports, while the edges would be the account_file_links. There are attributes present on the link (in this example, the can_edit property) that need to be presented to the API consumers.

What architecture layer does GraphQL is part of?

I’m currently dealing with a GraphQL project with poor architecture. I read about where to put AuthZ checks and they refer to the “business layer” as to be called from a GraphQL resolver.

Up till now, I thought GraphQL belong in the Data Access Layer (or at least, JUST BEFORE the DAL), but it now looks like it belongs in the most outside layer, similar to a “controller”.

What layer does it belongs to?

Are REST Resources and GraphQL Object Types conceptually equal?

I’m in the process of outlining the intended business logic of a web service. At this point, I’m not too concerned with implementation details. On the contrary, I’m looking for ways to abstract them away in order to describe the business logic and data exposed by the web service in an implementation-agnostic manner.

I’ve read a little about the fundamental principles behind REST and GraphQL. RESTful services expose resources. GraphQL exposes data using Object Types.

These concepts share some core characteristics:

  • they describe ‘things’ (entities) with attributes
  • ‘things’ can be related to other ‘things’
  • ‘things’ support a uniform interface to interact with them: retrieval, insertion, mutation and deletion (at least to some degree; I’m not familiar with mutations in GraphQL)

I might be mixing up some terms, but am I overall correct in thinking both are conceptually equal or at least very similar?

Is the omission of implementation details from the documentation an adequate means of ‘bridging the gap’ between the two (and possible future variations)?

Are there standards for documenting the ‘things’ and the behaviour of their supported operations in an implementation agnostic manner?

CQRS and GraphQL



I have a CQRS domain with requests, authorizers, handlers, response objects, entities, filters, pagination.

It only depends on:

  • external services (email, other APIs, etc…)
  • a database/persistence layer
  • a way to retrieve the current domain user logged in


This CQRS domain is called from a web API that exposes 2 things:

  • endpoints for reading files
  • an endpoint to access a GraphQL schema


The GraphQL resolvers and controller actions only send requests to the CQRS domain. Each request represents an atomic use case (e.g. “I want to get the invoice PDF” or “I want to create a new invoice”).

So my controllers and GraphQL resolvers are very thin. Great.

The problem

Many problems arise though:

  • I’ve created a bloated code base because almost every GraphQL type has a corresponding domain type and its corresponding mapping profile (assuming Automapper)
  • The code has increased of about 30% – 40% overall and it’s difficult to follow the flow of data
  • All this mapping is extremely error prone
  • I often need to map back from CQRS requests to GraphQL inputs to determine the original input field path of the error that was returned by the CQRS handler/validator


On the one hand it’s great to have a common request -> handler -> response pipeline for all of your use cases so that you can implement cross cutting concerns and enforce them at the beginning of the pipeline, on the other hand I’ve lost the ability to clearly follow through the flow of control.

What am I missing? How is a bloated and complex code base better than a simple straightforward “business logic in controllers / graphql resolvers” logic? Isn’t all this mapping a violation of DRY (for example adding a field to an entity requires at least 3 classes to be modified)?

“REST Vs GraphQL” is it a correect comparison?

I saw in many sites that compare REST with GraphQL. after investigating this concern (actually my concern) that, “is it a correct comparison?”, I being more confused. Since the REST has a different definition against GraphQL, this question busies my mind that, why we’ll be able to compare two different concepts together.

actually, it seems to me that the comparison is something like this:

IDE Vs Compiler !??! or BMW x6 Vs ISO 18541-5 (Road vehicles)

from wiki:

Rest definition:

Representational State Transfer (REST) is a software architectural style that defines a set of constraints to be used for creating Web services.

GraphQl definition:

GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data.

please brighten my mind with your answers. thanks

Drupal GraphQL query not returning data

I have 5 different content types and I’ve added content / nodes. I’m using graphQL to fetch the data, however in 1 of the content types the data is not being returned. This is the latest content type I’ve added, so I can query data from all 4 other content types and get the data I expect without any problems using fragments.

My query for the new content type is simple:

{   nodeQuery {     entities {       ...on NodeGlobalContent {         title         body {           value         }       }     }   } } 

The empty result is:

{   "data": {     "nodeQuery": {       "entities": [         {},         {},         {},         {},         {},         {},         {},         {},         {},         {}       ]     }   } } 

If I query the node by ID, I get the data:

query {   nodeById(id: "20") {     entityLabel     entityBundle   } } 
{   "data": {     "nodeById": {       "entityLabel": "test",       "entityBundle": "global_content"     }   } } 

Any idea why I can’t retrieve the data using a fragment?

View GraphQL queries in browser network developer tools [on hold]

We recently migrated our API to graphql, and it’s been working very well for us. However I did come across one inconvenience during development that I couldn’t find any information on. When using the browser developer tools to inspect network requests, all our requests which used to have specifically named endpoints like inventory?id=1234 are now just listed as graphql.

I understand why this is the case, but was hoping for a way to include some of the POST information in the list of requests. It is cumbersome to click through a dozen POSTs to try to find the one I am looking for.

It seems likely that different browsers may have different methods of approaching this. Maybe a plugin that extends the developer tools? I mention graphql since that’s the context of my question, although I suppose this problem isn’t graphql specific

In browser developer tools, is there a way to add content from each POST request to the row?