Have you ever wondered why we need a server acting as a middleman between the client and the database?
Coding Is Over
Lauren Mendoza

Security? Security? And, oh yeah, security.

Seriously, download the GraphQL specification and search the document for the word “security”. The result? “Not found.”

You do not want to expose your database directly to the world at large. In software engineering terms, this is considered to be a “bad thing”.

And actually, to pick on one point, GraphQL doesn’t eliminate the need for backend coding, since the query is not entirely driven by the client side. Someone had to define the GraphQL query types available and map the fields each one has the potential to return.

This does provide a level of security, in that the type system will, hopefully, make sure that the fields username, email, and password are not available for a given query, and thus prevent a massive security breach by someone hacking a client-side query.

And, just to pick up on the example on page one, hopefully there’s a security and authentication system in place somewhere to prevent a bad actor from changing the user id from 3500401 to 3500402 and 3500403 and 3500404 and thus start surfing the database for information they’re not authorized to access.

GraphQL is also a query system, used to access data. It’s not a full implementation of a REST API, and in particular has no means to add or update information. (Another area where security and validation are even more important.) It’s also an area where complex systems implement the business logic needed to make things work and ensure that everything happens as a result of the change (order entered, logged, paid, and invoice sent to user).

I might also mention that if you’re talking about using GraphQL to talk to “the database”, then it would appear that most of the problems you’re trying to solve are indeed in the trivial category. A financial app I’m responsible for talks to a backend API that in turn manages the information flow to and from over two dozen other databases and backend systems, none of which the client wants to have directly facing the internet.

In short, GraphQL can make some things easier, but as with most things in software engineering, it’s not a panacea and it’s not going to totally change all backend interfaces forever.