Developer Experience / Session Presentations

GraphQL Is for Client Developers, Not Client Applications

Tuesday, September 10 / 03:40 p.m. PDT - 04:10 p.m. PDT
Michael Bleigh, Google, Firebase Engineering Lead

Many of the most common issues developers run into when building GraphQL APIs (N+1 queries, difficult authorization logic, protecting against arbitrary query complexity) come down to a single problem: when an untrusted client can construct arbitrary queries, lots can go wrong. So what if they just couldn't? The wins of GraphQL aren't in letting *clients* build their own queries but in letting *client developers* build their own queries. When Firebase chose GraphQL as the basis for its new Data Connect product, we introduced "Connectors", a new resource type that bundles a group of predefined GraphQL queries and mutations and exposes them at an endpoint. While trusted servers can execute arbitrary queries, untrusted clients can only use predefined queries and mutations. This approach substantially simplifies the security model of building with GraphQL. Rather than worrying about every possible query, you can build authorization and complexity mechanics around well-known predefined queries. Learn the how, the why, and the possible future of "Connectors" for GraphQL in Firebase and beyond.
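The trust split described in the abstract, sketched as an added example (not code from the talk or from Firebase Data Connect): untrusted clients may only name a predefined operation, each with its own authorization rule and variable checks, while trusted servers may submit arbitrary documents. The `connector` shape, `resolveRequest`, and the operation names are hypothetical.

```javascript
// Hypothetical connector: every operation an untrusted client may run is
// declared up front with its own authorization rule and variable checks.
const connector = {
  GetMyOrders: {
    document: "query GetMyOrders($limit: Int!) { orders(first: $limit) { id total } }",
    authorize: (caller) => caller.uid !== null, // signed-in users only
    variables: { limit: (v) => Number.isInteger(v) && v >= 1 && v <= 50 },
  },
  ListProducts: {
    document: "query ListProducts { products { id name price } }",
    authorize: () => true, // public operation
    variables: {},
  },
};

function deny(reason) { return { ok: false, reason }; }
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Decides what document (if any) is executed for a request.
// Returns { ok: true, document, variables } or { ok: false, reason }.
function resolveRequest(connector, request, caller) {
  // Trusted server-side callers may run arbitrary documents.
  if (caller.trusted) {
    if (typeof request.query !== "string") return deny("missing query");
    return { ok: true, document: request.query, variables: request.variables || {} };
  }
  // Untrusted clients never supply query text, only an operation name.
  if ("query" in request) return deny("ad hoc queries not allowed");
  // Own-property lookup so names like "__proto__" cannot resolve.
  if (!has(connector, request.operationName)) return deny("unknown operation");
  const op = connector[request.operationName];
  if (!op.authorize(caller)) return deny("unauthorized");
  const supplied = request.variables || {};
  // Reject variables the operation did not declare.
  for (const name of Object.keys(supplied)) {
    if (!has(op.variables, name)) return deny(`unexpected variable ${name}`);
  }
  // Bound each declared variable, which caps the cost of the known query.
  for (const [name, isValid] of Object.entries(op.variables)) {
    if (!isValid(supplied[name])) return deny(`invalid variable ${name}`);
  }
  return { ok: true, document: op.document, variables: supplied };
}
```

Because the set of documents is fixed, authorization and complexity limits are reviewed once per operation instead of being enforced against every query a client could construct.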