undefined | Better HN

0 pointsjondubois9y ago0 comments

GraphQL and REST solutions will almost certainly be much faster than any CRDT solution. I think that the REST solution should be more efficient than the GraphQL solution but it probably won't be a drastic difference.

The essence of the REST philosophy is to deal with data as small atomic building blocks - I think that this is one of the most important and well-tested ideas in software engineering so on that basis, I would go with REST. Though you could also argue that the idea of querying (which is what GraphQL essentially is) is also well tested.

CRDTs are bad with bandwidth and they require very heavy/complex clients that are difficult to implement - Once implemented, they make life easier for many use cases but take away flexibility and customizability.

I think the main challenge with GraphQL actually might be doing access control on the back-end. If you have a GraphQL query that fetches many different resource types, it's a lot more difficult to establish whether or not a user is allowed to access all these resources at once (GraphQL approach) vs just a single resource at a time (REST Approach).

With GraphQL you may have to deal with partial access rights - where the user is only allowed to see part of the query's result. With REST, each request can only have a single allowed/blocked response.

0 comments

3 comments · 2 top-level

dragonwriter9y ago· 1 in thread

> The essence of the REST philosophy is to deal with data as small atomic building blocks

It's actually not; that seems to be something imposed after the fact by association of REST with a thin layer over a normalized DB model.

REST is neutral about both the size and atomicity of resources.

jonduboisOP9y ago

Only when you read a filtered list of resources but not for CRUD operations (CRUD operations make sure you deal with a single resource at once). My main point is that writes are atomic.

ruslan_talpa9y ago

GraphQL should not deal with that at all imo (authorization). the underlying service (rest/database) should be responsible for that. What GraphQL implementation should do is "tell" the underlying service who is making the request and let it handle authorization. And endpoints/fields in GraphQL schema should not be "hidden" based on who is currently logged in.

Just like in sql you are free to see all the available tables in the databases and do "select * from secret_table" it does not mean you will get back any data. The same way you should be able to query any field in graphql but get an error in case you are trying to access data that you are not supposed to.

j / k navigate · click thread line to collapse