This looks great, and I love the idea of GraphQL and declaratively defining the data you need.

I understand this is alpha / proof-of-concept, and this is in no way meant as criticism, also not specific to this implementation, but just trying to figure out something:

What's the security model for GraphQL (at least as intended for JavaScript clients speaking to a backend)? Can we just pass the GraphQL from the client to the server and execute it? (In this case, directly on the PG database). What kind of security can be built around this?




I've been playing with getting a Postgres/GraphQL system working recently too. I decided that the definitions of the "edges" in the schema itself should declare what the user/viewer is capable of fetching via the GraphQL.

I started a very naive implementation of A-Relay-Like-Architecture (Arla) and built todomvc with it[1].... schema.js[2] declares the schema/nodes as well as the 'calls/edges' available for each node, which allows you to limit the visible rows/columns based on the $viewer id.

It's all a bit of an experiment... but I'm liking the GraphQL pattern so far.

[1] https://github.com/kiloe/arla-todomvc

[2] https://github.com/kiloe/arla-todomvc/blob/master/schema.js


I wonder if one could use a shape-like spec to describe permissions for a user, similar to GraphQL itself?


I would think you'd need some kind of layer over the database for security; I think managing security at the db level would be very clunky at best.

But since the idea of GraphQL handles so much from the logic standpoint, your programming layer can just act as a gatekeeper for access.

That said, Postgres is pretty powerful. Maybe there is an elegant way to do row-level access control.
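
The gatekeeper layer and the shape-like permission spec raised in the comments above, sketched as an added example that is not from any commenter or from the Arla project. `SHAPE`, `parseSelection` and `authorize` are hypothetical names, the parser accepts only bare selection sets, and the permission shape is constructed for illustration.

```javascript
// Added example; SHAPE, parseSelection and authorize are hypothetical names.
// Constructed permission shape: true = readable column, object = nested node,
// $rows = row filter derived from the viewer (to be ANDed into the SQL WHERE).
const SHAPE = {
  todos: {
    $rows: (viewer) => ({ owner_id: viewer.id }),
    id: true,
    title: true,
    owner: { id: true, name: true }, // "email" is absent, so it is denied
  },
};

// Parse a bare selection set like "{ todos { id } }" into nested objects.
// Arguments, aliases, fragments and "$" names are rejected, not ignored.
function parseSelection(src) {
  const tokens = src.match(/[{}]|[A-Za-z_]\w*|\S/g) || [];
  let i = 0;
  const block = () => {
    if (tokens[i++] !== '{') throw new Error('expected {');
    const node = Object.create(null); // no prototype: "__proto__" is just a key
    while (i < tokens.length && tokens[i] !== '}') {
      const name = tokens[i++];
      if (!/^[A-Za-z_]\w*$/.test(name)) throw new Error('unsupported token: ' + name);
      node[name] = tokens[i] === '{' ? block() : true;
    }
    if (tokens[i++] !== '}') throw new Error('expected }');
    return node;
  };
  const root = block();
  if (i !== tokens.length) throw new Error('trailing input');
  return root;
}

// Deny by default: a field passes only if the shape lists it as an own property
// and its kind (leaf vs. nested node) matches what the query asks for.
function authorize(selection, shape, viewer, path = [], out = { denied: [], rowFilters: {} }) {
  for (const name of Object.keys(selection)) {
    const here = [...path, name].join('.');
    const rule = Object.prototype.hasOwnProperty.call(shape, name) ? shape[name] : undefined;
    const isNode = typeof rule === 'object' && rule !== null;
    const ok = selection[name] === true ? rule === true : isNode;
    if (!ok) { out.denied.push(here); continue; }
    if (isNode) {
      if (rule.$rows) out.rowFilters[here] = rule.$rows(viewer);
      authorize(selection[name], rule, viewer, here.split('.'), out);
    }
  }
  return out;
}
```

A server would refuse the query when `denied` is non-empty and apply each entry in `rowFilters` to the corresponding table before anything reaches the database.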



