Software Engineering Daily

The End of GraphQL with Matt Bessey

Oct 16, 2024

Matt Bessey, a Principal Engineer and Software Architect, shares his frustrations with GraphQL after six years of experience. He discusses the complexities of GraphQL, including its security vulnerabilities and performance issues compared to traditional REST APIs. The conversation highlights the nuances of authorization in GraphQL and the risks associated with query parsing. Bessey also explores the future of API design, advocating for a user-centric approach and critiquing the trend towards superficial programming education.

45:18

Creator website

Episode guests

Matt Bessey

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

GraphQL, despite its ability to minimize over-fetching and under-fetching, introduces significant incidental complexity and security challenges for backend engineers.

The discussion highlights OpenAPI 3.0+ as a favorable alternative to GraphQL, providing a simpler, more manageable structure for API design and security.

Deep dives

Introduction to GraphQL and Its Origin

GraphQL is an innovative query language for APIs created by Facebook to minimize issues of overfetching and underfetching common with traditional REST APIs. It allows clients to request exactly the information they need from a single endpoint, thereby enhancing efficiency in data retrieval. However, the technology comes with its own complexities and challenges for backend developers, particularly regarding performance and security. Matt Bessie, a principal engineer, and software architect, articulates these frustrations in his viral blog post that critiques GraphQL and its practical limitations based on his six years of experience.

Access Requires Clear Boundaries

01:33

Intro

2min

Navigating the Complexities of GraphQL

18min

Exploring GraphQL Security and Access Management

3min

Addressing GraphQL Query Vulnerabilities

8min

Understanding API Versioning and its Challenges

2min

The Future of API Design and Development

11min

GraphQL is an open-source query language for APIs and a runtime for executing those queries. It was developed by Facebook to address the problem of over-fetching or under-fetching data, which is a common issue with traditional REST APIs.

Matt Bessey is a Principal Engineer and Software Architect. Earlier this year Matt wrote a blog post titled “Why, after 6 years, I’m over GraphQL”. The post put words to many users’ frustrations with the technology, and it went viral on Hacker News.

Matt joins the show today to talk about GraphQL, the problems it solves, its security vulnerabilities, and why it might not be a good fit for backend engineering today.

You can find a link to Matt’s blog posts here.

Gregor Vand is a security-focused technologist, and is the founder and CTO of Mailpass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile at vand.hk.