GraphQL for ProcessWire

[teppo]

15 minutes ago, Nurguly Ashyrov said:

Now I don't really know how to go on with this thread. Should we abandon it and start new thread in the modules section? Or maybe this thread could be moved to modules section? What @moderators think of this?

Personally I think that this thread already includes so much great content that it'd be a shame to abandon it -- not to mention that it's more than likely that folks looking for details about this module would end up here anyway.

It's your choice obviously, but if you want, I (or any other moderator here) would be more than happy to move this thread to the modules section. Just let us know when you have decided what to do with it  

[dadish]

2 hours ago, teppo said:

Personally I think that this thread already includes so much great content that it'd be a shame to abandon it -- not to mention that it's more than likely that folks looking for details about this module would end up here anyway.

It's your choice obviously, but if you want, I (or any other moderator here) would be more than happy to move this thread to the modules section. Just let us know when you have decided what to do with it  

I agree with you on that. I think it would be best if we move this thread to modules section. So, please move it to the modules section. Then after I will update my first post of this thread a bit and add a module tag I guess  

[teppo]

On 18/03/2017 at 1:29 PM, Nurguly Ashyrov said:

I agree with you on that. I think it would be best if we move this thread to modules section. So, please move it to the modules section. Then after I will update my first post of this thread a bit and add a module tag I guess  

Moved

[dadish]

50 minutes ago, teppo said:

Moved

Thank you @teppo! I knew I can count on you!

[microcipcip]

I am trying to use this module in the frontend. I added the following code:
 

<button class="graphBtn">Fetch data!</button>
<script src="<?php echo $config->urls->templates?>js/axios.js"></script>
<script>
  var $button = document.querySelector('.graphBtn');
  $button.addEventListener('click', function (e) {
    e.preventDefault();
    axios.post('/graphql/', {
      query: `
      {
        basic_page{
          list{
            title,
            summary,
            url
          }
        }
      }
      `
    })
      .then(response => {
        console.log(response.data);
      });
  });
</script>

And this is what I get back:

{
  "errors": [ { "message": "Must provide an operation." } ]
}

Do you know why? If I try the query in the GraphiQl admin I get the right data back. Do I have the wrong permissions set in the module?
 

[dadish]

1 hour ago, microcipcip said:

...

Do you know why? If I try the query in the GraphiQl admin I get the right data back. Do I have the wrong permissions set in the module?

No, it's not the permissions. You're doing everything properly.

I never tried this module with axios before, therefore this error is new to me. It turns out that axios sets the Content-Type header to application/json;charset=UTF-8 instead of application/json. That's where the problem was, because the ProcessGraphQL module would parse json payload only if Content-Type was set to just application/json. I changed the behavior and now it will look to your query in json payload if Content-Type contains application/json string in it. Please grab the latest version of the module and try again. It should work now.

Thank you for taking time to report the issue.

[microcipcip]

Now it works!! This is so cool...I wish I could like this thread twice :). Do you have any plan of adding the RepeaterField?

I don't know if it has been mentioned in this thread yet, but I found this cool GraphQL tutorial that may be useful for someone new to GraphQL. When I learn GraphQL properly I'll test this module more, as I think it has huge potential for introducing FrontEnd devs to ProcessWire.

[dadish]

19 minutes ago, microcipcip said:

Now it works!! This is so cool...I wish I could like this thread twice :). Do you have any plan of adding the RepeaterField?

I am happy it works now . The plan is to add support for all core fieldtypes. That includes RepeaterField also. I will try to keep everyone updated via this thread, and you can also keep with the changelog.

[mvdesign]

Hi, and thanks for this great module 

Can you provide an example on how to create/update a page from GraphQL API ?

Tried it without success...

 

Thank you !

[dadish]

On 3/21/2017 at 7:59 PM, mvdesign said:

Hi, and thanks for this great module 

Can you provide an example on how to create/update a page from GraphQL API ?

Hi @mvdesign. So sorry that I could not respond earlier. I decided to make an introduction video for this module to help people that are trying to use it. But then, I never made a screencast video before, and on top of that, the last time I spoke english was 2011. So I had to take dozens of try-outs till I got something watchable.

So here is the video. It shows how you would create/update pages with this module. The video is far from OK, so I will probably record another one after I get some feedback. Until then please refer to this video to learn about how the module works.

 

[adrian]

Fantastic video @Nurguly Ashyrov - really well put together and great English - I don't know how you come across so clearly given that you haven't spoken it in 6 years!

I am really excited to start using this module. The one thing I noticed which seemed a little weird to me was that by default the skyscraper-editor (or guest) user didn't have access to fields until you enabled field level access control and explicitly gave them view access (~35:10 min mark in video). By default in ProcessWire, anyone can view a field if field level access control is turned off. Only once it is turned on are any restrictions applied. Does that make sense, or did I misinterpret something?

Thanks again - this is going to be so very useful!

 

[dadish]

Thanks @adrian! I rerecorded the video many times before I could make it watchable. Trust me, you wouldn't say the same thing for the very first ones  

About the field access rules. Yeah that's true. By default the behavior is the opposite to the one in ProcessWire. I think it would be better for security if the module initially treats everything private. But I get what you mean. In cases where you have dozens of fields in one template, it would be too tedious to configure access for each of them. That's why there is an option to reverse the behavior in the advanced section of the module configuration. You can learn more about it here. This option basically makes all fields without Access rules available to the public and you can restrict access by enabling rules only to couple ones.

[szabesz]

 

3 minutes ago, Nurguly Ashyrov said:

I think it would be better for security if the module initially treats everything private.

+1

Also, normally a public query interface should not serve all data by default, as that would allow for pretty easy data harvesting.

[bernhard]

awesome screencast, nurguly. easy to follow, well explained and well spoken. it helped me a lot to get a better understanding what your module does and what could be done!

i'm curious what will be built on top of this

[adrian]

19 minutes ago, Nurguly Ashyrov said:

Thanks @adrian! I rerecorded the video many times before I could make it watchable. Trust me, you wouldn't say the same thing for the very first ones  

About the field access rules. Yeah that's true. By default the behavior is the opposite to the one in ProcessWire. I think it would be better for security if the module initially treats everything private. But I get what you mean. In cases where you have dozens of fields in one template, it would be too tedious to configure access for each of them. That's why there is an option to reverse the behavior in the advanced section of the module configuration. You can learn more about it here. This option basically makes all fields without Access rules available to the public and you can restrict access by enabling rules only to couple ones.

Thanks for the explanation and for the "Grant Field Access" config option. I definitely see your logic behind treating access the other way around. I guess I was just considering the situation where you have a regular web site where you want to be able to use the PW API as well as GraphQL. In this situation I would have no problem with all fields being accessible, so great that option is available!

[Robin S]

Super-useful video and your command of English is really impressive: you are more articulate than many native speakers! 

It's very slick what the GraphQL devs have done with the GraphiQL tool - so nice having the documentation explorer right there inside the tool.

Thanks for the video, and also a separate thanks for updating the Skyscrapers profile and making the export of that available. Would it be okay to mention your repo of that over in the Skyscrapers Profile thread so people can use it until we have an official profile release by Ryan?

[Soma]

@Nurguly Ashyrov awesome cast! Thanks for making all this and taking your time to make it awesome  This is really cool stuff and opens up a lot of possibilities.

[dadish]

5 hours ago, Robin S said:

Thanks for the video, and also a separate thanks for updating the Skyscrapers profile and making the export of that available. Would it be okay to mention your repo of that over in the Skyscrapers Profile thread so people can use it until we have an official profile release by Ryan?

Sure, by all means.

5 hours ago, Soma said:

@Nurguly Ashyrov awesome cast! Thanks for making all this and taking your time to make it awesome  This is really cool stuff and opens up a lot of possibilities.

Thanks. I am glad you like it @Soma.

[Soma]

Just playing around a little with it and it's amazing having a blast. 

Just wanted to mention I got caught by a redirect scenario and language stuff. If you have multilange installed and configured to have language segments "/en/", "/de/" ...  so trying out ajax requests to "/graphql/" would redirect to "/en/graphql/ " but you get a response:

{"errors":[{"message":"Must provide an operation."}]}

So it took me a while to figure out and was looking at the query instead. Doing the request to "/en/graphql/" works flawless.

I was testing the languages and the graphql pages you create don't have alternative languages active. This also might get you caught, when graphql is installed when there is more than 1 language set up.

Permission so far seem to work. The template access setting seem no to be inherited, I guess that is intentional? I may have missed it and it was mentioned. Then I'm sorry.  – Like in a default install "home" has guest view access enabled, so all pages inherit that (unless you set it no to). But I had to give basic-page explicit guest view access to get querying. I think it's ok to not have all templates inherit access for graphQL. 

Thanks and keep up the good work!

 

[Soma]

How does the date field work? I get "Not valid resolved type for field \"datetime\"" datetime being the name of the field in my case.

Edit: Forget it I'm dumb, forgot to allow the field. It's unusual to not have access as superuser. But the error message is a little missleading

Edit: Lol hmm I added it to allowed fields and still same error. System fields "created",  "modified" work fine.

Also if you only want to get one specific page is it correct to do for example a

{
  basic_page(s: "id=1001"){ 
    list{ 
      title
    }
  }
}

or are there any other methods?

Edit:

Something else would be image Pageimage is there any support for creating sizes? I see there's something but I don't understand it yet. 

Edit: Ok I got it. I have to enable "size" for image first images the it work nicely:

... images{ size(width: 150, height: 0) { url } } ... 

So we can request a size that doesn't exist and it will create it if we have rights to do so. Thats would be pretty cool. Would be crazy to allow some stranger creating 1million sizes through public API . But still if one has write access it is possible, but maybe thats no real issue. 

I'm still trying to grasp the concept of graphQL and your implementation in PW. So every new Fieldtype and InputfieldType would have to be implemented to work with graphQL?

[microcipcip]

I think I have found a possible solution for @bernhard  and @LostKobrakai  concerns about the ability to perform queries in the frontend.

You could use the persisted queries technique, basically you can install this npm package (there's also this webpack plugin) that will scan your code and remove the graphQL client side queries and save them to an external JSON file. Then in the PHP side you could load this JSON file and give GraphQL the right query based on the query id sent from the client side (I think you can also send variables along the query id, so the query is not "static").

I guess that if a malicious user sends a standard graphQL query you could just intercept that, so if it is not a valid id from the generated JSON file you won't execute graphQL.

[dadish]

On 3/31/2017 at 6:31 PM, Soma said:

Just wanted to mention I got caught by a redirect scenario and language stuff. If you have multilange installed and configured to have language segments "/en/", "/de/" ...  so trying out ajax requests to "/graphql/" would redirect to "/en/graphql/ " but you get a response:

{"errors":[{"message":"Must provide an operation."}]}

So it took me a while to figure out and was looking at the query instead. Doing the request to "/en/graphql/" works flawless.

Yeah, I had my nightmares with this situation too. There are lots of scenarios when ProcessWire could redirect your ajax requests and the graphql will not receive the query. The ones that I had encountered were:

• If the url ends without slash: ...website.com/graphql ==> ...website.com/graphql/
• If there is now www prefix: website.com/graphql/ ==> www.website.com/graphq/

And now I guess when languages are enabled you also gotta make sure ProcessWire is not redirecting you to the respective language url of the graphql api. I haven't tested the module with the languages enabled yet, but I am sure there would be some additional caveats.

On 3/31/2017 at 6:31 PM, Soma said:

Permission so far seem to work. The template access setting seem no to be inherited, I guess that is intentional? I may have missed it and it was mentioned. Then I'm sorry.  – Like in a default install "home" has guest view access enabled, so all pages inherit that (unless you set it no to). But I had to give basic-page explicit guest view access to get querying. I think it's ok to not have all templates inherit access for graphQL. 

Yes, that's the expected behavior. Unfortunately to support permission inheritance would be too expensive. Because it means to check template permissions of each ancestor of each returned page. I think the module is already slow and supporting permission inheritance would make it even slower. I guess I have to mention about not supporting permission inheritance somewhere in the documentation of the module.

23 hours ago, Soma said:

... Lol hmm I added it to allowed fields and still same error. System fields "created",  "modified" work fine.

That's right, it turns out there was a bug. I pushed an update regarding the datetime field. Grab the latest version of the module and it should work properly.

23 hours ago, Soma said:

Also if you only want to get one specific page is it correct to do for example a

{
  basic_page(s: "id=1001"){ 
    list{ 
      title
    }
  }
}

or are there any other methods?

Yep. That's the way. I know, it's ugly. But I can't think of a less verbose way to return a single page from the api. We could, of course introduce an additional field for each template like basic_page_single or something. But I don't think it's worth it, plus it will make the schema bigger for very little gain.

23 hours ago, Soma said:

So we can request a size that doesn't exist and it will create it if we have rights to do so. Thats would be pretty cool. Would be crazy to allow some stranger creating 1million sizes through public API . But still if one has write access it is possible, but maybe thats no real issue. 

I'm still trying to grasp the concept of graphQL and your implementation in PW. So every new Fieldtype and InputfieldType would have to be implemented to work with graphQL?

I totally agree. We can't allow everyone to create images. The size field of the image type creates images only if the user has an edit permission on that image field. It is still available to the users who do not have edit permission, but only for getting existing variations, and it should return null if there isn't an image variation with the requested size.

Edit: By the way, thanks a lot for the feedback.

[mvdesign]

@Nurguly Ashyrov Thanks for the video ! i'm using your module with Vue.js for a web application, really nice. I'm juste facing a problem right now, i get an error when trying to get checkboxes : Not valid resolved type for field \"checkbox_name\" (the field access is allowed in graphql settings). Any idea ?

 

[dadish]

18 minutes ago, mvdesign said:

@Nurguly Ashyrov Thanks for the video ! i'm using your module with Vue.js for a web application, really nice. I'm juste facing a problem right now, i get an error when trying to get checkboxes : Not valid resolved type for field \"checkbox_name\" (the field access is allowed in graphql settings). Any idea ?

Yes. It was my bad. I did not make sure the FieldtypeCheckbox always returned a boolean. I think it returns 0/1 in ProcessWire. Anyways, just patched it. Update to the latest version and it should work.

Edit: As always, thanks for the feedback.

[mvdesign]

@Nurguly Ashyrov Perfect  Thanks a lot !