Are GraphQL queries supposed to trigger controller actions in Strapi v4?

timohofmeijer · December 15, 2021, 2:28pm

System Information

Strapi Version: 4.0
Operating System:
Database:
Node Version:
NPM Version:
Yarn Version:

In Strapi 4.0, controller actions are not triggered for GraphQL queries. This is the case for both factory-controller-actions as well as custom controller actions. Controller actions work just fine for the REST API. Can anyone tell me if this is by design or if my implementation is just off?

timohofmeijer · December 15, 2021, 2:45pm

The same is true for services I just now discover.

KadlinoBIT · December 16, 2021, 10:06am

Hi Timo,
I found the same thing right after I installed the first V4 beta, since then I’ve been asking but still didn’t get an answer.
Truth is that there is no documentation or examples on customizing graphQL in v4.
Check the discussion under this Github issue that sheds some first light on gql customization:

github.com/strapi/strapi

V4 aggregation-grouping

opened 11:29AM - 01 Dec 21 UTC

violabg

issue-type: feature request source: plugin:graphql

## Feature request in V3 you had this feature https://docs-v3.strapi.io/developer-docs/latest/development/plugins/graphql.html#aggregation-grouping is this no longer possible in v4? do you have alternative? ### Why is it needed? I have a project that uses this functionality and would like to migrate in on v4 in the future.

My last comment shows how to resolve gql query using a controller - but I still don’t know how to correctly format the data (when returned the response seems empty). Maybe you will find an answer to this (if you do, please let me know).

Another github issue to watch would be this request for documentation on gql customization:

github.com/strapi/documentation

[Request]: customising graphQl

opened 11:38AM - 01 Dec 21 UTC

violabg

type: doc request

### Summary in backend-customization/ https://docs.strapi.io/developer-doc…s/latest/development/backend-customization/controllers.html#adding-a-new-controller you have this example: ```js // path: ./src/api/restaurant/controllers/restaurant.js const { createCoreController } = require('@strapi/strapi').factories; module.exports = createCoreController('api::restaurant.restaurant', ({ strapi }) => ({ // Method 1: Creating an entirely custom action async exampleAction(ctx) { try { ctx.body = 'ok'; } catch (err) { ctx.body = err; } }, // Method 2: Wrapping a core action (leaves core logic in place) async find(ctx) { // some custom logic here ctx.query = { ...ctx.query, local: 'en' } // Calling the default core action const { data, meta } = await super.find(ctx); // some more custom logic meta.date = Date.now() return { data, meta }; }, // Method 3: Replacing a core action async findOne(ctx) { const { id } = ctx.params; const { query } = ctx; const entity = await strapi.service('api::restaurant.restaurant').findOne(id, query); const sanitizedEntity = await this.sanitizeOutput(entity, ctx); return this.transformResponse(sanitizedEntity); } }); ``` how to can we do the same for GraphQL? both adding a new method (exampleAction) and extending existing ones like find and findMany ### Why is it needed? I want to use GraphQL but can't figure it out, how to extend it. in particular I'm interested in create a method to return an entity via slug with graphQL, whit a new custom method like getEntityBySlug(slug) that returns a single entity, and not using find(filters) ### Suggested solution(s) _No response_ ### Related issue(s)/PR(s) _No response_

Paolo · December 16, 2021, 4:05pm

try returning results like this,

return {
    value: yourResults
};

timohofmeijer · December 17, 2021, 9:53am

You can find the factory resolver here:

node_modules/@strapi/plugin-graphql/server/services/builders/mutations/collection-type.js

There you see the actual actions ( find , findOne , create , update , and delete) are constructed here:

node_modules/@strapi/plugin-graphql/server/services/builders/resolvers/query.js
node_modules/@strapi/plugin-graphql/server/services/builders/resolvers/mutation.js

These actions make use of the new entityService API, thus indeed do not call the controller actions nor services, so it indeed looks like this is by design.

If you’d want to, looking at the factory resolvers could help you working out how to call the controller method inside a custom resolver. To me it feels a bit to hacky and prone to break on future updates.

The fact that core controllers and services seem completely irrelevant when using GraphQL is not reflected in the documentation, nor is the designated location where to handle its business logic. My guess would be the gql resolver. It’s just very strange to go to the trouble unifying the REST and GraphQL response format while at the same time completely diverging the 2 API flavors under the hood, not just for controllers, but services, policies and middleware as well. I dont have a problem with this per se, but I’d suggest adding a big ass toggle at the top of the documentation: REST or GraphQL.

I’d really appreciate a response from a Strapi developer on what the intended approach is when it comes to business logic within a GraphQL API.

KadlinoBIT · December 21, 2021, 9:55am

Hi,
I have copy-pasted a small update from one of the Strapi team-members regarding the way of resolving gql queries / mutations is in this topic:

Long story short, controllers should not be used to resolve gql queries as one of the goals for v4 was to decouple REST & GraphQL.

timohofmeijer · December 21, 2021, 10:53am

Yes, I expected something like this . I think the documentation should more clearly reflect this though and it leaves the matter of where to put GraphQL business-logic unresolved. The problem with handling this inside a custom resolver is that you’d have to replicate the behavior of the default resolve method, since the pattern of extending the factory behavior is not implemented for GraphQL resolvers. I extracted the default behavior into utility functions myself, so I can handle business-logic inside the resolver and trigger the default behavior with a single function call. This is suboptimal though, since changes to the ‘core’ resolve methods need to be mirrored when updating Strapi.

Perhaps it can help you or someone else. Please note that I’ve only implemented the resolve methods I personally needed.

// src/utilities/core-resolvers.js
/**
 * This exports the ‘core’ resolve methods extracted/duplicated from
 * @strapi/plugin-graphql. When overwriting the resolve function to add
 * custom business-logic, these methods can be used to trigger the
 * default resolve behavior from within this overwrite.
 *
 * Please note that not all core resolve methods are extracted yet.
 * You can find and extract them from here:
 * - node_modules/@strapi/plugin-graphql/server/services/builders/mutations
 * - node_modules/@strapi/plugin-graphql/server/services/builders/queries
 *
 * I added the `contentTypeName` argument which should contain the
 * contentType identifier ("api::restaurant.restaurant").
 */

const { sanitize } = require("@strapi/utils");

const coreUpdateMutationResolve = async (
  contentTypeName,
  parent,
  args,
  context
) => {
  const { service: getService } = strapi.plugin("graphql");
  const { transformArgs } = getService("builders").utils;
  const { toEntityResponse } = getService("format").returnTypes;

  const contentType = strapi.contentTypes[contentTypeName];
  const { uid } = contentType;

  // Direct copy from here on:
  const { auth } = context.state;
  const transformedArgs = transformArgs(args, { contentType });

  // Sanitize input data
  const sanitizedInputData = await sanitize.contentAPI.input(
    transformedArgs.data,
    contentType,
    { auth }
  );

  Object.assign(transformedArgs, { data: sanitizedInputData });

  const { update } = getService("builders")
    .get("content-api")
    .buildMutationsResolvers({ contentType });

  const value = await update(parent, transformedArgs);

  return toEntityResponse(value, {
    args: transformedArgs,
    resourceUID: uid,
  });
};

const coreCreateMutationResolve = async (
  contentTypeName,
  parent,
  args,
  context
) => {
  const { service: getService } = strapi.plugin("graphql");
  const { transformArgs } = getService("builders").utils;
  const { toEntityResponse } = getService("format").returnTypes;

  const contentType = strapi.contentTypes[contentTypeName];
  const { uid } = contentType;

  // Direct copy from here on:
  const { auth } = context.state;
  const transformedArgs = transformArgs(args, { contentType });

  // Sanitize input data
  const sanitizedInputData = await sanitize.contentAPI.input(
    transformedArgs.data,
    contentType,
    { auth }
  );

  Object.assign(transformedArgs, { data: sanitizedInputData });

  const { create } = getService("builders")
    .get("content-api")
    .buildMutationsResolvers({ contentType });

  const value = await create(parent, transformedArgs);

  return toEntityResponse(value, { args: transformedArgs, resourceUID: uid });
};

module.exports = {
  coreUpdateMutationResolve,
  coreCreateMutationResolve,
};

You can use it like this:

// src/index.js

const { coreUpdateMutationResolve } = require("./utilities/core-resolvers.js");

module.exports = {
  register({ strapi }) {
    const extensionService = strapi.plugin("graphql").service("extension");

    extensionService.use({
      resolvers: {
        Mutation: {
          updateRestaurant: {
            resolve: async (parent, args, context) => {
              // Handle business logic here ...
              return await coreUpdateMutationResolve(
                "api::restaurant.restaurant",
                parent,
                args,
                context
              );
            }
          }
        }
      }
    })
  }
}

timohofmeijer · December 27, 2021, 4:07pm

From the Graphql website:

Where should you define the actual business logic? Where should you perform validation and authorization checks? The answer: inside a dedicated business logic layer. Your business logic layer should act as the single source of truth for enforcing business domain rules.

(https://graphql.org/learn/thinking-in-graphs/#business-logic-layer)

So by definition of the GraphQL specification, the resolver is not a desirable place for business logic. I’d love to hear from a Strapi dev why they choose to bypass the controller in the GraphQL API, and what they envisioned to be the place to handle its business logic…

Laurens_Kling · January 2, 2023, 1:45pm

I ended up here while looking an answer why my Graphql queries weren’t being handled by my controllers, as they did in v3. So this is by design? yikes…

Laurens_Kling · January 3, 2023, 9:01am

It’s baked into the GraphQL plugin that mutations go to the entityService, not to the controllers:

github.com

strapi/strapi/blob/main/packages/plugins/graphql/server/services/builders/resolvers/mutation.js#L17

    
      
          module.exports = ({ strapi }) => ({
            buildMutationsResolvers({ contentType }) {
              const { uid } = contentType;
          
          
    return {
                async create(parent, args) {
                  // todo[v4]: Might be interesting to generate dynamic yup schema to validate payloads with more complex checks (on top of graphql validation)
                  const params = pickCreateArgs(args);
          
          
        // todo[v4]: Sanitize args to only keep params / data / files (or do it in the base resolver)
                  return strapi.entityService.create(uid, params);
                },
          
          
      async update(parent, args) {
                  const { id, data } = args;
          
          
        return strapi.entityService.update(uid, id, { data });
                },
          
          
      async delete(parent, args) {
                  const { id, ...rest } = args;

Dev_Ewu · March 5, 2023, 6:14pm

Wow. ok. So basically GraphQL is totally useless as it steps over validation and business logic. It is like a wire directly to the database? This is a real security issue. So best practice should be then turning it off or removing it completely as it is just usable for really simple public websites. Is there somewhere a guide on how to remove it completely from the api?

The thing is that Strapi is not really flexible when it comes to the ability to define conditional authorization logics via the admin ui. Things like

const subscriptionActive = (... service logic to define subscription state)
if(workflowState === "approval" && role === "paidUser" && subscriptionActive === true ){
return true
}
return false;

must be possible. I do not expect and also do not believe it would be a good idea to handle that via the UI. Instead there should be an mvc or event driven business logic layer - exactly as the one which is in place. - The one that is bypassed.
… why Strapi devs … why?

Boegie19 · March 6, 2023, 1:25am

This is done since the ctx object strapi and appolo use are different still they should have called the services and not the entity service that is why it skips policies and controllers/middleware since they all depend on the ctx being the same as strapis one

Dev_Ewu · March 6, 2023, 1:33am

I understand. Thanks for clarifying. I will avoid to use GraphQl in this case.