Related reading:

Facebook/GraphQL vs. APIJSON, a full comparison (1): basic features

Since APIJSON was released, users have been comparing it with GraphQL, developed by Facebook, and many people even claim that APIJSON is “completely superior”.

In fact, APIJSON “blows away” GraphQL!

APIJSON’s slogan is:

Automate back-end interfaces and documentation, and let the front end (client) customize the returned JSON data and structure!

APIJSON:

APIJSON is a JSON network transport protocol designed for APIs. It provides a fully automated API for simple create, delete, update and read operations, complex queries and simple transactions. It greatly reduces development and communication costs, simplifies the development process and shortens the development cycle. It suits small and medium-sized projects with separated front and back ends, especially Internet start-up projects and in-house enterprise projects.

With automated APIs, the front end can customize any data in any structure! For most HTTP requests the back end no longer writes interfaces, let alone documentation! The front end no longer has to argue with the back end about interface or documentation issues! No more pitfalls from documentation errors! The back end no longer has to write new versions of interfaces and documentation to stay compatible with old ones! And the back end will no longer be endlessly pestered by the front end at all hours!

Features

Online parsing

  • Automatically generates documentation that is legible and always up to date
  • Automatically generates request code for Android and iOS
  • Automatically generates all JavaBeans, with one-click download
  • Automatically manages and tests interface use cases, with one-click sharing
  • Automatically validates and formats JSON, with highlighting and expansion

For the front end

  • No need to press the back end for interfaces or documentation
  • Data and structure are completely customizable; you get whatever you ask for
  • What you request is exactly what you get
  • Any data, in any structure, can be retrieved in a single request
  • Duplicate data can be removed, saving traffic and improving speed

For the back end

  • Provides a common interface; most APIs no longer need to be written
  • Documentation is generated automatically and needs no writing or maintenance
  • Automatic permission verification and automatic version management
  • Open APIs need no versioning and stay compatible forever
  • Supports create, delete, update, fuzzy search, regular-expression matching and remote functions

Video presentation: http://i.youku.com/apijson

Automated permission control (unique to APIJSON):

GraphQL does not provide permission control, and even the official documentation and source code contain hardly any tutorials on how to implement it; they only show how to implement permissions for an owner role by hand in your business code.

This line of code is highlighted:

if (context.user && (context.user.id === post.authorId))

The user-id check is added by hand to the resolve function of postType in the back end. When the table corresponding to postType is queried, the result is returned only if the authorId of the post equals the id of the visiting user.

A friendly reminder: don’t hard-code this inside the resolve function of a Type.

Instead, wrap it in a postRepository with a getBody function that performs the check and returns the result internally.

This is not only cleaner but also reusable when postType is used in other types (for example userType nesting postType). (PS: this is not in the official documentation; I added it myself.)

But even if you take the time to write a new class and a new function and do this encapsulation, that only makes postType reusable.

Don’t humanType, droidType, queryType and a whole bunch of other Types still have to be written by hand?

https://github.com/graphql/graphql-js/blob/master/src/__tests__/starWarsSchema.js

Moreover, in today’s Internet applications, whether websites or mobile apps, any slightly more complicated role model goes beyond just [owner].

Most of them, especially social applications, include two further roles: contact and circle of friends.

Of course, every application with account login can also be divided into [logged in] and [not logged in] roles.

Since GraphQL does not provide permission control, you have to write the checks for every role yourself.

Based on the only official example above, the checks for all the roles would be:

Not logged in:

if (context.user == null || context.user.id == null || context.user.id <= 0) {
  return post.body;
}

return null;

Logged in:

if (context.user && context.user.id && context.user.id > 0) {
  return post.body;
}

return null;

Circle of friends:

var userId = context.user == null ? null : context.user.id;
var contactIdList = context.user == null ? null : context.user.contactIdList; // Contact ID list
if ((userId && userId === post.authorId) || (contactIdList && contactIdList.indexOf(post.authorId) >= 0)) {
  return post.body;
}

return null;

Contacts:

var contactIdList = context.user == null ? null : context.user.contactIdList; // Contact ID list
if (contactIdList && contactIdList.indexOf(post.authorId) >= 0) {
  return post.body;
}

return null;

Owner:

if (context.user && (context.user.id === post.authorId)) {
  return post.body;
}

return null;

Merely implementing the role permission control for querying postType with GraphQL already requires this much checking code!

Suppose our database has 20 tables (only a very lightweight application would have so few) and we write 20 Types: that is 20*5 = 100 checks!!

That is at least 20*(4 + 4 + 6 + 5 + 4) = 460 lines of code just to check role permissions!!
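To make the per-role checks above reusable, the postRepository approach suggested earlier can be driven by a single table of role predicates. The code below is an added example written for this comparison, not code from the post or from graphql-js; the role names follow the five cases above, and the shapes of context.user and post are the ones the snippets already assume.

```javascript
// Added example for this comparison, not code from the post or from graphql-js.
// One predicate per role; `user` is context.user and `post` has authorId/body,
// the same shapes the resolver snippets above assume.
const ROLE_CHECKS = {
  // Not logged in: no session, or no positive user id.
  UNKNOWN: (user) => !user || !user.id || user.id <= 0,
  LOGIN:   (user) => !!(user && user.id && user.id > 0),
  OWNER:   (user, post) => !!(user && user.id === post.authorId),
  CONTACT: (user, post) =>
    !!(user && Array.isArray(user.contactIdList) &&
       user.contactIdList.indexOf(post.authorId) >= 0),
  // Circle of friends: the author himself or one of the author's contacts.
  CIRCLE:  (user, post) =>
    ROLE_CHECKS.OWNER(user, post) || ROLE_CHECKS.CONTACT(user, post),
};

// The postRepository.getBody the post recommends: returns post.body when the
// caller satisfies the role the Type requires, otherwise null. Any Type that
// nests Post (userType, queryType, ...) reuses it instead of copying the ifs.
function getBody(context, post, requiredRole) {
  const check = ROLE_CHECKS[requiredRole];
  if (!check) throw new Error(`Role ${requiredRole} does not exist!`);
  const user = context ? context.user : null;
  return check(user, post) ? post.body : null;
}

// A resolver then shrinks to one line per Type (hypothetical postType shape).
const postType = {
  body: (post, args, context) => getBody(context, post, 'CIRCLE'),
};
```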


APIJSON provides automated permission control that can be broken down to the granularity of each table, each row, each role and each operation!

And it only takes 3 lines of code per table to configure the create, delete, update and read permissions for all roles!

With APIJSON, a table such as the User table is set up in 3 lines:

// Register permissions with the default settings
@MethodAccess
public class User {
  // The body is only used to describe the table fields and for Android app development.
}

// Register the permissions inside DemoVerifier
ACCESS_MAP.put(User.class.getSimpleName(), getAccessMap(User.class.getAnnotation(MethodAccess.class)));

Or you can customize the role permissions for POST requests:

@MethodAccess(
  POST = {UNKNOWN, ADMIN} // Only the not-logged-in (UNKNOWN) role and the administrator role may add users; the default configuration is {LOGIN, ADMIN}.
)
public class User {}

Then run the Server project and send the request:

URL: http://apijson.cn:8080/get

Request:

{
    "User": {
        "id": 82001
    }
}

Returns:

{
    "User": {
        "id": 82001,
        "sex": 0,
        "name": "Test",
        "tag": "APIJSON User",
        "head": "http://static.oschina.net/uploads/user/19/39085_50.jpg",
        "contactIdList": [
            82004,
            82021,
            70793
        ],
        "pictureList": [
            "http://common.cnblogs.com/images/icon_weibo_24.png"
        ],
        "date": "2017-02-01 19:21:50.0"
    },
    "code": 200,
    "msg": "success"
}

Let’s see whether APIJSON’s automated permission control lives up to expectations, and whether it can be bypassed.

User: /get/{"User":{"id":38710}}

Request successful:

{
    "User": {
        "id": 38710,
        "sex": 0,
        "name": "TommyLemon",
        "tag": "Android&Java",
        "head": "http://static.oschina.net/uploads/user/1218/2437072_100.jpg?t=1461076033000",
        "contactIdList": [
            82003, 82005, 90814, 82004, 82009, 82002, 82044, 93793, 70793
        ],
        "pictureList": [
            "http://static.oschina.net/uploads/user/1218/2437072_100.jpg?t=1461076033000",
            "http://common.cnblogs.com/images/icon_weibo_24.png"
        ],
        "date": "2017-02-01 19:21:50.0"
    },
    "code": 200,
    "msg": "success"
}

Querying the user’s private information, Privacy: /get/{"Privacy":{"id":38710}}

The request fails the GET permission check:

{
    "Privacy": {
        "id": 38710
    },
    "code": 401,
    "msg": "Privacy does not allow GET requests from UNKNOWN users!"
}

Take a look at the source:

@MethodAccess(
  GET = {},
  GETS = {OWNER, ADMIN}
)
public class Privacy {}

GET is clearly not allowed at all. GETS is allowed, but only for OWNER or ADMIN.

URL: http://apijson.cn:8080/gets, request:

{
    "Privacy": {
        "id": 38710
    },
    "tag": "Privacy"
}

Still fails, because the user is not logged in: an UNKNOWN user is one who is not logged in.

{
    "Privacy": {
        "id": 38710
    },
    "tag": "Privacy",
    "code": 407,
    "msg": "No login, please login again!"
}

So can we fake a role to fool APIJSON? Let’s try:

{
    "Privacy": {
        "id": 38710,
        "@role": "circle"
    },
    "tag": "Privacy"
}

Same error: not logged in.

{
    "Privacy": {
        "id": 38710,
        "@role": "circle"
    },
    "tag": "Privacy",
    "code": 407,
    "msg": "No login, please login again!"
}

OK, trying again after logging in gives a new error:

{
    "Privacy": {
        "id": 38710,
        "@role": "circle"
    },
    "code": 401,
    "msg": "Privacy does not allow CIRCLE users to request GETS!"
}

Why? The role matches neither OWNER nor ADMIN.

What about the OWNER role?

{
    "Privacy": {
        "id": 38710,
        "@role": "owner"
    },
    "tag": "Privacy"
}

Still an error:

{
    "Privacy": {
        "id": 38710,
        "@role": "owner"
    },
    "code": 401,
    "msg": "Privacy with ID = 38710 does not allow OWNER user GETS requests!"
}

What about a role that doesn’t exist on the back end?

{
    "Privacy": {
        "id": 38710,
        "@role": "test"
    },
    "tag": "Privacy"
}

Error: the role does not exist:

{
    "Privacy": {
        "id": 38710,
        "@role": "test"
    },
    "code": 406,
    "msg": "Role test does not exist! Can only be one of [UNKNOWN, LOGIN, CONTACT, CIRCLE, OWNER, ADMIN]!"
}

Try "@role": "admin":

{
    "Privacy": {
        "id": 38710,
        "@role": "admin"
    },
    "tag": "Privacy"
}

The error is still reported:

{
    "Privacy": {
        "id": 38710,
        "@role": "admin"
    },
    "code": 406,
    "msg": "Wrong role settings! Privacy:{@role:admin}!"
}

The administrator role can only be set inside the server.

Therefore, under the Privacy permission configuration, the front end can only use the OWNER role to query the Privacy of the currently logged-in account (id = 82001):

{
    "Privacy": {
        "id": 82001,
        "@role": "owner" // auto-completed from the configuration in the Request table
    },
    "tag": "Privacy"
}

This returns the correct result:

{
    "Privacy": {
        "id": 82001,
        "certified": 1,
        "phone": 13000082001,
        "balance": 8781.46
    },
    "code": 200,
    "msg": "success"
}
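The walkthrough above boils down to one declarative check per table and method. The following is an added model written for this article, not APIJSON’s own source: it encodes the Privacy annotation and reproduces the 401/406/407 responses seen above, while the User table’s allowed roles, the order of the checks and the shape of the session object are assumptions.

```javascript
// Added model for this article, not APIJSON's source. Role names and the
// 401/406/407 codes come from the responses above; the User table's allowed
// roles, the check ordering and the session shape are assumptions.
const ROLES = ['UNKNOWN', 'LOGIN', 'CONTACT', 'CIRCLE', 'OWNER', 'ADMIN'];

// Per-table, per-method allowed roles: the equivalent of @MethodAccess.
const ACCESS_MAP = {
  User:    { GET: ROLES, GETS: ROLES },           // assumed default: open to all roles
  Privacy: { GET: [], GETS: ['OWNER', 'ADMIN'] }, // from the Privacy source above
};

// user: the server-side session (null when not logged in).
// body: the table object from the request, e.g. { id: 38710, '@role': 'owner' }.
function verify(user, table, method, body) {
  const rawRole = body['@role'];
  const role = rawRole == null ? 'UNKNOWN' : String(rawRole).toUpperCase();
  if (!ROLES.includes(role)) {
    return { code: 406, msg: `Role ${rawRole} does not exist! Can only be one of [${ROLES}]!` };
  }
  // ADMIN can only be granted inside the server, never claimed by a client.
  if (role === 'ADMIN') {
    return { code: 406, msg: `Wrong role settings! ${table}:{@role:${rawRole}}!` };
  }
  const allowed = (ACCESS_MAP[table] || {})[method] || [];
  // A method with no allowed roles at all is refused outright.
  if (allowed.length === 0) {
    return { code: 401, msg: `${table} does not allow ${method} requests from ${role} users!` };
  }
  const loggedIn = !!(user && user.id > 0);
  // Claiming a role, or using a method closed to UNKNOWN, requires a session.
  if (!loggedIn && (role !== 'UNKNOWN' || !allowed.includes('UNKNOWN'))) {
    return { code: 407, msg: 'No login, please login again!' };
  }
  if (!allowed.includes(role)) {
    return { code: 401, msg: `${table} does not allow ${role} users to request ${method}!` };
  }
  // OWNER is only valid for the caller's own row.
  if (role === 'OWNER' && body.id !== user.id) {
    return { code: 401, msg: `${table} with ID = ${body.id} does not allow OWNER user ${method} requests!` };
  }
  return { code: 200, msg: 'success' };
}
```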


Note: all of the above APIJSON requests can be tested with the online tool at http://apijson.cn

Conclusion

GraphQL does not provide permission control, so the back end has to write a large amount of checking code for the various roles in the Type corresponding to every table!

APIJSON provides automated permission control that can be broken down to the granularity of each table, each row, each role and each operation!

And it only takes 3 lines of code per table to configure the create, delete, update and read permissions for all roles! The test cases above also show that it is not only simple to configure but also very reliable!

APIJSON: automate back-end interfaces and documentation, and let the front end (client) customize the returned JSON data and structure!

Creating this is not easy; please click Star in the upper right corner to show your support. Thank you so much!

Github.com/TommyLemon/…