GraphQL API improvements

Open MikkCZ opened this issue 3 years ago • 1 comments

When implementing a generated client for the Pontoon Add-on, I made several observations about the GQL schema of Pontoon and the server implementation as well. Feel free to split this into separate issues if you consider them important enough.

  • I am not sure the __debug field should be part of the schema directly. GraphQL code generator does not seem to like it and its documentation says __ fields are reserved for introspection.
  • The /graphql endpoint only accepts queries in the URL's query parameter and via GET method. POST method does not work, respectively returns CSRF error.
  • All fields in GQL schema are nullable, some are even optional, which means using the generated client is not easy at all (see the code). It would be very nice if the field types match what the server may or may not actually return.

In any case, the best approach might be actually dogfooding the API more, possibly using some generated client from Pontoon's frontend as well, like Apollo client or some other, that provides React hooks.

MikkCZ avatar May 11 '22 19:05 MikkCZ

The /graphql endpoint only accepts queries in the URL's query parameter and via GET method. POST method does not work, respectively returns CSRF error.

Note: We have restored CSP and CSRF protection in https://github.com/mozilla/pontoon/commit/deb8d6d1fb5ae7099e1a4df50c5033bb0e34d627 as a security measure. I agree we should restore the ability to make POST requests to the API.

mathjazz avatar May 12 '22 19:05 mathjazz