GraphQL API Support (#121) #165

Open
David-patrick-chuks wants to merge 3 commits into llinsss:master from David-patrick-chuks:feat/graphql-api-support-121
@David-patrick-chuks (Contributor) commented Feb 21, 2026

Overview

This PR implements a GraphQL API alongside the existing REST API, leveraging Apollo Server. It introduces the foundational GraphQL schema and resolvers for the User and Transaction models, alongside robust authentication via JWTs and a hard limit on query complexity to prevent overly expensive queries from impacting server performance.

Related Issue

Closes #121

Changes

📡 GraphQL Setup & Integration

  • [NEW] backend/graphql/schema.js
    • Defines the core GraphQL schema using SDL, including User and Transaction types.
    • Exposes me, myTransactions, and transaction(id: ID!) queries.
  • [NEW] backend/graphql/resolvers.js
    • Implements resolver functions for all queries.
    • Integrates direct authorization checks, ensuring authenticated users can only query their own data (with admin overrides).
  • [NEW] backend/graphql/apollo.js
    • Wraps the Apollo Server setup in a modular initApollo function.
    • Mounts Apollo to the /graphql endpoint via expressMiddleware.
    • Configures the request context to parse and verify JWTs from the Authorization header, resolving the current user.
    • Implements a custom AST-based field counter to calculate query complexity, enforcing a maximum complexity limit of 100 on all inbound queries (protecting the API without relying on conflicting external packages).
  • [MODIFY] backend/server.js
    • Calls initApollo sequentially during server startup, passing in the HTTP server instance for graceful draining.
  • [MODIFY] backend/package.json
    • Adds @apollo/server and graphql dependencies.

🧪 Testing

  • [NEW] backend/tests/graphql.test.js
    • Injects a dedicated test DB instance into Apollo Server to avoid test teardown conflicts (bypassing the winston logger chain during tests).
    • Verifies unauthenticated queries immediately reject with "Not authenticated".
    • Verifies authenticated queries successfully return correct User data.
    • Constructs an intentionally large query (105+ aliased fields) to prove the query complexity limits are enforced correctly.

Verification Results

| Scenario | Status |
| --- | --- |
| Dependency Validation | ✅ Passed |
| Unauthenticated access blocked | ✅ Verified via Jest |
| Authenticated access allowed | ✅ Verified via Jest |
| Query complexity limits enforced (> 100) | ✅ Verified via Jest |
| Tests run without teardown issues | ✅ Verified (npm test tests/graphql.test.js) |

How to Test

  1. Start the backend: cd backend && npm run dev
  2. Obtain a valid JWT token via login or registration (POST /api/auth/login).
  3. Send a POST request to http://localhost:5000/graphql with an Authorization: Bearer <token> header and a valid GraphQL query.
    {
      "query": "query { me { id email } }"
    }
  4. To test complexity limits, attempt to send a query with more than 100 field aliases; it should be rejected.

Test Recording:

1. Jest Integration Tests Passing

Execution of npm run test tests/graphql.test.js showing all 3 GraphQL tests passing (Authentication block, fetching user data, and query complexity limits).

Screen.Recording.2026-02-21.at.11.57.49.mov
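
The PR description above mentions an AST-based field counter with a limit of 100. The sketch below is an added example, not the PR's code (which this page does not show): it counts fields over nodes shaped like the AST that graphql-js `parse()` returns and expands fragment spreads at each use, so a fragment reused several times is charged every time. The helper names and sample documents are constructed for illustration.

```javascript
const MAX_COMPLEXITY = 100; // limit stated in the PR description

// Constructed helpers that build sample ASTs in the node shapes graphql-js parse() returns.
const ident = (value) => ({ kind: 'Name', value });
const sel = (selections) => ({ kind: 'SelectionSet', selections });
const field = (n, kids) => ({ kind: 'Field', name: ident(n), selectionSet: kids && sel(kids) });
const spread = (n) => ({ kind: 'FragmentSpread', name: ident(n) });
const fragment = (n, kids) => ({ kind: 'FragmentDefinition', name: ident(n), selectionSet: sel(kids) });
const query = (kids) => ({ kind: 'OperationDefinition', operation: 'query', selectionSet: sel(kids) });
const doc = (...definitions) => ({ kind: 'Document', definitions });
const leaves = (count) => Array.from({ length: count }, (_, i) => field(`f${i}`));

// Count the fields that would execute, expanding each fragment spread where it is used.
function countFields(document) {
  const fragments = new Map();
  for (const def of document.definitions) {
    if (def.kind === 'FragmentDefinition') fragments.set(def.name.value, def);
  }
  const cache = new Map();  // fragment name -> count, so each fragment is walked once
  const active = new Set(); // fragments being expanded right now (cycle guard)
  const fragmentCost = (fragName) => {
    if (cache.has(fragName)) return cache.get(fragName);
    if (active.has(fragName)) return Infinity; // cyclic spread: fail closed
    const def = fragments.get(fragName);
    if (!def) return 0; // undefined fragment: left to query validation
    active.add(fragName);
    const cost = walk(def.selectionSet);
    active.delete(fragName);
    cache.set(fragName, cost);
    return cost;
  };
  const walk = (selectionSet) => {
    let total = 0;
    for (const node of selectionSet ? selectionSet.selections : []) {
      if (node.kind === 'Field') total += 1 + walk(node.selectionSet);
      else if (node.kind === 'InlineFragment') total += walk(node.selectionSet);
      else if (node.kind === 'FragmentSpread') total += fragmentCost(node.name.value);
    }
    return total;
  };
  return document.definitions
    .filter((def) => def.kind === 'OperationDefinition')
    .reduce((sum, op) => sum + walk(op.selectionSet), 0);
}
const isAllowed = (document) => countFields(document) <= MAX_COMPLEXITY;

// Constructed samples: a small query, 105 flat fields, and 4 uses of a 30-field fragment.
const small = doc(query([field('me', [field('id'), field('email')])]));
const flat = doc(query(leaves(105)));
const reused = doc(query(leaves(4).map((f) => field(f.name.value, [spread('F')]))), fragment('F', leaves(30)));
```

The `reused` document contains only 34 `Field` nodes in its source, but 124 fields execute; a test for the limit should cover that case as well as the flat 105-field query.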


vercel bot commented Feb 21, 2026

@David-patrick-chuks is attempting to deploy a commit to the llinsomoudu-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.


netlify bot commented Feb 21, 2026

👷 Deploy request for taggedpay pending review.

Visit the deploys page to approve it

Name Link
🔨 Latest commit c740fe3

@llinsss (Owner) left a comment

remove package-lock.json

@David-patrick-chuks (Contributor, Author)

> remove package-lock.json

@llinsss Done! I've removed package-lock.json and resolved the merge conflicts in package.json by merging the latest changes from upstream/master.

Development

Successfully merging this pull request may close these issues.

Add GraphQL API Support