GraphQL API Support (#121)

[David-patrick-chuks]

Overview

This PR implements a GraphQL API alongside the existing REST API, leveraging Apollo Server. It introduces the foundational GraphQL schema and resolvers for the User and Transaction models, alongside robust authentication via JWTs and a hard limit on query complexity to prevent overly expensive queries from impacting server performance.

Related Issue

Closes #121

Changes

📡 GraphQL Setup & Integration

• [NEW] backend/graphql/schema.js
  • Defines the core GraphQL schema using SDL, including User and Transaction types.
  • Exposes me, myTransactions, and transaction(id: ID!) queries.
• [NEW] backend/graphql/resolvers.js
  • Implements resolver functions for all queries.
  • Integrates direct authorization checks, ensuring authenticated users can only query their own data (with admin overrides).
• [NEW] backend/graphql/apollo.js
  • Wraps the Apollo Server setup in a modular initApollo function.
  • Mounts Apollo to the /graphql endpoint via expressMiddleware.
  • Configures the request context to parse and verify JWTs from the Authorization header, resolving the current user.
  • Implements a custom AST-based field counter to calculate query complexity, enforcing a maximum complexity limit of 100 on all inbound queries (protecting the API without relying on conflicting external packages).
• [MODIFY] backend/server.js
  • Calls initApollo sequentially during server startup, passing in the HTTP server instance for graceful draining.
• [MODIFY] backend/package.json
  • Adds @apollo/server and graphql dependencies.

🧪 Testing

• [NEW] backend/tests/graphql.test.js
  • Injects a dedicated test DB instance into Apollo Server to avoid test teardown conflicts (bypassing the winston logger chain during tests).
  • Verifies unauthenticated queries immediately reject with "Not authenticated".
  • Verifies authenticated queries successfully return correct User data.
  • Constructs an intentionally large query (105+ aliased fields) to prove the query complexity limits are enforced correctly.

Verification Results

Scenario	Status
Dependency Validation	✅ Passed
Unauthenticated access blocked	✅ Verified via Jest
Authenticated access allowed	✅ Verified via Jest
Query complexity limits enforced (> 100)	✅ Verified via Jest
Tests run without tearing down issues	✅ Verified (npm test tests/graphql.test.js)

How to Test

1. Start the backend: cd backend && npm run dev
2. Obtain a valid JWT token via login or registration (POST /api/auth/login).
3. Send a POST request to http://localhost:5000/graphql with an Authorization: Bearer <token> header and a valid GraphQL query.

   {
     "query": "query { me { id email } }"
   }

4. To test complexity limits, attempt to send a query with more than 100 field aliases; it should be rejected.

Test Recording:

1. Jest Integration Tests Passing

Execution of npm run test tests/graphql.test.js showing all 3 GraphQL tests passing (Authentication block, fetching user data, and query complexity limits).

Screen.Recording.2026-02-21.at.11.57.49.mov

[vercel]

@David-patrick-chuks is attempting to deploy a commit to the llinsomoudu-gmailcom's projects Team on Vercel.

A member of the Team first needs to authorize it.

[netlify]

👷 Deploy request for taggedpay pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	c740fe3

[llinsss]

remove package-lock.json

[David-patrick-chuks]

remove package-lock.json

@llinsss Done! I've removed

package-lock.json
and resolved the merge conflicts in

package.json
by merging the latest changes from upstream/master.