I'm a minimalist and as such I have a problem with complex solutions to simple problems. That's my whole point.
My dream ORM is a an ORM that is designed with a) an obsession on simplicty, b) simple ORM CRUD queries that cover 95% of the data mutation/retrival needs, c) allows you to write "native" (no)SQL queries directly for the 5% cases when you need more complex queries, and d) automatically takes care of migration for 90% of the cases.
The ORM should be trivial to understand, the documentation super small, and the ORM should get entirely out of your way if you want to use your database directly without the ORM. Most ORMs out there (if not all) get these things wrong.
Hasura, Prisma & other auto-generated GraphQL tools are essentially ORMs. Unfortunately, they also get the above listed things wrong. I like that they auto-generate a GraphQL schema, that's neat. That's not my problem. My problem is that they are tightly coupled with GraphQL. That's nonsense. Because (and Wildcard is a living proof of this) you don't need GraphQL for the vast majority of apps out there. People need to understand that GaphQL = generic API = third-party devS. You don't need to expose your data to third parties? You don't need GraphQL. Period. (I hear people arguing about decoupling frontend and backend by using a generic API but that's an old and out-dated idiom, which is another topic I'd be happy to elaborate if you want.)
A simple ORM with a plugin that auto-generates a GraphQL schema? Hell yeah that's awesome. You'd then use the GraphQL plugin only when you need to expose your data to third parties. That's cool.
You don't need to expose your data to third parties? Use an ORM with RPC.
RPC is fundamentally simpler than GraphQL. Why on earth should I use something inherently more complex if I can use something so much simpler?
For example, have a look at how permissions work with Hasura and compare this to Wildcard. The difference is worlds appart in simplicty.
With Wildcard, permissions are written in code:
// Node.js server
endpoints.deletePost = async function(){
// Only admins are allowed to remove a post
if( !user.isAdmin ) return;
// ...
};
This means that you don't have to understand anything to do permissions -- simply write if statements, just like you are used to while programming other sutff.
With Hasura, you have to use Hasura's custom system of role-based permissions. What I find most annoying about these is that they are not defined in code. With Wildcard all permissions are written in the code - I can simply read them while reading queries.
I hear your arguments saying that Wildcard is new and I understand that you don't want to adopt something that is the "bleeding-edge". (From my perspective; from your perspective, experimental ;-).)
I agree that my way of promoting Wildcard on the whole Hasura thread was less than ideal, I'll improve.
In code, as long as that code is JavaScript. Looking at endpoints.getPost, assuming you pass in an id, what does that result look like? "It can look like whatever query you're making" is not a good answer. Even if you're the only developer on a project, code you wrote six months ago might as well have been written by someone else.
Let's look at a GraphQL call in terms of simplicity.
That's it for a client call, and I know from the query that it'll return the id of the post (if any) that was deleted.
Using Postgraphile as an example, nothing to do on the GraphQL server side beyond starting it up. In your database:
CREATE TABLE post (
...
);
REVOKE ALL ON post FROM public;
GRANT SELECT INSERT UPDATE ON post TO public;
GRANT DELETE ON post TO app_admin;
Done. The issue with your approach is that different sections of code may invoke SQL that deletes data. Once a data model lives long enough, edge cases show up. By having the security model live with the data itself, you never have to worry about these edge cases. Set theory for the win! Security bubbles up from the data layer, through the app layer, to the client layer. Also means that if you have two apps talking to the same database, you are no longer required to keep those security restrictions in sync. Got one app in PHP with another in Ruby? No problem. Data security is still intact. Forgot to restrict deletes? Fix the data layer, and the security fix bubbles up. No worrying about all of the possible places that might be affected by this.
Data security at the app level is arguably the wrong level to be implementing it.
Now you may decry the complexity of a fully-formed solution, but honestly Postgraphile meets your requirements quite well. GraphQL really isn't complex on its basic level.
query {
post(id: 13245) {
id
subject
body
author {
id
name
email
}
}
}
Boom. That's the JSON that comes back—follows the structure of the query. Self-documenting. The generated CRUD endpoints cover 95% of needs. Native queries written with the database itself and exposed as functions. Migrations should be handled as either idempotent SQL DDL or repeatable sequence of files at the database level, not the app layer.
Performance-wise, I strongly doubt you'll be faster/more scalable that Postgraphile out of the box. And just because the browser isn't calling the endpoint doesn't mean that GraphQL or REST are useless. Far from it. It's absolutely not just for publicly accessible APIs. That is a false assumption on your part.
GraphQL really isn't as heavyweight as you seem to presume it is. It's just a spec. How someone implements that spec is what makes the difference. As far as request/response sequence, GraphQL is quite cheap computationally. Well documented. Only as complex as the queries you want to make. Hierarchy-aware.
You might as well argue that HTTP is too complex and inefficient; that raw socket calls are better. Why not set up an exokernel?
The reason most of us don't is that it violates the 80/20 rule. Premature optimization and all that. If 99% of the time is spent in the database doing queries and only 1% in your app, fixating on the "efficiency" or perceived "simplicity" of that 1% is a fool's errand.
I'm a minimalist and as such I have a problem with complex solutions to simple problems. That's my whole point.
My dream ORM is a an ORM that is designed with a) an obsession on simplicty, b) simple ORM CRUD queries that cover 95% of the data mutation/retrival needs, c) allows you to write "native" (no)SQL queries directly for the 5% cases when you need more complex queries, and d) automatically takes care of migration for 90% of the cases.
The ORM should be trivial to understand, the documentation super small, and the ORM should get entirely out of your way if you want to use your database directly without the ORM. Most ORMs out there (if not all) get these things wrong.
Hasura, Prisma & other auto-generated GraphQL tools are essentially ORMs. Unfortunately, they also get the above listed things wrong. I like that they auto-generate a GraphQL schema, that's neat. That's not my problem. My problem is that they are tightly coupled with GraphQL. That's nonsense. Because (and Wildcard is a living proof of this) you don't need GraphQL for the vast majority of apps out there. People need to understand that GaphQL = generic API = third-party devS. You don't need to expose your data to third parties? You don't need GraphQL. Period. (I hear people arguing about decoupling frontend and backend by using a generic API but that's an old and out-dated idiom, which is another topic I'd be happy to elaborate if you want.)
A simple ORM with a plugin that auto-generates a GraphQL schema? Hell yeah that's awesome. You'd then use the GraphQL plugin only when you need to expose your data to third parties. That's cool.
You don't need to expose your data to third parties? Use an ORM with RPC.
RPC is fundamentally simpler than GraphQL. Why on earth should I use something inherently more complex if I can use something so much simpler?
For example, have a look at how permissions work with Hasura and compare this to Wildcard. The difference is worlds appart in simplicty.
With Wildcard, permissions are written in code:
This means that you don't have to understand anything to do permissions -- simply write if statements, just like you are used to while programming other sutff.With Hasura, you have to use Hasura's custom system of role-based permissions. What I find most annoying about these is that they are not defined in code. With Wildcard all permissions are written in the code - I can simply read them while reading queries.
I hear your arguments saying that Wildcard is new and I understand that you don't want to adopt something that is the "bleeding-edge". (From my perspective; from your perspective, experimental ;-).)
I agree that my way of promoting Wildcard on the whole Hasura thread was less than ideal, I'll improve.