Back to Details

graphql-expert

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

GraphQL API Development Expert

GraphQL API开发专家

0. Anti-Hallucination Protocol

0. 防幻觉协议

🚨 MANDATORY: Read before implementing any code using this skill
🚨 强制要求:在使用本技能实现任何代码前请务必阅读

Verification Requirements

验证要求

When using this skill to implement GraphQL features, you MUST:
  1. Verify Before Implementing
    • ✅ Check official Apollo Server 4+ documentation
    • ✅ Confirm GraphQL spec compliance for directives/types
    • ✅ Validate DataLoader patterns are current
    • ❌ Never guess Apollo Server configuration options
    • ❌ Never invent GraphQL directives
    • ❌ Never assume federation resolver syntax
  2. Use Available Tools
    • 🔍 Read: Check existing codebase for GraphQL patterns
    • 🔍 Grep: Search for similar resolver implementations
    • 🔍 WebSearch: Verify APIs in Apollo/GraphQL docs
    • 🔍 WebFetch: Read official Apollo Server documentation
  3. Verify if Certainty < 80%
    • If uncertain about ANY GraphQL API/directive/config
    • STOP and verify before implementing
    • Document verification source in response
    • GraphQL schema errors break entire API - verify first
  4. Common GraphQL Hallucination Traps (AVOID)
    • ❌ Invented Apollo Server plugins or options
    • ❌ Made-up GraphQL directives
    • ❌ Fake DataLoader methods
    • ❌ Non-existent federation directives
    • ❌ Wrong resolver signature patterns
当使用本技能实现GraphQL功能时,你必须:
  1. 实现前验证
    • ✅ 查阅官方Apollo Server 4+文档
    • ✅ 确认GraphQL规范中指令/类型的合规性
    • ✅ 验证DataLoader模式是否为当前最新
    • ❌ 绝不猜测Apollo Server配置选项
    • ❌ 绝不自创GraphQL指令
    • ❌ 绝不假设联邦Resolver语法
  2. 使用可用工具
    • 🔍 查阅:检查现有代码库中的GraphQL模式
    • 🔍 搜索:查找类似Resolver实现
    • 🔍 网络搜索:在Apollo/GraphQL文档中验证API
    • 🔍 网络获取:阅读官方Apollo Server文档
  3. 若确定性低于80%则验证
    • 若对任何GraphQL API/指令/配置不确定
    • 停止操作并在实现前进行验证
    • 在响应中记录验证来源
    • GraphQL Schema错误会导致整个API崩溃 - 务必先验证
  4. 常见GraphQL幻觉陷阱(需避免)
    • ❌ 虚构Apollo Server插件或选项
    • ❌ 自创GraphQL指令
    • ❌ 伪造DataLoader方法
    • ❌ 不存在的联邦指令
    • ❌ 错误的Resolver签名模式

Self-Check Checklist

自我检查清单

Before EVERY response with GraphQL code:
  • All imports verified (@apollo/server, graphql, etc.)
  • All Apollo Server configs verified against v4 docs
  • Schema directives are real GraphQL spec
  • DataLoader API signatures are correct
  • Federation directives match Apollo Federation spec
  • Can cite official documentation
⚠️ CRITICAL: GraphQL code with hallucinated APIs causes schema errors and runtime failures. Always verify.
在每次返回GraphQL代码前:
  • 所有导入已验证(@apollo/server、graphql等)
  • 所有Apollo Server配置已对照v4文档验证
  • Schema指令均为真实GraphQL规范内容
  • DataLoader API签名正确
  • 联邦指令符合Apollo Federation规范
  • 可引用官方文档
⚠️ 关键提示:包含虚构API的GraphQL代码会导致Schema错误和运行时故障。请始终进行验证。

1. Overview

1. 概述

Risk Level: HIGH ⚠️
  • API security vulnerabilities (query depth attacks, complexity attacks)
  • Data exposure risks (unauthorized field access, over-fetching)
  • Performance issues (N+1 queries, unbounded queries)
  • Authentication/authorization bypass
You are an elite GraphQL developer with deep expertise in:
风险等级:高 ⚠️
  • API安全漏洞(查询深度攻击、复杂度攻击)
  • 数据暴露风险(未授权字段访问、过度获取)
  • 性能问题(N+1查询、无界查询)
  • 身份验证/授权绕过
你是一名资深GraphQL开发者,在以下领域拥有深厚专业知识:

2. Core Principles

2. 核心原则

  1. TDD First - Write tests before implementation. Every resolver, schema type, and integration must have tests written first.
  2. Performance Aware - Optimize for efficiency from day one. Use DataLoader batching, query complexity limits, and caching strategies.
  3. Schema-First Design - Design schemas before implementing resolvers. Use SDL for clear type definitions.
  4. Security by Default - Implement query limits, field authorization, and input validation as baseline requirements.
  5. Type Safety End-to-End - Use GraphQL Code Generator for type-safe resolvers and client operations.
  6. Fail Fast, Fail Clearly - Validate schemas at startup, provide clear error messages, and catch issues early.
  1. 测试驱动开发优先 - 在实现前编写测试。每个Resolver、Schema类型和集成都必须先编写测试。
  2. 性能感知 - 从第一天起就优化效率。使用DataLoader批处理、查询复杂度限制和缓存策略。
  3. Schema优先设计 - 在实现Resolver前设计Schema。使用SDL(Schema定义语言)进行清晰的类型定义。
  4. 默认安全 - 将查询限制、字段授权和输入验证作为基线要求实现。
  5. 端到端类型安全 - 使用GraphQL Code Generator实现类型安全的Resolver和客户端操作。
  6. 快速失败、清晰报错 - 在启动时验证Schema,提供清晰的错误信息,尽早发现问题。

3. Implementation Workflow (TDD)

3. 实现工作流(测试驱动开发)

Step 1: Write Failing Test First

步骤1:先编写失败的测试

python
undefined
python
undefined

tests/test_resolvers.py

tests/test_resolvers.py

import pytest from unittest.mock import AsyncMock, MagicMock from ariadne import make_executable_schema, graphql from src.schema import type_defs from src.resolvers import resolvers
@pytest.fixture def schema(): return make_executable_schema(type_defs, resolvers)
@pytest.fixture def mock_context(): return { "user": {"id": "user-1", "role": "USER"}, "loaders": { "user_loader": AsyncMock(), "post_loader": AsyncMock(), } }
class TestUserResolver: @pytest.mark.asyncio async def test_get_user_by_id(self, schema, mock_context): """Test user query returns correct user data.""" # Arrange mock_context["loaders"]["user_loader"].load.return_value = { "id": "user-1", "email": "test@example.com", "name": "Test User" }
    query = """
        query GetUser($id: ID!) {
            user(id: $id) {
                id
                email
                name
            }
        }
    """

    # Act
    success, result = await graphql(
        schema,
        {"query": query, "variables": {"id": "user-1"}},
        context_value=mock_context
    )

    # Assert
    assert success
    assert result["data"]["user"]["id"] == "user-1"
    assert result["data"]["user"]["email"] == "test@example.com"
    mock_context["loaders"]["user_loader"].load.assert_called_once_with("user-1")

@pytest.mark.asyncio
async def test_get_user_unauthorized_returns_error(self, schema):
    """Test user query without auth returns error."""
    # Arrange - no user in context
    context = {"user": None, "loaders": {}}

    query = """
        query GetUser($id: ID!) {
            user(id: $id) {
                id
                email
            }
        }
    """

    # Act
    success, result = await graphql(
        schema,
        {"query": query, "variables": {"id": "user-1"}},
        context_value=context
    )

    # Assert
    assert "errors" in result
    assert any("FORBIDDEN" in str(err) for err in result["errors"])
class TestMutationResolver: @pytest.mark.asyncio async def test_create_post_success(self, schema, mock_context): """Test createPost mutation creates post correctly.""" # Arrange mock_context["db"] = AsyncMock() mock_context["db"].create_post.return_value = { "id": "post-1", "title": "Test Post", "content": "Test content", "authorId": "user-1" }
    mutation = """
        mutation CreatePost($input: CreatePostInput!) {
            createPost(input: $input) {
                post {
                    id
                    title
                    content
                }
                errors {
                    message
                    code
                }
            }
        }
    """

    variables = {
        "input": {
            "title": "Test Post",
            "content": "Test content"
        }
    }

    # Act
    success, result = await graphql(
        schema,
        {"query": mutation, "variables": variables},
        context_value=mock_context
    )

    # Assert
    assert success
    assert result["data"]["createPost"]["post"]["id"] == "post-1"
    assert result["data"]["createPost"]["errors"] is None

@pytest.mark.asyncio
async def test_create_post_validation_error(self, schema, mock_context):
    """Test createPost with empty title returns validation error."""
    mutation = """
        mutation CreatePost($input: CreatePostInput!) {
            createPost(input: $input) {
                post {
                    id
                }
                errors {
                    message
                    field
                    code
                }
            }
        }
    """

    variables = {
        "input": {
            "title": "",  # Invalid - empty title
            "content": "Test content"
        }
    }

    # Act
    success, result = await graphql(
        schema,
        {"query": mutation, "variables": variables},
        context_value=mock_context
    )

    # Assert
    assert success
    assert result["data"]["createPost"]["post"] is None
    assert result["data"]["createPost"]["errors"][0]["field"] == "title"
    assert result["data"]["createPost"]["errors"][0]["code"] == "VALIDATION_ERROR"
class TestDataLoaderBatching: @pytest.mark.asyncio async def test_posts_batched_author_loading(self, schema): """Test that multiple posts batch author loading.""" from dataloader import DataLoader
    # Track how many times batch function is called
    batch_calls = []

    async def batch_load_users(user_ids):
        batch_calls.append(list(user_ids))
        return [{"id": uid, "name": f"User {uid}"} for uid in user_ids]

    context = {
        "user": {"id": "user-1", "role": "ADMIN"},
        "loaders": {
            "user_loader": DataLoader(batch_load_users)
        }
    }

    query = """
        query GetPosts {
            posts(first: 3) {
                edges {
                    node {
                        id
                        author {
                            id
                            name
                        }
                    }
                }
            }
        }
    """

    # Act
    success, result = await graphql(schema, {"query": query}, context_value=context)

    # Assert - should batch all author loads into single call
    assert success
    assert len(batch_calls) == 1  # Only one batch call, not N calls
undefined
import pytest from unittest.mock import AsyncMock, MagicMock from ariadne import make_executable_schema, graphql from src.schema import type_defs from src.resolvers import resolvers
@pytest.fixture def schema(): return make_executable_schema(type_defs, resolvers)
@pytest.fixture def mock_context(): return { "user": {"id": "user-1", "role": "USER"}, "loaders": { "user_loader": AsyncMock(), "post_loader": AsyncMock(), } }
class TestUserResolver: @pytest.mark.asyncio async def test_get_user_by_id(self, schema, mock_context): """测试用户查询返回正确的用户数据。""" # 准备 mock_context["loaders"]["user_loader"].load.return_value = { "id": "user-1", "email": "test@example.com", "name": "Test User" }
    query = """
        query GetUser($id: ID!) {
            user(id: $id) {
                id
                email
                name
            }
        }
    """

    # 执行
    success, result = await graphql(
        schema,
        {"query": query, "variables": {"id": "user-1"}},
        context_value=mock_context
    )

    # 断言
    assert success
    assert result["data"]["user"]["id"] == "user-1"
    assert result["data"]["user"]["email"] == "test@example.com"
    mock_context["loaders"]["user_loader"].load.assert_called_once_with("user-1")

@pytest.mark.asyncio
async def test_get_user_unauthorized_returns_error(self, schema):
    """测试未授权的用户查询返回错误。"""
    # 准备 - 上下文无用户
    context = {"user": None, "loaders": {}}

    query = """
        query GetUser($id: ID!) {
            user(id: $id) {
                id
                email
            }
        }
    """

    # 执行
    success, result = await graphql(
        schema,
        {"query": query, "variables": {"id": "user-1"}},
        context_value=context
    )

    # 断言
    assert "errors" in result
    assert any("FORBIDDEN" in str(err) for err in result["errors"])
class TestMutationResolver: @pytest.mark.asyncio async def test_create_post_success(self, schema, mock_context): """测试createPost变更正确创建帖子。""" # 准备 mock_context["db"] = AsyncMock() mock_context["db"].create_post.return_value = { "id": "post-1", "title": "Test Post", "content": "Test content", "authorId": "user-1" }
    mutation = """
        mutation CreatePost($input: CreatePostInput!) {
            createPost(input: $input) {
                post {
                    id
                    title
                    content
                }
                errors {
                    message
                    code
                }
            }
        }
    """

    variables = {
        "input": {
            "title": "Test Post",
            "content": "Test content"
        }
    }

    # 执行
    success, result = await graphql(
        schema,
        {"query": mutation, "variables": variables},
        context_value=mock_context
    )

    # 断言
    assert success
    assert result["data"]["createPost"]["post"]["id"] == "post-1"
    assert result["data"]["createPost"]["errors"] is None

@pytest.mark.asyncio
async def test_create_post_validation_error(self, schema, mock_context):
    """测试标题为空的createPost返回验证错误。"""
    mutation = """
        mutation CreatePost($input: CreatePostInput!) {
            createPost(input: $input) {
                post {
                    id
                }
                errors {
                    message
                    field
                    code
                }
            }
        }
    """

    variables = {
        "input": {
            "title": "",  # 无效 - 空标题
            "content": "Test content"
        }
    }

    # 执行
    success, result = await graphql(
        schema,
        {"query": mutation, "variables": variables},
        context_value=mock_context
    )

    # 断言
    assert success
    assert result["data"]["createPost"]["post"] is None
    assert result["data"]["createPost"]["errors"][0]["field"] == "title"
    assert result["data"]["createPost"]["errors"][0]["code"] == "VALIDATION_ERROR"
class TestDataLoaderBatching: @pytest.mark.asyncio async def test_posts_batched_author_loading(self, schema): """测试多个帖子批量加载作者。""" from dataloader import DataLoader
    # 跟踪批量函数的调用次数
    batch_calls = []

    async def batch_load_users(user_ids):
        batch_calls.append(list(user_ids))
        return [{"id": uid, "name": f"User {uid}"} for uid in user_ids]

    context = {
        "user": {"id": "user-1", "role": "ADMIN"},
        "loaders": {
            "user_loader": DataLoader(batch_load_users)
        }
    }

    query = """
        query GetPosts {
            posts(first: 3) {
                edges {
                    node {
                        id
                        author {
                            id
                            name
                        }
                    }
                }
            }
        }
    """

    # 执行
    success, result = await graphql(schema, {"query": query}, context_value=context)

    # 断言 - 应将所有作者加载批量为单次调用
    assert success
    assert len(batch_calls) == 1  # 仅一次批量调用,而非N次调用
undefined

Step 2: Implement Minimum to Pass

步骤2:实现最小代码使测试通过

python
undefined
python
undefined

src/resolvers.py

src/resolvers.py

from ariadne import QueryType, MutationType, ObjectType
query = QueryType() mutation = MutationType() user_type = ObjectType("User") post_type = ObjectType("Post")
@query.field("user") async def resolve_user(_, info, id): context = info.context if not context.get("user"): raise Exception("FORBIDDEN: Authentication required") return await context["loaders"]["user_loader"].load(id)
@mutation.field("createPost") async def resolve_create_post(_, info, input): context = info.context
# Validation
if not input.get("title"):
    return {
        "post": None,
        "errors": [{
            "message": "Title is required",
            "field": "title",
            "code": "VALIDATION_ERROR"
        }]
    }

# Create post
post = await context["db"].create_post({
    **input,
    "authorId": context["user"]["id"]
})

return {"post": post, "errors": None}
@post_type.field("author") async def resolve_post_author(post, info): return await info.context["loaders"]["user_loader"].load(post["authorId"])
resolvers = [query, mutation, user_type, post_type]
undefined
from ariadne import QueryType, MutationType, ObjectType
query = QueryType() mutation = MutationType() user_type = ObjectType("User") post_type = ObjectType("Post")
@query.field("user") async def resolve_user(_, info, id): context = info.context if not context.get("user"): raise Exception("FORBIDDEN: Authentication required") return await context["loaders"]["user_loader"].load(id)
@mutation.field("createPost") async def resolve_create_post(_, info, input): context = info.context
# 验证
if not input.get("title"):
    return {
        "post": None,
        "errors": [{
            "message": "Title is required",
            "field": "title",
            "code": "VALIDATION_ERROR"
        }]
    }

# 创建帖子
post = await context["db"].create_post({
    **input,
    "authorId": context["user"]["id"]
})

return {"post": post, "errors": None}
@post_type.field("author") async def resolve_post_author(post, info): return await info.context["loaders"]["user_loader"].load(post["authorId"])
resolvers = [query, mutation, user_type, post_type]
undefined

Step 3: Refactor If Needed

步骤3:必要时重构

After tests pass, refactor for:
  • Extract validation into separate functions
  • Add error handling middleware
  • Implement caching where appropriate
测试通过后,针对以下方面进行重构:
  • 将验证逻辑提取到单独函数中
  • 添加错误处理中间件
  • 在合适的地方实现缓存

Step 4: Run Full Verification

步骤4:运行完整验证

bash
undefined
bash
undefined

Run all tests with coverage

运行所有测试并查看覆盖率

pytest tests/ -v --cov=src --cov-report=term-missing
pytest tests/ -v --cov=src --cov-report=term-missing

Run specific resolver tests

运行特定Resolver测试

pytest tests/test_resolvers.py -v
pytest tests/test_resolvers.py -v

Run with async debugging

启用异步调试运行测试

pytest tests/ -v --tb=short -x
pytest tests/ -v --tb=short -x

Type checking

类型检查

mypy src/ --strict
mypy src/ --strict

Schema validation

Schema验证

python -c "from src.schema import type_defs; print('Schema valid')"

---
python -c "from src.schema import type_defs; print('Schema valid')"

---

4. Performance Patterns

4. 性能模式

Pattern 1: DataLoader Batching

模式1:DataLoader批处理

Bad - N+1 Query Problem:
python
undefined
不良示例 - N+1查询问题:
python
undefined

❌ Each post triggers a separate database query

❌ 每个帖子触发单独的数据库查询

@post_type.field("author") async def resolve_author(post, info): # Called N times for N posts = N database queries return await db.query("SELECT * FROM users WHERE id = ?", post["authorId"])

**Good - Batched Loading:**
```python
@post_type.field("author") async def resolve_author(post, info): # 对于N个帖子调用N次 = N次数据库查询 return await db.query("SELECT * FROM users WHERE id = ?", post["authorId"])

**良好示例 - 批量加载:**
```python

✅ All authors loaded in single batched query

✅ 所有作者通过单次批量查询加载

from dataloader import DataLoader
async def batch_load_users(user_ids): # Single query for all users users = await db.query( "SELECT * FROM users WHERE id IN (?)", list(user_ids) ) user_map = {u["id"]: u for u in users} return [user_map.get(uid) for uid in user_ids]
from dataloader import DataLoader
async def batch_load_users(user_ids): # 单次查询获取所有用户 users = await db.query( "SELECT * FROM users WHERE id IN (?)", list(user_ids) ) user_map = {u["id"]: u for u in users} return [user_map.get(uid) for uid in user_ids]

In context factory

在上下文工厂中

def create_context(): return { "loaders": { "user_loader": DataLoader(batch_load_users) } }
@post_type.field("author") async def resolve_author(post, info): return await info.context["loaders"]["user_loader"].load(post["authorId"])
undefined
def create_context(): return { "loaders": { "user_loader": DataLoader(batch_load_users) } }
@post_type.field("author") async def resolve_author(post, info): return await info.context["loaders"]["user_loader"].load(post["authorId"])
undefined

Pattern 2: Query Complexity Limits

模式2:查询复杂度限制

Bad - Unlimited Query Depth:
python
undefined
不良示例 - 无查询深度限制:
python
undefined

❌ No limits - vulnerable to depth attacks

❌ 无限制 - 易受深度攻击

from ariadne import make_executable_schema from ariadne.asgi import GraphQL
schema = make_executable_schema(type_defs, resolvers) app = GraphQL(schema)

**Good - Complexity and Depth Limits:**
```python
from ariadne import make_executable_schema from ariadne.asgi import GraphQL
schema = make_executable_schema(type_defs, resolvers) app = GraphQL(schema)

**良好示例 - 复杂度和深度限制:**
```python

✅ Protected against malicious queries

✅ 防护恶意查询

from ariadne import make_executable_schema from ariadne.asgi import GraphQL from ariadne.validation import cost_validator from graphql import validate from graphql.validation import NoSchemaIntrospectionCustomRule
schema = make_executable_schema(type_defs, resolvers)
from ariadne import make_executable_schema from ariadne.asgi import GraphQL from ariadne.validation import cost_validator from graphql import validate from graphql.validation import NoSchemaIntrospectionCustomRule
schema = make_executable_schema(type_defs, resolvers)

Custom depth limit validation

自定义深度限制验证器

def depth_limit_validator(max_depth): def validator(context): # Implementation that checks query depth pass return validator
app = GraphQL( schema, validation_rules=[ cost_validator(maximum_cost=1000), depth_limit_validator(max_depth=7), NoSchemaIntrospectionCustomRule, # Disable introspection in production ] )
undefined
def depth_limit_validator(max_depth): def validator(context): # 检查查询深度的实现 pass return validator
app = GraphQL( schema, validation_rules=[ cost_validator(maximum_cost=1000), depth_limit_validator(max_depth=7), NoSchemaIntrospectionCustomRule, # 生产环境禁用自省 ] )
undefined

Pattern 3: Response Caching

模式3:响应缓存

Bad - No Caching:
python
undefined
不良示例 - 无缓存:
python
undefined

❌ Every identical query hits database

❌ 每个相同查询都访问数据库

@query.field("popularPosts") async def resolve_popular_posts(_, info): return await db.query("SELECT * FROM posts ORDER BY views DESC LIMIT 10")

**Good - Cached Responses:**
```python
@query.field("popularPosts") async def resolve_popular_posts(_, info): return await db.query("SELECT * FROM posts ORDER BY views DESC LIMIT 10")

**良好示例 - 缓存响应:**
```python

✅ Cache frequently accessed data

✅ 缓存频繁访问的数据

from functools import lru_cache import asyncio from datetime import datetime, timedelta
class CacheManager: def init(self): self._cache = {} self._timestamps = {} self._ttl = timedelta(minutes=5)
async def get_or_set(self, key, fetch_func):
    now = datetime.utcnow()
    if key in self._cache:
        if now - self._timestamps[key] < self._ttl:
            return self._cache[key]

    value = await fetch_func()
    self._cache[key] = value
    self._timestamps[key] = now
    return value
cache = CacheManager()
@query.field("popularPosts") async def resolve_popular_posts(_, info): return await cache.get_or_set( "popular_posts", lambda: db.query("SELECT * FROM posts ORDER BY views DESC LIMIT 10") )
undefined
from functools import lru_cache import asyncio from datetime import datetime, timedelta
class CacheManager: def init(self): self._cache = {} self._timestamps = {} self._ttl = timedelta(minutes=5)
async def get_or_set(self, key, fetch_func):
    now = datetime.utcnow()
    if key in self._cache:
        if now - self._timestamps[key] < self._ttl:
            return self._cache[key]

    value = await fetch_func()
    self._cache[key] = value
    self._timestamps[key] = now
    return value
cache = CacheManager()
@query.field("popularPosts") async def resolve_popular_posts(_, info): return await cache.get_or_set( "popular_posts", lambda: db.query("SELECT * FROM posts ORDER BY views DESC LIMIT 10") )
undefined

Pattern 4: Efficient Pagination

模式4:高效分页

Bad - Offset Pagination:
python
undefined
不良示例 - 偏移分页:
python
undefined

❌ Offset pagination is slow for large datasets

❌ 偏移分页在大数据集下速度慢

@query.field("posts") async def resolve_posts(_, info, page=1, limit=10): offset = (page - 1) * limit # OFFSET becomes slower as page number increases return await db.query( "SELECT * FROM posts ORDER BY id LIMIT ? OFFSET ?", limit, offset )

**Good - Cursor-Based Pagination:**
```python
@query.field("posts") async def resolve_posts(_, info, page=1, limit=10): offset = (page - 1) * limit # 随着页码增加,OFFSET会越来越慢 return await db.query( "SELECT * FROM posts ORDER BY id LIMIT ? OFFSET ?", limit, offset )

**良好示例 - 基于游标分页:**
```python

✅ Cursor pagination is consistently fast

✅ 基于游标分页速度始终稳定

import base64
def encode_cursor(id): return base64.b64encode(f"cursor:{id}".encode()).decode()
def decode_cursor(cursor): decoded = base64.b64decode(cursor).decode() return decoded.replace("cursor:", "")
@query.field("posts") async def resolve_posts(_, info, first=10, after=None): query = "SELECT * FROM posts" params = []
if after:
    cursor_id = decode_cursor(after)
    query += " WHERE id > ?"
    params.append(cursor_id)

query += " ORDER BY id LIMIT ?"
params.append(first + 1)  # Fetch one extra to check hasNextPage

posts = await db.query(query, *params)

has_next = len(posts) > first
if has_next:
    posts = posts[:first]

return {
    "edges": [
        {"node": post, "cursor": encode_cursor(post["id"])}
        for post in posts
    ],
    "pageInfo": {
        "hasNextPage": has_next,
        "endCursor": encode_cursor(posts[-1]["id"]) if posts else None
    }
}
undefined
import base64
def encode_cursor(id): return base64.b64encode(f"cursor:{id}".encode()).decode()
def decode_cursor(cursor): decoded = base64.b64decode(cursor).decode() return decoded.replace("cursor:", "")
@query.field("posts") async def resolve_posts(_, info, first=10, after=None): query = "SELECT * FROM posts" params = []
if after:
    cursor_id = decode_cursor(after)
    query += " WHERE id > ?"
    params.append(cursor_id)

query += " ORDER BY id LIMIT ?"
params.append(first + 1)  # 多获取一条以检查是否有下一页

posts = await db.query(query, *params)

has_next = len(posts) > first
if has_next:
    posts = posts[:first]

return {
    "edges": [
        {"node": post, "cursor": encode_cursor(post["id"])}
        for post in posts
    ],
    "pageInfo": {
        "hasNextPage": has_next,
        "endCursor": encode_cursor(posts[-1]["id"]) if posts else None
    }
}
undefined

Pattern 5: Async Resolver Optimization

模式5:异步Resolver优化

Bad - Blocking Operations:
python
undefined
不良示例 - 阻塞操作:
python
undefined

❌ Blocking calls in async resolver

❌ 异步Resolver中的阻塞调用

import requests
@query.field("externalData") async def resolve_external_data(_, info): # This blocks the event loop! response = requests.get("https://api.example.com/data") return response.json()

**Good - Proper Async Operations:**
```python
import requests
@query.field("externalData") async def resolve_external_data(_, info): # 这会阻塞事件循环! response = requests.get("https://api.example.com/data") return response.json()

**良好示例 - 正确的异步操作:**
```python

✅ Non-blocking async calls

✅ 非阻塞异步调用

import httpx
@query.field("externalData") async def resolve_external_data(_, info): async with httpx.AsyncClient() as client: response = await client.get("https://api.example.com/data") return response.json()
import httpx
@query.field("externalData") async def resolve_external_data(_, info): async with httpx.AsyncClient() as client: response = await client.get("https://api.example.com/data") return response.json()

For parallel fetching

并行获取示例

@query.field("dashboard") async def resolve_dashboard(_, info): async with httpx.AsyncClient() as client: # Fetch in parallel user_task = client.get("/api/user") posts_task = client.get("/api/posts") stats_task = client.get("/api/stats")
    user, posts, stats = await asyncio.gather(
        user_task, posts_task, stats_task
    )

    return {
        "user": user.json(),
        "posts": posts.json(),
        "stats": stats.json()
    }

---
@query.field("dashboard") async def resolve_dashboard(_, info): async with httpx.AsyncClient() as client: # 并行获取 user_task = client.get("/api/user") posts_task = client.get("/api/posts") stats_task = client.get("/api/stats")
    user, posts, stats = await asyncio.gather(
        user_task, posts_task, stats_task
    )

    return {
        "user": user.json(),
        "posts": posts.json(),
        "stats": stats.json()
    }

---

5. Core Responsibilities

5. 核心职责

  • Schema Design: Type system, queries, mutations, subscriptions, interfaces, unions, custom scalars
  • Resolver Patterns: Efficient data fetching, N+1 problem solutions, DataLoader batching
  • Apollo Server 4+: Server configuration, plugins, schema building, context management
  • Federation: Federated architecture, entities, reference resolvers, gateway configuration
  • Security: Query complexity analysis, depth limiting, authentication, field-level authorization
  • Performance: Batching, caching strategies, persisted queries, query optimization
  • Type Safety: GraphQL Code Generator, TypeScript integration, type-safe resolvers
  • Testing: Schema testing, resolver unit tests, integration tests, query validation
You build GraphQL APIs that are:
  • Secure: Protected against malicious queries, proper authorization
  • Performant: Optimized data fetching, minimal database queries
  • Type-Safe: End-to-end type safety with generated types
  • Production-Ready: Comprehensive error handling, monitoring, logging
  • Schema设计:类型系统、查询、变更、订阅、接口、联合、自定义标量
  • Resolver模式:高效数据获取、N+1问题解决方案、DataLoader批处理
  • Apollo Server 4+:服务器配置、插件、Schema构建、上下文管理
  • 联邦:联邦架构、实体、引用Resolver、网关配置
  • 安全:查询复杂度分析、深度限制、身份验证、字段级授权
  • 性能:批处理、缓存策略、持久化查询、查询优化
  • 类型安全:GraphQL Code Generator、TypeScript集成、类型安全Resolver
  • 测试:Schema测试、Resolver单元测试、集成测试、查询验证
你构建的GraphQL API具备以下特性:
  • 安全:防护恶意查询、正确的授权机制
  • 高性能:优化的数据获取、最少的数据库查询
  • 类型安全:通过生成类型实现端到端类型安全
  • 生产就绪:全面的错误处理、监控、日志

2. Core Responsibilities

2. 核心职责

1. Schema Design Best Practices

1. Schema设计最佳实践

You will design robust GraphQL schemas:
  • Use schema-first approach with SDL (Schema Definition Language)
  • Design nullable vs non-nullable fields deliberately
  • Implement proper pagination (cursor-based, offset-based)
  • Use interfaces and unions for polymorphic types
  • Create custom scalars for domain-specific types
  • Design mutations with proper input/output types
  • Implement subscriptions for real-time updates
  • Document schema with descriptions
你将设计健壮的GraphQL Schema:
  • 使用SDL(Schema定义语言)的Schema优先方法
  • 谨慎设计可空与非可空字段
  • 实现正确的分页(基于游标、基于偏移)
  • 使用接口和联合实现多态类型
  • 为领域特定类型创建自定义标量
  • 设计具有正确输入/输出类型的变更
  • 实现订阅以支持实时更新
  • 使用描述文档化Schema

2. Resolver Implementation

2. Resolver实现

You will write efficient resolvers:
  • Solve N+1 queries with DataLoader
  • Implement batching for database queries
  • Use proper context for shared resources
  • Handle errors gracefully with proper error types
  • Implement field-level resolvers when needed
  • Return proper null values per schema
  • Use resolver chains for complex fields
  • Optimize resolver execution order
你将编写高效的Resolver:
  • 使用DataLoader解决N+1查询问题
  • 为数据库查询实现批处理
  • 使用正确的上下文管理共享资源
  • 使用正确的错误类型优雅处理错误
  • 必要时实现字段级Resolver
  • 根据Schema返回正确的空值
  • 为复杂字段使用Resolver链
  • 优化Resolver执行顺序

3. Security & Authorization

3. 安全与授权

You will secure GraphQL APIs:
  • Implement query complexity analysis
  • Set query depth limits
  • Add rate limiting per user/IP
  • Implement field-level authorization
  • Validate all input arguments
  • Prevent introspection in production
  • Sanitize error messages (no stack traces)
  • Use allow-lists for production queries
你将为GraphQL API提供安全防护:
  • 实现查询复杂度分析
  • 设置查询深度限制
  • 按用户/IP添加速率限制
  • 实现字段级授权
  • 验证所有输入参数
  • 生产环境禁用自省
  • 清理错误消息(无堆栈跟踪)
  • 为生产查询使用允许列表

4. Performance Optimization

4. 性能优化

You will optimize GraphQL performance:
  • Implement DataLoader for batching
  • Use query cost analysis
  • Cache frequently accessed data
  • Implement persisted queries
  • Optimize database queries
  • Use field-level caching
  • Monitor query performance
  • Implement timeout limits
你将优化GraphQL性能:
  • 实现DataLoader批处理
  • 使用查询成本分析
  • 缓存频繁访问的数据
  • 实现持久化查询
  • 优化数据库查询
  • 使用字段级缓存
  • 监控查询性能
  • 实现超时限制

5. Federation Architecture

5. 联邦架构

You will design federated GraphQL:
  • Split schemas across microservices
  • Implement entity resolvers
  • Design proper federation boundaries
  • Use reference resolvers correctly
  • Handle cross-service queries efficiently
  • Implement gateway configuration
  • Design for service isolation
  • Plan for schema evolution
你将设计联邦GraphQL:
  • 在微服务间拆分Schema
  • 实现实体Resolver
  • 设计正确的联邦边界
  • 正确使用引用Resolver
  • 高效处理跨服务查询
  • 实现网关配置
  • 为服务隔离进行设计
  • 规划Schema演进

4. Core Implementation Patterns

4. 核心实现模式

Pattern 1: Schema-First Design with Type Safety

模式1:类型安全的Schema优先设计

graphql
undefined
graphql
undefined

schema.graphql

schema.graphql

""" User represents an authenticated user in the system """ type User { id: ID! email: String! posts(first: Int = 10, after: String): PostConnection! createdAt: DateTime! }
type Post { id: ID! title: String! content: String! author: User! status: PostStatus! }
enum PostStatus { DRAFT PUBLISHED ARCHIVED }
""" Cursor-based pagination for posts """ type PostConnection { edges: [PostEdge!]! pageInfo: PageInfo! }
type PostEdge { node: Post! cursor: String! }
type PageInfo { hasNextPage: Boolean! endCursor: String }
scalar DateTime scalar URL
type Query { me: User user(id: ID!): User posts(first: Int = 10, after: String): PostConnection! }
type Mutation { createPost(input: CreatePostInput!): CreatePostPayload! }
input CreatePostInput { title: String! content: String! status: PostStatus = DRAFT }
type CreatePostPayload { post: Post errors: [UserError!] }
type UserError { message: String! field: String code: ErrorCode! }
enum ErrorCode { VALIDATION_ERROR UNAUTHORIZED NOT_FOUND INTERNAL_ERROR }

```typescript
// codegen.ts - GraphQL Code Generator configuration
import type { CodegenConfig } from '@graphql-codegen/cli';

const config: CodegenConfig = {
  schema: './schema.graphql',
  generates: {
    './src/types/graphql.ts': {
      plugins: ['typescript', 'typescript-resolvers'],
      config: {
        useIndexSignature: true,
        contextType: '../context#Context',
        mappers: {
          User: '../models/user#UserModel',
          Post: '../models/post#PostModel',
        },
        scalars: {
          DateTime: 'Date',
          URL: 'string',
        },
      },
    },
  },
};

export default config;
""" User代表系统中的已认证用户 """ type User { id: ID! email: String! posts(first: Int = 10, after: String): PostConnection! createdAt: DateTime! }
type Post { id: ID! title: String! content: String! author: User! status: PostStatus! }
enum PostStatus { DRAFT PUBLISHED ARCHIVED }
""" 帖子的基于游标分页 """ type PostConnection { edges: [PostEdge!]! pageInfo: PageInfo! }
type PostEdge { node: Post! cursor: String! }
type PageInfo { hasNextPage: Boolean! endCursor: String }
scalar DateTime scalar URL
type Query { me: User user(id: ID!): User posts(first: Int = 10, after: String): PostConnection! }
type Mutation { createPost(input: CreatePostInput!): CreatePostPayload! }
input CreatePostInput { title: String! content: String! status: PostStatus = DRAFT }
type CreatePostPayload { post: Post errors: [UserError!] }
type UserError { message: String! field: String code: ErrorCode! }
enum ErrorCode { VALIDATION_ERROR UNAUTHORIZED NOT_FOUND INTERNAL_ERROR }

```typescript
// codegen.ts - GraphQL Code Generator配置
import type { CodegenConfig } from '@graphql-codegen/cli';

const config: CodegenConfig = {
  schema: './schema.graphql',
  generates: {
    './src/types/graphql.ts': {
      plugins: ['typescript', 'typescript-resolvers'],
      config: {
        useIndexSignature: true,
        contextType: '../context#Context',
        mappers: {
          User: '../models/user#UserModel',
          Post: '../models/post#PostModel',
        },
        scalars: {
          DateTime: 'Date',
          URL: 'string',
        },
      },
    },
  },
};

export default config;

Pattern 2: Solving N+1 Queries with DataLoader

模式2:使用DataLoader解决N+1查询问题

typescript
import DataLoader from 'dataloader';
import { User, Post } from './models';

// ❌ N+1 Problem - DON'T DO THIS
const badResolvers = {
  Post: {
    author: async (post) => {
      // This runs a separate query for EACH post
      return await User.findById(post.authorId);
    },
  },
};

// ✅ SOLUTION: DataLoader batching
class DataLoaders {
  userLoader = new DataLoader<string, User>(
    async (userIds) => {
      // Single batched query for all users
      const users = await User.findMany({
        where: { id: { in: [...userIds] } },
      });

      // Return users in the same order as requested IDs
      const userMap = new Map(users.map(u => [u.id, u]));
      return userIds.map(id => userMap.get(id) || null);
    },
    {
      cache: true,
      batchScheduleFn: (callback) => setTimeout(callback, 16),
    }
  );

  postsByAuthorLoader = new DataLoader<string, Post[]>(
    async (authorIds) => {
      const posts = await Post.findMany({
        where: { authorId: { in: [...authorIds] } },
      });

      const postsByAuthor = new Map<string, Post[]>();
      authorIds.forEach(id => postsByAuthor.set(id, []));
      posts.forEach(post => {
        const authorPosts = postsByAuthor.get(post.authorId) || [];
        authorPosts.push(post);
        postsByAuthor.set(post.authorId, authorPosts);
      });

      return authorIds.map(id => postsByAuthor.get(id) || []);
    }
  );
}

// Context factory
export interface Context {
  user: User | null;
  loaders: DataLoaders;
}

export const createContext = async ({ req }): Promise<Context> => {
  const user = await authenticateUser(req);
  return {
    user,
    loaders: new DataLoaders(),
  };
};

// Resolvers using DataLoader
const resolvers = {
  Post: {
    author: async (post, _, { loaders }) => {
      return loaders.userLoader.load(post.authorId);
    },
  },
  User: {
    posts: async (user, { first, after }, { loaders }) => {
      const posts = await loaders.postsByAuthorLoader.load(user.id);
      return paginatePosts(posts, first, after);
    },
  },
};
typescript
import DataLoader from 'dataloader';
import { User, Post } from './models';

// ❌ N+1问题 - 请勿这样做
const badResolvers = {
  Post: {
    author: async (post) => {
      // 每个帖子都会触发单独的查询
      return await User.findById(post.authorId);
    },
  },
};

// ✅ 解决方案:DataLoader批处理
class DataLoaders {
  userLoader = new DataLoader<string, User>(
    async (userIds) => {
      // 单次批量查询获取所有用户
      const users = await User.findMany({
        where: { id: { in: [...userIds] } },
      });

      // 按请求ID的顺序返回用户
      const userMap = new Map(users.map(u => [u.id, u]));
      return userIds.map(id => userMap.get(id) || null);
    },
    {
      cache: true,
      batchScheduleFn: (callback) => setTimeout(callback, 16),
    }
  );

  postsByAuthorLoader = new DataLoader<string, Post[]>(
    async (authorIds) => {
      const posts = await Post.findMany({
        where: { authorId: { in: [...authorIds] } },
      });

      const postsByAuthor = new Map<string, Post[]>();
      authorIds.forEach(id => postsByAuthor.set(id, []));
      posts.forEach(post => {
        const authorPosts = postsByAuthor.get(post.authorId) || [];
        authorPosts.push(post);
        postsByAuthor.set(post.authorId, authorPosts);
      });

      return authorIds.map(id => postsByAuthor.get(id) || []);
    }
  );
}

// 上下文工厂
export interface Context {
  user: User | null;
  loaders: DataLoaders;
}

export const createContext = async ({ req }): Promise<Context> => {
  const user = await authenticateUser(req);
  return {
    user,
    loaders: new DataLoaders(),
  };
};

// 使用DataLoader的Resolver
const resolvers = {
  Post: {
    author: async (post, _, { loaders }) => {
      return loaders.userLoader.load(post.authorId);
    },
  },
  User: {
    posts: async (user, { first, after }, { loaders }) => {
      const posts = await loaders.postsByAuthorLoader.load(user.id);
      return paginatePosts(posts, first, after);
    },
  },
};

Pattern 3: Field-Level Authorization

模式3:字段级授权

typescript
import { GraphQLError } from 'graphql';
import { shield, rule, and, or } from 'graphql-shield';

// ✅ Authorization rules
const isAuthenticated = rule({ cache: 'contextual' })(
  async (parent, args, ctx) => {
    return ctx.user !== null;
  }
);

const isAdmin = rule({ cache: 'contextual' })(
  async (parent, args, ctx) => {
    return ctx.user?.role === 'ADMIN';
  }
);

const isPostOwner = rule({ cache: 'strict' })(
  async (parent, args, ctx) => {
    const post = await ctx.loaders.postLoader.load(args.id);
    return post?.authorId === ctx.user?.id;
  }
);

// ✅ Permission layer
const permissions = shield(
  {
    Query: {
      me: isAuthenticated,
      user: isAuthenticated,
      posts: true, // Public
    },
    Mutation: {
      createPost: isAuthenticated,
      updatePost: and(isAuthenticated, or(isPostOwner, isAdmin)),
      deletePost: and(isAuthenticated, or(isPostOwner, isAdmin)),
    },
    User: {
      email: isAuthenticated, // Only authenticated users see emails
      posts: true, // Public field
    },
  },
  {
    allowExternalErrors: false,
    fallbackError: new GraphQLError('Not authorized', {
      extensions: { code: 'FORBIDDEN' },
    }),
  }
);
📚 For advanced patterns (Federation, Subscriptions, Error Handling), see references/advanced-patterns.md
⚡ For performance optimization (Query Complexity, Timeouts, Caching), see references/performance-guide.md
typescript
import { GraphQLError } from 'graphql';
import { shield, rule, and, or } from 'graphql-shield';

// ✅ 授权规则
const isAuthenticated = rule({ cache: 'contextual' })(
  async (parent, args, ctx) => {
    return ctx.user !== null;
  }
);

const isAdmin = rule({ cache: 'contextual' })(
  async (parent, args, ctx) => {
    return ctx.user?.role === 'ADMIN';
  }
);

const isPostOwner = rule({ cache: 'strict' })(
  async (parent, args, ctx) => {
    const post = await ctx.loaders.postLoader.load(args.id);
    return post?.authorId === ctx.user?.id;
  }
);

// ✅ 权限层
const permissions = shield(
  {
    Query: {
      me: isAuthenticated,
      user: isAuthenticated,
      posts: true, // 公开访问
    },
    Mutation: {
      createPost: isAuthenticated,
      updatePost: and(isAuthenticated, or(isPostOwner, isAdmin)),
      deletePost: and(isAuthenticated, or(isPostOwner, isAdmin)),
    },
    User: {
      email: isAuthenticated, // 仅已认证用户可见邮箱
      posts: true, // 公开字段
    },
  },
  {
    allowExternalErrors: false,
    fallbackError: new GraphQLError('Not authorized', {
      extensions: { code: 'FORBIDDEN' },
    }),
  }
);
📚 高级模式(联邦、订阅、错误处理)请参考 references/advanced-patterns.md
⚡ 性能优化(查询复杂度、超时、缓存)请参考 references/performance-guide.md

5. Security Standards

5. 安全标准

OWASP Top 10 2025 Mapping

OWASP Top 10 2025映射

OWASP IDCategoryGraphQL RiskMitigation
A01:2025Broken Access ControlUnauthorized field accessField-level authorization
A02:2025Security MisconfigurationIntrospection enabledDisable in production
A03:2025Supply ChainMalicious resolversCode review, dependency scanning
A04:2025Insecure DesignNo query limitsComplexity/depth limits
A05:2025Identification & AuthMissing auth checksContext-based auth
A06:2025Vulnerable ComponentsOutdated GraphQL libsUpdate dependencies
A07:2025Cryptographic FailuresExposed sensitive dataField-level permissions
A08:2025InjectionSQL injection in resolversParameterized queries
A09:2025Logging FailuresNo query loggingApollo Studio, monitoring
A10:2025Exception HandlingStack traces in errorsFormat errors properly
📚 For detailed security vulnerabilities and examples, see references/security-examples.md
OWASP ID类别GraphQL风险缓解措施
A01:2025访问控制失效未授权字段访问字段级授权
A02:2025安全配置错误启用自省生产环境禁用
A03:2025供应链漏洞恶意Resolver代码审查、依赖扫描
A04:2025不安全设计无查询限制复杂度/深度限制
A05:2025身份认证与识别缺少身份验证检查基于上下文的身份验证
A06:2025脆弱组件过时的GraphQL库更新依赖
A07:2025密码学失败暴露敏感数据字段级权限
A08:2025注入Resolver中的SQL注入参数化查询
A09:2025日志失败无查询日志Apollo Studio、监控
A10:2025异常处理错误中包含堆栈跟踪正确格式化错误
📚 详细安全漏洞与示例请参考 references/security-examples.md

8. Common Mistakes

8. 常见错误

Top 3 Critical Mistakes

三大关键错误

1. N+1 Query Problem
typescript
// ❌ DON'T - Causes N+1 queries
const resolvers = {
  Post: {
    author: (post) => db.query('SELECT * FROM users WHERE id = ?', [post.authorId]),
  },
};

// ✅ DO - Use DataLoader
const resolvers = {
  Post: {
    author: (post, _, { loaders }) => loaders.userLoader.load(post.authorId),
  },
};
2. No Query Complexity Limits
typescript
// ❌ DON'T - Allow unlimited queries
const server = new ApolloServer({ typeDefs, resolvers });

// ✅ DO - Add complexity limits
const server = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: [depthLimit(7), complexityLimit(1000)],
});
3. Missing Field Authorization
typescript
// ❌ DON'T - Public access to all fields
type User {
  email: String!
  socialSecurityNumber: String!
}

// ✅ DO - Field-level authorization
type User {
  email: String! @auth
  socialSecurityNumber: String! @auth(requires: ADMIN)
}
📚 For complete anti-patterns list (11 common mistakes with solutions), see references/anti-patterns.md
1. N+1查询问题
typescript
// ❌ 请勿这样做 - 导致N+1查询
const resolvers = {
  Post: {
    author: (post) => db.query('SELECT * FROM users WHERE id = ?', [post.authorId]),
  },
};

// ✅ 正确做法 - 使用DataLoader
const resolvers = {
  Post: {
    author: (post, _, { loaders }) => loaders.userLoader.load(post.authorId),
  },
};
2. 无查询复杂度限制
typescript
// ❌ 请勿这样做 - 允许无限制查询
const server = new ApolloServer({ typeDefs, resolvers });

// ✅ 正确做法 - 添加复杂度限制
const server = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: [depthLimit(7), complexityLimit(1000)],
});
3. 缺少字段授权
typescript
// ❌ 请勿这样做 - 所有字段公开访问
type User {
  email: String!
  socialSecurityNumber: String!
}

// ✅ 正确做法 - 字段级授权
type User {
  email: String! @auth
  socialSecurityNumber: String! @auth(requires: ADMIN)
}
📚 完整反模式列表(11个常见错误及解决方案)请参考 references/anti-patterns.md

9. Testing

9. 测试

Unit Testing Resolvers

Resolver单元测试

python
undefined
python
undefined

tests/test_resolvers.py

tests/test_resolvers.py

import pytest from unittest.mock import AsyncMock from ariadne import make_executable_schema, graphql
@pytest.fixture def schema(): from src.schema import type_defs from src.resolvers import resolvers return make_executable_schema(type_defs, resolvers)
@pytest.fixture def auth_context(): return { "user": {"id": "user-1", "role": "USER"}, "loaders": { "user_loader": AsyncMock(), "post_loader": AsyncMock(), }, "db": AsyncMock() }
class TestQueryResolvers: @pytest.mark.asyncio async def test_me_returns_current_user(self, schema, auth_context): query = "query { me { id email } }" auth_context["loaders"]["user_loader"].load.return_value = { "id": "user-1", "email": "test@example.com" }
    success, result = await graphql(
        schema, {"query": query}, context_value=auth_context
    )

    assert success
    assert result["data"]["me"]["id"] == "user-1"

@pytest.mark.asyncio
async def test_unauthorized_query_returns_error(self, schema):
    query = "query { me { id } }"
    context = {"user": None, "loaders": {}}

    success, result = await graphql(
        schema, {"query": query}, context_value=context
    )

    assert "errors" in result
class TestMutationResolvers: @pytest.mark.asyncio async def test_create_post_validates_input(self, schema, auth_context): mutation = """ mutation { createPost(input: {title: "", content: "test"}) { errors { field code } } } """
    success, result = await graphql(
        schema, {"query": mutation}, context_value=auth_context
    )

    assert result["data"]["createPost"]["errors"][0]["field"] == "title"
undefined
import pytest from unittest.mock import AsyncMock from ariadne import make_executable_schema, graphql
@pytest.fixture def schema(): from src.schema import type_defs from src.resolvers import resolvers return make_executable_schema(type_defs, resolvers)
@pytest.fixture def auth_context(): return { "user": {"id": "user-1", "role": "USER"}, "loaders": { "user_loader": AsyncMock(), "post_loader": AsyncMock(), }, "db": AsyncMock() }
class TestQueryResolvers: @pytest.mark.asyncio async def test_me_returns_current_user(self, schema, auth_context): query = "query { me { id email } }" auth_context["loaders"]["user_loader"].load.return_value = { "id": "user-1", "email": "test@example.com" }
    success, result = await graphql(
        schema, {"query": query}, context_value=auth_context
    )

    assert success
    assert result["data"]["me"]["id"] == "user-1"

@pytest.mark.asyncio
async def test_unauthorized_query_returns_error(self, schema):
    query = "query { me { id } }"
    context = {"user": None, "loaders": {}}

    success, result = await graphql(
        schema, {"query": query}, context_value=context
    )

    assert "errors" in result
class TestMutationResolvers: @pytest.mark.asyncio async def test_create_post_validates_input(self, schema, auth_context): mutation = """ mutation { createPost(input: {title: "", content: "test"}) { errors { field code } } } """
    success, result = await graphql(
        schema, {"query": mutation}, context_value=auth_context
    )

    assert result["data"]["createPost"]["errors"][0]["field"] == "title"
undefined

Integration Testing

集成测试

python
undefined
python
undefined

tests/test_integration.py

tests/test_integration.py

import pytest from httpx import AsyncClient from src.main import app
@pytest.fixture async def client(): async with AsyncClient(app=app, base_url="http://test") as client: yield client
class TestGraphQLEndpoint: @pytest.mark.asyncio async def test_query_execution(self, client): response = await client.post( "/graphql", json={ "query": "query { posts(first: 5) { edges { node { id } } } }" } )
    assert response.status_code == 200
    data = response.json()
    assert "data" in data
    assert "posts" in data["data"]

@pytest.mark.asyncio
async def test_query_depth_limit(self, client):
    # Query that exceeds depth limit
    deep_query = """
        query {
            user(id: "1") {
                posts {
                    edges {
                        node {
                            author {
                                posts {
                                    edges {
                                        node {
                                            author {
                                                posts { edges { node { id } } }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    """

    response = await client.post("/graphql", json={"query": deep_query})
    data = response.json()

    assert "errors" in data
    assert any("depth" in str(err).lower() for err in data["errors"])

@pytest.mark.asyncio
async def test_introspection_disabled_in_production(self, client):
    introspection_query = """
        query { __schema { types { name } } }
    """

    response = await client.post(
        "/graphql",
        json={"query": introspection_query}
    )
    data = response.json()

    # Should be blocked in production
    assert "errors" in data
undefined
import pytest from httpx import AsyncClient from src.main import app
@pytest.fixture async def client(): async with AsyncClient(app=app, base_url="http://test") as client: yield client
class TestGraphQLEndpoint: @pytest.mark.asyncio async def test_query_execution(self, client): response = await client.post( "/graphql", json={ "query": "query { posts(first: 5) { edges { node { id } } } }" } )
    assert response.status_code == 200
    data = response.json()
    assert "data" in data
    assert "posts" in data["data"]

@pytest.mark.asyncio
async def test_query_depth_limit(self, client):
    # 超过深度限制的查询
    deep_query = """
        query {
            user(id: "1") {
                posts {
                    edges {
                        node {
                            author {
                                posts {
                                    edges {
                                        node {
                                            author {
                                                posts { edges { node { id } } }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    """

    response = await client.post("/graphql", json={"query": deep_query})
    data = response.json()

    assert "errors" in data
    assert any("depth" in str(err).lower() for err in data["errors"])

@pytest.mark.asyncio
async def test_introspection_disabled_in_production(self, client):
    introspection_query = """
        query { __schema { types { name } } }
    """

    response = await client.post(
        "/graphql",
        json={"query": introspection_query}
    )
    data = response.json()

    # 生产环境应被阻止
    assert "errors" in data
undefined

DataLoader Testing

DataLoader测试

python
undefined
python
undefined

tests/test_dataloaders.py

tests/test_dataloaders.py

import pytest from src.loaders import DataLoaders
class TestDataLoaders: @pytest.mark.asyncio async def test_user_loader_batches_requests(self): batch_calls = []
    async def mock_batch(ids):
        batch_calls.append(list(ids))
        return [{"id": id, "name": f"User {id}"} for id in ids]

    loader = DataLoader(mock_batch)

    # Load multiple users
    results = await asyncio.gather(
        loader.load("1"),
        loader.load("2"),
        loader.load("3")
    )

    # Should batch into single call
    assert len(batch_calls) == 1
    assert set(batch_calls[0]) == {"1", "2", "3"}
    assert len(results) == 3

@pytest.mark.asyncio
async def test_user_loader_caches_results(self):
    call_count = 0

    async def mock_batch(ids):
        nonlocal call_count
        call_count += 1
        return [{"id": id} for id in ids]

    loader = DataLoader(mock_batch)

    # Load same user twice
    await loader.load("1")
    await loader.load("1")

    # Should only call batch once due to caching
    assert call_count == 1
undefined
import pytest from src.loaders import DataLoaders
class TestDataLoaders: @pytest.mark.asyncio async def test_user_loader_batches_requests(self): batch_calls = []
    async def mock_batch(ids):
        batch_calls.append(list(ids))
        return [{"id": id, "name": f"User {id}"} for id in ids]

    loader = DataLoader(mock_batch)

    # 加载多个用户
    results = await asyncio.gather(
        loader.load("1"),
        loader.load("2"),
        loader.load("3")
    )

    # 应批量为单次调用
    assert len(batch_calls) == 1
    assert set(batch_calls[0]) == {"1", "2", "3"}
    assert len(results) == 3

@pytest.mark.asyncio
async def test_user_loader_caches_results(self):
    call_count = 0

    async def mock_batch(ids):
        nonlocal call_count
        call_count += 1
        return [{"id": id} for id in ids]

    loader = DataLoader(mock_batch)

    # 两次加载同一用户
    await loader.load("1")
    await loader.load("1")

    # 由于缓存,应仅调用批量函数一次
    assert call_count == 1
undefined

Schema Validation Testing

Schema验证测试

python
undefined
python
undefined

tests/test_schema.py

tests/test_schema.py

import pytest from graphql import build_schema, validate_schema
def test_schema_is_valid(): from src.schema import type_defs
schema = build_schema(type_defs)
errors = validate_schema(schema)

assert len(errors) == 0, f"Schema errors: {errors}"
def test_required_types_exist(): from src.schema import type_defs
schema = build_schema(type_defs)
type_map = schema.type_map

required_types = ["User", "Post", "Query", "Mutation"]
for type_name in required_types:
    assert type_name in type_map, f"Missing type: {type_name}"
def test_pagination_types_exist(): from src.schema import type_defs
schema = build_schema(type_defs)
type_map = schema.type_map

# Verify pagination types
assert "PageInfo" in type_map
assert "PostConnection" in type_map
assert "PostEdge" in type_map
undefined
import pytest from graphql import build_schema, validate_schema
def test_schema_is_valid(): from src.schema import type_defs
schema = build_schema(type_defs)
errors = validate_schema(schema)

assert len(errors) == 0, f"Schema错误: {errors}"
def test_required_types_exist(): from src.schema import type_defs
schema = build_schema(type_defs)
type_map = schema.type_map

required_types = ["User", "Post", "Query", "Mutation"]
for type_name in required_types:
    assert type_name in type_map, f"缺少类型: {type_name}"
def test_pagination_types_exist(): from src.schema import type_defs
schema = build_schema(type_defs)
type_map = schema.type_map

# 验证分页类型
assert "PageInfo" in type_map
assert "PostConnection" in type_map
assert "PostEdge" in type_map
undefined

Running Tests

运行测试

bash
undefined
bash
undefined

Run all tests

运行所有测试

pytest tests/ -v
pytest tests/ -v

Run with coverage

运行测试并查看覆盖率

pytest tests/ -v --cov=src --cov-report=term-missing
pytest tests/ -v --cov=src --cov-report=term-missing

Run specific test file

运行特定测试文件

pytest tests/test_resolvers.py -v
pytest tests/test_resolvers.py -v

Run tests matching pattern

运行匹配模式的测试

pytest tests/ -k "test_user" -v
pytest tests/ -k "test_user" -v

Run with async debugging

启用异步调试运行测试

pytest tests/ -v --tb=short -x --asyncio-mode=auto

---
pytest tests/ -v --tb=short -x --asyncio-mode=auto

---

13. Critical Reminders

13. 关键提醒

NEVER

绝不要

  • ❌ Allow unbounded queries without limits
  • ❌ Skip field-level authorization
  • ❌ Expose introspection in production
  • ❌ Ignore N+1 query problems
  • ❌ Trust user input without validation
  • ❌ Return stack traces in errors
  • ❌ Use blocking operations in resolvers
  • ❌ 允许无界查询而不设置限制
  • ❌ 跳过字段级授权
  • ❌ 生产环境暴露自省
  • ❌ 忽略N+1查询问题
  • ❌ 信任未验证的用户输入
  • ❌ 在错误中返回堆栈跟踪
  • ❌ 在Resolver中使用阻塞操作

ALWAYS

始终要

  • ✅ Use DataLoader for batching
  • ✅ Implement query depth limits (≤7)
  • ✅ Add query complexity analysis
  • ✅ Validate all input arguments
  • ✅ Implement field-level authorization
  • ✅ Use pagination for lists
  • ✅ Disable introspection in production
  • ✅ Log query performance
  • ✅ 使用DataLoader进行批处理
  • ✅ 实现查询深度限制(≤7)
  • ✅ 添加查询复杂度分析
  • ✅ 验证所有输入参数
  • ✅ 实现字段级授权
  • ✅ 对列表使用分页
  • ✅ 生产环境禁用自省
  • ✅ 记录查询性能

Pre-Implementation Checklist

实现前检查清单

Phase 1: Before Writing Code

阶段1:编写代码前

  • Schema design reviewed and documented
  • DataLoader strategy planned for relationships
  • Authorization requirements identified per field
  • Query complexity costs estimated
  • Test cases written (TDD)
  • Existing patterns in codebase reviewed
  • Schema设计已评审并文档化
  • 已为关系型数据规划DataLoader策略
  • 已识别每个字段的授权要求
  • 已估算查询复杂度成本
  • 已编写测试用例(测试驱动开发)
  • 已评审代码库中的现有模式

Phase 2: During Implementation

阶段2:实现过程中

  • Tests passing for each resolver
  • DataLoader implemented for all relationships
  • Field-level authorization in place
  • Input validation on all mutations
  • Error types properly defined
  • No N+1 queries (verified with query logging)
  • Pagination using cursor-based approach
  • 每个Resolver的测试均通过
  • 所有关系型数据已实现DataLoader
  • 已部署字段级授权
  • 所有变更已实现输入验证
  • 已正确定义错误类型
  • 无N+1查询(通过查询日志验证)
  • 使用基于游标的分页

Phase 3: Before Committing

阶段3:提交前

  • All tests pass: 
    pytest tests/ -v
  • Type checking passes: 
    mypy src/ --strict
  • Schema validates successfully
  • Query depth limit configured (≤7)
  • Query complexity limit configured
  • Introspection disabled in production
  • Error formatting hides stack traces
  • Rate limiting configured
  • Query timeout limits set
  • Monitoring/logging configured
  • Code review checklist completed
  • 所有测试通过:
    pytest tests/ -v
  • 类型检查通过:
    mypy src/ --strict
  • Schema验证成功
  • 已配置查询深度限制(≤7)
  • 已配置查询复杂度限制
  • 生产环境已禁用自省
  • 错误格式已隐藏堆栈跟踪
  • 已配置速率限制
  • 已设置查询超时限制
  • 已配置监控/日志
  • 已完成代码审查清单

14. Summary

14. 总结

You are a GraphQL expert focused on:
  1. Schema design - Type-safe, well-documented schemas
  2. Performance - DataLoader batching, query optimization
  3. Security - Complexity limits, field authorization, input validation
  4. Type safety - Generated types, end-to-end type safety
  5. Production readiness - Error handling, monitoring, testing
Key principles:
  • Solve N+1 queries with DataLoader
  • Protect against malicious queries with complexity/depth limits
  • Implement field-level authorization
  • Validate all inputs
  • Design schemas for evolution
  • Optimize for performance from day one
  • Never expose sensitive data or errors
Technology stack:
  • GraphQL 16+
  • Apollo Server 4+
  • DataLoader for batching
  • GraphQL Code Generator for types
  • Apollo Federation for microservices
📚 Reference Documentation:
  • Advanced Patterns - Federation, Subscriptions, Error Handling
  • Performance Guide - Query Optimization, Complexity Analysis, Caching
  • Security Examples - Vulnerabilities, Attack Scenarios, Mitigations
  • Anti-Patterns - Common Mistakes and How to Avoid Them
When building GraphQL APIs, prioritize security and performance equally. A fast API that's insecure is useless. A secure API that's slow is unusable. Design for both from the start.
你是一名专注于以下领域的GraphQL专家:
  1. Schema设计 - 类型安全、文档完善的Schema
  2. 性能 - DataLoader批处理、查询优化
  3. 安全 - 复杂度限制、字段授权、输入验证
  4. 类型安全 - 生成类型、端到端类型安全
  5. 生产就绪 - 错误处理、监控、测试
核心原则:
  • 使用DataLoader解决N+1查询问题
  • 通过复杂度/深度限制防护恶意查询
  • 实现字段级授权
  • 验证所有输入
  • 为演进设计Schema
  • 从第一天起优化性能
  • 绝不暴露敏感数据或错误细节
技术栈:
  • GraphQL 16+
  • Apollo Server 4+
  • DataLoader批处理
  • GraphQL Code Generator生成类型
  • Apollo Federation微服务
📚 参考文档:
  • 高级模式 - 联邦、订阅、错误处理
  • 性能指南 - 查询优化、复杂度分析、缓存
  • 安全示例 - 漏洞、攻击场景、缓解措施
  • 反模式 - 常见错误及避免方法
构建GraphQL API时,请同等重视安全与性能。快速但不安全的API毫无用处,安全但缓慢的API无法使用。从设计之初就兼顾两者。