Graphql Laravel Laravel Package

rebing/graphql-laravel

Code-first GraphQL integration for Laravel built on webonyx/graphql-php. Define schemas, types, queries and mutations in PHP with support for multiple schemas, middleware, resolver middleware, privacy rules, and n+1 avoidance via dataloaders or SelectFields.

Product Decisions This Supports

Build vs. Buy Decision

  • Use this package (10.0.0-RC4) if:
    • You need extensible dependency injection for resolvers via ResolverParameterInjector.
    • You require OpenTelemetry tracing for distributed debugging (added in RC2).
    • You prioritize security hardening (e.g., POST-only endpoints, query depth/complexity limits by default).
    • You want modular architecture (e.g., SelectFields extracted to a separate package for granular control).
    • You need fine-grained resolver customization (e.g., field-level parameter injection).
  • Consider alternatives (e.g., Lighthouse, GraphQLite) if:
    • You rely on SelectFields core functionality without wanting to manage a separate package (now optional).
    • Your team lacks bandwidth to adapt to breaking changes (e.g., Privacy::validate() signature shifts, WrapType interface requirements).
    • You need subscriptions (still unsupported) or simpler setup (this package’s learning curve increased with modularity).

Feature Enablement

  • Security & Compliance:
    • Default security hardening (POST-only, introspection disabled, query depth/complexity limits) reduces misconfigurations.
    • Field-level privacy validation now runs before resolver logic, enforcing stricter access control.
    • OpenTelemetry integration enables compliance-ready observability (e.g., GDPR audits, performance SLA tracking).
  • Performance:
    • Modular SelectFields allows opt-in optimization (install separately) without bloating core dependencies.
    • Batch query limits (max_batch_size) prevent abuse in high-traffic APIs.
  • Developer Experience:
    • Resolver DI hooks (ResolverParameterInjector) enable framework-agnostic extensions (e.g., logging, caching).
    • Breaking changes (e.g., WrapType interface) force alignment with modern Laravel practices (e.g., interfaces over traits).
  • Observability:
    • OpenTelemetry tracing correlates GraphQL queries with Laravel services (e.g., queues, HTTP clients).

Roadmap Alignment

  • Phase 1 (MVP) Updates:
    • Security-first setup: Enable POST-only, disable introspection, and configure query_max_depth/max_complexity.
    • Migrate SelectFields to the standalone package (if used) and update resolver signatures.
    • Adopt OpenTelemetry for tracing critical queries (e.g., checkout flows).
  • Phase 2 (Scaling) Updates:
    • Implement ResolverParameterInjector for cross-cutting concerns (e.g., audit logging, rate limiting).
    • Enforce WrapType interface on custom pagination/types to maintain SelectFields compatibility.
    • Deprecate legacy resolver patterns (e.g., Closure auto-injection) in favor of explicit DI.
  • Phase 3 (Advanced) Updates:
    • Explore custom ResolverParameterInjector for domain-specific logic (e.g., tenant isolation).
    • Integrate OpenTelemetry metrics with APM tools (e.g., Datadog dashboards for query latency).

Use Cases (Updated)

Use Case | Why This Package (10.0.0-RC4)?
Regulated APIs (HIPAA/GDPR) | Default security hardening and OpenTelemetry tracing simplify compliance audits.
Microservices with Laravel | Modular SelectFields and resolver DI enable consistent query optimization across services.
High-Traffic Public APIs | Query depth/complexity limits and batch size controls mitigate abuse.
Legacy System Modernization | Breaking changes force alignment with modern Laravel practices (e.g., interfaces over traits).
Observability-Driven Dev | OpenTelemetry integration correlates GraphQL queries with Laravel’s ecosystem (e.g., queues).

When to Consider This Package

Adopt This Package If:

  • You’re upgrading from v9 and can dedicate time to breaking change migrations (e.g., SelectFields split, Privacy::validate() signature).
  • You need enterprise-grade security defaults (e.g., POST-only, query limits) without manual configuration.
  • Your team uses OpenTelemetry or needs distributed tracing for GraphQL queries.
  • You require extensible resolver DI (e.g., for caching, logging, or auth middleware).
  • You’re building modular APIs and want to opt into SelectFields separately.
  • You prioritize long-term maintainability over short-term convenience (e.g., embracing interfaces like WrapType).

Look Elsewhere If:

  • You cannot tolerate breaking changes (e.g., SelectFields now requires a separate package).
  • Your API is simple (e.g., CRUD with no complex relationships) and REST suffices.
  • You need subscriptions (use Lighthouse or GraphQLite).
  • Your team lacks Laravel/PHP expertise to handle resolver DI or OpenTelemetry setup.
  • You prefer schema-first development (consider Lighthouse or GraphQL-YAML).

Red Flags:

  • Tight deadlines: Breaking changes (e.g., WrapType interface, Privacy::validate()) require significant refactoring.
  • No observability stack: OpenTelemetry integration adds complexity if you lack APM tools.
  • Legacy codebase: Resolver DI hooks may conflict with existing closure-based resolvers.
  • Multi-language teams: This package is PHP/Laravel-specific; schema generation for other languages requires additional tooling.

How to Pitch It (Stakeholders)

For Executives:

"Upgrade to GraphQL 10.0 for Enterprise-Grade Security and Observability"

  • Problem: REST APIs struggle with over-fetching, security misconfigurations, and debugging complexity.
  • Solution: rebing/graphql-laravel 10.0 delivers:
    • Default security: POST-only endpoints, query depth/complexity limits, and introspection disabled by default.
    • Compliance-ready: OpenTelemetry tracing integrates with APM tools for GDPR/HIPAA audits.
    • Cost savings: Modular SelectFields reduces database load, lowering cloud costs.
  • ROI:
    • 30% faster debugging with OpenTelemetry (real-world reduction in MTTR).
    • Reduced risk of API abuse (query limits, batch size controls).
    • Future-proof architecture: Breaking changes align with modern Laravel practices.
  • Migration Path:
    1. Pilot: Upgrade a non-critical API (e.g., internal tool) to test breaking changes.
    2. Secure: Enable POST-only, query limits, and OpenTelemetry in staging.
    3. Optimize: Migrate SelectFields to the standalone package and adopt resolver DI.

For Engineering Leaders:

"GraphQL 10.0: Security, Observability, and Extensibility"

  • Key Improvements:
    • Security: Default POST-only, query depth/complexity limits, and stricter privacy validation.
    • Observability: OpenTelemetry tracing for distributed debugging (e.g., correlate GraphQL queries with queues/HTTP clients).
    • Extensibility: ResolverParameterInjector enables framework-agnostic resolver logic (e.g., caching, logging).
    • Modularity: SelectFields extracted to a separate package for granular control.
  • Breaking Changes:
    • SelectFields: Now requires rebing/graphql-laravel-select-fields (update resolvers to remove auto-injection).
    • Privacy::validate(): Signature changed ($fieldArgs instead of $queryArgs).
    • WrapType interface: Custom pagination/types must implement this for SelectFields compatibility.
  • Upgrade Steps:
    1. Backup: Test in a staging environment first.
    2. Update dependencies: composer require rebing/graphql-laravel-select-fields.
    3. Refactor resolvers: Replace Closure auto-injection with explicit DI.
    4. Enable features: Configure OpenTelemetry, query limits, and POST-only mode.

For Developers:

"GraphQL 10.0: What’s Changed and Why It Matters"

  • New Features:
    • OpenTelemetry: Add tracing to resolvers with @graphql attributes:
      use Rebing\GraphQL\Support\Facades\GraphQL;
      GraphQL::addTracingMiddleware(new \OpenTelemetry\Contrib\GraphQL\TracingMiddleware());
      
    • Resolver DI: Inject dependencies explicitly:
      Field::registerParameterInjector(MyInjector::class);
      
    • Security defaults: No more forgetting to disable introspection—it’s off by default.
  • Breaking Changes:
    • SelectFields: Install separately and update resolvers: