Blog
/
Education

GraphQL's @defer and @stream Directives are overkill

cover
Jens Neuse

Jens Neuse

min read

We're hiring!

We're looking for Golang (Go) Developers, DevOps Engineers and Solution Architects who want to help us shape the future of Microservices, distributed systems, and APIs.

By working at WunderGraph, you'll have the opportunity to build the next generation of API and Microservices infrastructure. Our customer base ranges from small startups to well-known enterprises, allowing you to not just have an impact at scale, but also to build a network of industry professionals.

For a very long time I was a big fan and advocate of GraphQL's @defer and @stream directives. Actually, I've implemented them in my own GraphQL server implementation in Go almost 3 years ago . At that time, I was using a stream of JSON-Patch operations to continously update the client.

Recently, I've added support for TypeScript Operations to WunderGraph, including support for Subscriptions through Async Generators. After implementing this feature and playing around with it, I've realized that @defer and @stream are complete overkill and the whole idea of incrementally loading data can be done in a much simpler way.

Before we can compare the two approaches, we need to understand how @defer and @stream work.

How the @defer and @stream Directives work

I'm using the Example from the DeferStream RFC

1
2
3
4
5
6
7
8
9
10
11
12
13
14

We're loading the person with the ID cGVvcGxlOjE=. For this person, we're loading only the name and the first two films synchronously. The HomeWorldFragment is loaded asynchronously and all films beyond the first two are loaded asynchronously.

From the example RFC, we get back the following responses:

1
2
3
4
5
6
7
8
9
10
11
12

The first response is as expected, the only notable thing is the hasNext field which indicates that there are more responses to come.

1
2
3
4
5
6
7
8
9
10

The second response is the HomeWorldFragment which is loaded asynchronously. The label field is used to identify the response. The path field is used to identify the location in the response where the data should be inserted. The hasNext field indicates that there are still more responses to come.

1
2
3
4
5
6
7
8

The third response is the first film beyond the first two films. The path field is used to identify the location in the response where the data should be inserted. The hasNext field indicates that there are no more responses to come.

According to the RFC, this approach has the following benefits :

  • Make GraphQL a great choice for applications which demand responsiveness.
  • Enable interoperability between different GraphQL clients and servers without restricting implementation.
  • Enable a strong tooling ecosystem (including GraphiQL).
  • Provide concrete guidance to implementers.
  • Provide guidance to developers evaluating whether to adopt incremental delivery.

At the same time, the RFC also lists the following Caveats :

Type Generation Supporting @defer can add complexity to type-generating clients. Separate types will need to be generated for the different deferred fragments. These clients will need to use the label field to determine which fragments have been fulfilled to ensure the application is using the correct types.

Object Consistency The GraphQL spec does not currently support object identification or consistency. It is currently possible for the same object to be returned in multiple places in a query. If that object changes while the resolvers are running, the query could return inconsistent results. @defer/@stream does not increase the likelihood of this, as the server still attempts to resolve everything as fast as it can. The only difference is some results can be returned to the client sooner. This proposal does not attempt to address this issue.

Can @defer/@stream increase risk of a denial of service attack? This is currently a risk in GraphQL servers that do not implement any kind of query limiting as arbitrarily complex queries can be sent. Adding @defer may add some overhead as the server will now send parts of the query earlier than it would have without @defer, but it does not allow for any additional resolving that was not previously possible.

Why the @defer and @stream Directives are overkill

First of all I want to say that I love the idea of incrementally loading data and I have a lot of respect for the people who came up with this idea and participated in this or any other RFC that has something to do with this topic. So please, don't take this as a personal attack on anyone. I don't criticize your work, I just want to point out that there is a much simpler way to achieve the same goal.

So what follows now is my personal opinion, which is based on years of experience working with and implementing GraphQL as well as building WunderGraph.

First of all, this RFC has been in the making for many years without getting merged into the GraphQL spec. As many library and framework authors were quite excited about this feature, they implemented it in their own way. So there are now many implementations of @defer and @stream out there. This is a nightmare because how should clients know which implementation the server is using?

Additionally, the RFC is quite complex and requires a lot of work to implement. All client and server implementations have to implement handling of @defer and @stream directives. It's a lot of work to implement this feature in a reasonable way.

Let me give you an example from GraphQL Yoga. Again, not criticizing the work of the GraphQL Yoga team, just trying to point out the complexity of this feature.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

This server allows us to stream the alphabet. We set up a repeater which publishes a letter every second. Let's assume we actually have a datasource that provides us with one letter every second. If we go back to the RFC example, it allowed us to use the initialCount argument to specify how many items we want to receive in the first response. First, this argument is missing in the Yoga implementation, but they could probably add it.

But even if they added it, we'd still have the same problem. How does the user of the API know how many items to request in the first response? If we don't have fine-grained control over the data flow, how can we implement this feature efficiently? Imagine you're building a public GraphQL API and someone asks for ridiculous initialCount values. You now have to add extra logic to validate the initialCount argument and protect your server.

What if a user applies the @defer directive to fields that are not supposed to be deferred? E.g. if you're loading a user profile from the database, we will always load the user id, name and email address using a single database query. If we now apply the @defer directive to the email address, what is supposed to happen? Should we load the email address in a separate database query? Should we load the email address in the same database query but defer it? Or should we just ignore the @defer directive and return the email address in the first response?

What happens if an attacker intentionally sends queries with endless numbers of @defer directives? Should we now rate limit the use of @defer directives? Technically possible, but it just adds more complexity to the implementation.

Keep in mind that every single implementation of @defer and @stream has to implement all of this logic.

Last but not least, and that's what I'm afraid of the most, we could just hide all of this complexity from the user and swallow the performance penalty in the framework. This would mean that resolvers would not be aware of the @defer and @stream directives. However, this would lead to very inefficient implementations. Load all the data from the database, then apply the @defer and @stream directives and then return the data to the client, what's the point?

Let's put an end to this rant and talk about a much simpler solution. What problem are we trying to solve here?

What problem are we solving with the @defer and @stream directives in GraphQL?

We need a blob of data in the user interface, but loading it all at once would be too slow. This can have multiple reasons:

  • The data is too big to load all at once (e.g. a list of 1000 items)
  • We need to load the data from multiple sources, one of which is slow

How does WunderGraph solve this problem?

WunderGraph compiles GraphQL Operations into JSON-RPC requests. E.g. a GraphQL Subscription is turned into a stream of newline delimited JSON objects.

Up until recently, you've had to implement Subscriptions in your GraphQL server, plug this server as a data source into WunderGraph, allowing you to expose the Subscription as a JSON-RPC stream.

As I've said above, we've recently added support to implement JSON-RPC Operations directly in WunderGraph using TypeScript, supporting Queries, Mutations and Subscriptions.

Let's take a look at how we could implement the example from the RFC using a WunderGraph Subscription / JSON-RPC stream.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

The createOperation.subscription function allows us to implement a JSON-RPC Stream using an async generator function. Compared to an async function, an async generator function can yield multiple values. So, instead of returning a single value, like an async function, we can yield multiple values.

Most importantly, we have exact control over the data flow. We're not limited to implementing a resolver that returns a stream of values. As we can yield multiple times, we can easily achieve the same result as the @defer and @stream directives.

On the client side, you can use the generated type-safe client to subscribe to the stream. When there's no more yield statements in the generator function (when it returns), the stream will be closed.

Here's how the client code would look like:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

The client code is quite simple, and it's type-safe. This is because WunderGraph infers the response type from the operation definition. We can define the response shape in the operation definition by creating a zod schema. The generated client will use this schema to infer the response type. However, defining the response shape is optional. If we don't define it, the client will infer the response type from the operation handler, so it's up to the developer to either define the shape themselves or infer it from the operation handler.

How WunderGraph reduces the amound of data that needs to be transferred

As you can see in the example above, we've successfully implemented the @defer and @stream directives with a simple TypeScript function. So, from a developers' perspective, the problem seems to be solved.

However, there's still one problem left. It seems like with every yield statement, we're sending the entire response object to the client. This means that we're sending the same data over and over again, only to add a single field or append to an array.

GraphQL Subscriptions suffer from the same problem. If you're using Subscriptions in your GraphQL server, and only a single field changes between two updates, you're still sending the entire response object to the client.

WunderGraph solves this problem elegantly by using a technique called JSON Patch . Instead of re-inventing the wheel and building our own implementation of incrementally loading data, we're using the JSON Patch standard to describe the changes between two updates.

JSON Patch (RFC 6902) is a standard for describing changes to a JSON document. It's a format for expressing a sequence of operations to apply to a JSON document. Here's an example:

1
2
3
4
5
6

The JSON Patch above describes the following changes:

  • Replace the homePlanet field with a new object
  • Add three new films to the films array

The WunderGraph Server calculates the list of JSON Patch operations for each update. If the JSON Patch is smaller than sending the entire response object, the WunderGraph Server will send the JSON Patch to the client. In some cases, especially when the initial response is small, the JSON Patch will be larger than the entire response object. In this case, the WunderGraph Server will send the entire response object to the client instead of the JSON Patch.

All WunderGraph clients support handling JSON Patch operations out of the box, but it's opt-in, so a client can choose if they want to use JSON Patch or not.

Here's a curl command that shows how to subscribe to a Subscription Operation without using JSON Patch:

1

If you want to use JSON Patch, use the following command:

1

Additionally, you can also combine this with SSE (Server-Sent Events) by using the following command:

1

Conclusion

I think that in 90% of the cases, you don't need @defer and @stream at all. For those rare cases where you want to micro-optimize a page, WunderGraph gives you all the tools you need to efficiently load data incrementally.

More importantly, we're building on top of existing standards. As I said earlier, I was a big fan of the @defer and @stream directives. However, I think that there's a much simpler solution to the problem without having to introduce new directives to the GraphQL spec and without having to implement a new protocol.

Streaming JSON Patch is a simple solution that works beyond just GraphQL. That said, WunderGraph also applies the same technique to GraphQL Subscriptions and Live Queries. So, if you're using GraphQL Subscriptions in your application already, you can easily switch to WunderGraph and the generated client & server will transparently use JSON Patch to reduce the amount of data that needs to be transferred.

The @defer and @stream directives put control over the data flow in the hands of the API consumer, who not necessarily has the required knowledge to apply them in the most efficient way.

Micro-optimizations should be avoided in most cases, but if you really need them, control over the data flow should be in the hands of the API provider.

Try it our for yourself

If you'd like to try out this feature for yourself, check out the WunderGraph Mono Repo on GitHub and try out one of the examples.