alt Hacker NewsYou're misunderstanding. In GraphQL, the server prunes the response object. That is, the resolver method can return a "fat" object, but only the object pruned down to just the requested fields is returned over the wire.
It is an important security benefit, because one common attack vector is to see if you can trick a server method into returning additional privileged data (like detailed error responses).
Replies
fastball • last Monday at 4:09 AM
"Just the requested fields" as requested by the client?
Because if so that is no security benefit at all, because I can just... request the fat fields.
I would like to remind you that in most cases the GQL is not colocated on the same hardware as the services it queries.
Therefore requests between GQL and downstream services are travelling "over the wire" (though I don't see it as an issue)
Having REST apis that return only "fat" objects is really not the most secure way of designing APIs