We will be building an API for a Blog CMS. The Blog will comprise of three concepts: Users, Posts and Tags. The CMS will handle creating and authenticating users (using JWT). Tags will be used as a taxonomy to group posts, think of it like categories in WordPress. A post can belong to many tags and a tag can have many posts. Authenticated users will be able to perform CRUD tasks like creating posts and tags.
This tutorial assumes you already have some basic understanding of GraphQL. You might want to go over GraphQL docs as a refresher.
With that said, let’s get started!
Create a New Project
We’ll start by creating a new Node.js project, we’ll call it graphql-blog-cms-api:
1mkdir graphql-blog-cms-api && cd graphql-blog-cms-api2npm init -y
Once the app is created, we need to install project’s dependencies:
1npm install graphql apollo-server-express express body-parser graphql-tools dotenv mysql2 sequelize bcrypt jsonwebtoken express-jwt slugify
We’ll go over each of package as we get to them. With the dependencies installed, let’s start fleshing out the app by creating a GraphQL server.
Create GraphQL Server
Create a new server.js file and paste the code below into it:
1// server.js23'use strict';4const express = require('express');56const bodyParser = require('body-parser');78const { graphqlExpress, graphiqlExpress } = require('apollo-server-express');910const schema = require('./data/schema');11const PORT = 3000;12// Create our express app1314const app = express();1516// Graphql endpoint1718app.use('/api', bodyParser.json(), graphqlExpress({ schema }));1920// Graphiql for testing the API out2122app.use('/graphiql', graphiqlExpress({ endpointURL: 'api' }));2324app.listen(PORT, () => {25 console.log(`GraphiQL is running on http://localhost:${PORT}/graphiql`);2627});
We import our dependencies, express is the Node.js framework of choice for this tutorial. body-parser is used to parse incoming request body. graphqlExpress is the express implementation of Apollo server which will be used to power our GraphQL server. With graphiqlExpress, we will be able to use GraphiQL which is an in-browser IDE for exploring GraphQL (we’ll use this to test out the GraphQL API). Lastly, we import our GraphQL schema which we’ll created shortly.
We define a port that the server will listen on. We then create an express app.
We define the route for our GraphQL API. We add body-parser middleware to the route. We also addgraphqlExpress passing along the GraphQL schema.
Then we define the route for GraphiQL passing to it the GraphQL endpoint we created above.
Finally, we start the server and listen on the port defined above.
Define GraphQL Schema
Let’s move on to defining our GraphQL schema. Schemas describe how data are shaped and what data on the server can be queried. GraphQL schemas are strongly typed, hence all the object defined in a schema must have types. Schemas can be of two types: Query and Mutation.
Create a folder name data and within this folder, create a new schema.js file, then paste the code below into it:
1// data/schema.js234'use strict';56const { makeExecutableSchema } = require('graphql-tools');78const resolvers = require('./resolvers');910// Define our schema using the GraphQL schema language1112const typeDefs = `13 scalar DateTime1415 type User {1617 id: Int!1819 firstName: String!2021 lastName: String2223 email: String!2425 posts: [Post]2627 createdAt: DateTime! # will be generated2829 updatedAt: DateTime! # will be generated3031 }3233 type Post {3435 id: Int!3637 title: String!3839 slug: String!4041 content: String!4243 status: Boolean!4445 user: User!4647 tags: [Tag!]!4849 createdAt: DateTime! # will be generated5051 updatedAt: DateTime! # will be generated5253 }5455 type Tag {5657 id: Int!5859 name: String!6061 slug: String!6263 description: String6465 posts: [Post]6667 createdAt: DateTime! # will be generated6869 updatedAt: DateTime! # will be generated7071 }7273 type Query {7475 allUsers: [User]7677 fetchUser(id: Int!): User7879 allPosts: [Post]8081 fetchPost(id: Int!): Post8283 allTags: [Tag]8485 fetchTag(id: Int!): Tag8687 }8889 type Mutation {9091 login (9293 email: String!,9495 password: String!9697 ): String9899 createUser (100101 firstName: String!,102103 lastName: String,104105 email: String!,106107 password: String!108109 ): User110111 updateUser (112113 id: Int!,114115 firstName: String!,116117 lastName: String,118119 email: String!,120121 password: String!122123 ): User124125 addPost (126127 title: String!,128129 content: String!,130131 status: Boolean132133 tags: [Int!]!134135 ): Post136137 updatePost (138139 id: Int!,140141 title: String!,142143 content: String!,144145 status: Boolean,146147 tags: [Int!]!148149 ): Post150151 deletePost (id: Int!): Boolean152153 addTag (154155 name: String!,156157 description: String158159 ): Tag160161 updateTag (162163 id: Int!,164165 name: String!,166167 description: String168169 ): Tag170171 deleteTag (id: Int!): Boolean172173 }174175`;176177module.exports = makeExecutableSchema({ typeDefs, resolvers });
We start off by pulling in graphql-tools, a package by the Apollo team. This package allows us to define our schema using the GraphQL schema language. We also import our resolvers which we’ll create shortly. We then begin to define the schema. We start by defining a custom scalar type called DateTime because Date is part of the types GraphQL support out of the box. So we need to define it ourselves. The DateTime will be used for the createdAt and updatedAt fields respectively. The createdAt and updatedAt fields will be auto generated at the point of creating our defined types.
We define the User type. Its fields are pretty straightforward. Notice the posts field as it will be an array of all the posts a user has created. User and Post have a one-to-many relationship, that is, a user can have many posts and on the other hand, a post can only belong to one user.
We then define the Post type. Its fields are pretty straightforward The user is a required field and represent the user that created a post. The tags field is an array of tags a post belongs to. Tag!! signifies that the array can not be empty. This means a post must belong to at least one tag. Post and Tag have a belongs-to-many relationship, that is, a post can belong to many tags and on the other hand, a tag can have many posts.
Then we define the Tag type. Again, its fields are pretty straightforward. The posts field is an array of posts a tag has.
Having defined our types, we move on to define the queries that can be performed on these types. allUsers will fetch all the users created and return them in an array. fetchUser(id: Int!) will fetch a user with a specified ID. We do the same for Post and Tag respectively.
Next, we define some mutations. While queries are used for fetching data from the server, mutations are used to add/modify data on the server. We define a login mutation which takes email address and password as inputs. It is use to authenticate users. We also define mutations to create and update User, Post and Tag respectively. The update mutations in addition to the data, also accept the ID of the type (User, Post, Tag) we want to update. Lastly, we define mutations for deleting a Post and a Tag respectively.
Finally, we use makeExecutableSchema to build the schema, passing to it our schema and the resolvers.
Setting Up Database
As earlier mentioned, we’ll be using MySQL for the purpose of this tutorial. Also, we’ll be using Sequelize as our ORM. We have installed the necessary dependencies for both of these. Now, we need to install Sequelize CLI on our computer. We’ll install it globally:
1npm install –g sequelize-cli
Once it’s installed, we can then initialize Sequelize in our project. With the project’s root directory, run the command below:
1sequelize init
This will create following folders:
config: contains config file, which tells CLI how to connect with database
models: contains all models for your project, also contains an index.js file which integrates all the models together.
migrations: contains all migration files
seeders: contains all seed files
Ignore the seeders folder as we won’t be creating any seeders in this tutorial. The config folder contain a JSON file config.json. We’ll rename this file to config.js. Now, open config/config.js and paste the snippet below into it:
1// config/config.js23'use strict';4require('dotenv').config();56module.exports = {7 "development": {89 "username": process.env.DB_USERNAME,1011 "password": process.env.DB_PASSWORD,1213 "database": process.env.DB_NAME,1415 "host": process.env.DB_HOST,1617 "dialect": "mysql"1819 },2021 "production": {2223 "username": process.env.DB_USERNAME,2425 "password": process.env.DB_PASSWORD,2627 "database": process.env.DB_NAME,2829 "host": process.env.DB_HOST,3031 "dialect": "mysql"3233 }3435};
Notice we are using the dotenv package to read our database details from an .env file. Let’s create a .env file and paste the snippet below into it:
1//.env23NODE_ENV=development4DB_HOST=localhost5DB_USERNAME=root6DB_PASSWORD=7DB_NAME=graphql_blog_cms
Update accordingly with your own database details.
Because we have changed the config file from JSON to JavaScript file, we need to make the Sequelize CLI aware of this. We can do that by creating a .sequelizerc file and paste the snippet below in it:
1// .sequelizerc23const path = require('path');45module.exports = {6 'config': path.resolve('config', 'config.js')7}
Now the CLI will be aware of our changes.
One last thing we need to do is update models/index.js to also reference config/config.js. Replace the line where the config file is imported with the line below:
1// models/index.js23var config = require(__dirname + '/../config/config.js')[env];
Creating Models and Migrations
With our database setup, now create our models and their corresponding migrations. For consistency, we want our models to mirror our GraphQL schema. So we are going to create 3 models (User, Post and Tag) with the corresponding fields we defined on our schema. We’ll be using the Sequelize CLI for this.
We’ll start with User, run the command below:
1sequelize model:generate --name User --attributes \ firstName:string,lastName:string,email:string
This will do following:
Create a model file user.js in models folder
Create a migration file with name like XXXXXXXXXXXXXX-create-user.js in migrations folder
Open migrations/XXXXXXXXXXXXXX-create-user.js and replace it content with:
1// migrations/XXXXXXXXXXXXXX-create-user.js234'use strict';56module.exports = {78 up: (queryInterface, Sequelize) => {910 return queryInterface.createTable('users', {1112 id: {1314 type: Sequelize.INTEGER,1516 autoIncrement: true,1718 primaryKey: true,1920 allowNull: false2122 },2324 firstName: {2526 type: Sequelize.STRING,2728 allowNull: false2930 },3132 lastName: {3334 type: Sequelize.STRING3536 },3738 email: {3940 type: Sequelize.STRING,4142 unique: true,4344 allowNull: false4546 },4748 password: {4950 type: Sequelize.STRING,5152 allowNull: false5354 },5556 createdAt: {5758 type: Sequelize.DATE,5960 allowNull: false6162 },6364 updatedAt: {6566 type: Sequelize.DATE,6768 allowNull: false6970 }7172 });7374 },7576 down: (queryInterface, Sequelize) => {7778 return queryInterface.dropTable('Users');7980 }8182};
Also, replace the content of models/user.js with:
1// models/user.js234'use strict';56module.exports = (sequelize, DataTypes) => {78 const User = sequelize.define('User', {910 id: {1112 type: DataTypes.INTEGER,1314 primaryKey: true,1516 autoIncrement: true,1718 allowNull: false1920 },2122 firstName: {2324 type: DataTypes.STRING,2526 allowNull: false2728 },2930 lastName: DataTypes.STRING,3132 email: {3334 type: DataTypes.STRING,3536 unique: true,3738 allowNull: false3940 },4142 password: {4344 type: DataTypes.STRING,4546 allowNull: false4748 }4950 });5152 User.associate = function(models) {5354 // A user can have many post5556 User.hasMany(models.Post);5758 };5960 return User;6162};
Notice we define the relationship (one-to-many) between User and Post.
We do the same for Post:
1sequelize model:generate --name Post --attributes title:string,content:string
Open migrations/XXXXXXXXXXXXXX-create-post.js and replace it content with:
1// migrations/XXXXXXXXXXXXXX-create-post.js234'use strict';56module.exports = {78 up: (queryInterface, Sequelize) => {910 return queryInterface.createTable('posts', {1112 id: {1314 type: Sequelize.INTEGER,1516 autoIncrement: true,1718 primaryKey: true,1920 allowNull: false2122 },2324 userId: {2526 type: Sequelize.INTEGER.UNSIGNED,2728 allowNull: false2930 },3132 title: {3334 type: Sequelize.STRING,3536 allowNull: false3738 },3940 slug: {4142 type: Sequelize.STRING,4344 unique: true,4546 allowNull: false4748 },4950 content: {5152 type: Sequelize.STRING,5354 allowNull: false5556 },5758 status: {5960 type: Sequelize.BOOLEAN,6162 allowNull: false,6364 defaultValue: false6566 },6768 createdAt: {6970 type: Sequelize.DATE,7172 allowNull: false7374 },7576 updatedAt: {7778 type: Sequelize.DATE,7980 allowNull: false8182 }8384 });8586 },8788 down: (queryInterface, Sequelize) => {8990 return queryInterface.dropTable('posts');9192 }9394};
Also, replace the content of models/post.js with:
1// models/post.js234'use strict';56module.exports = (sequelize, DataTypes) => {78 const Post = sequelize.define('Post', {910 id: {1112 type: DataTypes.INTEGER,1314 primaryKey: true,1516 autoIncrement: true,1718 allowNull: false1920 },2122 userId: {2324 type: DataTypes.INTEGER.UNSIGNED,2526 allowNull: false2728 },2930 title: {3132 type: DataTypes.STRING,3334 allowNull: false3536 },3738 slug: {3940 type: DataTypes.STRING,4142 allowNull: false,4344 unique: true4546 },4748 content: {4950 type: DataTypes.STRING,5152 allowNull: false5354 },5556 status: {5758 type: DataTypes.BOOLEAN,5960 allowNull: false,6162 defaultValue: false6364 }6566 });6768 Post.associate = function(models) {6970 // A post belongs to a user7172 Post.belongsTo(models.User);7374 // A post can belong to many tags7576 Post.belongsToMany(models.Tag, { through: 'post_tag' });7778 };7980 return Post;8182};
We define the inverse relationship between Post and User. Also, we define the relationship (belongs-to-many) between Post and Tag.
We do the same for Tag:
1sequelize model:generate --name Tag --attributes \ name:string,description:string
Open migrations/XXXXXXXXXXXXXX-create-tag.js and replace it content with:
1// migrations/XXXXXXXXXXXXXX-create-tag.js234'use strict';56module.exports = {78 up: (queryInterface, Sequelize) => {910 return queryInterface.createTable('tags', {1112 id: {1314 type: Sequelize.INTEGER,1516 autoIncrement: true,1718 primaryKey: true,1920 allowNull: false2122 },2324 name: {2526 type: Sequelize.STRING,2728 unique: true,2930 allowNull: false3132 },3334 slug: {3536 type: Sequelize.STRING,3738 unique: true,3940 allowNull: false4142 },4344 description: {4546 type: Sequelize.STRING,4748 },4950 createdAt: {5152 type: Sequelize.DATE,5354 allowNull: false5556 },5758 updatedAt: {5960 type: Sequelize.DATE,6162 allowNull: false6364 }6566 });6768 },6970 down: (queryInterface, Sequelize) => {7172 return queryInterface.dropTable('tags');7374 }7576};
Also, replace the content of models/tag.js with:
1// models/tag.js234'use strict';56module.exports = (sequelize, DataTypes) => {78 const Tag = sequelize.define('Tag', {910 id: {1112 type: DataTypes.INTEGER,1314 primaryKey: true,1516 autoIncrement: true,1718 allowNull: false1920 },2122 name: {2324 type: DataTypes.STRING,2526 unique: true,2728 allowNull: false2930 },3132 slug: {3334 type: DataTypes.STRING,3536 allowNull: false,3738 unique: true3940 },4142 description: DataTypes.STRING4344 });4546 Tag.associate = function(models) {4748 // A tag can have to many posts4950 Tag.belongsToMany(models.Post, { through: 'post_tag' });5152 };5354 return Tag;5556};
Also, we define the relationship (belongs-to-many)between Tag and Post.
We need to define one more model/migration for the pivot table for the belongs-to-many relationship between Tag and Post.
1sequelize model:generate --name PostTag --attributes postId:integer
Open migrations/XXXXXXXXXXXXXX-create-post-tag.js and replace it content with:
1// migrations/XXXXXXXXXXXXXX-create-post-tag.js234'use strict';56module.exports = {78 up: (queryInterface, Sequelize) => {910 return queryInterface.createTable('post_tag', {1112 id: {1314 type: Sequelize.INTEGER,1516 autoIncrement: true,1718 primaryKey: true,1920 allowNull: false2122 },2324 postId: {2526 type: Sequelize.INTEGER,2728 allowNull: false2930 },3132 tagId: {3334 type: Sequelize.INTEGER,3536 allowNull: false3738 },3940 createdAt: {4142 allowNull: false,4344 type: Sequelize.DATE4546 },4748 updatedAt: {4950 allowNull: false,5152 type: Sequelize.DATE5354 }5556 });5758 },5960 down: (queryInterface, Sequelize) => {6162 return queryInterface.dropTable('post_tag');6364 }6566};
Also, replace the content of models/posttag.js with:
1// models/posttag.js234'use strict';5module.exports = (sequelize, DataTypes) => {67 const PostTag = sequelize.define('PostTag', {89 id: {1011 type: DataTypes.INTEGER,1213 primaryKey: true,1415 autoIncrement: true,1617 allowNull: false1819 },2021 postId:{2223 type: DataTypes.INTEGER.UNSIGNED,2425 allowNull: false2627 },2829 tagId:{3031 type: DataTypes.INTEGER.UNSIGNED,3233 allowNull: false3435 }3637 });38 return PostTag;3940};
Now, let’s run our migrations:
1sequelize db:migrate
Writing Resolvers
Our schema is nothing without resolvers. A resolver is a function that defines how a field in a schema is executed. Now, let’s we define our resolvers. Within the data folder, create a new resolvers.js file and paste following code into it:
1// data/resolvers.js23'use strict';456const { GraphQLScalarType } = require('graphql');78const { Kind } = require('graphql/language');910const { User, Post, Tag } = require('../models');1112const bcrypt = require('bcrypt');1314const jwt = require('jsonwebtoken');1516const slugify = require('slugify');1718require('dotenv').config();
We start off by importing the necessary packages as well as our models. Because we’ll be defining a custom scalar DateTime type, we import GraphQLScalarType and kind. bcrypt will be used for hashing users password, jsonwebtoken will be used to generate a JSON Web Token (JWT) which will be used to authenticate users. slugify will be used to create slugs. We also import our models. Finally, import dotenv so we can read from our .env file.
Now let’s start defining our resolver functions. We’ll start by defining resolver functions for our queries. Add the code below inside resolvers.js:
1// data/resolvers.js234// Define resolvers56const resolvers = {78 Query: {910 // Fetch all users1112 async allUsers() {1314 return await User.all();1516 },171819 // Get a user by it ID2021 async fetchUser(_, { id }) {2223 return await User.findById(id);2425 },2627 // Fetch all posts2829 async allPosts() {3031 return await Post.all();3233 },3435 // Get a post by it ID3637 async fetchPost(_, { id }) {3839 return await Post.findById(id);4041 },4243 // Fetch all tags4445 async allTags(_, args, { user }) {46 return await Tag.all();4748 },4950 // Get a tag by it ID5152 async fetchTag(_, { id }) {5354 return await Tag.findById(id);5556 },5758 },59}6061module.exports = resolvers;
Our resolver functions makes use of JavaScript new features like object destructuring and async/await. The resolvers for queries are pretty straightforward as they simply retrieve data from the database.
Now, let’s define resolver functions for our mutations. Add the code below inside resolvers.js just after the Query object:
1// data/resolvers.js234Mutation: {56 // Handles user login78 async login(_, { email, password }) {910 const user = await User.findOne({ where: { email } });1112 if (!user) {1314 throw new Error('No user with that email');1516 }1718 const valid = await bcrypt.compare(password, user.password);1920 if (!valid) {2122 throw new Error('Incorrect password');2324 }2526 // Return json web token2728 return jwt.sign({2930 id: user.id,3132 email: user.email3334 }, process.env.JWT_SECRET, { expiresIn: '1y' });3536 },3738 // Create new user3940 async createUser(_, { firstName, lastName, email, password }) {4142 return await User.create({4344 firstName,4546 lastName,4748 email,4950 password: await bcrypt.hash(password, 10)5152 });5354 },5556 // Update a particular user5758 async updateUser(_, { id, firstName, lastName, email, password }, { authUser }) {5960 // Make sure user is logged in6162 if (!authUser) {6364 throw new Error('You must log in to continue!')6566 }6768 // fetch the user by it ID6970 const user = await User.findById(id);7172 // Update the user7374 await user.update({7576 firstName,7778 lastName,7980 email,8182 password: await bcrypt.hash(password, 10)8384 });8586 return user;8788 },8990 // Add a new post9192 async addPost(_, { title, content, status, tags }, { authUser }) {9394 // Make sure user is logged in9596 if (!authUser) {9798 throw new Error('You must log in to continue!')99100 }101102 const user = await User.findOne({ where: { id: authUser.id } });103 const post = await Post.create({104105 userId: user.id,106107 title,108109 slug: slugify(title, { lower: true }),110111 content,112113 status114115 });116117 // Assign tags to post118119 await post.setTags(tags);120121 return post;122123 },124125 // Update a particular post126127 async updatePost(_, { id, title, content, status, tags }, { authUser }) {128129 // Make sure user is logged in130131 if (!authUser) {132133 throw new Error('You must log in to continue!')134135 }136137 // fetch the post by it ID138139 const post = await Post.findById(id);140141 // Update the post142143 await post.update({144145 title,146147 slug: slugify(title, { lower: true }),148149 content,150151 status152153 });154155 // Assign tags to post156157 await post.setTags(tags);158159 return post;160161 },162163 // Delete a specified post164165 async deletePost(_, { id }, { authUser }) {166167 // Make sure user is logged in168169 if (!authUser) {170171 throw new Error('You must log in to continue!')172173 }174175 // fetch the post by it ID176177 const post = await Post.findById(id);178179 return await post.destroy();180181 },182183 // Add a new tag184185 async addTag(_, { name, description }, { authUser }) {186187 // Make sure user is logged in188189 if (!authUser) {190191 throw new Error('You must log in to continue!')192193 }194195 return await Tag.create({196197 name,198199 slug: slugify(name, { lower: true }),200201 description202203 });204205 },206207 // Update a particular tag208209 async updateTag(_, { id, name, description }, { authUser }) {210211 // Make sure user is logged in212213 if (!authUser) {214215 throw new Error('You must log in to continue!')216217 }218219 // fetch the tag by it ID220221 const tag = await Tag.findById(id);222223 // Update the tag224225 await tag.update({226227 name,228229 slug: slugify(name, { lower: true }),230231 description232233 });234235 return tag;236237 },238239 // Delete a specified tag240241 async deleteTag(_, { id }, { authUser }) {242243 // Make sure user is logged in244245 if (!authUser) {246247 throw new Error('You must log in to continue!')248249 }250251 // fetch the tag by it ID252253 const tag = await Tag.findById(id);254255 return await tag.destroy();256257 }258259},
Let’s go over the mutations. login checks if a user with the email and password supplied exists in the database. We use bcrypt to compare the password supplied with the password hash generated while creating the user. If the user exist, we generate a JWT. createUser simply adds a new user to the database with the data passed to it. As you can see we hash the user password with bcrypt. For the other mutations, we first check to make sure the user is actually logged in before allowing to go on and carry out the intended tasks. addPost and updatePost after adding/updating a post to the database uses setTags() to assign tags to the post. setTags() is available on the model due to the belongs-to-many relationship between Post and Tag. We also define resolvers to add, update and delete a tag respectively.
Next, we define resolvers to retrieve the fields on our User, Post and Tag type respectively. Add the code below inside resolvers.js just after the Mutation object:
1// data/resolvers.js234User: {56 // Fetch all posts created by a user78 async posts(user) {910 return await user.getPosts();1112 }1314},1516Post: {1718 // Fetch the author of a particular post1920 async user(post) {2122 return await post.getUser();2324 },2526 // Fetch alls tags that a post belongs to2728 async tags(post) {2930 return await post.getTags();3132 }3334},3536Tag: {3738 // Fetch all posts belonging to a tag3940 async posts(tag) {4142 return await tag.getPosts();4344 }4546},
These uses the methods (getPosts(), getUser(), getTags(), getPosts()) made available on the models due to the relationships we defined.
Let’s define our custom scalar type. Add the code below inside resolvers.js just after the Tag object:
1// data/resolvers.js234DateTime: new GraphQLScalarType({56 name: 'DateTime',78 description: 'DateTime type',910 parseValue(value) {1112 // value from the client1314 return new Date(value);1516 },1718 serialize(value) {1920 const date = new Date(value);2122 // value sent to the client2324 return date.toISOString();2526 },2728 parseLiteral(ast) {2930 if (ast.kind === Kind.INT) {3132 // ast value is always in string format3334 return parseInt(ast.value, 10);3536 }3738 return null;3940 }4142})
We define our custom scalar DateTime type. parseValue() accepts a value from the client and convert it to a Date object which will be inserted into the database. serialize() also accepts a value, but this time value is coming from the database. The value converted to a Date object and a date in ISO format is returned to the client.
That’s all for our resolvers. Noticed we use JWT_SECRET from the environment variable which we are yet to define. Add the line below to .env:
1// .env23JWT_SECRET=somereallylongsecretkey
One last thing to do before we test out the API is to update server.js as below:
1// server.js234'use strict';56const express = require('express');78const bodyParser = require('body-parser');910const { graphqlExpress, graphiqlExpress } = require('apollo-server-express');1112const schema = require('./data/schema');1314**const jwt = require('express-jwt');**1516**require('dotenv').config();**1718const PORT = 3000;1920// Create our express app2122const app = express();2324// Graphql endpoint2526app.use('/api', bodyParser.json(), **jwt({**2728** secret: process.env.JWT_SECRET,**2930** credentialsRequired: false,**3132** })**, graphqlExpress( **req => ({**3334** schema,**3536** context: {**3738** authUser: req.user**3940** }**4142**})**));4344// Graphiql for testing the API out4546app.use('/graphiql', graphiqlExpress({ endpointURL: 'api' }));4748app.listen(PORT, () => {4950 console.log(`GraphiQL is running on http://localhost:${PORT}/graphiql`);5152});
We simply add the express-jwt middleware to the API route. This makes the route secured as it will check to see if there is an Authorization header with a JWT on the request before granting access to the route. We set credentialsRequired to false because we users to be able to at least login and register first. express-jwt adds the details of the authenticated user to the request body which we turn pass as context to graphqlExpress.
Testing It Out
Now, we can test out the API. We’ll use GraphiQL to testing out the API. First, we need to start the server with:
1node server.js
and we can access it on http://localhost:3000/graphiql. Try creating a new user with createUser mutation. You should get a response a s in the image below:
Create new user
We can now login:
Login a user
You can see the JWT returned on successful login.
For the purpose of testing out the other secured aspects of the API, we need to find a way to add the JWT generated above to the request headers. To do that, we’ll use a Chrome extension called ModHeader to modify the request headers and define the Authorization header. Once the Authorization header contains a JWT, this signifies that the user making the request is authenticated, hence will be able to carry out authenticated users only activities.
Enter the Authorization as the name of the header and Bearer YOUR_JSON_WEB_TOKEN as its value:
Add JWT to header
Now, try adding a new post:
Add a new post
Fetch a particular post
Conclusion
We’ve established an API to power our own blog with GraphQL interface and can make authenticated calls to create and retrieve data, now what can you do?
The complete code for our API is available on GitHub and can be used as a starting point.
Check out Deploying Apollo GQL API to Zeit which shows how to take your local implementation of an API and making it accessible on the web using Zeit Now.
Then read about pairing graphql fragments with UI components in GraphQL Fragments are the Best Match for UI Components and start building the interface of your blog.
