@Tech.hebdo

Guide complet — Backend GraphQL Developer

Pavel FOUJEU -

Objective: An advanced, production-grade, full-stack backend guide for mastering GraphQL . It covers architecture patterns, performance optimization, security, team conventions, scaling strategies, schema governance, multi-tenancy, federation, observability, testing, and more. Includes examples in TypeScript, both with and without NestJS, and Apollo Server setups.

Table of Contents

  1. GraphQL Deep Dive — Concepts, History, and Evolution
  2. Schema Design Principles and Anti-patterns
  3. Clean Architecture and Domain-driven Design for GraphQL
  4. Implementation Layers: Schema, Resolver, Service, Repository
  5. Apollo Server Advanced Configuration (with Plugins, Middleware, and Caching)
  6. NestJS GraphQL Deep Integration (Code-First + Federation)
  7. Schema Federation and Microservice Design (Federated Architecture Blueprint (Multi-Service Apollo Gateway))
  8. Multi-Tenant Federation Strategies
  9. Cross-Service Caching and DataLoader Integration
  10. Performance and Scaling — DataLoader, Batching, Persisted Queries, CDN, and Query Costing
  11. Security Architecture (AuthN/Z, Complexity, Depth, Rate Limits, Abuse Protection)
  12. API Governance, Versioning, and Schema Registry
  13. Advanced Pagination, Filtering, Sorting, and Cursor Design
  14. Subscriptions and Real-Time GraphQL (WebSockets, Kafka, Redis, RabbitMQ)
  15. Multi-tenancy, Sharding, and Role-based Access Control (RBAC)
  16. Testing Strategy (Unit, Integration, Contract, E2E, Snapshot Testing)
  17. Observability and Monitoring (OpenTelemetry, Tracing, Metrics, Logs)
  18. DevOps, CI/CD, and Deployment Strategies (Kubernetes, Serverless, CDN)
  19. Developer Experience: Tooling, Codegen, Linting, Type Safety, Documentation
  20. Error Handling, Logging, and Resilience Patterns
  21. Performance Benchmarks, Profiling, and Query Optimization
  22. Production Checklists and Best Practices
  23. Common Interview Scenarios, System Design Questions, and Answers
  24. Appendix: Tools, Libraries, and Resources

Introduction and Philosophy

GraphQL is not just a replacement for REST — it’s a declarative contract between clients and servers. As a lead, your responsibilities are to ensure:

  • Schema quality (easy to use, stable, evolvable)
  • Separation of concerns (thin resolvers, rich services)
  • Performance & security (DataLoader, depth limits, complexity analysis)
  • Observability (resolver-level tracing and metrics)
  • Developer experience (documentation, codegen, secure playground)

1. GraphQL Deep Dive — Concepts, History, and Evolution

GraphQL was introduced by Facebook (2012, public 2015) to replace inefficient REST endpoints with a single endpoint that allows declarative, shape-specific data fetching. Its declarative query model lets clients specify what they need, while the server defines how to fetch it.

Strengths

  • Eliminates over-fetching and under-fetching.
  • Enables schema-driven contracts.
  • Integrates perfectly with type systems like TypeScript.
  • Enables schema introspection, developer tooling, and powerful self-documentation.

Challenges

  • Performance pitfalls (N+1 problem).
  • Complexity and depth abuse.
  • Evolving schemas safely.

Key Features

  • Single endpoint, multiple entry points (Query/Mutation/Subscription)
  • Introspection for self-documentation
  • Custom Scalars for advanced types (e.g., DateTime, Email, Decimal)
  • Directives for metadata or logic control (e.g., @auth, @deprecated)

2. Schema Design Principles and Anti-patterns

A schema is the public contract of your API. Treat it like an API product.

Principles

  • Model around business capabilities, not database tables.
  • Favor composition over inheritance.
  • Avoid overloading queries — separate mutations clearly.
  • Keep inputs granular, and avoid nested mutations (complex transaction handling).

Anti-Patterns

  • “God Query”: One query returning everything.
  • “Thin Schema, Fat Resolver”: schema with poor type definitions, logic in resolvers.
  • Field explosion — too many optional fields without grouping or pagination.

Example — Correct Design

type Query {
me: User!
users(filter: UserFilter, pagination: PageInput): UserConnection!
post(id: ID!): Post
}


type Mutation {
createUser(input: CreateUserInput!): User!
updateUser(input: UpdateUserInput!): User!
}


input CreateUserInput {
email: String!
name: String
}


input UserFilter {
search: String
isActive: Boolean
}
something.ts

3. Clean Architecture and DDD for GraphQL

GraphQL is an interface layer — your business logic should live below it.

Clean Layer Separation

src/
├── domain/ # Entities, Value Objects, Repositories
├── usecases/ # Business rules
├── infra/ # DB, external services
├── graphql/ # Schema + Resolvers (presentation)
└── app.ts # Server bootstrap

Benefits

  • Framework-agnostic
  • Testable usecases
  • No direct dependency between GraphQL resolvers and persistence

Example

// domain/user.entity.ts
export class User {
    constructor(public id: string, public email: string, public name ? : string) {}
}


// usecases/create-user.usecase.ts

export class CreateUserUsecase {
    constructor(private userRepo: UserRepo) {}
    async execute(input: CreateUserInput): Promise < User > {
        const existing = await this.userRepo.findByEmail(input.email);
        if (existing) throw new Error('Email exists');
        return this.userRepo.create(new User(uuid(), input.email, input.name));
    }
}
user.ts

4. Implementation Layers

Each resolver should delegate logic to a service/usecase layer.

Resolver Layer: handles arguments, context, and orchestration. Service Layer: handles core business logic. Repository Layer: interacts with DB.

Example — Apollo + Prisma

const resolvers = {
  Query: {
    user: (_, { id }, { prisma }) =>
      prisma.user.findUnique({
        where: {
          id,
        },
      }),
  },
  Mutation: {
    createUser: async (_, { input }, { prisma }) => {
      const user = await prisma.user.create({
        data: input,
      });
      return user;
    },
  },
};
user.ts

5. Apollo Server Advanced Configuration

import {
    ApolloServer
} from 'apollo-server';
import responseCachePlugin from 'apollo-server-plugin-response-cache';
import {
    ApolloServerPluginLandingPageGraphQLPlayground
} from 'apollo-server-core';


const server = new ApolloServer({
    schema,
    plugins: [responseCachePlugin(), ApolloServerPluginLandingPageGraphQLPlayground()],
    context: ({
        req
    }) => ({
        user: authenticate(req),
        prisma,
    }),
    persistedQueries: {
        ttl: 3600
    },
    introspection: process.env.NODE_ENV !== 'production',
    formatError: (err) => ({
        message: err.message,
        code: err.extensions?.code
    })
});
server.ts

6. NestJS GraphQL Deep Integration

Modular GraphQL in NestJS

@Module({
    imports: [GraphQLModule.forRoot({
        autoSchemaFile: true,
        context: ({
            req
        }) => ({
            user: req.user
        }),
        fieldResolverEnhancers: ['guards'],
    })],
    providers: [UsersResolver, UsersService],
})
export class UsersModule {}
module.ts

Federation Support

GraphQLFederationModule.forRoot({
    autoSchemaFile: true,
    gateway: {
        serviceList: [{
            name: 'users',
            url: 'http://users:4001/graphql'
        }]
    }
});
federation.ts

7. Schema Federation and Microservice Design

Apollo Federation enables multiple microservices (subgraphs) to provide portions of a unified GraphQL schema, combined via an Apollo Gateway. This allows:

  • Independent deployments per service
  • Service-level ownership of entities
  • Schema evolution without breaking other teams
  • Efficient modular development
  • Each service defines a subgraph.
  • Apollo Gateway composes schemas.
  • Use entity references with @key directive.

Components

  1. Gateway: Central schema composition, query planning, and routing
  2. Subgraph Services: Each service exposes its portion of the schema
  3. Shared Entities: Entities are resolved across services using @key and @requires
  4. Data Sources: Each service may use its own database, cache, or API

Example Setup

graphqld-federation-project/
├── gateway/
│ └── index.ts
├── services/
│ ├── users/
│ │ ├── src/
│ │ │ ├── user.entity.ts
│ │ │ ├── users.resolver.ts
│ │ │ └── users.module.ts
│ ├── posts/
│ │ ├── src/
│ │ │ ├── post.entity.ts
│ │ │ ├── posts.resolver.ts
│ │ │ └── posts.module.ts
│ └── comments/
│ ├── src/
│ │ ├── comment.entity.ts
│ │ ├── comments.resolver.ts
│ │ └── comments.module.ts
file.ts

User Service (Subgraph)

// users/user.entity.ts
import {
    ObjectType,
    Field,
    ID
} from '@nestjs/graphql';
import {
    Directive,
    Key
} from '@apollo/federation';


@ObjectType()
@Key(fields: 'id')
export class UserEntity {
    @Field(() => ID)
    id: string;


    @Field()
    email: string;
    @Field({
        nullable: true
    })
    name ? : string;
}


// users/users.resolver.ts
@Resolver(() => UserEntity)
export class UsersResolver {
    constructor(private usersService: UsersService) {}


    @Query(() => UserEntity)
    user(@Args('id') id: string) {
        return this.usersService.findOneById(id);
    }


    @ResolveReference()
    resolveReference(reference: {
        __typename: string;id: string
    }) {
        return this.usersService.findOneById(reference.id);
    }
}
user-service.ts

Posts Service (Subgraph)

@ObjectType()
@Key(fields: 'id')
export class PostEntity {
    @Field(() => ID)
    id: string;


    @Field()
    title: string;


    @Field(() => UserEntity)
    @Directive('@provides(fields: "email")')
    author: UserEntity;
}
post-service.ts

Apollo Gateway (Central Schema Composition)

import {
    ApolloGateway
} from '@apollo/gateway';
import {
    ApolloServer
} from 'apollo-server';


const gateway = new ApolloGateway({
    serviceList: [{
            name: 'users',
            url: 'http://localhost:4001/graphql'
        },
        {
            name: 'posts',
            url: 'http://localhost:4002/graphql'
        },
        {
            name: 'comments',
            url: 'http://localhost:4003/graphql'
        },
    ],
});


const server = new ApolloServer({
    gateway,
    subscriptions: false,
    context: ({
        req
    }) => ({
        user: authenticate(req)
    }),
});


server.listen({
    port: 4000
}).then(({
    url
}) => console.log(`Gateway running at ${url}`));
server.ts

Key Federation Patterns

  • @key: marks unique identifier for entity across services
  • @extends: extend entity from another service
  • @provides: service can provide additional fields to other services
  • @requires: request fields from another service to resolve entity

Deployment Considerations

  • Each subgraph deploys independently; updates do not break gateway if backwards-compatible
  • Use service discovery (DNS, Consul, or Kubernetes services)
  • Horizontal scaling at service-level
  • Cache entity resolutions for high-demand queries
  • Monitor per-service metrics (latency, error rate, throughput)

Advanced Features

  • Partial Schema Ownership: each team owns one subgraph
  • Versioning per Subgraph: independent release cycles
  • Federated Tracing: trace resolution across services
  • Security per Subgraph: JWT validation, field-level authorization
  • Subscription Federation: use shared pubsub (Redis/Kafka) for real-time updates

This allow you to build microservice-based GraphQL backends with Apollo Federation, ensuring modularity, scalability, and maintainability.

8. Multi-Tenant Federation Strategies

Overview

In a multi-tenant environment, each client (tenant) requires isolated data while sharing the same federated GraphQL schema. Strategies include:

  1. Context-Based Tenant Resolution: Inject tenant info into context per request.
  2. Schema Partitioning: Optional, separate schema per tenant if strict isolation is required.
  3. Database Scoping: Single DB with tenant_id column or schema-per-tenant pattern.
  4. Field-Level RBAC: Restrict sensitive fields using directives or middleware

Implementation Example (Context-Based)

const server = new ApolloServer({
    gateway,
    context: ({
        req
    }) => {
        const tenantId = req.headers['x-tenant-id'];
        const user = authenticate(req);
        return {
            tenantId,
            user
        };
    },
});
server.ts

Subgraph Considerations

  • Each service must enforce tenant scoping at repository or ORM level.
  • Use shared middleware to validate tenant consistency across services.
  • Optional: per-tenant caching to improve isolation and performance.

9. Cross-Service Caching and DataLoader Integration

Cross-Service DataLoader

  • Each service may reference entities from other services (via federation).
  • Use DataLoader per request to batch and cache requests.
// loaders/user.loader.ts
import DataLoader from 'dataloader';
export const createUserLoader = (fetchUsers) => new DataLoader(async (ids) => {
    const users = await fetchUsers(ids);
    return ids.map(id => users.find(u => u.id === id) || null);
});
user-loader.ts

Gateway-Level Loader Integration

  • Inject per-request loaders in context.
  • Optimize entity resolution across services.
const server = new ApolloServer({
    gateway,
    context: ({
        req
    }) => ({
        loaders: {
            userLoader: createUserLoader(fetchUsersFromUserService),
        },
    }),
});
server.ts

Caching Strategies

  • Response Caching: Cache full query results at gateway.
  • Entity Caching: Cache entities fetched by DataLoader.
  • Redis or in-memory: Use TTL for cache invalidation.
const cache = new InMemoryLRUCache({
    maxSize: 1000,
    ttl: 300
});
const server = new ApolloServer({
    cache
});
server.ts

10. Security Architecture

  • Use DataLoader for N+1 batching.
  • Enable Response Caching.
  • Use query cost analysis.
  • Add a CDN layer (Akamai, Cloudflare) for persisted queries.
import {
    createComplexityLimitRule
} from 'graphql-validation-complexity';
const validationRules = [createComplexityLimitRule(1000)];
import.ts

11. Security Architecture

  • Depth & complexity limits.
  • Disable introspection in production.
  • Enforce Auth via context (JWT, OAuth, session).
  • Use auth directives (@auth) or Nest guards.
directive @auth(role: Role!) on FIELD_DEFINITION

const server = new ApolloServer({
    schema: applyMiddleware(schema, authMiddleware),
});
server.ts

12. API Governance and Versioning

  • Register schema in a registry (Apollo Studio, GraphQL Hive).
  • Use CI to validate schema compatibility.
  • Deprecate fields gracefully.

13. Pagination, Filtering, Sorting

Prefer cursor-based pagination for consistent results.

14. Subscriptions and Real-time GraphQL

Leverage graphql-ws or graphql-transport-ws. Use Redis PubSub for horizontal scalability.

15. Multi-tenancy and RBAC

Inject tenant context. Use separate schemas or tenant_id scoping.

16. Testing Strategy

  • Unit: Test services.
  • Integration: Run resolvers with in-memory schema.
  • E2E: Test full API + DB.
  • Contract: Validate schema compatibility.

17. Observability

  • Use OpenTelemetry instrumentation.
  • Add tracing IDs in logs.
  • Expose Prometheus metrics: latency per resolver.

18 — Example CI/CD Pipeline for Federated GraphQL

Goals

  • Automate build, test, and deploy for gateway and subgraphs.
  • Validate schema compatibility before deployment.
  • Ensure rollback in case of failed federation compatibility.

Example (GitHub Actions)

name: Federated GraphQL CI / CD

on:
    push:
    branches: [main]

jobs:
    test:
    runs - on: ubuntu - latest
strategy:
    matrix:
    service: [users, posts, comments]
steps:
    -uses: actions / checkout @v3 -
    name: Set up Node
uses: actions / setup - node @v3
with:
    node - version: '18' -
    run: npm ci -
    run: npm run test


validate - schema:
    runs - on: ubuntu - latest
needs: test
steps:
    -uses: actions / checkout @v3 -
    name: Validate Federation
run: |
    npx apollo service: check--endpoint = http: //gateway:4000/graphql


    deploy:
    runs - on: ubuntu - latest
needs: [test, validate - schema]
steps:
    -uses: actions / checkout @v3 -
    name: Build and Deploy Users Service
run: |
    docker build - t users - service. / services / users
docker push myregistry / users - service: latest
kubectl apply - f k8s / users - deployment.yaml -
    name: Deploy Gateway
run: |
    docker build - t gateway. / gateway
docker push myregistry / gateway: latest
kubectl apply - f k8s / gateway - deployment.yaml
ci.yaml

Notes

  • Schema validation ensures federation compatibility across services.
  • Deploy subgraphs independently; gateway deploy last or with rolling updates.
  • Rollback on schema validation failure prevents breaking clients.

19. Deployment Strategies

  • Apollo Gateway in Kubernetes.
  • Federation services as independent pods.
  • Use horizontal pod autoscaling.
  • Cache persisted queries at CDN level.

20. Developer Experience

  • GraphQL Code Generator → type safety.
  • ESLint + Prettier + Husky.
  • Doc generation via GraphQL Voyager or GraphiQL Explorer.

21. Error Handling & Logging

  • Standardize error codes.
  • Hide internal errors in production.
  • Log context and userId.

22. Performance Benchmarks

Use tools like Apollo studio, graphql-bench and Artillery.

23. Production Checklist

✅ Schema registry + versioning
✅ Query complexity limits
✅ Dataloader cache
✅ Persisted queries
✅ Structured logging
✅ Observability stack
✅ CI/CD validation

24. Tools & Resources

  • Apollo Server: A spec-compliant GraphQL server compatible with any GraphQL client, including Apollo Client. It's a production-ready solution for building self-documenting GraphQL APIs that can use data from any source. apollographql.com
  • Apollo Federation: An architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. apollographql.com
  • Apollo Gateway: The gateway sits in front of subgraphs, executing operations across them. It processes the supergraph schema and creates query plans for incoming requests. apollographql.com
  • NestJS GraphQL: A progressive Node.js framework that provides a simple and flexible way to build GraphQL APIs using the @nestjs/graphql module. docs.nestjs.com

Data Access & ORM

Prisma: A next-generation Node.js and TypeScript ORM for PostgreSQL, MySQL, SQL Server, SQLite, MongoDB, and CockroachDB. It provides type-safety, auto-completion, and a powerful query engine. Prisma

TypeORM: An ORM for TypeScript and JavaScript that supports MySQL, PostgreSQL, MariaDB, SQLite, MS SQL Server, Oracle, SAP Hana, and WebSQL databases. Works in NodeJS, Browser, Ionic, Cordova, and Electron platforms. typeorm.io

MikroORM: A TypeScript ORM for Node.js based on Data Mapper, Unit of Work, and Identity Map patterns. mikro-orm.io

Developer Tools

GraphQL Code Generator: A plugin-based tool that helps you get the best out of your GraphQL stack. From back-end to front-end, it automates the generation of typed Queries, Mutations, and Subscriptions for React, Vue, Angular, Next.js, Svelte, whether you are using Apollo Client, URQL, or React Query. The Guild

GraphQL Shield: A library for creating permission layers for your GraphQL schema using a functional approach.

GraphQL Depth Limit: A middleware for limiting the depth of queries to prevent malicious or accidental deep queries.

GraphQL Query Complexity: A utility to calculate the complexity of a GraphQL query to prevent overly expensive operations.

Observability & Monitoring

OpenTelemetry: An open-source project that provides APIs, libraries, agents, and instrumentation to enable observability for applications.

Prometheus: An open-source system monitoring and alerting toolkit designed for reliability and scalability.

Jaeger: An open-source, end-to-end distributed tracing system.

Integration & Ecosystem

GraphQL Mesh: A tool that allows you to access any data source as GraphQL, including REST APIs, SOAP, gRPC, and more.

Apollo Studio: A platform for building, testing, and managing GraphQL APIs.