· 6 min read · PostGraphile

PostGraphile: The Versioning Problem Nobody Warns You About

PostGraphile's magic is that your GraphQL schema lives in your database. That's also why versioning it will eventually bite you.

PostGraphile will generate a production-quality GraphQL API from your Postgres schema in about fifteen minutes. I've done it more than once and the first hour always feels like cheating. The part that feels less like cheating — and more like a trap you walked into with your eyes open — is what happens six months later…

· 7 min read · Postgres

Why I Stopped Reaching for Stored Procedures in App-Driven Code

Stored procedures sound like good engineering until you've debugged one at 11pm with no stack trace. Here's why I keep my logic in the app layer now.

I used to think stored procedures were a sign of seriousness. Mature engineering. The kind of thing you did when you actually cared about your database. Then I spent two days tracking down a bug in a procedure that had quietly broken a billing calculation for a print management client, and nobody noticed for six weeks…

· 5 min read · GraphQL

Authorization in GraphQL: the field-level nightmare

GraphQL gives clients a lot of power. The authorization story for that power is, charitably, a mess you have to solve yourself.

GraphQL's authorization story is one of the most underestimated sources of production bugs I've encountered. Not because it's impossible to get right, but because the spec leaves it entirely to you — and the pit is deep enough that I've watched otherwise careful developers fall straight in. What GraphQL leaves on the…

· 6 min read · PostGraphile

Row-Level Security in PostGraphile: Powerful, Brittle, and Misunderstood

PostGraphile's RLS integration is genuinely impressive — until it silently returns empty sets instead of errors. Here's what I've learned the hard way.

PostGraphile's row-level security integration is one of the most elegant things I've seen in the GraphQL ecosystem — and one of the easiest ways to accidentally expose data you thought you'd locked down, or hide data you thought was visible. After using it on three production projects, I have opinions. What Problem…

· 6 min read · Postgres

Postgres VACUUM: The Maintenance Reality Tutorials Skip

Every Postgres tutorial shows you SELECT and INSERT. Almost none of them explain what happens to your table when you UPDATE a million rows.

Every Postgres tutorial shows you how to write a query. Almost none of them explain what happens to your table after you UPDATE a million rows — and why, six months later, a simple is taking four seconds on a table that should fit in RAM. That's bloat. And VACUUM is the thing standing between you and it. What Postgres…
