Hello there. I’m not so new to the overall concept of GraphQL, but I’ve never hosted my own. I came across Dgraph and Slash, and it looks amazing to me. I would like to experiment with it a bit. There are just a few questions that I cannot really find clear answers to, that I hope someone in here might answer.
Connecting to Dgraph / Slash directly from the front-end
Say I would be building a React app and I want to query some data. If I send GraphQL queries to the back-end (e.g. Slash) directly, that would expose my full schema, no? Is that considered bad practice anywhere? Is Dgraph / Slash intended to be queried directly by a front-end?
Context: With a regular GraphQL setup a front-end could use a public schema, as far as I know, whereas trusted back-ends could use unexposed mutations (or REST calls) to do what they need to do, and the outside world will never know of their existence. Since Dgraph is fully accessed by GraphQL query language, would that mean that a front-end would possibly include only part of the schema (only the “public” part), whereas a back-end would perhaps know about the full schema? Or is it possible to query the whole schema, anyway, from some public endpoint (which would make that useless, because anyone can find out about the full schema)?
Rate limiting, max query depth, etc.
I know there are a few ways to protect the back-end from users with malicious intent. Are things like rate limiting, max query depth, etc. possible with Dgraph?
Using an authentication/authorization & other middleware proxy
To have more control over all the above, I could imagine it could be nice to write a small proxy that just forwards the requests to the actual Dgraph / Slash / GraphQL back-end. It could include authentication/authorization middleware, rate limiting, and other security checks. Would anyone deem this (un)necessary?