GraphQL
Characteristics
Read-only API
Public access, no authentication needed
Uses GraphQL technology:
Maximum page size (and the default) is 25 records
Maximum query depth is set at 8 levels
A maximum of two collections can be requested within the same query
Support for GET requests (query must be inside the query string) and POST requests (query must be within the body, encoded as
application/json
orapplication/graphql
)
GraphQL
The Consul Democracy API uses GraphQL, specifically the Ruby implementation. If you're not familiar with this kind of APIs, we recommended you to check the GraphQL official documentation.
One of the characteristics that differentiates a REST API from a GraphQL one is that with the latter one it's possible for the client to build its own custom queries, so the server will only return information in which we're interested.
GraphQL queries are written following a format which resembles JSON. For example:
Responses are formatted in JSON:
Making API requests
Following the official recommendations, the Consul Democracy API supports the following kind of requests:
GET requests, with the query inside the query string.
POST requests
With the query inside the body, with
Content-Type: application/json
With the query inside the body, with
Content-Type: application/graphql
Supported clients
Since this is an API that works through HTTP, any tool capable of making this kind of requests is capable of querying the API.
This section presents a few examples about how to make requests using:
GraphiQL
Chrome extensions like Postman
Any HTTP library
GraphiQL
GraphiQL is a browser interface for making queries against a GraphQL API. It's also an additional source of documentation. Consul Democracy uses the graphiql-rails to access this interface at /graphiql
; it's the best way to get familiar with GraphQL-based APIs.
It's got three main panels:
The left panel is used to write the query.
The central panel shows the result of the request.
The right panel (hideable) shows a documentation autogenerated from the models and fields exposed in the API.
Postman
Here's an example of a GET
request, with the query as part of the query string:
And here's an example of a POST
request, with the query as part of the body and encoded as application/json
:
The query must be located inside a valid JSON document, as the value of the "query"
key:
HTTP libraries
You can use any of the HTTP libraries available for most programming languages.
IMPORTANT: Some servers might use security protocols that will make it necessary to include a User Agent header from a web browser so the request is not rejected. For example:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0
Available information
The app/graphql/types/
folder contains a complete list of all the models (and their attributes) which are currently being exposed in the API.
The models are the following:
User
Users
Debate
Debates
Proposal
Proposals
Budget
Participatory budgets
Budget::Investment
Budget investments
Comment
Comments on debates, proposals and other comments
Milestone
Proposals, investments and processes milestones
Geozone
Geozones (districts)
ProposalNotification
Notifications related to proposals
Tag
Tags on debates and proposals
Vote
Information related to votes
Examples of queries
Request a single record from a collection
Response:
Request a complete collection
Response:
Pagination
The maximum (and default) number of records that each page contains is set to 25. In order to navigate through the different pages, it's necessary to request endCursor
information:
The response:
To retrieve the next page, pass the cursor received in the previous request as a parameter:
Accessing several resources in a single request
This query requests information about several models in a single request: Proposal
, User
, Geozone
and Comment
:
Security limitations
Allowing a client to customize queries is a major risk factor. If queries that are too complex were allowed, it would be possible to perform a DoS attack against the server.
There are three main mechanisms to prevent such abuses:
Pagination of results
Limit the maximum depth of the queries
Limit the amount of information that is possible to request in a query
Example of a query which is too deep
The maximum depth of queries is currently set at 8. Deeper queries (such as the following) will be rejected:
The response will look something like this:
Example of a query which is too complex
The main risk factor is the option to request multiple collections of resources in the same query. The maximum number of collections that can appear in the same query is limited to 2. The following query requests information from the users
, debates
and proposals
collections, so it will be rejected:
The response will look something like this:
However, it is possible to request information belonging to more than two models in a single query, as long as you do not try to access the entire collection. For example, the following query that accesses the User
, Proposal
and Geozone
models is valid:
The response:
Code examples
Simple example
Here's a simple example of code accessing the Consul Democracy demo API:
Example with pagination
And here is a more complex example using pagination, once again accessing the Consul Democracy demo API:
Last updated