GraphQL
Characteristics
Read-only API
Public access, no authentication needed
Uses GraphQL technology:
Maximum page size (and the default) is 25 records
Maximum query depth is set at 8 levels
A maximum of two collections can be requested within the same query
Support for GET requests (query must be inside the query string) and POST requests (query must be within the body, encoded as
application/json
orapplication/graphql
)
GraphQL
The Consul Democracy API uses GraphQL http://graphql.org, the Ruby implementation, to be specific. If you're not familiar with this kind of APIs, it's recommended to make some research about GraphQL before.
One of the characteristics that differentiates a REST API from a GraphQL one is that with the last one it's possible for the client to build its own custom queries, so the server will only return information in which we're interested.
GraphQL queries are written following a standard which resembles to JSON, for example:
Responses are formatted in JSON:
Making API requests
Following the official recommendations, the Consul Democracy API supports the following kind of requests:
GET requests, with the query inside the query string.
POST requests
With the query inside the body, with
Content-Type: application/json
With the query inside the body, with
Content-Type: application/graphql
Supported clients
Because it's an API that works through HTTP, any tool capable of making this kind of requests is capable of querying the API.
This section presents a few examples about how to make requests using:
GraphiQL
Chrome extensions like Postman
Any HTTP library
GraphiQL
GraphiQL is a browser interface for making queries against a GraphQL API. It's also an additional source of documentation. It's deployed in the route /graphiql
and it's the best way to get familiar with GraphQL-based APIs.
It has three main panels:
The left panel is used to write the query.
The central panel shows the result of the request.
The right panel (occultable) shows a documentation autogenerated from the models and fields exposed in the API.
Postman
Example of GET
request, with the query as part of the query string:
Example of POST
request, with the query as part of the body and encoded as application/json
:
The query must be located inside a valid JSON document, as the value of the "query"
key:
HTTP libraries
Sure you can use any HTTP library available for most programming languages.
IMPORTANT: Due to security protocols from the Madrid City Council servers, it's necessary to include a User Agent header from a web browser so the request is not rejected. For example:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Available information
The config/api.yml file contains a complete list of all the models (and their attributes) which are currently being exposed in the API.
The models are the following:
Model | Description |
---|---|
| Users |
| Debates |
| Proposals |
| Comments on debates, proposals and other comments |
| Geozones (districts) |
| Notifications related to proposals |
| Tags on debates and proposals |
| Information related to votes |
Examples of queries
Request a single record from a collection
Response:
Request a complete collection
Response:
Pagination
The maximum (and default) number of records that each page contains is set to 25. For navigating through the different pages it's necessary to request also information relative to the endCursor
:
The response:
To retrieve the next page, you have to pass as a parameter the cursor received in the previous request, and so on:
Accessing several resources in a single request
This query requests information about several models in a single request: Proposal
, User
, Geozone
and Comment
:
Security limitations
Allowing a client to customize queries is a major risk factor. If too complex queries were allowed, it would be possible to perform a DoS attack against the server.
There are three main mechanisms to prevent such abuses:
Pagination of results
Limit the maximum depth of the queries
Limit the amount of information that is possible to request in a query
Example of too deep query
The maximum depth of queries is currently set at 8. Deeper queries (such as the following) will be rejected:
The response will look something like this:
Example of too complex query
The main risk factor is when multiple collections of resources are requested in the same query. The maximum number of collections that can appear in the same query is limited to 2. The following query requests information from the users
, debates
and proposals
collections, so it will be rejected:
The response will look something like this:
However, it is possible to request information belonging to more than two models in a single query, as long as you do not try to access the entire collection. For example, the following query that accesses the User
, Proposal
and Geozone
models is valid:
The response:
Code examples
The doc/api/examples directory contains examples of code to access the API.
Last updated