Named Queries are queries which have their form locked on the server. The reason for their existence is security. Imagine this scenario:
- You have an Admin who can see all Users.
- You expose the Users collection with a firewall that allows access only if the requesting user is an Admin.
- You have an Orders collection in which each Order is linked to an EndUser and a TeamMember (both stored in the Users collection).
- As an EndUser, when you view your order you want to see details about the assigned Team Member.
- As an EndUser you cannot interrogate the “users” end-point directly, because you secured it for Admins only.
- As an EndUser you cannot interrogate “orders” and retrieve “teamMember” either, because exposures are linked: the link into Users goes through the Admin-only Users exposure.
We have a few options:
- Bad way: manipulate the exposure so that it checks whether the user is an EndUser, has an Order, and the ids he asks for are linked to an Order he owns. If you go down that road you will also need to restrict the fields he can access, and so on.
- Good way: use named queries.
- Another good way: use the exposure body.
A NamedQuery is not affected by exposure at all. It has its own firewall.
We have two ways of handling this on the server-side.
We use the .clone() method to avoid making changes to the actual query (for example via setParams). You could instead export a factory that creates your query on the fly; however, for simplicity, we created a .clone() method that clones the query so that the clone is completely isolated.
This version has been designed to work with Grapher-Live, so you can test your queries on the fly.
In order to fetch it client-side, you need to expose this query server-side.
If you have imported the named query anywhere, then the name will be present in the store, meaning you can do:
It removes the boilerplate of having to clone it yourself. The reason for this was to allow it to work with Grapher-Live.
You might be asking at this stage why we still allow “flexible” queries via Collection Exposure. And it’s a damn good question. If your database is simple and can be easily secured, it is much simpler to avoid named queries: it is easier to expose an API through which a client requests only what it wants, without maintaining a lot of named queries.
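The following is an added example, not Grapher’s own code: a plain-JavaScript model of the two server-side points above (the query body locked on the server with its own firewall, and .clone() keeping params off the registered query) and of the client-side point (the client only supplies a name and params). The names registerNamedQuery, cloneQuery, clientFetch, registeredParams and the sample Users and Orders collections are assumptions made for illustration, not Grapher’s API.

```javascript
// Added example, not Grapher's own code: a plain-JavaScript model of named
// queries. registerNamedQuery, cloneQuery, clientFetch and the sample
// collections are assumptions made for illustration, not Grapher's API.

// Constructed sample data: Orders link an EndUser and a TeamMember, both of
// which live in Users.
const Users = [
  { _id: 'u1', name: 'Alice', role: 'admin', email: 'alice@example.test', salary: 90 },
  { _id: 'u2', name: 'Tom', role: 'teamMember', email: 'tom@example.test', salary: 60 },
  { _id: 'u3', name: 'Eve', role: 'endUser', email: 'eve@example.test', salary: 0 },
];
const Orders = [
  { _id: 'o1', endUserId: 'u3', teamMemberId: 'u2', total: 10 },
  { _id: 'o2', endUserId: 'u9', teamMemberId: 'u2', total: 20 },
];

// Server-side store. Registration happens only on the server, so the body
// (which collections and fields are read) is locked there; clients can
// only supply a name and params.
const namedQueries = new Map();

function registerNamedQuery(name, { body, firewall }) {
  namedQueries.set(name, { name, body, firewall, params: {} });
}

// cloneQuery returns an isolated copy carrying its own params, so setting
// params on the clone never changes the registered query.
function cloneQuery(query, params = {}) {
  return { ...query, params: { ...query.params, ...params } };
}

// Server-side fetch: the query's own firewall runs first, independently of
// any collection exposure, then the locked body runs with the params.
function fetchNamedQuery(query, userId) {
  if (query.firewall) query.firewall(userId, query.params);
  return query.body(query.params, userId);
}

// What the client can do: name + params. Returns {ok, data} or {ok, error}
// so callers see denials without a stack trace.
function clientFetch(name, params, userId) {
  const query = namedQueries.get(name);
  if (!query) return { ok: false, error: `unknown named query ${name}` };
  try {
    return { ok: true, data: fetchNamedQuery(cloneQuery(query, params), userId) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

function roleOf(userId) {
  const u = Users.find(user => user._id === userId);
  return u ? u.role : null;
}

// The admin-only "all users" query from the scenario.
registerNamedQuery('allUsers', {
  firewall(userId) {
    if (roleOf(userId) !== 'admin') throw new Error('admin only');
  },
  body: () => Users,
});

// The EndUser's view of the team member assigned to one of *their* orders.
// The firewall checks ownership; the body returns only the fields the server
// chose, so role and salary never leave the server.
registerNamedQuery('myOrderTeamMember', {
  firewall(userId, params) {
    const order = Orders.find(o => o._id === params.orderId);
    if (!order || order.endUserId !== userId) throw new Error('not your order');
  },
  body(params) {
    const order = Orders.find(o => o._id === params.orderId);
    const tm = Users.find(u => u._id === order.teamMemberId);
    return { _id: tm._id, name: tm.name, email: tm.email };
  },
});

// Params held by the registered (server) copy, to show clone isolation.
function registeredParams(name) {
  return namedQueries.get(name).params;
}

console.log(clientFetch('myOrderTeamMember', { orderId: 'o1' }, 'u3'));
console.log(clientFetch('myOrderTeamMember', { orderId: 'o2' }, 'u3'));
console.log(clientFetch('allUsers', {}, 'u3'));
```

Run with node: Eve (u3) gets Tom’s name and email for her own order o1, is refused for o2 (not hers) and for allUsers (admin only), and the registered query’s params stay empty after every call because each fetch worked on a clone.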