feat: add option to set the cache-control header

* Update README.md

* Code review: fix go get again

README.md

@@ -1,6 +1,6 @@
 <img src="docs/guide/.vuepress/public/super-graph.png" width="250" />
 
-### Build web products faster. Secure high performance GraphQL
+### Build web products faster. Secure high-performance GraphQL
 
 [![GoDoc](https://img.shields.io/badge/godoc-reference-5272B4.svg)](https://pkg.go.dev/github.com/dosco/super-graph/core?tab=doc)
 ![Apache 2.0](https://img.shields.io/github/license/dosco/super-graph.svg?style=flat-square)
@@ -10,12 +10,12 @@
 
 ## What's Super Graph?
 
-Designed to 100x your developer productivity. Super Graph will instantly and without you writing code provide you a high performance GraphQL API for Postgres DB. GraphQL queries are compiled into a single fast SQL query. Super Graph is a GO library and a service, use it in your own code or run it as a seperate service.
+Designed to 100x your developer productivity. Super Graph will instantly, and without you writing any code, provide a high performance GraphQL API for your PostgresSQL DB. GraphQL queries are compiled into a single fast SQL query. Super Graph is a Go library and a service, use it in your own code or run it as a separate service.
 
 ## Using it as a service
 
 ```console
-get get https://github.com/dosco/super-graph 
+go get github.com/dosco/super-graph 
 super-graph new <app_name>
 ```
 
@@ -35,17 +35,12 @@ import (
 func main() {
   db, err := sql.Open("pgx", "postgres://postgrs:@localhost:5432/example_db")
   if err != nil {
-    log.Fatalf(err)
+    log.Fatal(err)
   }
 
-  conf, err := core.ReadInConfig("./config/dev.yml")
+  sg, err := core.NewSuperGraph(nil, db)
   if err != nil {
-    log.Fatalf(err)
+    log.Fatal(err)
-  }
-
-  sg, err := core.NewSuperGraph(conf, db)
-  if err != nil {
-    log.Fatalf(err)
   }
 
   query := `
@@ -58,7 +53,7 @@ func main() {
 
   res, err := sg.GraphQL(context.Background(), query, nil)
   if err != nil {
-    log.Fatalf(err)
+    log.Fatal(err)
   }
 
   fmt.Println(string(res.Data))
@@ -67,7 +62,7 @@ func main() {
 
 ## About Super Graph
 
-After working on several products through my career I find that we spend way too much time on building API backends. Most APIs also require constant updating, this costs real time and money.
+After working on several products through my career I found that we spend way too much time on building API backends. Most APIs also need constant updating, and this costs time and money.
             
 It's always the same thing, figure out what the UI needs then build an endpoint for it. Most API code involves struggling with an ORM to query a database and mangle the data into a shape that the UI expects to see.
 
@@ -75,28 +70,27 @@ I didn't want to write this code anymore, I wanted the computer to do it. Enter
 
 Having worked with compilers before I saw this as a compiler problem. Why not build a compiler that converts GraphQL to highly efficient SQL.
 
-This compiler is what sits at the heart of Super Graph with layers of useful functionality around it like authentication, remote joins, rails integration, database migrations and everything else needed for you to build production ready apps with it.
+This compiler is what sits at the heart of Super Graph, with layers of useful functionality around it like authentication, remote joins, rails integration, database migrations, and everything else needed for you to build production-ready apps with it.
 
 ## Features
 
 - Complex nested queries and mutations
 - Auto learns database tables and relationships
-- Role and Attribute based access control
+- Role and Attribute-based access control
-- Opaque cursor based efficient pagination
+- Opaque cursor-based efficient pagination
-- Full text search and aggregations
+- Full-text search and aggregations
 - JWT tokens supported (Auth0, etc)
 - Join database queries with remote REST APIs
 - Also works with existing Ruby-On-Rails apps
 - Rails authentication supported (Redis, Memcache, Cookie)
 - A simple config file
-- High performance GO codebase
+- High performance Go codebase
 - Tiny docker image and low memory requirements
 - Fuzz tested for security
 - Database migrations tool
 - Database seeding tool
 - Works with Postgres and YugabyteDB
 
-
 ## Documentation
 
 [supergraph.dev](https://supergraph.dev)
@@ -116,4 +110,3 @@ Twitter or Discord.
 
 Copyright (c) 2019-present Vikram Rangnekar
 
-

config/dev.yml

@@ -45,6 +45,13 @@ cors_allowed_origins: ["*"]
 # Debug Cross Origin Resource Sharing requests
 cors_debug: true
 
+# Default API path prefix is /api you can change it if you like
+# api_path: "/data"
+
+# Cache-Control header can help cache queries if your CDN supports cache-control 
+# on POST requests (does not work with not mutations) 
+# cache_control: "public, max-age=300, s-maxage=600"
+
 # Postgres related environment Variables
 # SG_DATABASE_HOST
 # SG_DATABASE_PORT

core/api.go

@@ -16,17 +16,12 @@
 	func main() {
 		db, err := sql.Open("pgx", "postgres://postgrs:@localhost:5432/example_db")
 		if err != nil {
-			log.Fatalf(err)
+			log.Fatal(err)
 		}
 
-		conf, err := core.ReadInConfig("./config/dev.yml")
+		sg, err := core.NewSuperGraph(nil, db)
 		if err != nil {
-			log.Fatalf(err)
+			log.Fatal(err)
-		}
-
-		sg, err := core.NewSuperGraph(conf, db)
-		if err != nil {
-			log.Fatalf(err)
 		}
 
 		query := `
@@ -39,7 +34,7 @@
 
 		res, err := sg.GraphQL(context.Background(), query, nil)
 		if err != nil {
-			log.Fatalf(err)
+			log.Fatal(err)
 		}
 
 		fmt.Println(string(res.Data))

core/api_test.go

@@ -19,8 +19,8 @@ func BenchmarkGraphQL(b *testing.B) {
 	defer db.Close()
 
 	// mock.ExpectQuery(`^SELECT jsonb_build_object`).WithArgs()
-
+	c := &Config{DefaultBlock: true}
-	sg, err := newSuperGraph(nil, db, psql.GetTestDBInfo())
+	sg, err := newSuperGraph(c, db, psql.GetTestDBInfo())
 	if err != nil {
 		b.Fatal(err)
 	}

core/config.go

@@ -10,16 +10,56 @@ import (
 
 // Core struct contains core specific config value
 type Config struct {
-	SecretKey     string            `mapstructure:"secret_key"`
+	// SecretKey is used to encrypt opaque values such as
-	UseAllowList  bool              `mapstructure:"use_allow_list"`
+	// the cursor. Auto-generated if not set
-	AllowListFile string            `mapstructure:"allow_list_file"`
+	SecretKey string `mapstructure:"secret_key"`
-	SetUserID     bool              `mapstructure:"set_user_id"`
+
-	Vars          map[string]string `mapstructure:"variables"`
+	// UseAllowList (aka production mode) when set to true ensures
-	Blocklist     []string
+	// only queries lists in the allow.list file can be used. All
-	Tables        []Table
+	// queries are pre-prepared so no compiling happens and things are
-	RolesQuery    string `mapstructure:"roles_query"`
+	// very fast.
-	Roles         []Role
+	UseAllowList bool `mapstructure:"use_allow_list"`
-	Inflections   map[string]string
+
+	// AllowListFile if the path to allow list file if not set the
+	// path is assumed to tbe the same as the config path (allow.list)
+	AllowListFile string `mapstructure:"allow_list_file"`
+
+	// SetUserID forces the database session variable `user.id` to
+	// be set to the user id. This variables can be used by triggers
+	// or other database functions
+	SetUserID bool `mapstructure:"set_user_id"`
+
+	// DefaultBlock ensures only tables configured under the `anon` role
+	// config can be queries if the `anon` role. For example if the table
+	// `users` is not listed under the anon role then it will be filtered
+	// out of any unauthenticated queries that mention it.
+	DefaultBlock bool `mapstructure:"default_block"`
+
+	// Vars is a map of hardcoded variables that can be leveraged in your
+	// queries (eg variable admin_id will be $admin_id in the query)
+	Vars map[string]string `mapstructure:"variables"`
+
+	// Blocklist is a list of tables and columns that should be filtered
+	// out from any and all queries
+	Blocklist []string
+
+	// Tables contains all table specific configuration such as aliased tables
+	// creating relationships between tables, etc
+	Tables []Table
+
+	// RolesQuery if set enabled attributed based access control. This query
+	// is use to fetch the user attributes that then dynamically define the users
+	// role.
+	RolesQuery string `mapstructure:"roles_query"`
+
+	// Roles contains all the configuration for all the roles you want to support
+	// `user` and `anon` are two default roles. User role is for when a user ID is
+	// available and Anon when it's not.
+	Roles []Role
+
+	// Inflections is to add additionally singular to plural mappings
+	// to the engine (eg. sheep: sheep)
+	Inflections map[string]string `mapstructure:"inflections"`
 }
 
 // Table struct defines a database table

core/core.go

@@ -14,6 +14,11 @@ import (
 	"github.com/valyala/fasttemplate"
 )
 
+const (
+	OpQuery int = iota
+	OpMutation
+)
+
 type extensions struct {
 	Tracing *trace `json:"tracing,omitempty"`
 }
@@ -75,7 +80,8 @@ func (sg *SuperGraph) initCompilers() error {
 	}
 
 	sg.qc, err = qcode.NewCompiler(qcode.Config{
-		Blocklist: sg.conf.Blocklist,
+		DefaultBlock: sg.conf.DefaultBlock,
+		Blocklist:    sg.conf.Blocklist,
 	})
 	if err != nil {
 		return err
@@ -328,7 +334,20 @@ func (c *scontext) executeRoleQuery(tx *sql.Tx) (string, error) {
 	return role, nil
 }
 
-func (r *Result) Operation() string {
+func (r *Result) Operation() int {
+	switch r.op {
+	case qcode.QTQuery:
+		return OpQuery
+
+	case qcode.QTMutation, qcode.QTInsert, qcode.QTUpdate, qcode.QTUpsert, qcode.QTDelete:
+		return OpMutation
+
+	default:
+		return -1
+	}
+}
+
+func (r *Result) OperationName() string {
 	return r.op.String()
 }
 

core/init.go

@@ -70,6 +70,16 @@ func (sg *SuperGraph) initConfig() error {
 		sg.roles["user"] = &ur
 	}
 
+	// If anon role is not defined and DefaultBlock is not then then create it
+	if _, ok := sg.roles["anon"]; !ok && !c.DefaultBlock {
+		ur := Role{
+			Name: "anon",
+			tm:   make(map[string]*RoleTable),
+		}
+		c.Roles = append(c.Roles, ur)
+		sg.roles["anon"] = &ur
+	}
+
 	// Roles: validate and sanitize
 	c.RolesQuery = sanitizeVars(c.RolesQuery)
 

core/internal/integration_tests/integration_tests.go

@@ -50,7 +50,7 @@ func DropSchema(t *testing.T, db *sql.DB) {
 }
 
 func TestSuperGraph(t *testing.T, db *sql.DB, before func(t *testing.T)) {
-	config := core.Config{}
+	config := core.Config{DefaultBlock: true}
 	config.UseAllowList = false
 	config.AllowListFile = "./allow.list"
 	config.RolesQuery = `SELECT * FROM users WHERE id = $user_id`

core/internal/qcode/config.go

@@ -7,7 +7,8 @@ import (
 )
 
 type Config struct {
-	Blocklist []string
+	Blocklist    []string
+	DefaultBlock bool
 }
 
 type QueryConfig struct {

core/internal/qcode/qcode.go

@@ -170,6 +170,7 @@ const (
 )
 
 type Compiler struct {
+	db bool // default block tables if not defined in anon role
 	tr map[string]map[string]*trval
 	bl map[string]struct{}
 }
@@ -179,7 +180,7 @@ var expPool = sync.Pool{
 }
 
 func NewCompiler(c Config) (*Compiler, error) {
-	co := &Compiler{}
+	co := &Compiler{db: c.DefaultBlock}
 	co.tr = make(map[string]map[string]*trval)
 	co.bl = make(map[string]struct{}, len(c.Blocklist))
 
@@ -413,12 +414,12 @@ func (com *Compiler) compileQuery(qc *QCode, op *Operation, role string) error {
 
 func (com *Compiler) AddFilters(qc *QCode, sel *Select, role string) {
 	var fil *Exp
-	var nu bool
+	var nu bool // user required (or not) in this filter
 
 	if trv, ok := com.tr[role][sel.Name]; ok {
 		fil, nu = trv.filter(qc.Type)
 
-	} else if role == "anon" {
+	} else if com.db && role == "anon" {
 		// Tables not defined under the anon role will not be rendered
 		sel.SkipRender = true
 	}

docs/guide/.vuepress/components/HomeLayout.vue

@@ -145,17 +145,12 @@ import (
 func main() {
   db, err := sql.Open("pgx", "postgres://postgrs:@localhost:5432/example_db")
   if err != nil {
-    log.Fatalf(err)
+    log.Fatal(err)
   }
 
-  conf, err := config.NewConfig("./config")
+  sg, err := core.NewSuperGraph(nil, db)
   if err != nil {
-    log.Fatalf(err)
+    log.Fatal(err)
-  }
-
-  sg, err = core.NewSuperGraph(conf, db)
-  if err != nil {
-    log.Fatalf(err)
   }
 
   graphqlQuery := `
@@ -168,7 +163,7 @@ func main() {
 
   res, err := sg.GraphQL(context.Background(), graphqlQuery, nil)
   if err != nil {
-    log.Fatalf(err)
+    log.Fatal(err)
   }
 
   fmt.Println(string(res.Data))

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/daaku/go.zipexe v1.0.1 // indirect
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/dlclark/regexp2 v1.2.0 // indirect
-	github.com/dop251/goja v0.0.0-20200414142002-77e84ffb8c65
+	github.com/dop251/goja v0.0.0-20200424152103-d0b8fda54cd0
 	github.com/fsnotify/fsnotify v1.4.9
 	github.com/garyburd/redigo v1.6.0
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect

go.sum

@@ -55,8 +55,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/dlclark/regexp2 v1.2.0 h1:8sAhBGEM0dRWogWqWyQeIJnxjWO6oIjl8FKqREDsGfk=
 github.com/dlclark/regexp2 v1.2.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
-github.com/dop251/goja v0.0.0-20200414142002-77e84ffb8c65 h1:Nud597JuGCF/MScrb6NNVDRgmuk8X7w3pFc5GvSsm5E=
+github.com/dop251/goja v0.0.0-20200424152103-d0b8fda54cd0 h1:EfFAcaAwGai/wlDCWwIObHBm3T2C2CCPX/SaS0fpOJ4=
-github.com/dop251/goja v0.0.0-20200414142002-77e84ffb8c65/go.mod h1:Mw6PkjjMXWbTj+nnj4s3QPXq1jaT0s5pC0iFD4+BOAA=
+github.com/dop251/goja v0.0.0-20200424152103-d0b8fda54cd0/go.mod h1:Mw6PkjjMXWbTj+nnj4s3QPXq1jaT0s5pC0iFD4+BOAA=
 github.com/friendsofgo/graphiql v0.2.2/go.mod h1:8Y2kZ36AoTGWs78+VRpvATyt3LJBx0SZXmay80ZTRWo=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=

internal/serv/api.go

@@ -45,6 +45,8 @@ type Serv struct {
 	MigrationsPath string   `mapstructure:"migrations_path"`
 	AllowedOrigins []string `mapstructure:"cors_allowed_origins"`
 	DebugCORS      bool     `mapstructure:"cors_debug"`
+	APIPath        string   `mapstructure:"api_path"`
+	CacheControl   string   `mapstructure:"cache_control"`
 
 	Auth  auth.Auth
 	Auths []auth.Auth

internal/serv/http.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"net/http"
 
+	"github.com/dosco/super-graph/core"
 	"github.com/dosco/super-graph/internal/serv/internal/auth"
 	"github.com/rs/cors"
 	"go.uber.org/zap"
@@ -84,15 +85,19 @@ func apiV1(w http.ResponseWriter, r *http.Request) {
 		log.Printf("DBG query %s: %s", res.QueryName(), res.SQL())
 	}
 
-	if err != nil {
+	if err == nil {
-		renderErr(w, err)
+		if len(conf.CacheControl) != 0 && res.Operation() == core.OpQuery {
-	} else {
+			w.Header().Set("Cache-Control", conf.CacheControl)
+		}
 		json.NewEncoder(w).Encode(res)
+
+	} else {
+		renderErr(w, err)
 	}
 
 	if doLog && logLevel >= LogLevelInfo {
 		zlog.Info("success",
-			zap.String("op", res.Operation()),
+			zap.String("op", res.OperationName()),
 			zap.String("name", res.QueryName()),
 			zap.String("role", res.Role()),
 		)

internal/serv/init.go

@@ -100,6 +100,9 @@ func initConf() (*Config, error) {
 		c.UseAllowList = true
 	}
 
+	// In anon role block all tables that are not defined in the role
+	c.DefaultBlock = true
+
 	return c, nil
 }
 

internal/serv/serv.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"path"
 	"strings"
 	"time"
 
@@ -111,9 +112,15 @@ func routeHandler() (http.Handler, error) {
 		return mux, nil
 	}
 
+	apiRoute := "/api/v1/graphql"
+
+	if len(conf.APIPath) != 0 {
+		apiRoute = path.Join("/", conf.APIPath, "/v1/graphql")
+	}
+
 	routes := map[string]http.Handler{
-		"/health":         http.HandlerFunc(health),
+		"/health": http.HandlerFunc(health),
-		"/api/v1/graphql": apiV1Handler(),
+		apiRoute:  apiV1Handler(),
 	}
 
 	if err := setActionRoutes(routes); err != nil {

internal/serv/tmpl/dev.yml

@@ -46,6 +46,13 @@ cors_allowed_origins: ["*"]
 # Debug Cross Origin Resource Sharing requests
 cors_debug: false
 
+# Default API path prefix is /api you can change it if you like
+# api_path: "/data"
+
+# Cache-Control header can help cache queries if your CDN supports cache-control 
+# on POST requests (does not work with not mutations) 
+# cache_control: "public, max-age=300, s-maxage=600"
+
 # Postgres related environment Variables
 # SG_DATABASE_HOST
 # SG_DATABASE_PORT

internal/serv/tmpl/prod.yml

@@ -49,6 +49,13 @@ reload_on_config_change: false
 # Debug Cross Origin Resource Sharing requests
 # cors_debug: false
 
+# Default API path prefix is /api you can change it if you like
+# api_path: "/data"
+
+# Cache-Control header can help cache queries if your CDN supports cache-control 
+# on POST requests (does not work with not mutations) 
+# cache_control: "public, max-age=300, s-maxage=600"
+
 # Postgres related environment Variables
 # SG_DATABASE_HOST
 # SG_DATABASE_PORT