rebing / graphql-laravel
Laravel wrapper for PHP GraphQL
Maintainers
Fund package maintenance!
Requires
- php: ^8.2
- ext-json: *
- illuminate/contracts: ^12.0|^13.0
- illuminate/support: ^12.0|^13.0
- laragraph/utils: ^2.0.1
- thecodingmachine/safe: ^3.0
- webonyx/graphql-php: ^15.22.1
Requires (Dev)
- ext-pdo_sqlite: *
- eliashaeussler/deep-closure-comparator: ^1.2
- fakerphp/faker: ^1.24
- friendsofphp/php-cs-fixer: ^3
- larastan/larastan: ^3
- laravel/framework: ^12.0|^13.0
- mfn/php-cs-fixer-config: ^2
- mockery/mockery: ^1.6.10
- open-telemetry/sdk: ^1.13
- open-telemetry/sem-conv: ^1.38
- orchestra/testbench: ^10.0|^11.0
- phpstan/phpstan: ^2
- phpunit/phpunit: ^11.5.3|^12.0.1|^13.0
- thecodingmachine/phpstan-safe-rule: ^1
Suggests
- mll-lab/laravel-graphiql: Easily integrate GraphiQL into your Laravel projects.
- open-telemetry/api: Required for the OpenTelemetryTracingDriver (^1.0).
- dev-master / 10.x-dev
- 10.0.0-RC2
- 10.0.0-RC1
- 9.x-dev
- 9.17.0
- 9.16.0
- 9.15.0
- 9.14.0
- 9.13.0
- 9.12.0
- 9.11.0
- 9.10.0
- 9.9.0
- 9.8.0
- 9.7.0
- 9.6.0
- 9.5.0
- 9.4.0
- 9.3.0
- 9.2.0
- 9.1.0
- 9.0.0
- 9.0.0-rc3
- 9.0.0-rc2
- 9.0.0-rc1
- 8.x-dev
- 8.6.0
- 8.5.0
- 8.4.0
- 8.3.0
- 8.2.1
- 8.2.0
- 8.1.0
- 8.0.0
- 8.0.0-rc6
- 8.0.0-rc5
- 8.0.0-rc4
- 8.0.0-rc3
- 8.0.0-rc2
- 8.0.0-rc1
- 7.2.0
- 7.1.0
- 7.0.1
- 7.0.0
- 6.5.0
- 6.4.0
- 6.3.0
- 6.2.0
- 6.1.0
- 6.1.0-rc1
- 6.0.0
- 6.0.0-rc2
- 6.0.0-rc1
- 5.1.5
- 5.1.5-rc1
- 5.1.4
- 5.1.3
- 5.1.2
- 5.1.1
- 5.1.0
- 5.0.0
- 5.0.0-rc2
- 5.0.0-rc1
- 4.0.0
- 4.0.0-rc1
- 3.1.0
- 3.0.0
- 2.1.1
- 2.1.0
- 2.0.1
- 2.0.0
- v2.0.0-RC5
- v2.0.0-RC4
- v2.0.0-RC3
- v2.0.0-RC2
- v1.24.0
- v1.23.0
- v1.22.0
- v1.21.2
- v1.20.2
- v1.20.1
- v1.19.1
- v1.18.1
- v1.18.0
- v1.17.6
- v1.17.3
- v1.16.0
- v1.14.2
- v1.13.0
- v1.12.0
- v1.11.0
- v1.10.0
- v1.9.5
- v1.8.2
- v1.7.3
- v1.7.1
- v1.6.1
- v1.5.0
- v1.4.9
- v1.4
- dev-mfn/phpstan-deprecation-rules
- dev-mfn/phpstan-phpunit
- dev-mfn/phpstan-tools
- dev-mfn/php-cs-fixer-tools
- dev-mfn/backward-compat-checker
- dev-mfn/ci-code-coverage
- dev-mfn/contributing
- dev-mfn/phpstan-fixes
- dev-mfn/paratest
- dev-mfn/composer-audit
- dev-mfn/increase-src-code-coverage
- dev-mfn/gha-improvements
- dev-mfn/phpstan-reduce-errors-in-tests
- dev-mfn/phpunit-13
- dev-mfn/phpstan
- dev-mfn/readme-revamp
- dev-mfn/fix-1184
- dev-mfn/fix-1161
- dev-mfn/fix-930
- dev-mfn/fix-900
- dev-mfn/fix-683
- dev-mfn/test-for-issue-683
- dev-mfn/test-issue-604
- dev-mfn/l-11-drop
- dev-mfn/l-13-nodev
- dev-mfn/php-cs-fixer
- dev-mfn/php-8.5
- dev-mfn/tests-mater
- dev-mfn-phpunit-config
This package is auto-updated.
Last update: 2026-03-22 20:21:46 UTC
README
This package provides a code-first integration of GraphQL for Laravel. It is based on the PHP port of GraphQL reference implementation. You define your schema entirely in PHP classes (types, queries, mutations) rather than in .graphql schema files. You can find more information about GraphQL in the Introduction to GraphQL or you can read the GraphQL specifications.
- Allows creating queries and mutations as request endpoints
- Supports multiple schemas
- per schema queries/mutations/types
- per schema HTTP middlewares
- per schema GraphQL execution middlewares
- Custom GraphQL resolver middleware can be defined for each query/mutation
- Two data loading strategies for avoiding n+1 queries:
- Dataloaders -- uses webonyx/graphql-php's built-in deferred resolution to batch field loads from any data source
SelectFields-- analyzes the GraphQL query to generate optimized Eloquentselect()and eager-loadedwith()calls
- Queries return types, which can have custom privacy settings
Note: GraphQL subscriptions are not supported by this package. If you need real-time push functionality, consider a dedicated solution like Lighthouse (which has subscription support) or implement subscriptions separately via Laravel broadcasting / WebSockets.
Table of Contents
- Requirements
- Installation
- Quick Start
- Concepts
- Data loading
- Middleware Overview
- Schemas
- Creating a query
- Creating a mutation
- Validation
- Resolve method
- Resolver middleware
- Authorization
- Privacy
- Query variables
- Custom field
- Dataloaders
- Eager loading relationships
- Type relationship query
- Pagination
- Batching
- Scalar types
- Enums
- SelectFields and abstract types
- Unions
- Interfaces
- Input Object
- OneOf Input Objects
- Type modifiers
- Field and input alias
- JSON columns
- Field deprecation
- Default field resolver
- Macros
- Automatic Persisted Queries support
- Tracing / Observability
- Security
- Error handling
- Misc features
- Configuration options
- Performance considerations
- Known limitations
- GraphQL testing clients
- Testing
- Upgrading
Requirements
| Dependency | Version |
|---|---|
| PHP | ^8.2 |
| Laravel | 12.x - 13.x |
| webonyx/graphql-php | ^15.22.1 |
Optional dependencies:
| Package | Purpose |
|---|---|
open-telemetry/api ^1.0 |
Required for the OpenTelemetry tracing driver |
mll-lab/laravel-graphiql |
Interactive in-browser GraphiQL IDE |
Installation
Require the package via Composer:
composer require rebing/graphql-laravel
Publish the configuration file via Laravel artisan:
php artisan vendor:publish --provider="Rebing\GraphQL\GraphQLServiceProvider"
Review the configuration file:
config/graphql.php
Quick Start
Get a working GraphQL endpoint in under 5 minutes -- no database required.
1. Create a Type
Use the artisan generator to scaffold a type:
php artisan make:graphql:type BookType
Edit the generated app/GraphQL/Types/BookType.php:
declare(strict_types = 1); namespace App\GraphQL\Types; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Type as GraphQLType; class BookType extends GraphQLType { protected $attributes = [ 'name' => 'Book', 'description' => 'A book', ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::int()), 'description' => 'The id of the book', ], 'title' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The title of the book', ], 'author' => [ 'type' => Type::string(), 'description' => 'The name of the author', ], ]; } }
2. Create a Query
php artisan make:graphql:query BooksQuery
Edit app/GraphQL/Queries/BooksQuery.php:
declare(strict_types = 1); namespace App\GraphQL\Queries; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Query; class BooksQuery extends Query { protected $attributes = [ 'name' => 'books', ]; public function type(): Type { return Type::nonNull(Type::listOf(Type::nonNull(GraphQL::type('Book')))); } public function args(): array { return [ 'title' => [ 'type' => Type::string(), 'description' => 'Filter by title', ], ]; } public function resolve($root, array $args): array { $books = [ ['id' => 1, 'title' => 'The Great Gatsby', 'author' => 'F. Scott Fitzgerald'], ['id' => 2, 'title' => '1984', 'author' => 'George Orwell'], ['id' => 3, 'title' => 'To Kill a Mockingbird', 'author' => 'Harper Lee'], ]; if (isset($args['title'])) { return array_values(array_filter($books, fn ($book) => str_contains($book['title'], $args['title']))); } return $books; } }
3. Register in config
Add the type and query to the default schema in config/graphql.php:
'schemas' => [ 'default' => [ 'query' => [ App\GraphQL\Queries\BooksQuery::class, ], 'mutation' => [], 'types' => [ App\GraphQL\Types\BookType::class, ], ], ],
4. Test it
Start the dev server and send a query:
php artisan serve
curl -X POST -H "Content-Type: application/json" \ -d '{"query": "{ books { id title author } }"}' \ http://localhost:8000/graphql
Expected response:
{
"data": {
"books": [
{"id": 1, "title": "The Great Gatsby", "author": "F. Scott Fitzgerald"},
{"id": 2, "title": "1984", "author": "George Orwell"},
{"id": 3, "title": "To Kill a Mockingbird", "author": "Harper Lee"}
]
}
}
Try filtering with an argument:
curl -X POST -H "Content-Type: application/json" \ -d '{"query": "{ books(title: \"1984\") { id title } }"}' \ http://localhost:8000/graphql
Tip: For an interactive experience, install GraphiQL (
composer require mll-lab/laravel-graphiql --dev) and visit/graphiqlin your browser.
Note: Introspection is disabled by default. To enable it during development (required for GraphiQL and IDE tooling), set
GRAPHQL_DISABLE_INTROSPECTION=falsein your.envfile.
What's next?
You now have a working GraphQL API. From here you can:
- Optimize data loading -- see Dataloaders for the recommended way to avoid n+1 queries with any data source
- Use Eloquent models -- see Creating a query for a full example with database-backed types; for Eloquent-specific column optimization see the
SelectFieldshelper - Add mutations -- see Creating a mutation to modify data
- Add validation -- see Validation for built-in Laravel validation rules on arguments
- Add authorization -- see Authorization for per-operation access control
- Explore all generators -- run
php artisan list make:graphqlto see all 12 available scaffolding commands
Concepts
Before diving head first into code, it's good to familiarize yourself with the concepts surrounding GraphQL. If you've already experience with GraphQL, feel free to skip this part.
- "schema"
A GraphQL schema defines all the queries, mutations and types associated with it. - "queries" and "mutations"
The "methods" you call in your GraphQL request (think about your REST endpoint) - "types"
Besides the primitive scalars like int and string, custom "shapes" can be defined and returned via custom types. They can map to your database models or basically any data you want to return. - "resolver"
Any time data is returned, it is "resolved". Usually in query/mutations this specifies the primary way to retrieve your data. Two common strategies are dataloaders (deferred batching) andSelectFields(Eloquent eager loading). See Data loading for a comparison.
Typically, all queries/mutations/types are defined using the $attributes
property and the args() / fields() methods as well as the resolve() method.
args/fields again return a configuration array for each field they supported. Those fields usually support these shapes
- the "key" is the name of the field
type(required): a GraphQL specifier for the type supported here
Optional keys are:
description: made available when introspecting the GraphQL schemaresolve: override the default field resolverdeprecationReason: document why something is deprecated
A word on declaring a field nonNull
It's quite common, and actually good practice, to see the gracious use of
Type::nonNull() on any kind of input and/or output fields.
The more specific the intent of your type system, the better for the consumer.
Some examples
- if you require a certain field for a query/mutation argument, declare it non null
- if you know that your (e.g. model) field can never return null (e.g. users ID, email, etc.), declare it no null
- if you return a list of something, like e.g. tags, which is a) always an array
(even empty) and b) shall not contain
nullvalues, declare the type like this:
Type::nonNull(Type::listOf(Type::nonNull(Type::string())))
There exists a lot of tooling in the GraphQL ecosystem, which benefits the more specific your type system is.
Data loading
The act of loading/retrieving your data is called "resolving" in GraphQL. GraphQL itself does not define the "how" and leaves it up to the implementor.
You can use any kind of data source you like (Eloquent, static data,
ElasticSearch results, caching, etc.) in your resolvers, but you need to be
mindful of the execution model to avoid repetitive fetches. This library
supports two strategies for optimized data loading. Dataloaders are the
recommended starting point -- they work with any data source and follow the
standard GraphQL community pattern for n+1 prevention. SelectFields is
available as an Eloquent-specific alternative that offers column-level
precision.
Dataloaders (deferred resolution)
Dataloaders take advantage of the "deferred" execution model built into webonyx/graphql-php. Instead of analyzing the query upfront, each field resolver collects the keys it needs and defers the actual fetch. Once all non-deferred fields are resolved, the deferred callbacks fire, batching all collected keys into a single query.
This is the recommended approach for most applications -- it works with any data source (Eloquent, APIs, caches, etc.) and does not require any special type configuration. See Dataloaders for usage and examples.
SelectFields (Eloquent eager loading)
If your application is heavily Eloquent-based and you want column-level query
precision, SelectFields is a built-in helper that analyzes the GraphQL query's
requested fields before execution and generates optimized Eloquent select()
and with() calls. It selects only the requested columns and eager-loads
relations to avoid n+1 problems.
This approach is Eloquent-specific and requires a model config key on your
types, along with additional field configuration (alias, selectable,
always, etc.). See Eager loading relationships
for usage and examples.
Choosing an approach
| SelectFields | Dataloaders | |
|---|---|---|
| Data source | Eloquent only | Any (Eloquent, APIs, caches, etc.) |
| N+1 strategy | Upfront eager loading via query AST analysis | Deferred batching at resolve time |
| Column precision | Selects only requested columns | Typically all columns (customizable per loader) |
| Relation scoping | Custom query callbacks on type fields |
Logic inside the loader |
| Type configuration | Requires model, alias, selectable, always, etc. |
No special type config needed |
| Setup | Type-hint SelectFields or Closure in resolver |
Create a loader class, register in the container |
| Best for | Eloquent-heavy apps needing column-level optimization | Most applications; especially mixed data sources and cross-resolver batching |
The two approaches are independent and can coexist in the same application --
use SelectFields for some resolvers and dataloaders for others.
Middleware Overview
The following middleware concepts are supported:
- HTTP middleware (i.e. from Laravel)
- GraphQL execution middleware
- GraphQL resolver middleware
Briefly said, a middleware usually is a class:
- with a
handlemethod - receiving a fixed set of parameters plus a callable for the next middleware
- is responsible for calling the "next" middleware
Usually a middleware does just that but may decide to not do that and just return - has the freedom to mutate the parameters passed on
HTTP middleware
Any Laravel compatible HTTP middleware
can be provided on a global level for all GraphQL endpoints via the config
graphql.route.middleware or on a per-schema basis via
graphql.schemas.<yourschema>.middleware. The per-schema middleware overrides
the global one.
GraphQL execution middleware
The processing of a GraphQL request, henceforth called "execution", flows through a set of middlewares.
They can be set on global level via graphql.execution_middleware or per-schema
via graphql.schemas.<yourschema>.execution_middleware.
By default, the recommended set of middlewares is provided on the global level.
Note: the execution of the GraphQL request itself is also implemented via a
middleware, which is usually expected to be called last (and does not call
further middlewares). In case you're interested in the details, please see
\Rebing\GraphQL\GraphQL::appendGraphqlExecutionMiddleware
GraphQL resolver middleware
After the HTTP middleware and the execution middleware is applied, the
"resolver middleware" is executed for the query/mutation being targeted
before the actual resolve() method is called.
See Resolver middleware for more details.
Schemas
Schemas are required for defining GraphQL endpoints. You can define multiple schemas and assign different HTTP middleware and execution middleware to them, in addition to the global middleware. For example:
'default_schema' => 'default', 'schemas' => [ 'default' => [ 'query' => [ ExampleQuery::class, ], 'mutation' => [ ExampleMutation::class, ], 'types' => [ ], ], 'user' => [ 'query' => [ App\GraphQL\Queries\ProfileQuery::class ], 'mutation' => [ ], 'types' => [ ], 'middleware' => ['auth'], // Which HTTP methods to support; must be given in UPPERCASE! // Default is POST only; enable GET explicitly if needed 'method' => ['GET', 'POST'], 'execution_middleware' => [ \Rebing\GraphQL\Support\ExecutionMiddleware\UnusedVariablesMiddleware::class, ], // Route attributes applied to the generated HTTP route for this schema // Example: expose this schema on a dedicated subdomain 'route_attributes' => [ 'domain' => 'api.example.com', ], // Override the default controller for this schema. // Supports string ('Class@method') and array ([Class::class, 'method']) formats. // The controller method receives the same parameters as GraphQLController@query. // 'controller' => App\Http\Controllers\MyGraphQLController::class . '@query', ], ],
Together with the configuration, in a way the schema defines also the route by
which it is accessible. Per the default configuration of prefix = graphql, the
default schema is accessible via /graphql.
Route attributes
You can customize the HTTP route generated for a specific schema using the route_attributes key.
This is useful for setting parameters supported by Laravel routes, e.g. a custom domain.
The attributes are merged into the route's action array, so standard Laravel route attributes
like domain, prefix, as (route name), and where (parameter constraints) are all supported.
'schemas' => [ 'with_custom_domain' => [ 'query' => [ App\GraphQL\Queries\UsersQuery::class, ], 'middleware' => ['auth:api'], 'route_attributes' => [ 'domain' => 'api.example.com', ], ], ]
Schema classes
You may alternatively define the configuration of a schema in a class that implements ConfigConvertible.
In your config, you can reference the name of the class, rather than an array.
'schemas' => [ 'default' => DefaultSchema::class ]
declare(strict_types = 1); namespace App\GraphQL\Schemas; use Rebing\GraphQL\Support\Contracts\ConfigConvertible; class DefaultSchema implements ConfigConvertible { public function toConfig(): array { return [ 'query' => [ ExampleQuery::class, ], 'mutation' => [ ExampleMutation::class, ], 'types' => [ ], ]; } }
You can use the php artisan make:graphql:schemaConfig command to create a new schema configuration class automatically.
Creating a query
First you usually create a type you want to return from the query. The Eloquent 'model' is only required if specifying relations.
Note: The
selectablekey defaults totrue, meaningSelectFieldswill include the field in the SQLSELECT. Set it tofalsefor computed/virtual fields that don't correspond to a database column (e.g. accessors, custom resolvers).
declare(strict_types = 1); namespace App\GraphQL\Types; use App\Models\User; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Type as GraphQLType; class UserType extends GraphQLType { protected $attributes = [ 'name' => 'User', 'description' => 'A user', // Note: only necessary if you use `SelectFields` 'model' => User::class, ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The id of the user', // Use 'alias', if the database column is different from the type name. // This is supported for discrete values as well as relations. // - you can also use `DB::raw()` to solve more complex issues // - or a callback returning the value (string or `DB::raw()` result) 'alias' => 'user_id', ], 'email' => [ 'type' => Type::string(), 'description' => 'The email of user', 'resolve' => function($root, array $args) { // If you want to resolve the field yourself, // it can be done here return strtolower($root->email); } ], // Uses the 'getIsMeAttribute' function on our custom User model 'isMe' => [ 'type' => Type::boolean(), 'description' => 'True, if the queried user is the current user', 'selectable' => false, // Does not try to query this from the database ] ]; } // You can also resolve a field by declaring a method in the class // with the following format resolve[FIELD_NAME]Field() protected function resolveEmailField($root, array $args) { return strtolower($root->email); } }
The best practice is to start with your schema in config/graphql.php and add types directly to your schema (e.g. default):
'schemas' => [ 'default' => [ // ... 'types' => [ App\GraphQL\Types\UserType::class, ],
Alternatively you can:
-
add the type on the "global" level, e.g. directly in the root config:
'types' => [ App\GraphQL\Types\UserType::class, ],
Adding them on the global level allows to share them between different schemas but be aware this might make it harder to understand which types/fields are used where.
-
or add the type with the
GraphQLFacade, in a service provider for example.GraphQL::addType(\App\GraphQL\Types\UserType::class);
-
or register multiple types at once with
addTypes:GraphQL::addTypes([ \App\GraphQL\Types\UserType::class, 'CustomName' => \App\GraphQL\Types\PostType::class, ]);
Both indexed entries (class name auto-resolved) and associative entries (explicit name => class) are supported.
Then you need to define a query that returns this type (or a list). You can also specify arguments that you can use in the resolve method.
declare(strict_types = 1); namespace App\GraphQL\Queries; use Closure; use App\Models\User; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\ResolveInfo; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Query; class UsersQuery extends Query { protected $attributes = [ 'name' => 'users', ]; public function type(): Type { return Type::nonNull(Type::listOf(Type::nonNull(GraphQL::type('User')))); } public function args(): array { return [ 'id' => [ 'type' => Type::string(), ], 'email' => [ 'type' => Type::string(), ] ]; } public function resolve($root, array $args, $context, ResolveInfo $resolveInfo, Closure $getSelectFields) { if (isset($args['id'])) { return User::where('id' , $args['id'])->get(); } if (isset($args['email'])) { return User::where('email', $args['email'])->get(); } return User::all(); } }
Add the query to the config/graphql.php configuration file
'schemas' => [ 'default' => [ 'query' => [ App\GraphQL\Queries\UsersQuery::class ], // ... ] ]
And that's it. You should be able to query GraphQL with a POST request to the url /graphql (or anything you choose in your config). Try a POST request with the following query input
Note: The
resolve()method supports dependency injection for parameters beyond the first three ($root,$args,$context). You can typehintClosure $getSelectFieldsto receive a lazy factory, or typehintSelectFields $fieldsdirectly to get an eager-loaded instance. Any other class typehint will be resolved from Laravel's service container. See Resolve method for full details.
query FetchUsers { users { id email } }
For example, using curl:
curl -X POST -H "Content-Type: application/json" \ -d '{"query": "query FetchUsers { users { id email } }"}' \ http://localhost:8000/graphql
Creating a mutation
A mutation is like any other query. It accepts arguments and returns an object of a certain type. Mutations are meant to be used for operations modifying (mutating) the state on the server (which queries are not supposed to perform).
This is conventional abstraction, technically you can do anything you want in a query resolve, including mutating state.
For example, a mutation to update the password of a user. First you need to define the Mutation:
declare(strict_types = 1); namespace App\GraphQL\Mutations; use Closure; use App\Models\User; use Illuminate\Support\Facades\Hash; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\Type; use GraphQL\Type\Definition\ResolveInfo; use Rebing\GraphQL\Support\Mutation; class UpdateUserPasswordMutation extends Mutation { protected $attributes = [ 'name' => 'updateUserPassword' ]; public function type(): Type { return Type::nonNull(GraphQL::type('User')); } public function args(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), ], 'password' => [ 'type' => Type::nonNull(Type::string()), ] ]; } public function resolve($root, array $args, $context, ResolveInfo $resolveInfo, Closure $getSelectFields) { $user = User::find($args['id']); if(!$user) { return null; } $user->password = Hash::make($args['password']); $user->save(); return $user; } }
As you can see in the resolve() method, you use the arguments to update your model and return it.
You should then add the mutation to the config/graphql.php configuration file:
'schemas' => [ 'default' => [ 'mutation' => [ App\GraphQL\Mutations\UpdateUserPasswordMutation::class, ], // ... ] ]
You can then use the following query on your endpoint to do the mutation:
mutation users { updateUserPassword(id: "1", password: "newpassword") { id email } }
For example, using curl:
curl -X POST -H "Content-Type: application/json" \ -d '{"query": "mutation users { updateUserPassword(id: \"1\", password: \"newpassword\") { id email } }"}' \ http://localhost:8000/graphql
File uploads
This library uses https://github.com/laragraph/utils which is compliant with the spec at https://github.com/jaydenseric/graphql-multipart-request-spec .
You have to add the \Rebing\GraphQL\Support\UploadType first to your config/graphql schema types definition (either global or in your schema):
'types' => [ \Rebing\GraphQL\Support\UploadType::class, ],
It is important that you send the request as multipart/form-data:
WARNING: when you are uploading files, Laravel will use FormRequest - it means that middlewares which are changing request, will not have any effect.
declare(strict_types = 1); namespace App\GraphQL\Mutations; use Closure; use GraphQL\Type\Definition\ResolveInfo; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Mutation; class UserProfilePhotoMutation extends Mutation { protected $attributes = [ 'name' => 'userProfilePhoto', ]; public function type(): Type { return GraphQL::type('User'); } public function args(): array { return [ 'profilePicture' => [ 'type' => GraphQL::type('Upload'), 'rules' => ['required', 'image', 'max:1500'], ], ]; } public function resolve($root, array $args, $context, ResolveInfo $resolveInfo, Closure $getSelectFields) { $file = $args['profilePicture']; // Do something with file here... } }
Note: You can test your file upload implementation using Altair as explained here.
Vue.js example
<template> <div> <input type="file" ref="fileInput" @change="handleFileChange" /> <button :disabled="!file" @click="upload">Upload</button> </div> </template> <script setup> import { ref } from 'vue'; const file = ref(null); const fileInput = ref(null); function handleFileChange() { file.value = fileInput.value.files[0]; } async function upload() { if (!file.value) return; const formData = new FormData(); formData.set('operations', JSON.stringify({ query: `mutation uploadSingleFile($file: Upload!) { upload_single_file(attachment: $file) }`, variables: { attachment: null }, })); formData.set('map', JSON.stringify({ '0': ['variables.attachment'] })); formData.append('0', file.value); const response = await fetch('/graphql', { method: 'POST', body: formData, }); const result = await response.json(); if (!result.errors) { file.value = null; } } </script>
Vanilla JavaScript
<input type="file" id="fileUpload">
const fileInput = document.getElementById('fileUpload'); const file = fileInput.files[0]; const formData = new FormData(); formData.set('operations', JSON.stringify({ query: `mutation uploadSingleFile($file: Upload!) { upload_single_file(attachment: $file) }`, variables: { attachment: null }, })); formData.set('map', JSON.stringify({ '0': ['variables.attachment'] })); formData.append('0', file); const response = await fetch('/graphql', { method: 'POST', body: formData, }); const result = await response.json();
Validation
Laravel's validation is supported on queries, mutations, input types and field arguments.
Note: The support is "sugar on top" and is provided as a convenience. It may have limitations in certain cases, in which case regular Laravel validation can be used in your respective
resolve()methods, just like in regular Laravel code.
Adding validation rules is supported in the following ways:
- the field configuration key
'rules'is supported- in queries/mutations in fields declared in
function args() - in input types in fields declared in
function fields() 'args'declared for a field
- in queries/mutations in fields declared in
- Overriding
\Rebing\GraphQL\Support\Field::ruleson any query/mutation/input type - Or directly use Laravel's
Validatorin yourresolve()method
Using the configuration key 'rules' is very convenient, as it is declared in
the same location as the GraphQL type itself. However, you may hit certain
restrictions with this approach (like multi-field validation using *), in
which case you can override the rules() method.
Example defining rules in each argument
class UpdateUserEmailMutation extends Mutation { //... public function args(): array { return [ 'id' => [ 'type' => Type::string(), 'rules' => ['required'] ], 'email' => [ 'type' => Type::string(), 'rules' => ['required', 'email'] ] ]; } //... }
Example using the rules() method
declare(strict_types = 1); namespace App\GraphQL\Mutations; use Closure; use App\Models\User; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\ResolveInfo; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Mutation; class UpdateUserEmailMutation extends Mutation { protected $attributes = [ 'name' => 'updateUserEmail' ]; public function type(): Type { return GraphQL::type('User'); } public function args(): array { return [ 'id' => [ 'type' => Type::string(), ], 'email' => [ 'type' => Type::string(), ] ]; } protected function rules(array $args = []): array { return [ 'id' => ['required'], 'email' => ['required', 'email'], 'password' => $args['id'] !== 1337 ? ['required'] : [], ]; } public function resolve($root, array $args) { $user = User::find($args['id']); if (!$user) { return null; } $user->email = $args['email']; $user->save(); return $user; } }
Example using Laravel's validator directly
Calling validate() in the example below will throw Laravel's ValidationException
which is handed by the default error_formatter by this library:
protected function resolve($root, array $args) { \Illuminate\Support\Facades\Validator::make($args, [ 'data.*.password' => 'string|nullable|same:data.*.password_confirmation', ])->validate(); }
The format of the 'rules' configuration key, or the rules returned by the
rules() method, follows the same convention that Laravel supports, e.g.:
'rules' => 'required|string'
or'rules' => ['required', 'string']
or'rules' => function (…) { … }
etc.
For the args() method or the 'args' definition for a field, the field names
are directly used for the validation. However, for input types, which can be
nested and occur multiple times, the field names are mapped as e.g.
data.0.fieldname. This is important to understand when returning rules from
the rules() method.
Handling validation errors
Exceptions are used to communicate back in the GraphQL response that validation
errors occurred. When using the built-in support, the exception
\Rebing\GraphQL\Error\ValidationError is thrown. In your custom code or when
directly using the Laravel Validator, Laravel's built-in
\Illuminate\Validation\ValidationException is supported too. In both cases,
the GraphQL response is transformed to the error format shown below.
To support returning validation errors in a GraphQL error response, the
'extensions' are used, as there's no proper equivalent.
On the client side, you can check if message for a given error matches
'validation', you can expect the extensions.validation key which maps each
field to their respective errors:
{
"data": {
"updateUserEmail": null
},
"errors": [
{
"message": "validation",
"extensions": {
"validation": {
"email": [
"The email is invalid."
]
}
},
"locations": [
{
"line": 1,
"column": 20
}
]
}
]
}
You can customize the way this is handled by providing your own error_formatter
in the configuration, replacing the default one from this library.
Customizing error messages
The validation errors returned can be customised by overriding the
validationErrorMessages method. This method should return an array of custom
validation messages in the same way documented by Laravel's validation. For
example, to check an email argument doesn't conflict with any existing data,
you could perform the following:
Note: the keys should be in
field_name.validator_typeformat, so you can return specific errors per validation type.
public function validationErrorMessages(array $args = []): array { return [ 'name.required' => 'Please enter your full name', 'name.string' => 'Your name must be a valid string', 'email.required' => 'Please enter your email address', 'email.email' => 'Please enter a valid email address', 'email.exists' => 'Sorry, this email address is already in use', ]; }
Customizing attributes
The validation attributes can be customised by overriding the
validationAttributes method. This method should return an array of custom
attributes in the same way documented by Laravel's validation.
public function validationAttributes(array $args = []): array { return [ 'email' => 'email address', ]; }
Cross-field validation rules in nested input types
When using Laravel validation rules that reference sibling fields (like
prohibits, required_without, required_if, etc.) within an InputType, the
library automatically transforms those references into fully-qualified
dot-notation paths that Laravel's Validator can resolve correctly.
For example, given an InputType:
class RecipientInput extends InputType { protected $attributes = ['name' => 'RecipientInput']; public function fields(): array { return [ 'createParams' => [ 'type' => Type::string(), 'rules' => ['nullable', 'prohibits:mintParams'], ], 'mintParams' => [ 'type' => Type::string(), 'rules' => ['nullable', 'prohibits:createParams'], ], ]; } }
Used in a mutation as a list:
public function args(): array { return [ 'recipients' => [ 'type' => Type::nonNull(Type::listOf(Type::nonNull(GraphQL::type('RecipientInput')))), ], ]; }
The prohibits:mintParams rule on recipients.0.createParams is automatically
transformed to prohibits:recipients.0.mintParams so that Laravel's Validator
correctly resolves the sibling field reference.
This applies to all dependent rules including prohibits, required_with,
required_with_all, required_without, required_without_all, present_with,
present_with_all, missing_with, missing_with_all, exclude_with,
exclude_without, same, different, required_if, required_unless,
prohibited_if, prohibited_unless, exclude_if, exclude_unless,
accepted_if, declined_if, present_if, present_unless, missing_if,
missing_unless, required_if_accepted, required_if_declined,
prohibited_if_accepted, prohibited_if_declined, and comparison rules like
gt, gte, lt, lte, before, after, before_or_equal, after_or_equal
(when they reference a sibling field). For rules like required_if that take
both a field reference and a value (e.g. required_if:mode,advanced), only the
field reference parameter is transformed. See RulesPrefixer for the full list.
Disabling automatic prefixing: If you need to opt out of this behavior for
a specific query or mutation, override processCollectedRules():
class MyMutation extends Mutation { protected function processCollectedRules(array $rules): array { return $rules; // disable automatic cross-field rule prefixing } }
Misc notes
Certain type declarations of GraphQL may cancel our or render certain validations
unnecessary. A good example is using Type::nonNull() to ultimately declare
that an argument is required. In such a case a 'rules' => 'required'
configuration will likely never be triggered, because the GraphQL execution
engine already prevents this field from being accepted in the first place.
Or to be more clear: if a GraphQL type system violation occurs, then no Laravel validation will be even executed, as the code does not get so far.
Resolve method
The resolve method is used in both queries and mutations, and it's here that responses are created.
The first three parameters to the resolve method are hard-coded:
- The
$rootobject this resolve method belongs to (can benull) - The arguments passed as
array $args(can be an empty array) - The query specific GraphQL context
Can be customized by implementing a custom "execution middleware", see
\Rebing\GraphQL\Support\ExecutionMiddleware\AddAuthUserContextValueMiddlewarefor an example.
Arguments here after will be attempted to be injected, similar to how controller methods works in Laravel.
You can typehint any class that you will need an instance of.
There are two hardcoded classes which depend on the local data for the query:
GraphQL\Type\Definition\ResolveInfohas information useful for field resolution process.Rebing\GraphQL\Support\SelectFieldsallows eager loading of related Eloquent models, see Eager loading relationships.
Example:
declare(strict_types = 1); namespace App\GraphQL\Queries; use Closure; use App\Models\User; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\Type; use GraphQL\Type\Definition\ResolveInfo; use Rebing\GraphQL\Support\SelectFields; use Rebing\GraphQL\Support\Query; use SomeClassNamespace\SomeClassThatDoLogging; class UsersQuery extends Query { protected $attributes = [ 'name' => 'users', ]; public function type(): Type { return Type::listOf(GraphQL::type('User')); } public function args(): array { return [ 'id' => [ 'type' => Type::string(), ] ]; } public function resolve($root, array $args, $context, ResolveInfo $info, SelectFields $fields, SomeClassThatDoLogging $logging) { $logging->log('fetched user'); $select = $fields->getSelect(); $with = $fields->getRelations(); $users = User::select($select)->with($with); return $users->get(); } }
Resolver middleware
These are GraphQL specific resolver middlewares and are only conceptually related to Laravel's "HTTP middleware". The main difference:
- Laravel's HTTP middleware:
- works on the schema / route level
- is compatible with any regular Laravel HTTP middleware
- is the same for all queries/mutations in a schema
- Resolver middleware
- Works similar in concept
- But applies on the query/mutation level, i.e. can be different for every query/mutation
- Is technically not compatible with HTTP middleware
- Takes different arguments
Defining middleware
To create a new middleware, use the make:graphql:middleware Artisan command
php artisan make:graphql:middleware ResolvePage
This command will place a new ResolvePage class within your app/GraphQL/Middleware directory.
In this middleware, we will set the Paginator current page to the argument we accept via our PaginationType:
declare(strict_types = 1); namespace App\GraphQL\Middleware; use Closure; use GraphQL\Type\Definition\ResolveInfo; use Illuminate\Pagination\Paginator; use Rebing\GraphQL\Support\Middleware; class ResolvePage extends Middleware { public function handle($root, array $args, $context, ResolveInfo $info, Closure $next) { Paginator::currentPageResolver(function () use ($args) { return $args['pagination']['page'] ?? 1; }); return $next($root, $args, $context, $info); } }
Registering middleware
If you would like to assign middleware to specific queries/mutations,
list the middleware class in the $middleware property of your query class.
declare(strict_types = 1); namespace App\GraphQL\Queries; use App\GraphQL\Middleware; use Rebing\GraphQL\Support\Query; class UsersQuery extends Query { protected $middleware = [ Middleware\Logstash::class, Middleware\ResolvePage::class, ]; }
If you want a middleware to run during every GraphQL query/mutation to your application,
list the middleware class in the $middleware property of your base query class.
declare(strict_types = 1); namespace App\GraphQL\Queries; use App\GraphQL\Middleware; use Rebing\GraphQL\Support\Query as BaseQuery; abstract class Query extends BaseQuery { protected $middleware = [ Middleware\Logstash::class, Middleware\ResolvePage::class, ]; }
Alternatively, you can override getMiddleware to supply your own logic:
protected function getMiddleware(): array { return array_merge([...], $this->middleware); }
If you want to register middleware globally, use the resolver_middleware_append key in config/graphql.php (defaults to null, treated as an empty array):
return [ ... 'resolver_middleware_append' => [YourMiddleware::class], ];
You can also use the appendGlobalResolverMiddleware method in any ServiceProvider:
... public function boot() { ... GraphQL::appendGlobalResolverMiddleware(YourMiddleware::class); // Or with new instance GraphQL::appendGlobalResolverMiddleware(new YourMiddleware(...)); }
If your middleware needs to wrap all other resolver middleware (including
per-field middleware), use prependGlobalResolverMiddleware instead:
GraphQL::prependGlobalResolverMiddleware(YourOutermostMiddleware::class);
The resulting pipeline order is: prepended global middleware, per-field middleware, appended global middleware. This is used internally by the tracing system but is available for any middleware that must run outermost.
Terminable middleware
Sometimes a middleware may need to do some work after the response has been sent to the browser. If you define a terminate method on your middleware and your web server is using FastCGI, the terminate method will automatically be called after the response is sent to the browser:
declare(strict_types = 1); namespace App\GraphQL\Middleware; use Countable; use GraphQL\Language\Printer; use GraphQL\Type\Definition\ResolveInfo; use Illuminate\Contracts\Pagination\LengthAwarePaginator; use Illuminate\Pagination\AbstractPaginator; use Illuminate\Support\Arr; use Illuminate\Support\Facades\Config; use Illuminate\Support\Facades\Log; use Illuminate\Support\Facades\Route; use Rebing\GraphQL\Support\Middleware; class Logstash extends Middleware { public function terminate($field, array $args, $context, ResolveInfo $info, $result): void { Log::channel('logstash')->info('', ( collect([ 'query' => $info->fieldName, 'operation' => $info->operation->name->value ?? null, 'type' => $info->operation->operation, 'fields' => array_keys(Arr::dot($info->getFieldSelection($depth = PHP_INT_MAX))), 'schema' => Arr::first(Route::current()->parameters()) ?? Config::get('graphql.default_schema', 'default'), 'vars' => $this->formatVariableDefinitions($info->operation->variableDefinitions), ]) ->when($result instanceof Countable, function ($metadata) use ($result) { return $metadata->put('count', $result->count()); }) ->when($result instanceof AbstractPaginator, function ($metadata) use ($result) { return $metadata->put('per_page', $result->perPage()); }) ->when($result instanceof LengthAwarePaginator, function ($metadata) use ($result) { return $metadata->put('total', $result->total()); }) ->merge($this->formatArguments($args)) ->toArray() )); } private function formatArguments(array $args): array { return collect($args) ->mapWithKeys(function ($value, $key) { return ["\${$key}" => $value]; }) ->toArray(); } private function formatVariableDefinitions(?iterable $variableDefinitions = []): array { return collect($variableDefinitions) ->map(function ($def) { return Printer::doPrint($def); }) ->toArray(); } }
The terminate method receives both the resolver arguments and the query result.
Once you have defined a terminable middleware, you should add it to the list of middleware in your queries and mutations.
Authorization
For authorization similar to Laravel's Request (or middleware) functionality, we can override the authorize() function in a Query or Mutation.
Important: The
authorize()method must return exactlytrue(strict comparison) for the request to proceed. Returning other truthy values (e.g.1,"yes") will be treated as unauthorized.
Note: Authorization is checked before validation rules are evaluated. This prevents unauthenticated users from probing validation rules to discover API structure.
An example of Laravel's 'auth' middleware:
declare(strict_types = 1); namespace App\GraphQL\Queries; use Illuminate\Support\Facades\Auth; use Closure; use GraphQL\Type\Definition\ResolveInfo; class UsersQuery extends Query { public function authorize($root, array $args, $ctx, ResolveInfo $resolveInfo = null, Closure $getSelectFields = null): bool { // true, if logged in return ! Auth::guest(); } // ... }
Or we can make use of arguments passed via the GraphQL query:
declare(strict_types = 1); namespace App\GraphQL\Queries; use Illuminate\Support\Facades\Auth; use Closure; use GraphQL\Type\Definition\ResolveInfo; class UsersQuery extends Query { public function authorize($root, array $args, $ctx, ResolveInfo $resolveInfo = null, Closure $getSelectFields = null): bool { if (isset($args['id'])) { return Auth::id() == $args['id']; } return true; } // ... }
You can also provide a custom error message when the authorization fails (defaults to Unauthorized):
declare(strict_types = 1); namespace App\GraphQL\Queries; use Illuminate\Support\Facades\Auth; use Closure; use GraphQL\Type\Definition\ResolveInfo; class UsersQuery extends Query { public function authorize($root, array $args, $ctx, ResolveInfo $resolveInfo = null, Closure $getSelectFields = null): bool { if (isset($args['id'])) { return Auth::id() == $args['id']; } return true; } public function getAuthorizationMessage(): string { return 'You are not authorized to perform this action'; } // ... }
Privacy
You can set custom privacy attributes for every Type's Field. If a field is not
allowed, null will be returned. Privacy is enforced at the field resolver
level, so it works universally - whether the type is a root query result, a
nested sub-type, or accessed via SelectFields.
The privacy callback receives two arguments: the field's own arguments
($args) and the query context ($ctx).
Using a closure:
use Illuminate\Support\Facades\Auth; class UserType extends GraphQLType { // ... public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The id of the user', ], 'email' => [ 'type' => Type::string(), 'description' => 'The email of user', 'privacy' => function (array $args, $ctx): bool { // Only the authenticated user can see their own email. // $ctx is the query context value (see notes below). // By default, AddAuthUserContextValueMiddleware sets // $ctx to the authenticated user model directly. return $ctx && $ctx->id === Auth::id(); }, ], ]; } // ... }
Using a Privacy class:
You can also create a class that extends the abstract Privacy class:
use Illuminate\Support\Facades\Auth; use Rebing\GraphQL\Support\Privacy; class MePrivacy extends Privacy { public function validate(array $fieldArgs, $queryContext = null): bool { return $queryContext && $queryContext->id === Auth::id(); } }
Then reference it by class name on the field:
use MePrivacy; class UserType extends GraphQLType { // ... public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The id of the user', ], 'email' => [ 'type' => Type::string(), 'description' => 'The email of user', 'privacy' => MePrivacy::class, ], ]; } // ... }
Using field arguments in a privacy check:
If the field declares its own args, they are available in $args:
'ssn' => [ 'type' => Type::string(), 'args' => [ 'reason' => [ 'type' => Type::nonNull(Type::string()), ], ], 'privacy' => function (array $args, $ctx): bool { // Only allow access when a valid reason is provided. return in_array($args['reason'] ?? '', ['legal', 'compliance']); }, ],
$args- field arguments, not query arguments. The$argsparameter contains the arguments declared on the field itself (via theargskey). If the field declares no arguments,$argswill be an empty array. These are not the root query/mutation arguments.
$ctx- the query context value. This is the context value passed to the GraphQL execution. By default, the built-inAddAuthUserContextValueMiddlewareexecution middleware sets this directly to the authenticated user model (i.e.Auth::user()), ornullif no user is authenticated. You can customize the context via your own execution middleware.
Privacy vs Authorization.
authorize()on a Query or Mutation gates the entire operation - if it fails, the whole request is rejected with an error.privacyon a Type field gates individual fields and silently returnsnullwhen denied. Useauthorize()for access control on operations andprivacyfor field-level visibility within types.
Caution with non-null fields. When privacy denies access, the field resolver returns
null. If the field is typed asType::nonNull(...), thisnullviolates the GraphQL non-null contract and causes an error that propagates up to the nearest nullable parent. Always use nullable types for privacy-protected fields.
Query variables
GraphQL offers you the possibility to use variables in your query so you don't need to "hardcode" value. This is done like that:
query FetchUserByID($id: String) { user(id: $id) { id email } }
When you query the GraphQL endpoint, you can pass a JSON encoded variables parameter.
For example, using curl:
curl -X POST -H "Content-Type: application/json" \ -d '{"query": "query FetchUserByID($id: Int) { user(id: $id) { id email } }", "variables": {"id": 123}}' \ http://localhost:8000/graphql
Custom field
You can also define a field as a class if you want to reuse it in multiple types.
declare(strict_types = 1); namespace App\GraphQL\Fields; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Field; class PictureField extends Field { protected $attributes = [ 'description' => 'A picture', ]; public function type(): Type { return Type::string(); } public function args(): array { return [ 'width' => [ 'type' => Type::int(), 'description' => 'The width of the picture' ], 'height' => [ 'type' => Type::int(), 'description' => 'The height of the picture' ] ]; } protected function resolve($root, array $args) { $width = isset($args['width']) ? $args['width']:100; $height = isset($args['height']) ? $args['height']:100; return 'https://placehold.co/'.$width.'x'.$height; } }
You can then use it in your type declaration
declare(strict_types = 1); namespace App\GraphQL\Types; use App\GraphQL\Fields\PictureField; use App\Models\User; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Type as GraphQLType; class UserType extends GraphQLType { protected $attributes = [ 'name' => 'User', 'description' => 'A user', 'model' => User::class, ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The id of the user' ], 'email' => [ 'type' => Type::string(), 'description' => 'The email of user' ], //Instead of passing an array, you pass a class path to your custom field 'picture' => PictureField::class ]; } }
Even better reusable fields
Instead of using the class name, you can also supply an actual instance of the Field. This allows you to not only re-use the field, but will also open up the possibility to re-use the resolver.
Let's imagine we want a field type that can output dates formatted in all sorts of ways.
declare(strict_types = 1); namespace App\GraphQL\Fields; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Field; class FormattableDate extends Field { protected $attributes = [ 'description' => 'A field that can output a date in all sorts of ways.', ]; public function __construct(array $settings = []) { $this->attributes = \array_merge($this->attributes, $settings); } public function type(): Type { return Type::string(); } public function args(): array { return [ 'format' => [ 'type' => Type::string(), 'defaultValue' => 'Y-m-d H:i', 'description' => 'Defaults to Y-m-d H:i', ], 'relative' => [ 'type' => Type::boolean(), 'defaultValue' => false, ], ]; } protected function resolve($root, array $args): ?string { $date = $root->{$this->getProperty()}; if (!$date instanceof Carbon) { return null; } if ($args['relative']) { return $date->diffForHumans(); } return $date->format($args['format']); } protected function getProperty(): string { return $this->attributes['alias'] ?? $this->attributes['name']; } }
You can use this field in your type as follows:
declare(strict_types = 1); namespace App\GraphQL\Types; use App\GraphQL\Fields\FormattableDate; use App\Models\User; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Type as GraphQLType; class UserType extends GraphQLType { protected $attributes = [ 'name' => 'User', 'description' => 'A user', 'model' => User::class, ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The id of the user' ], 'email' => [ 'type' => Type::string(), 'description' => 'The email of user' ], // You can simply supply an instance of the class 'dateOfBirth' => new FormattableDate, // Because the constructor of `FormattableDate` accepts our the array of parameters, // we can override them very easily. // Imagine we want our field to be called `createdAt`, but our database column // is called `created_at`: 'createdAt' => new FormattableDate([ 'alias' => 'created_at', ]) ]; } }
Dataloaders
Dataloaders are the standard GraphQL pattern for solving n+1 problems and are
the recommended default data loading strategy. They use deferred resolution
-- a mechanism built into
webonyx/graphql-php,
the GraphQL engine this library is built on. Unlike
SelectFields, dataloaders do not require
Eloquent models or special type configuration, and they work with any data
source.
The pattern has two phases:
- Collect -- each field resolver registers the key it needs (e.g. a user ID)
and returns a
GraphQL\Deferredinstead of a value. - Batch -- once all non-deferred fields are resolved, the deferred callbacks fire. The first callback triggers a bulk fetch for all collected keys; the rest read from the already-loaded result.
Creating a loader
A loader is a plain PHP class that accumulates keys and performs a single bulk query when triggered. Registering it as a scoped singleton ensures a fresh instance per request (safe for Laravel Octane and queue workers).
declare(strict_types = 1); namespace App\GraphQL\Loaders; use App\Models\User; use GraphQL\Deferred; class UserLoader { /** @var list<int> */ private array $pendingIds = []; /** @var array<int,User> */ private array $loaded = []; /** * Register a key to be loaded and return a deferred resolver. */ public function load(int $id): Deferred { $this->pendingIds[] = $id; return new Deferred(function () use ($id): ?User { $this->loadPending(); return $this->loaded[$id] ?? null; }); } /** * Bulk-fetch all pending keys in a single query. */ private function loadPending(): void { $ids = array_diff(array_unique($this->pendingIds), array_keys($this->loaded)); $this->pendingIds = []; if ($ids === []) { return; } $users = User::whereIn('id', $ids)->get()->keyBy('id'); foreach ($users as $id => $user) { $this->loaded[$id] = $user; } } }
Register it in a service provider:
// AppServiceProvider::register() $this->app->scoped(\App\GraphQL\Loaders\UserLoader::class);
Using a loader in a type
Resolve the loader from the container and call load() with the key. The
returned Deferred is handled transparently by the GraphQL execution engine --
no changes to your schema, middleware, or controller are required.
declare(strict_types = 1); namespace App\GraphQL\Types; use App\GraphQL\Loaders\UserLoader; use App\Models\Post; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Type as GraphQLType; class PostType extends GraphQLType { protected $attributes = [ 'name' => 'Post', 'description' => 'A blog post', ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::int()), ], 'title' => [ 'type' => Type::nonNull(Type::string()), ], 'author' => [ 'type' => GraphQL::type('User'), 'description' => 'The post author, loaded via dataloader', 'resolve' => function (Post $post) { return app(UserLoader::class)->load($post->author_id); }, ], ]; } }
If a query requests 50 posts, the author resolver is called 50 times -- but
only one SELECT * FROM users WHERE id IN (...) query is executed, because all
50 IDs are collected during the "collect" phase and fetched together when the
first Deferred callback fires.
How it works
GraphQL\Deferred is a synchronous promise provided by webonyx/graphql-php. When
a resolver returns a Deferred, the executor sets the value aside and continues
resolving other fields. Once no more immediate fields remain, it drains the
deferred queue: each callback runs, and if any callback returns another
Deferred, that is queued too. This continues until all values are fully resolved.
Because this library's execution middleware calls GraphQL::executeQuery() (which
uses the built-in SyncPromiseAdapter internally), Deferred works out of the
box with no additional configuration.
Using a DataLoader library
For applications with many loaders, the
overblog/dataloader-php library
provides a higher-level DataLoader class with automatic request batching,
per-request memoization, and cache priming. It ships with a webonyx/graphql-php
sync promise adapter. For most Laravel applications the simple loader pattern
shown above is sufficient, but overblog/dataloader-php can reduce boilerplate
when you have dozens of entity types to batch-load.
Eager loading relationships
The Rebing\GraphQL\Support\SelectFields class allows to eager load related Eloquent models.
Only the required fields will be queried from the database.
The class can be instantiated by typehinting SelectFields $selectField in your resolve method.
You can also construct the class by typehinting a Closure.
The Closure accepts an optional parameter for the depth of the query to analyse.
Your Query would look like:
declare(strict_types = 1); namespace App\GraphQL\Queries; use Closure; use App\Models\User; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\Type; use GraphQL\Type\Definition\ResolveInfo; use Rebing\GraphQL\Support\SelectFields; use Rebing\GraphQL\Support\Query; class UsersQuery extends Query { protected $attributes = [ 'name' => 'users', ]; public function type(): Type { return Type::listOf(GraphQL::type('User')); } public function args(): array { return [ 'id' => [ 'type' => Type::string(), ], 'email' => [ 'type' => Type::string(), ] ]; } public function resolve($root, array $args, $context, ResolveInfo $info, Closure $getSelectFields) { /** @var SelectFields $fields */ $fields = $getSelectFields(); $select = $fields->getSelect(); $with = $fields->getRelations(); $users = User::select($select)->with($with); return $users->get(); } }
Your Type for User might look like shown below. The profile and posts
relations must also exist in the UserModel's relations. If some fields are
required for the relation to load or validation etc, then you can define an
always attribute that will add the given attributes to select.
The attribute can be a comma separated string or an array of attributes to always include.
// Array form: 'always' => ['title', 'body'], // String form (comma-separated): 'always' => 'title,body',
declare(strict_types = 1); namespace App\GraphQL\Types; use App\Models\User; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Type as GraphQLType; class UserType extends GraphQLType { protected $attributes = [ 'name' => 'User', 'description' => 'A user', 'model' => User::class, ]; public function fields(): array { return [ 'uuid' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The uuid of the user' ], 'email' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The email of user' ], 'profile' => [ 'type' => GraphQL::type('Profile'), 'description' => 'The user profile', ], 'posts' => [ 'type' => Type::listOf(GraphQL::type('Post')), 'description' => 'The user posts', // Can also be defined as a string 'always' => ['title', 'body'], ] ]; } }
At this point we have a profile and a post type as expected for any model
class ProfileType extends GraphQLType { protected $attributes = [ 'name' => 'Profile', 'description' => 'A user profile', 'model' => UserProfileModel::class, ]; public function fields(): array { return [ 'name' => [ 'type' => Type::string(), 'description' => 'The name of user' ] ]; } }
class PostType extends GraphQLType { protected $attributes = [ 'name' => 'Post', 'description' => 'A post', 'model' => PostModel::class, ]; public function fields(): array { return [ 'title' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The title of the post' ], 'body' => [ 'type' => Type::string(), 'description' => 'The body the post' ] ]; } }
Type relationship query
Note: this only applies when making use of the
SelectFieldsclass to query Eloquent models!
You can also specify the query that will be included with a relationship via Eloquent's query builder:
class UserType extends GraphQLType { // ... public function fields(): array { return [ // ... // Relation 'posts' => [ 'type' => Type::listOf(GraphQL::type('Post')), 'description' => 'A list of posts written by the user', 'args' => [ 'date_from' => [ 'type' => Type::string(), ], ], // $args are the local arguments passed to the relation // $query is the relation builder object // $ctx is the GraphQL context (customizable via execution middleware) // The return value should be the query builder or void 'query' => function (array $args, $query, $ctx): void { $query->addSelect('some_column') ->where('posts.created_at', '>', $args['date_from']); } ] ]; } }
Pagination
Pagination will be used, if a query or mutation returns a PaginationType.
Note that unless you use resolver middleware, you will have to manually supply both the limit and page values:
declare(strict_types = 1); namespace App\GraphQL\Queries; use Closure; use GraphQL\Type\Definition\ResolveInfo; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Query; class PostsQuery extends Query { public function type(): Type { return GraphQL::paginate('posts'); } // ... public function resolve($root, array $args, $context, ResolveInfo $info, Closure $getSelectFields) { $fields = $getSelectFields(); return Post::with($fields->getRelations()) ->select($fields->getSelect()) ->paginate($args['limit'], ['*'], 'page', $args['page']); } }
Query posts(limit:10,page:1){data{id},total,per_page} might return
{
"data": {
"posts": {
"data": [
{"id": 3},
{"id": 5}
],
"total": 21,
"per_page": 10
}
}
}
Note that you need to add in the extra 'data' object when you request paginated resources as the returned data gives you the paginated resources in a data object at the same level as the returned pagination metadata.
Simple Pagination will be used, if a query or mutation returns a SimplePaginationType.
declare(strict_types = 1); namespace App\GraphQL\Queries; use Closure; use GraphQL\Type\Definition\ResolveInfo; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Query; class PostsQuery extends Query { public function type(): Type { return GraphQL::simplePaginate('posts'); } // ... public function resolve($root, array $args, $context, ResolveInfo $info, Closure $getSelectFields) { $fields = $getSelectFields(); return Post::with($fields->getRelations()) ->select($fields->getSelect()) ->simplePaginate($args['limit'], ['*'], 'page', $args['page']); } }
SimplePaginationType exposes the following fields: data (the paginated items),
per_page, current_page, from, to, and has_more_pages. Unlike full
pagination, total and last_page are not available.
Cursor Pagination will be used, if a query or mutation returns a CursorPaginationType.
declare(strict_types = 1); namespace App\GraphQL\Queries; use Closure; use GraphQL\Type\Definition\ResolveInfo; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Query; class PostsQuery extends Query { public function type(): Type { return GraphQL::cursorPaginate('posts'); } // ... public function resolve($root, array $args, $context, ResolveInfo $info, Closure $getSelectFields) { $fields = $getSelectFields(); return Post::with($fields->getRelations()) ->select($fields->getSelect()) ->cursorPaginate($args['limit'], ['*'], 'cursorName', $args['cursor']); } }
CursorPaginationType exposes the following fields: data (the paginated
items), per_page, previous_cursor (String, nullable), and next_cursor
(String, nullable).
Note: If you use a custom pagination class via the
pagination_type,simple_pagination_type, orcursor_pagination_typeconfig keys, your class must implement\Rebing\GraphQL\Support\Contracts\WrapTypeforSelectFieldsto work correctly. The built-in pagination types already implement this interface. See Wrap Types for more details.
Batching
Batched requests are required to be sent via a POST request.
You can send multiple queries (or mutations) at once by grouping them together. Therefore, instead of creating two HTTP requests:
POST
{
query: "query postsQuery { posts { id, comment, author_id } }"
}
POST
{
query: "mutation storePostMutation($comment: String!) { store_post(comment: $comment) { id } }",
variables: { "comment": "Hi there!" }
}
you could batch it as one
POST
[
{
query: "query postsQuery { posts { id, comment, author_id } }"
},
{
query: "mutation storePostMutation($comment: String!) { store_post(comment: $comment) { id } }",
variables: { "comment": "Hi there!" }
}
]
For systems sending multiple requests at once, this can help performance by batching together queries that will be made within a certain interval of time.
There are tools that help with this and can handle the batching for you, e.g. Apollo
A note on query batching: whilst it may look like an "only win" situations, there are possible downsides using batching:
All queries/mutations are executed in the same "process execution context".
If your code has side-effects which might not show up in the usual FastCGI environment (single request/response), it may cause issues here.The "HTTP middleware" is only executed for the whole batch once
In case you would expect it being triggered for each query/mutation included. This may be especially relevant for logging or rate limiting.
OTOH with "resolver middleware" this will work as expected (though the solve different problems).Batch size limits
By default, a maximum of 10 operations per batch is enforced via thebatching.max_batch_sizeconfig option. Set tonullfor no limit.
Support for batching can be enabled by setting the config batching.enable to true (disabled by default).
The maximum number of operations per batch is controlled by batching.max_batch_size (default: 10). Requests exceeding this limit will receive an error response. Set to null to allow unlimited operations (not recommended).
Scalar types
GraphQL comes with built-in scalar types for string, int, boolean, etc. It's possible to create custom scalar types to special purpose fields.
An example could be a link: instead of using Type::string() you could create a scalar type Link and reference it with GraphQL::type('Link').
The benefits would be:
- a dedicated description so you can give more meaning/purpose to a field than just call it a string type
- explicit conversion logic for the following steps:
- converting from the internal logic to the serialized GraphQL output (
serialize) - query/field input argument conversion (
parseLiteral) - when passed as variables to your query (
parseValue)
- converting from the internal logic to the serialized GraphQL output (
This also means validation logic can be added within these methods to ensure that the value delivered/received is e.g. a true link.
A scalar type has to implement all the methods; you can quick start this with artisan make:graphql:scalar <typename>. Then just add the scalar to your existing types in the schema.
For more advanced use, please refer to the official documentation regarding scalar types.
A note on performance: be mindful of the code you include in your scalar types methods. If you return a large number of fields making use of custom scalars which includes complex logic to validate field, it might impact your response times.
Enums
Enumeration types are a special kind of scalar that is restricted to a particular set of allowed values. Read more about Enums here
First create an Enum as an extension of the GraphQLType class:
declare(strict_types = 1); namespace App\GraphQL\Enums; use Rebing\GraphQL\Support\EnumType; class EpisodeEnum extends EnumType { protected $attributes = [ 'name' => 'episode', 'description' => 'The types of demographic elements', 'values' => [ 'NEWHOPE' => 'NEWHOPE', 'EMPIRE' => 'EMPIRE', 'JEDI' => 'JEDI', ], ]; }
Note: within the
$attributes['values']array the key is enum value the GraphQL client will be able to choose from, while the value is what will your server receive (what will enum be resolved to).
The Enum will be registered like any other type in your schema in config/graphql.php:
'schemas' => [ 'default' => [ 'types' => [ EpisodeEnum::class, ],
Then use it like:
declare(strict_types = 1); namespace App\GraphQL\Types; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Type as GraphQLType; class TestType extends GraphQLType { public function fields(): array { return [ 'episode_type' => [ 'type' => GraphQL::type('episode') ] ]; } }
SelectFields and abstract types
When using SelectFields with union or interface types, custom query
callbacks on relation fields defined in member/concrete types are supported.
SelectFields will match the concrete type at eager-load time and apply the
callback automatically.
Note: When a query includes inline fragments on multiple member types that
each request different relations, SelectFields will merge all requested
relations into the eager-load set. This is a known limitation of how
SelectFields handles abstract types.
Unions
A Union is an abstract type that simply enumerates other Object Types. The value of Union Type is actually a value of one of included Object Types.
It's useful if you need to return unrelated types in the same Query. For example when implementing a search for multiple different entities.
Example for defining a UnionType:
declare(strict_types = 1); namespace App\GraphQL\Unions; use App\Post; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\UnionType; class SearchResultUnion extends UnionType { protected $attributes = [ 'name' => 'searchResult', ]; public function types(): array { return [ GraphQL::type('Post'), GraphQL::type('Episode'), ]; } public function resolveType($value) { if ($value instanceof Post) { return GraphQL::type('Post'); } elseif ($value instanceof Episode) { return GraphQL::type('Episode'); } } }
Interfaces
You can use interfaces to abstract a set of fields. Read more about Interfaces here
An implementation of an interface:
declare(strict_types = 1); namespace App\GraphQL\Interfaces; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\InterfaceType; class CharacterInterface extends InterfaceType { protected $attributes = [ 'name' => 'character', 'description' => 'Character interface.', ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::int()), 'description' => 'The id of the character.' ], 'name' => Type::string(), 'appearsIn' => [ 'type' => Type::nonNull(Type::listOf(GraphQL::type('Episode'))), 'description' => 'A list of episodes in which the character has an appearance.' ], ]; } public function resolveType($root) { // Use the resolveType to resolve the Type which is implemented trough this interface $type = $root['type']; if ($type === 'human') { return GraphQL::type('Human'); } elseif ($type === 'droid') { return GraphQL::type('Droid'); } } }
A Type that implements an interface:
declare(strict_types = 1); namespace App\GraphQL\Types; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Type as GraphQLType; use GraphQL\Type\Definition\Type; class HumanType extends GraphQLType { protected $attributes = [ 'name' => 'human', 'description' => 'A human.' ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::int()), 'description' => 'The id of the human.', ], 'name' => Type::string(), 'appearsIn' => [ 'type' => Type::nonNull(Type::listOf(GraphQL::type('Episode'))), 'description' => 'A list of episodes in which the human has an appearance.' ], 'totalCredits' => [ 'type' => Type::nonNull(Type::int()), 'description' => 'The total amount of credits this human owns.' ] ]; } public function interfaces(): array { return [ GraphQL::type('Character') ]; } }
Supporting custom queries on interface relations
If an interface contains a relation with a custom query, it's required to implement public function types() returning an array of GraphQL::type(), i.e. all the possible types it may resolve to (quite similar as it works for unions) so that it works correctly with SelectFields.
Additionally, if your query uses inline fragments to select fields that only exist on concrete types (e.g. ...on Post { created_at }), implementing types() is required so that SelectFields can look up those fields from the concrete types.
Based on the previous code example, the method would look like:
public function types(): array { return[ GraphQL::type('Human'), GraphQL::type('Droid'), ]; }
Sharing interface fields
Since you often have to repeat many of the field definitions of the Interface in the concrete types, it makes sense to share the definitions of the Interface.
You can access and reuse specific interface fields with the method getField(string fieldName): FieldDefinition. To get all fields as an array use getFields(): array
With this you could write the fields method of your HumanType class like this:
public function fields(): array { $interface = GraphQL::type('Character'); return [ $interface->getField('id'), $interface->getField('name'), $interface->getField('appearsIn'), 'totalCredits' => [ 'type' => Type::nonNull(Type::int()), 'description' => 'The total amount of credits this human owns.' ] ]; }
Or by using the getFields method:
public function fields(): array { $interface = GraphQL::type('Character'); return array_merge($interface->getFields(), [ 'totalCredits' => [ 'type' => Type::nonNull(Type::int()), 'description' => 'The total amount of credits this human owns.' ] ]); }
Input Object
Input Object types allow you to create complex inputs. Fields have no args or resolve options and their type must be InputType. You can add rules option if you want to validate input data.
Read more about Input Object here
First create an InputObjectType as an extension of the GraphQLType class:
declare(strict_types = 1); namespace App\GraphQL\InputObject; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\InputType; class ReviewInput extends InputType { protected $attributes = [ 'name' => 'reviewInput', 'description' => 'A review with a comment and a score (0 to 5)' ]; public function fields(): array { return [ 'comment' => [ 'description' => 'A comment (250 max chars)', 'type' => Type::string(), // You can define Laravel Validation here 'rules' => ['max:250'] ], 'score' => [ 'description' => 'A score (0 to 5)', 'type' => Type::int(), // You must use 'integer' on rules if you want to validate if the number is inside a range // Otherwise it will validate the number of 'characters' the number can have. 'rules' => ['integer', 'min:0', 'max:5'] ] ]; } }
The Input Object will be registered like any other type in your schema in config/graphql.php:
'schemas' => [ 'default' => [ 'types' => [ 'ReviewInput' => ReviewInput::class ],
Then use it in a mutation, like:
use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Mutation; class TestMutation extends Mutation { public function args(): array { return [ 'review' => [ 'type' => GraphQL::type('ReviewInput') ] ]; } }
OneOf Input Objects
OneOf Input Objects are a special type of input object where exactly one field must be provided. This is useful for creating polymorphic inputs or "input unions" where you want to accept one of several possible input types. Read more about OneOf in the RFC or in the GraphQL PHP Documentation
Creating a OneOf Input Type
Create a OneOf Input Type by setting 'isOneOf' => true in the attributes:
declare(strict_types = 1); namespace App\GraphQL\InputObject; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\InputType; class SearchInput extends InputType { protected $attributes = [ 'name' => 'SearchInput', 'description' => 'Search by exactly one criteria', 'isOneOf' => true, ]; public function fields(): array { return [ 'byId' => [ 'type' => Type::id(), 'description' => 'Search by user ID', ], 'byEmail' => [ 'type' => Type::string(), 'description' => 'Search by email address', ], 'byUsername' => [ 'type' => Type::string(), 'description' => 'Search by username', ], ]; } }
Using OneOf Input Types
declare(strict_types = 1); namespace App\GraphQL\Queries; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Facades\GraphQL; use Rebing\GraphQL\Support\Query; use App\Models\User; class UserQuery extends Query { protected $attributes = [ 'name' => 'user', 'description' => 'Find a user by search criteria' ]; public function type(): Type { return GraphQL::type('User'); } public function args(): array { return [ 'search' => [ 'type' => Type::nonNull(GraphQL::type('SearchInput')), 'description' => 'Search criteria (exactly one field required)', ], ]; } public function resolve($root, array $args) { $search = $args['search']; // Exactly one of these will be set if (isset($search['byId'])) { return User::find($search['byId']); } if (isset($search['byEmail'])) { return User::where('email', $search['byEmail'])->first(); } if (isset($search['byUsername'])) { return User::where('username', $search['byUsername'])->first(); } return null; } }
Generating OneOf Input Types
You can generate a OneOf input type using the Artisan command with the --oneof flag:
php artisan make:graphql:input SearchInput --oneof
This will create a new input type with 'isOneOf' => true already configured.
Type modifiers
Type modifiers can be applied by wrapping your chosen type in Type::nonNull or Type::listOf calls
or alternatively you can use the shorthand syntax available via GraphQL::type to build up more complex
types.
GraphQL::type('MyInput!'); GraphQL::type('[MyInput]'); GraphQL::type('[MyInput]!'); GraphQL::type('[MyInput!]!'); GraphQL::type('String!'); GraphQL::type('[String]'); GraphQL::type('[String]!'); GraphQL::type('[String!]!');
Field and input alias
It is possible to alias query and mutation arguments as well as input object fields.
It can be especially useful for mutations saving data to the database.
Here you might want the input names to be different from the column names in the database.
Example, where the database columns are first_name and last_name:
declare(strict_types = 1); namespace App\GraphQL\InputObject; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\InputType; class UserInput extends InputType { protected $attributes = [ 'name' => 'userInput', 'description' => 'A user.' ]; public function fields(): array { return [ 'firstName' => [ 'alias' => 'first_name', 'description' => 'The first name of the user', 'type' => Type::string(), 'rules' => ['max:30'] ], 'lastName' => [ 'alias' => 'last_name', 'description' => 'The last name of the user', 'type' => Type::string(), 'rules' => ['max:30'] ] ]; } }
declare(strict_types = 1); namespace App\GraphQL\Mutations; use Closure; use App\Models\User; use Rebing\GraphQL\Support\Facades\GraphQL; use GraphQL\Type\Definition\Type; use GraphQL\Type\Definition\ResolveInfo; use Rebing\GraphQL\Support\Mutation; class UpdateUserMutation extends Mutation { protected $attributes = [ 'name' => 'updateUser' ]; public function type(): Type { return GraphQL::type('User'); } public function args(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()) ], 'input' => [ 'type' => GraphQL::type('UserInput') ] ]; } public function resolve($root, array $args, $context, ResolveInfo $resolveInfo, Closure $getSelectFields) { $user = User::find($args['id']); $user->fill($args['input']); $user->save(); return $user; } }
JSON columns
When using JSON columns in your database, the field won't be defined as a "relationship",
but rather a simple column with nested data. To get a nested object that's not a database relationship,
use the is_relation attribute in your Type:
class UserType extends GraphQLType { // ... public function fields(): array { return [ // ... // JSON column containing all posts made by this user 'posts' => [ 'type' => Type::listOf(GraphQL::type('Post')), 'description' => 'A list of posts written by the user', // Now this will simply request the "posts" column, and it won't // query for all the underlying columns in the "post" object // The value defaults to true 'is_relation' => false ] ]; } // ... }
Field deprecation
Sometimes you would want to deprecate a field but still have to maintain backward compatibility
until clients completely stop using that field. You can deprecate a field using
directive. If you add deprecationReason
to field attributes it will become marked as deprecated in GraphQL documentation. You can validate schema on client
using Apollo GraphOS.
declare(strict_types = 1); namespace App\GraphQL\Types; use App\Models\User; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Type as GraphQLType; class UserType extends GraphQLType { protected $attributes = [ 'name' => 'User', 'description' => 'A user', 'model' => User::class, ]; public function fields(): array { return [ 'id' => [ 'type' => Type::nonNull(Type::string()), 'description' => 'The id of the user', ], 'email' => [ 'type' => Type::string(), 'description' => 'The email of user', ], 'address' => [ 'type' => Type::string(), 'description' => 'The address of user', 'deprecationReason' => 'Deprecated due to address field split' ], 'address_line_1' => [ 'type' => Type::string(), 'description' => 'The address line 1 of user', ], 'address_line_2' => [ 'type' => Type::string(), 'description' => 'The address line 2 of user', ], ]; } }
Default field resolver
It's possible to override the default field resolver provided by the underlying
webonyx/graphql-php library using the config option defaultFieldResolver.
You can define any valid callable (static class method, closure, etc.) for it:
'defaultFieldResolver' => [Your\Klass::class, 'staticMethod'],
The parameters received are your regular "resolve" function signature.
Macros
If you would like to define some helpers that you can re-use in a variety of your
queries, mutations and types, you may use the macro method on the GraphQL facade.
For example, from a service provider's boot method:
declare(strict_types = 1); namespace App\Providers; use GraphQL\Type\Definition\Type; use Illuminate\Support\ServiceProvider; use Rebing\GraphQL\Support\Facades\GraphQL; class AppServiceProvider extends ServiceProvider { /** * Bootstrap any application services. * * @return void */ public function boot() { GraphQL::macro('listOf', function (string $name): Type { return Type::listOf(GraphQL::type($name)); }); } }
The macro function accepts a name as its first argument, and a Closure as its second.
Automatic Persisted Queries support
Automatic Persisted Queries (APQ) improve network performance by sending smaller requests, with zero build-time configuration.
APQ is disabled by default and can be enabled in the config via apq.enable=true or by setting the environment variable GRAPHQL_APQ_ENABLE=true.
A persisted query is an ID or hash that can be generated on the client sent to the server instead of the entire GraphQL query string.
This smaller signature reduces bandwidth utilization and speeds up client loading times.
Persisted queries pair especially with GET requests, enabling the browser cache and integration with a CDN.
Note that GET requests are disabled by default; to use APQ with GET, you must explicitly set 'method' => ['GET', 'POST'] in your schema configuration.
Behind the scenes, APQ uses Laravel's cache for storing / retrieving the queries. They are parsed by GraphQL before storing, so re-parsing them again is not necessary. Please see the various options there for which cache, prefix, TTL, etc. to use.
Note: it is advised to clear the cache after a deployment to accommodate for changes in your schema!
For more information see:
Note: the APQ protocol requires the hash sent by the client being compared with the computed hash on the server. In case a mutating middleware like
TrimStringsis active and the query sent contains leading/trailing whitespaces, these hashes can never match resulting in an error.In such case either disable the middleware or trim the query on the client before hashing.
Notes
- The error descriptions are aligned with apollo-server.
Client example
Below a simple integration example with Vue 3 and Apollo Client, where createPersistedQueryLink
automatically manages the APQ flow.
// [example apollo.js] import { ApolloClient, InMemoryCache, HttpLink, ApolloLink } from '@apollo/client/core'; import { createPersistedQueryLink } from '@apollo/client/link/persisted-queries'; import { sha256 } from 'crypto-hash'; const httpLink = new HttpLink({ uri: '/graphql' }); const persistedQueryLink = createPersistedQueryLink({ sha256 }); export const apolloClient = new ApolloClient({ link: ApolloLink.from([persistedQueryLink, httpLink]), cache: new InMemoryCache(), connectToDevTools: true, });
<!-- [example TestComponent.vue] --> <template> <div> <p>Test APQ</p> <p v-if="loading">Loading...</p> <p v-else>{{ result?.hello }}</p> </div> </template> <script setup> import { useQuery } from '@vue/apollo-composable'; import gql from 'graphql-tag'; const { result, loading } = useQuery(gql` query { hello } `); </script>
Tracing / Observability
GraphQL operations can be instrumented with timing data by configuring a tracing
driver. Tracing is disabled by default ('driver' => null).
The built-in OpenTelemetryTracingDriver emits spans via the OpenTelemetry API
following the GraphQL semantic conventions.
It requires the open-telemetry/api ^1.0 package.
Enabling OpenTelemetry
Install the OpenTelemetry API package first:
composer require open-telemetry/api
Then configure the driver:
'tracing' => [ 'driver' => \Rebing\GraphQL\Support\Tracing\OpenTelemetryTracingDriver::class, 'driver_options' => [ // Include the GraphQL document in spans (may contain sensitive data) 'include_document' => true, ], ],
Without an OTel SDK configured, all spans are automatically no-ops.
To actually collect and export spans, you need to install and configure the
OpenTelemetry PHP SDK along
with an exporter for
your backend. The
Getting Started guide
walks through a complete example. Once the SDK is configured, the driver
automatically picks up the global TracerProvider - no additional wiring is
needed in this package.
Per-field resolver tracing
By default, only the top-level operation is traced. To instrument individual
field resolvers, enable field_tracing:
'tracing' => [ 'driver' => \Rebing\GraphQL\Support\Tracing\OpenTelemetryTracingDriver::class, 'field_tracing' => true, ],
With OpenTelemetry this creates a child span for each resolved field.
When tracing is enabled (i.e. a driver is configured), the tracing execution
and resolver middlewares (TracingExecutionMiddleware and
TracingResolverMiddleware) are automatically registered - you do not need to
add them to the execution_middleware or resolver_middleware_append config
arrays manually.
Note: Field tracing produces high-cardinality data and is intended for development/debugging. Use it with caution in production.
Custom tracing drivers
You can implement the Rebing\GraphQL\Support\Tracing\TracingDriver interface
to create your own driver. The interface has four methods:
startOperation(schemaName, operationName, operationType, source)- called before executionendOperation(context, ExecutionResult)- called after execution; receives the opaque context fromstartOperationand may modify the resultstartFieldResolve(ResolveInfo)- called before each field resolve (when field tracing is enabled)endFieldResolve(context, ResolveInfo)- called after each field resolve
Register your driver class in the tracing.driver config key and it will be
resolved from the Laravel service container. If the driver constructor accepts
an array $driverOptions parameter, it will receive the merged driver_options
from the global and per-schema tracing config.
Per-schema tracing
By default, the global tracing configuration applies to every schema. You can
override tracing on a per-schema basis by adding a tracing key inside the
schema's config array.
Disable tracing for a specific schema:
'schemas' => [ 'internal' => [ 'query' => [/* ... */], 'tracing' => false, // no tracing for this schema ], ],
Enable tracing only for a specific schema (no global driver):
// Global: tracing disabled 'tracing' => [ 'driver' => null, ], 'schemas' => [ 'default' => [ 'query' => [/* ... */], // No 'tracing' key - inherits global (disabled) ], 'monitored' => [ 'query' => [/* ... */], 'tracing' => [ 'driver' => \Rebing\GraphQL\Support\Tracing\OpenTelemetryTracingDriver::class, 'field_tracing' => true, ], ], ],
Override driver options per schema (deep-merged over global):
// Global: tracing enabled, document excluded 'tracing' => [ 'driver' => \Rebing\GraphQL\Support\Tracing\OpenTelemetryTracingDriver::class, 'driver_options' => [ 'include_document' => false, ], ], 'schemas' => [ 'debug' => [ 'query' => [/* ... */], 'tracing' => [ 'field_tracing' => true, 'driver_options' => [ 'include_document' => true, // override for this schema only ], ], ], ],
Per-schema tracing arrays are deep-merged over the global config: schema
values win for top-level keys, and driver_options is merged separately so you
can override individual options without repeating the full array.
Security
GraphQL APIs have a different attack surface than REST APIs. A single endpoint accepts arbitrary queries, so without safeguards a client can craft deeply nested or highly complex queries that exhaust server resources.
Introspection
Schema introspection lets clients discover your entire type system -- every query, mutation, field, and argument. This is essential for development tooling (GraphiQL, IDE plugins, codegen) but exposes your full API surface in production.
Introspection is disabled by default:
// config/graphql.php 'security' => [ 'disable_introspection' => env('GRAPHQL_DISABLE_INTROSPECTION', true), ],
Set GRAPHQL_DISABLE_INTROSPECTION=false in your .env during development.
Query depth limiting
Deeply nested queries can cause excessive resolver calls and memory usage. The
query_max_depth option rejects queries that exceed the allowed nesting level:
'security' => [ 'query_max_depth' => 13, // default ],
For example, with a depth limit of 3, the query { users { posts { comments { author { name } } } } } would be rejected because it nests 4 levels deep.
Tune this based on your schema's legitimate nesting requirements. Start strict and increase only if real queries require it.
Query complexity analysis
Complex queries (many fields, large lists) can be expensive even when shallow.
The query_max_complexity option assigns a cost to each resolved field and
rejects queries that exceed the budget:
'security' => [ 'query_max_complexity' => 500, // default ],
You can assign custom complexity to individual fields using the complexity
callback supported by webonyx/graphql-php:
'posts' => [ 'type' => Type::listOf(GraphQL::type('Post')), 'complexity' => fn (int $childCost, array $args): int => $childCost * ($args['limit'] ?? 10), ],
See the webonyx/graphql-php security documentation for full details on how complexity is calculated.
Batching limits
When batching is enabled, clients can send multiple operations in a
single HTTP request. Without a cap, this can be used to amplify the impact of
expensive queries. Batching is disabled by default, and when enabled the
batching.max_batch_size option (default: 10) limits the number of operations
per request.
Recommended production configuration
// config/graphql.php 'security' => [ 'disable_introspection' => env('GRAPHQL_DISABLE_INTROSPECTION', true), 'query_max_depth' => 13, 'query_max_complexity' => 500, ], 'batching' => [ 'enable' => false, ],
Additional measures to consider at the infrastructure level:
- Rate limiting -- Apply Laravel's
ThrottleRequestsmiddleware viaroute.middlewareor per-schemamiddlewareto limit requests per client. - Request size limits -- Configure your web server (Nginx
client_max_body_size, ApacheLimitRequestBody) to reject oversized request bodies. - Timeout limits -- Set PHP
max_execution_timeand web server timeouts to prevent long-running queries from holding connections open. - Persisted queries -- Enable APQ and, once warmed, consider rejecting ad-hoc queries entirely for maximum lockdown.
Error handling
This library has two distinct error layers:
- Errors (
Rebing\GraphQL\Error\*): ExtendGraphQL\Error\Errorfrom webonyx/graphql-php. These are client-safe and appear in GraphQL JSON responses. - Exceptions (
Rebing\GraphQL\Exception\*): ExtendRuntimeException. These indicate configuration or developer errors (e.g. a missing schema or unregistered type) and are not included in GraphQL responses.
Built-in error types
| Class | Category | When thrown |
|---|---|---|
ValidationError |
validation |
Argument validation rules fail (via rules() or inline 'rules' key) |
AuthorizationError |
authorization |
authorize() returns anything other than true |
AutomaticPersistedQueriesError |
apq |
APQ hash mismatch, query not found, or APQ disabled |
Error response format
Errors are returned in the standard GraphQL errors array. The library enriches
each error with an extensions key:
{
"errors": [
{
"message": "validation",
"extensions": {
"category": "validation",
"validation": {
"email": ["The email field is required."]
}
},
"locations": [{"line": 1, "column": 20}]
}
]
}
For AuthorizationError, the response contains extensions.category set to
"authorization" and the message from getAuthorizationMessage() (defaults
to "Unauthorized").
Error reporting
The default errors_handler selectively reports errors to Laravel's exception
handler:
ValidationErrorandAuthorizationErrorare not reported (they are expected application-level errors, not bugs).- GraphQL syntax/type errors (e.g. invalid queries) are not reported.
- All other exceptions (unexpected errors, database failures, etc.) are
reported through Laravel's
ExceptionHandler, which typically logs them.
Customizing error formatting
You can replace the default error formatter and/or error handler via config:
// config/graphql.php // Receives each GraphQL\Error\Error; must return an array 'error_formatter' => [App\GraphQL\ErrorFormatter::class, 'format'], // Receives all errors + the formatter; must return an array of formatted errors 'errors_handler' => [App\GraphQL\ErrorHandler::class, 'handle'],
The default formatter (GraphQL::formatError) respects app.debug: when debug
mode is enabled, errors include debugMessage and trace fields for easier
development. In production these are omitted.
Tip: Laravel's built-in
ValidationException(thrown byValidator::validate()) is also handled by the default formatter -- it is automatically converted to the sameextensions.validationformat shown above.
Misc features
Detecting unused variables
By default, 'variables' provided alongside the GraphQL query which are not
consumed, are silently ignored.
If you consider the hypothetical case you have an optional (nullable) argument in your query, and you provide a variable argument for it but you make a typo, this can go unnoticed.
Example:
mutation test($value:ID) { someMutation(type:"falbala", optional_id: $value) }
Variables provided:
{ // Ops! typo in `values` "values": "138" }
In this case, nothing happens and optional_id will be treated as not being provided.
To prevent such scenarios, you can add the UnusedVariablesMiddleware to your
execution_middleware.
Configuration options
| Option | Default | Description |
|---|---|---|
route.prefix |
graphql |
URL prefix for GraphQL endpoints (without leading /) |
route.controller |
Built-in | Override the default controller class (supports string and array format) |
route.middleware |
[] |
Global HTTP middleware for all schemas (unless overridden per-schema) |
route.group_attributes |
[] |
Additional route group attributes |
default_schema |
'default' |
Name of the default schema when none is specified via the route |
batching.enable |
false |
Enable/disable GraphQL batching |
batching.max_batch_size |
10 |
Max operations per batch (null for no limit) |
error_formatter |
Built-in | Callable receiving each Error object; must return an array |
errors_handler |
Built-in | Custom error handling; default passes exceptions to Laravel's error handler |
security.query_max_complexity |
500 |
Maximum allowed query complexity. See graphql-php security docs |
security.query_max_depth |
13 |
Maximum allowed query depth |
security.disable_introspection |
true |
Disable schema introspection (env: GRAPHQL_DISABLE_INTROSPECTION) |
pagination_type |
Built-in | Custom pagination type class |
simple_pagination_type |
Built-in | Custom simple pagination type class |
cursor_pagination_type |
Built-in | Custom cursor pagination type class |
defaultFieldResolver |
null |
Override the default field resolver |
headers |
[] |
Headers added to responses from the default controller |
json_encoding_options |
0 |
JSON encoding options for responses from the default controller |
apq.enable |
false |
Enable Automatic Persisted Queries |
apq.cache_driver |
App default | Cache driver for APQ (defaults to your app's cache.default driver; env: GRAPHQL_APQ_CACHE_DRIVER) |
apq.cache_prefix |
'{cache.prefix}:graphql.apq' |
Cache key prefix for persisted queries |
apq.cache_ttl |
300 |
Cache TTL in seconds for persisted queries |
schemas |
Defines available schemas and their settings. See Schemas | |
schemas.*.query |
[] |
Array of query classes for this schema |
schemas.*.mutation |
[] |
Array of mutation classes for this schema |
schemas.*.types |
[] |
Array of type classes scoped to this schema |
schemas.*.middleware |
- | Per-schema HTTP middleware (overrides route.middleware) |
schemas.*.method |
['POST'] |
HTTP methods to support (must be uppercase) |
schemas.*.execution_middleware |
- | Per-schema execution middleware (overrides global execution_middleware) |
schemas.*.route_attributes |
[] |
Additional Laravel route attributes (e.g. domain, prefix) |
schemas.*.controller |
- | Override the controller for this schema |
schemas.*.tracing |
- | Per-schema tracing overrides |
types |
[] |
Global types shared across all schemas. See Creating a query |
execution_middleware |
Built-in set | Global execution middleware classes. Terminal middleware is always appended automatically |
resolver_middleware_append |
null |
Global resolver middleware appended after per-field middleware |
tracing.driver |
null |
Tracing driver class (null = disabled). Built-in: OpenTelemetryTracingDriver. See Tracing |
tracing.field_tracing |
false |
Instrument individual field resolvers |
tracing.driver_options |
[] |
Array of options passed to the driver constructor (e.g. 'include_document' => true) |
Performance considerations
Wrap Types
You can wrap types to add more information to the queries and mutations. Similar to how pagination works, you can do the same with your extra data that you want to inject. For instance, in your query:
public function type(): Type { return GraphQL::wrapType( 'PostType', 'PostMessageType', \App\GraphQL\Types\WrapMessagesType::class, ); } public function resolve($root, array $args) { return [ 'data' => Post::find($args['post_id']), 'messages' => new Collection([ new SimpleMessage("Congratulations, the post was found"), new SimpleMessage("This post cannot be edited", "warning"), ]), ]; }
Using wrap types with SelectFields
If you use SelectFields (via the $getSelectFields closure) in a query that
returns a wrap type, your wrapper class must implement the
Rebing\GraphQL\Support\Contracts\WrapType marker interface. This tells
SelectFields to look through the wrapper's data field to find the underlying
model type and generate the correct SELECT/WITH clauses.
use GraphQL\Type\Definition\ObjectType; use GraphQL\Type\Definition\Type; use Rebing\GraphQL\Support\Contracts\WrapType; use Rebing\GraphQL\Support\Facades\GraphQL; class PostWrappedType extends ObjectType implements WrapType { public function __construct() { parent::__construct([ 'name' => 'PostWrapped', 'fields' => fn () => [ 'data' => [ 'type' => Type::listOf(GraphQL::type('Post')), 'is_relation' => false, ], 'message' => [ 'type' => Type::string(), 'selectable' => false, ], ], ]); } }
The built-in pagination types (PaginationType, SimplePaginationType,
CursorPaginationType) already implement this interface. Custom pagination
classes configured via the pagination_type, simple_pagination_type, or
cursor_pagination_type config keys must also implement it.
Known limitations
SelectFields related
- Resolving fields via aliases will only resolve them once, even if the fields have different arguments (Issue).
GraphQL testing clients
You can interact with your GraphQL API using any of these clients:
| Client | Notes |
|---|---|
| GraphiQL | The reference GraphQL IDE. Use the laravel-graphiql package for seamless in-app integration (/graphiql route) |
| Altair | Feature-rich desktop/browser client with file upload support, environments, and pre-request scripts |
| Postman | Has native GraphQL support with schema introspection, auto-complete, and variable management |
| Insomnia | Lightweight REST/GraphQL client with schema fetching and query auto-complete |
| Bruno | Open-source, offline-first API client with GraphQL support. Collections are stored as files, making them easy to version control |
Tip: Most of these clients rely on schema introspection. Introspection is disabled by default in this package. Set
GRAPHQL_DISABLE_INTROSPECTION=falsein your.envduring development to enable it.
Testing
You can test your GraphQL API using Laravel's built-in HTTP testing helpers. No additional packages are required.
Querying an endpoint
Use postJson to send a GraphQL request and assert the response:
namespace Tests\Feature; use Tests\TestCase; class BooksQueryTest extends TestCase { public function test_can_query_books(): void { $response = $this->postJson('/graphql', [ 'query' => '{ books { id title author } }', ]); $response->assertOk() ->assertJsonStructure([ 'data' => [ 'books' => [ '*' => ['id', 'title', 'author'], ], ], ]); } }
Using query variables
public function test_can_fetch_user_by_id(): void { $response = $this->postJson('/graphql', [ 'query' => 'query FetchUser($id: String!) { user(id: $id) { id email } }', 'variables' => ['id' => '1'], ]); $response->assertOk() ->assertJsonPath('data.user.id', '1'); }
Testing mutations
public function test_can_update_user_password(): void { $response = $this->postJson('/graphql', [ 'query' => 'mutation { updateUserPassword(id: "1", password: "newpassword") { id } }', ]); $response->assertOk() ->assertJsonPath('data.updateUserPassword.id', '1'); }
Testing a non-default schema
Pass the schema name as part of the URL path:
public function test_user_schema_requires_auth(): void { $response = $this->postJson('/graphql/user', [ 'query' => '{ profile { id email } }', ]); $response->assertUnauthorized(); }
Asserting errors
public function test_authorization_rejects_guest(): void { $response = $this->postJson('/graphql', [ 'query' => '{ protectedQuery { id } }', ]); $response->assertOk() ->assertJsonPath('errors.0.message', 'Unauthorized'); } public function test_validation_returns_errors(): void { $response = $this->postJson('/graphql', [ 'query' => 'mutation { updateUserEmail(id: "", email: "not-an-email") { id } }', ]); $response->assertOk() ->assertJsonPath('errors.0.message', 'validation') ->assertJsonStructure([ 'errors' => [ ['extensions' => ['validation']], ], ]); }
Tip: For database-backed tests, use Laravel's
RefreshDatabaseorDatabaseTransactionstrait as you would in any feature test.
Upgrading
For upgrade guides, see UPGRADE.md:
Credits
This project was originally forked from Folklore's laravel-graphql.