Tweetdeck validating problem
It talks to the GraphQL API (in addition to the other HTTP API services). Imagine a request to the API that is authenticated using a cookie header. Because validating a cookie is fairly involved, this is done in the TFE layer, which then passes a bundle of Twitter Identity Assertion headers on to GraphQL.
The GraphQL API then passes the bundle through to the other services, so each service doesn't need to worry about authentication itself.
For each Graph QL query, they track the number of exceptions generated.
This becomes their success-rate measure, so dashboards and alerting revolve around this metric. Imagine a pathologically nested query (followers of followers of followers...). They have two defences against it: complexity and depth. They assign a "score" (some point value) to each field and calculate the total cost of a query from those scores.
This protects against attackers exploring the GraphQL API, or running introspection queries against it, to find out what data is available or to look for vulnerabilities.
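The depth and complexity defences described above, as an added example that is not Twitter's code or Sangria's: a small recursive-descent walker over a GraphQL selection set that reports the maximum nesting depth and a total cost built from per-field scores. The scores and the two limits are constructed assumptions, not Twitter's real values; fragments and directives are not handled.

```python
import re

# Constructed per-field scores (assumption): fields that fan out score higher.
FIELD_SCORES = {"followers": 10, "following": 10, "user": 5}
DEFAULT_SCORE = 1
MAX_DEPTH = 4   # assumed policy limit on nesting
MAX_COST = 50   # assumed policy limit on total cost

_TOKEN = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|"[^"]*"|[{}():,]|\S')
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class Parser:
    """Minimal parser for selection sets: '{ field(args) { ... } ... }'."""

    def __init__(self, query):
        self.tokens = _TOKEN.findall(query)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def next(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return tok

    def skip_arguments(self):
        # Arguments never change depth or cost here, so skip "(...)" entirely,
        # tracking parentheses nested inside argument values.
        if self.peek() != "(":
            return
        level = 0
        while True:
            tok = self.next()
            if tok == "(":
                level += 1
            elif tok == ")":
                level -= 1
                if level == 0:
                    return

    def selection_set(self, level):
        """Parse one '{ ... }' block; return (max_depth, cost) for it."""
        if self.next() != "{":
            raise ValueError("expected '{'")
        max_depth, cost = level, 0
        while self.peek() != "}":
            name = self.next()
            if self.peek() == ":":          # alias form: "alias: field"
                self.next()
                name = self.next()
            if not _NAME.fullmatch(name):
                raise ValueError(f"unexpected token {name!r}")
            self.skip_arguments()
            field_cost = FIELD_SCORES.get(name, DEFAULT_SCORE)
            if self.peek() == "{":          # nested selection: recurse
                child_depth, child_cost = self.selection_set(level + 1)
                max_depth = max(max_depth, child_depth)
                field_cost += child_cost    # a field pays for its children
            cost += field_cost
        self.next()                         # consume the closing '}'
        return max_depth, cost


def analyze(query):
    """Return (max_depth, total_cost) of a query document."""
    p = Parser(query)
    while p.peek() not in ("{", None):      # skip 'query Name($x: T)' prefix
        p.next()
    return p.selection_set(1)


def check(query):
    """Apply both limits; return (accepted, reason)."""
    depth, cost = analyze(query)
    if depth > MAX_DEPTH:
        return False, f"depth {depth} exceeds {MAX_DEPTH}"
    if cost > MAX_COST:
        return False, f"cost {cost} exceeds {MAX_COST}"
    return True, f"depth {depth}, cost {cost}"


if __name__ == "__main__":
    # Constructed sample queries: one deep, one shallow but wide, one benign.
    DEEP = "{ user(id: 1) { followers { followers { followers { name } } } } }"
    WIDE = " ".join(f"{a}: user(id: {i}) {{ followers {{ name }} }}"
                    for i, a in enumerate("abcde", 1))
    OK = "{ user(id: 1) { followers { name } following { name } } }"
    for q in (DEEP, "{ " + WIDE + " }", OK):
        print(check(q))
```

The deep query trips the depth limit while staying under the cost limit, and the aliased wide query trips the cost limit at depth 3, which is why the two checks are kept separate: neither alone catches both shapes.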
Lastly, on the topic of the Twitter API, Tom will cover how they handle authentication in GraphQL.
This is similar to a Thrift interface, so they are using GraphQL over both Thrift and HTTP.
We're going to cover: Twitter is famously a microservices company.
There's a service for everything, and often multiple new services for every new feature.
So the GraphQL community isn't the first to find a service-to-service type system useful.
Twitter uses Scala, so they use the open source Sangria library.