Here’s a comprehensive guide to building type-safe GraphQL APIs using NestJS, Prisma, and Apollo:
I’ve spent months wrestling with untyped API layers that caused production issues at 3AM. GraphQL’s promise of self-documenting APIs drew me in, but only through combining NestJS, Prisma, and Apollo did I achieve true end-to-end type safety. Let me show you how to build enterprise-grade GraphQL APIs that catch errors before runtime.
First, we establish our foundation:
nest new api-platform --strict
npm install @nestjs/graphql @nestjs/apollo graphql
npm install prisma @prisma/client
npx prisma initPrisma’s schema definition becomes our single source of truth:
// schema.prisma
model User {
id String @id @default(cuid())
email String @unique
posts Post[]
}
model Post {
id String @id @default(cuid())
title String
content String
author User @relation(fields: [authorId], references: [id])
authorId String
}Notice how we define relationships directly in the schema. Have you considered how these relations translate to GraphQL types? Let’s see the transformation:
// posts/dto/create-post.input.ts
import { Field, InputType } from '@nestjs/graphql';
import { IsNotEmpty } from 'class-validator';
@InputType()
export class CreatePostInput {
@Field()
@IsNotEmpty()
title: string;
@Field()
content: string;
@Field()
authorId: string;
}Our resolvers leverage Prisma’s type-safe client:
// posts/posts.resolver.ts
@Resolver(() => Post)
export class PostsResolver {
constructor(private prisma: DatabaseService) {}
@Query(() => [Post])
async posts(): Promise<Post[]> {
return this.prisma.post.findMany();
}
@Mutation(() => Post)
async createPost(@Args('input') input: CreatePostInput): Promise<Post> {
return this.prisma.post.create({
data: {
title: input.title,
content: input.content,
authorId: input.authorId,
},
});
}
}Authentication is non-negotiable in enterprise systems. Here’s a JWT guard implementation:
// auth/jwt.guard.ts
@Injectable()
export class JwtGuard extends AuthGuard('jwt') {
canActivate(context: ExecutionContext) {
const gqlContext = GqlExecutionContext.create(context);
const { req } = gqlContext.getContext();
return super.canActivate(
new ExecutionContextHost([req])
);
}
}What happens when we need real-time updates? Subscriptions provide the answer:
@Subscription(() => Post, {
filter: (payload, variables) =>
payload.postAdded.authorId === variables.userId,
})
postAdded(@Args('userId') userId: string) {
return pubSub.asyncIterator('postAdded');
}Testing ensures reliability. We use Jest with mocked Prisma clients:
// posts/posts.service.spec.ts
describe('PostsService', () => {
let service: PostsService;
let prisma: PrismaService;
beforeEach(async () => {
const module = await Test.createTestingModule({
providers: [
PostsService,
{ provide: DatabaseService, useValue: mockPrisma },
],
}).compile();
service = module.get<PostsService>(PostsService);
prisma = module.get<DatabaseService>(DatabaseService);
});
it('creates post', async () => {
mockPrisma.post.create.mockResolvedValue(mockPost);
expect(await service.create(mockInput)).toEqual(mockPost);
});
});Deployment requires optimization:
# Dockerfile.prod
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY dist ./dist
CMD ["node", "dist/main.js"]Notice how we’ve maintained type safety from database to API responses. How much time could this save your team during refactors? The combination of Prisma’s generated types, NestJS decorators, and Apollo’s validation creates an unbreakable chain of type safety.
Performance matters at scale. We implement dataloaders to batch requests:
// posts/posts.loader.ts
@Injectable()
export class PostsLoader {
constructor(private prisma: DatabaseService) {}
createLoader() {
return new DataLoader<string, Post[]>(async (authorIds) => {
const posts = await this.prisma.post.findMany({
where: { authorId: { in: [...authorIds] } },
});
return authorIds.map(id => posts.filter(p => p.authorId === id));
});
}
}Error handling deserves special attention:
// common/filters/graphql-exception.filter.ts
@Catch()
export class GraphQLExceptionFilter implements GqlExceptionFilter {
catch(exception: Error) {
if (exception instanceof Prisma.PrismaClientKnownRequestError) {
throw new GraphQLError('Database operation failed', {
extensions: { code: 'DATABASE_ERROR' },
});
}
return exception;
}
}What about complex permissions? We use custom decorators:
// auth/decorators/roles.decorator.ts
export const Roles = (...roles: Role[]) => SetMetadata('roles', roles);
// In resolver
@Roles(Role.ADMIN)
@Mutation(() => Post)
async deletePost(@Args('id') id: string) {
return this.prisma.post.delete({ where: { id } });
}The final piece is monitoring. We add Prometheus metrics:
// common/prometheus/metrics.service.ts
@Injectable()
export class MetricsService {
register = new Registry();
constructor() {
this.register.setDefaultLabels({ app: 'graphql-api' });
collectDefaultMetrics({ register: this.register });
}
}We’ve covered the full journey from database to deployment. The synergy between these technologies creates a safety net that catches errors during development rather than production. Type safety isn’t just convenient—it’s your frontline defense against runtime disasters.
This approach has transformed how my teams build APIs. What challenges have you faced with GraphQL type safety? Share your experiences below—I’d love to hear how others solve these problems. If this guide helped you, consider sharing it with colleagues who might benefit.
