Working with PostgreSQL using raw SQL queries
Object-Relational Mapping (ORM) libraries can often help us write our code faster. The ORM allows us not to write raw SQL. Instead, we can manipulate the data…
August 29, 2022
Object-Relational Mapping (ORM) libraries can often help us write our code faster. The ORM allows us not to write raw SQL. Instead, we can manipulate the data using an object-oriented paradigm.
Using ORM can ease the learning curve of working with databases because we don’t need to go deep into learning SQL. Instead, we write the data model in the programming language we use to develop the application. On top of that, ORM should have security mechanisms that deal with issues such as SQL injection.
Unfortunately, ORMs have disadvantages too. For example, depending on ORM to generate the database structure based on our models can lead to not grasping the intricacies of the underlying architecture. Also, ORM automatically generates SQL queries for fetching, inserting or modifying data. Therefore, they are not always optimal and can lead to performance issues. Also, ORMs can have problems and bugs too.
It is fine to use ORM if we don’t need a lot of control over our SQL queries. If we develop a big project, though, we might prefer to deal with database management through raw SQL queries. In this article, we figure out how to structure our NestJS project to use raw SQL queries with a PostgreSQL database.
You can find the code from this article in this repository.
Connecting to the database#
As usual in this series, we use Docker to create an instance of the PostgreSQL database for us.
docker-compose.yml#
version: "3"
services:
postgres:
container_name: postgres-nestjs
image: postgres:latest
ports:
- "5432:5432"
volumes:
- /data/postgres:/data/postgres
env_file:
- docker.env
networks:
- postgres
pgadmin:
links:
- postgres:postgres
container_name: pgadmin-nestjs
image: dpage/pgadmin4
ports:
- "8080:80"
volumes:
- /data/pgadmin:/root/.pgadmin
env_file:
- docker.env
networks:
- postgres
networks:
postgres:
driver: bridgeTo provide Docker with the necessary environment variables, we need to create the docker.env file.
docker.env#
POSTGRES_USER=admin
POSTGRES_PASSWORD=admin
POSTGRES_DB=nestjs
PGADMIN_DEFAULT_EMAIL=admin@admin.com
PGADMIN_DEFAULT_PASSWORD=adminWe must also provide a similar set of variables for our NestJS application.
.env#
POSTGRES_HOST=localhost
POSTGRES_PORT=5432
POSTGRES_USER=admin
POSTGRES_PASSWORD=admin
POSTGRES_DB=nestjsIt is also a good idea to validate if the environment variables are provided when the application starts.
app.module.ts#
import { Module } from "@nestjs/common"
import { ConfigModule } from "@nestjs/config"
import * as Joi from "joi"
@Module({
imports: [
ConfigModule.forRoot({
validationSchema: Joi.object({
POSTGRES_HOST: Joi.string().required(),
POSTGRES_PORT: Joi.number().required(),
POSTGRES_USER: Joi.string().required(),
POSTGRES_PASSWORD: Joi.string().required(),
POSTGRES_DB: Joi.string().required(),
}),
}),
],
})
export class AppModule {}Establishing the connection#
In this article, we use the node-postgres library to establish a connection to our PostgreSQL database and run queries.
npm install pg @types/pgTo manage a database connection, we can create a dynamic module. Thanks to that, we could easily copy and paste it to a different project or keep it in a separate library.
database.module-definition.ts#
import { ConfigurableModuleBuilder } from "@nestjs/common"
import DatabaseOptions from "./databaseOptions"
export const CONNECTION_POOL = "CONNECTION_POOL"
export const {
ConfigurableModuleClass: ConfigurableDatabaseModule,
MODULE_OPTIONS_TOKEN: DATABASE_OPTIONS,
} = new ConfigurableModuleBuilder<DatabaseOptions>().setClassMethodName("forRoot").build()We use
forRootabove because we want ourDatabaseModuleto be global.
When the DatabaseModule is imported, we expect a particular set of options to be provided.
databaseOptions.ts#
interface DatabaseOptions {
host: string
port: number
user: string
password: string
database: string
}
export default DatabaseOptionsUsing a connection pool#
The node-postgres library recommends we use a connection pool. Since we are creating a dynamic module, we can define our pool as a provider.
database.module.ts#
import { Global, Module } from "@nestjs/common"
import {
ConfigurableDatabaseModule,
CONNECTION_POOL,
DATABASE_OPTIONS,
} from "./database.module-definition"
import DatabaseOptions from "./databaseOptions"
import { Pool } from "pg"
import DatabaseService from "./database.service"
@Global()
@Module({
exports: [DatabaseService],
providers: [
DatabaseService,
{
provide: CONNECTION_POOL,
inject: [DATABASE_OPTIONS],
useFactory: (databaseOptions: DatabaseOptions) => {
return new Pool({
host: databaseOptions.host,
port: databaseOptions.port,
user: databaseOptions.user,
password: databaseOptions.password,
database: databaseOptions.database,
})
},
},
],
})
export default class DatabaseModule extends ConfigurableDatabaseModule {}There is an advantage to defining the connection pool as a provider. If we want to specify some additional asynchronous configuration, this is a very good place to do so. You can find a proper example in a repository created by Jay McDoniel from the NestJS team.
Thanks to the fact that above we define a provider using the CONNECTION_POOL string, we now can use it in our service.
database.service.ts#
import { Inject, Injectable } from "@nestjs/common"
import { Pool } from "pg"
import { CONNECTION_POOL } from "./database.module-definition"
@Injectable()
class DatabaseService {
constructor(@Inject(CONNECTION_POOL) private readonly pool: Pool) {}
async runQuery(query: string, params?: unknown[]) {
return this.pool.query(query, params)
}
}
export default DatabaseServiceManaging migrations using Knex#
We could manage migrations manually, but using an existing tool might save us time and trouble. Therefore, in this article, we use Knex.
npm install knexThe first step in using Knex is to create the configuration file.
knexfile.ts#
import { ConfigService } from "@nestjs/config"
import { config } from "dotenv"
import type { Knex } from "knex"
config()
const configService = new ConfigService()
const knexConfig: Knex.Config = {
client: "postgresql",
connection: {
host: configService.get("POSTGRES_HOST"),
port: configService.get("POSTGRES_PORT"),
user: configService.get("POSTGRES_USER"),
password: configService.get("POSTGRES_PASSWORD"),
database: configService.get("POSTGRES_DB"),
},
}
module.exports = knexConfigAbove we use
dotenvto make sure that our.envis loaded before using theConfigService.
We can now create our first migration using the migration CLI.
npx knex migrate:make add_posts_tableRunning the above command creates a file where we can define our migration.
20220825173451_add_posts_table.ts#
import { Knex } from "knex"
export async function up(knex: Knex): Promise<void> {}
export async function down(knex: Knex): Promise<void> {}We need to fill the up and down methods with the SQL queries Knex will run when running migrations and rolling them back.
20220825173451_add_posts_table.ts#
import { Knex } from "knex"
export async function up(knex: Knex): Promise<void> {
return knex.raw(`
CREATE TABLE posts (
id int GENERATED BY DEFAULT AS IDENTITY PRIMARY KEY,
title text NOT NULL,
post_content text NOT NULL
)
`)
}
export async function down(knex: Knex): Promise<void> {
return knex.raw(`
DROP TABLE posts
`)
}We must execute one last command if we want Knex to run our migration.
npx knex migrate:latestRunning migrations creates the knex_migrations table that contains information about which migrations Knex has already executed.
Knex also creates the
knex_migrations_locktable to prevent multiple procsses from running the same migrations in the same time.
The official documentation is a good resource if you want to know more about managing migrations with Knex.
The repository pattern and working with models#
It might be a good idea to keep the logic of accessing data in a single place for a particular table. A very popular way of doing that is using the repository pattern.
posts.repository.ts#
import { Injectable } from "@nestjs/common"
import DatabaseService from "../database/database.service"
@Injectable()
class PostsRepository {
constructor(private readonly databaseService: DatabaseService) {}
async getAll() {
const databaseResponse = await this.databaseService.runQuery(`
SELECT * FROM posts
`)
return databaseResponse.rows
}
}
export default PostsRepositoryWhen running the getAll method, we get the data in the following format:
[
{
id: 1,
title: 'Hello world',
post_content: 'Lorem ipsum'
}
]We often might want to transform the raw data we get from the database. A fitting way to do that is to use the class-transformer library, a popular choice when working with NestJS.
post.model.ts#
import { Expose } from "class-transformer"
class PostModel {
id: number
title: string
@Expose({ name: "post_content" })
content: string
}
export default PostModelWe need to call the plainToInstance function in our repository to use the above model.
posts.repository.ts#
import { Injectable } from "@nestjs/common"
import DatabaseService from "../database/database.service"
import { plainToInstance } from "class-transformer"
import PostModel from "./post.model"
@Injectable()
class PostsRepository {
constructor(private readonly databaseService: DatabaseService) {}
async getAll() {
const databaseResponse = await this.databaseService.runQuery(`
SELECT * FROM posts
`)
return plainToInstance(PostModel, databaseResponse.rows)
}
}
export default PostsRepositoryThanks to doing the above, the data returned by the getAll function contains the instances of the PostModel class. Now, instead of post_content we have the content property.
[
{
id: 1,
title: 'Hello world',
content: 'Lorem ipsum'
}
]Using parametrized queries#
We often need to use the input provided by the user as a part of our SQL query. When doing that carelessly, we open ourselves to SQL injections. The SQL injection can happen if we treat the user’s input as a part of the query. Let’s take a look at a simple example:
async getById(id: unknown) {
const databaseResponse = await this.databaseService.runQuery(
`
SELECT * FROM posts WHERE id=${id}
`
);
const entity = databaseResponse.rows[0];
if (!entity) {
throw new NotFoundException();
}
return plainToInstance(PostModel, entity);
}Because in the getById function, we concatenate a string, we open ourselves to the following SQL injection:
getById('1; DROP TABLE posts;');Running the getById method with the above string causes the following SQL query to run:
SELECT * FROM posts WHERE id=1; DROP TABLE posts;Unfortunately, it destroys our posts table.
One one of dealing with the above problem is using parameterized queries. When we use it, we send the parameters separately from the query, and our database knows to treat them as parameters.
To use parameters, we need to provide the second argument to the runQuery method we’ve defined in the DatabaseService.
posts.repository.ts#
import { Injectable, NotFoundException } from "@nestjs/common"
import DatabaseService from "../database/database.service"
import { plainToInstance } from "class-transformer"
import PostModel from "./post.model"
@Injectable()
class PostsRepository {
constructor(private readonly databaseService: DatabaseService) {}
async getById(id: number) {
const databaseResponse = await this.databaseService.runQuery(
`
SELECT * FROM posts WHERE id=$1
`,
[id],
)
const entity = databaseResponse.rows[0]
if (!entity) {
throw new NotFoundException()
}
return plainToInstance(PostModel, entity)
}
async delete(id: number) {
const databaseResponse = await this.databaseService.runQuery(`DELETE FROM posts WHERE id=$1`, [
id,
])
if (databaseResponse.rowCount === 0) {
throw new NotFoundException()
}
} // ...
}
export default PostsRepositoryValidating incoming data#
To validate the data provided by the users, we can take advantage of the class-validator library that’s popular among people using the NestJS framework.
post.dto.ts#
import { IsString, IsNotEmpty } from "class-validator"
class PostDto {
@IsString()
@IsNotEmpty()
title: string
@IsString()
@IsNotEmpty()
content: string
}
export default PostDtoWe can use the above class in our repository when creating and updating posts.
posts.repository.ts#
import { Injectable, NotFoundException } from "@nestjs/common"
import DatabaseService from "../database/database.service"
import { plainToInstance } from "class-transformer"
import PostModel from "./post.model"
import PostDto from "./post.dto"
@Injectable()
class PostsRepository {
constructor(private readonly databaseService: DatabaseService) {}
async create(postData: PostDto) {
const databaseResponse = await this.databaseService.runQuery(
`
INSERT INTO posts (
title,
post_content
) VALUES (
$1,
$2
) RETURNING *
`,
[postData.title, postData.content],
)
return plainToInstance(PostModel, databaseResponse.rows[0])
}
async update(id: number, postData: PostDto) {
const databaseResponse = await this.databaseService.runQuery(
`
UPDATE posts
SET title = $2, post_content = $3
WHERE id = $1
RETURNING *
`,
[id, postData.title, postData.content],
)
const entity = databaseResponse.rows[0]
if (!entity) {
throw new NotFoundException()
}
return plainToInstance(PostModel, entity)
} // ...
}
export default PostsRepositoryIf you want to see the full repository, check out this repository.
We also need to use the PostDto class in our controller.
posts.controller.ts#
import { Body, Controller, Delete, Get, Param, Post, Put } from "@nestjs/common"
import { PostsService } from "./posts.service"
import FindOneParams from "../utils/findOneParams"
import PostDto from "./post.dto"
@Controller("posts")
export default class PostsController {
constructor(private readonly postsService: PostsService) {}
@Get()
getPosts() {
return this.postsService.getPosts()
}
@Get(":id")
getPostById(@Param() { id }: FindOneParams) {
return this.postsService.getPostById(id)
}
@Put(":id")
updatePost(@Param() { id }: FindOneParams, @Body() postData: PostDto) {
return this.postsService.updatePost(id, postData)
}
@Post()
createPost(@Body() postData: PostDto) {
return this.postsService.createPost(postData)
}
@Delete(":id")
deletePost(@Param() { id }: FindOneParams) {
return this.postsService.deletePost(id)
}
}The FindOneParams class takes care of parsing the id from the string to a number.
For validation to take place, we also need to use the ValidationPipe. To do that globally, we can add it to the providers array in our AppModule.
app.module.ts#
import { Module, ValidationPipe } from "@nestjs/common"
import { APP_PIPE } from "@nestjs/core"
@Module({
providers: [
{
provide: APP_PIPE,
useValue: new ValidationPipe({
transform: true,
}),
},
], // ...
})
export class AppModule {}Using services#
You might have noticed that the PostsController uses the PostsService, a straightforward service that uses the PostsRepository.
posts.service.ts#
import { Injectable } from "@nestjs/common"
import PostsRepository from "./posts.repository"
import PostDto from "./post.dto"
@Injectable()
export class PostsService {
constructor(private readonly postsRepository: PostsRepository) {}
getPosts() {
return this.postsRepository.getAll()
}
getPostById(id: number) {
return this.postsRepository.getById(id)
}
createPost(postData: PostDto) {
return this.postsRepository.create(postData)
}
updatePost(id: number, postData: PostDto) {
return this.postsRepository.update(id, postData)
}
deletePost(id: number) {
return this.postsRepository.delete(id)
}
}A service is a great place to write additional logic. A good example would be caching or using ElasticSearch.
Summary#
There could be many reasons we might not want to use ORM, and we’ve covered some of them in this article. To deal with that, we’ve implemented a way to write raw SQL queries when working with PostgreSQL and NestJS. To increase the development experience, we’ve decided to rely on Knex for managing migrations. The repository created in this article can serve as a good starting point for a more complex project.