api – NextJS + Next-Auth + Apollo GraphQL Security Best Practices?

I’m using a graphql api route in NextJS at /api/graphql and I would like to protect the route so requests can only be made if the Next-Auth session email matches the email of the user object targeted by a GQL mutation.

Where is the best place to do this authentication? The options I’ve seen so far, but feel free to suggest something else, are:

  • NextJS Middleware (With or without Next-Auth middleware)
  • Authentication in the Apollo server context
  • Authentication in the GQL resolvers

So what would be considered best practice in this situation?

Thanks
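One way to implement the check described in the question, given as an added example that is not code from the question, Next-Auth or Apollo: the Apollo context function is assumed to have already placed the Next-Auth session on `context.session` (in a deployed app via `getServerSession`), and the resolver enforces that the caller owns the targeted user. The names `requireOwner`, `runUpdate`, `GqlAuthError` and the in-memory `USERS` map are constructed for this example.

```javascript
// Added example, not from the question or from Next-Auth/Apollo.
// Assumed shape: the Apollo context function has already resolved the
// Next-Auth session and stored it as context.session; each resolver that
// targets a user record then checks ownership before doing any work.

// Constructed in-memory user store standing in for the database.
const USERS = new Map([
  [1, { id: 1, email: "alice@example.com", name: "Alice" }],
  [2, { id: 2, email: "bob@example.com", name: "Bob" }],
]);

// Error carrying an Apollo-style extensions.code so the client can tell
// "not signed in" from "signed in but not allowed".
class GqlAuthError extends Error {
  constructor(message, code) {
    super(message);
    this.extensions = { code };
  }
}

// Normalise before comparing so "Alice@Example.com" matches the stored address.
function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : null;
}

// Central ownership check for every mutation that targets a user record.
// Returns the target user; throws if the session is missing or not the owner.
function requireOwner(context, targetId) {
  const sessionEmail = normalizeEmail(context.session?.user?.email);
  if (!sessionEmail) throw new GqlAuthError("Not signed in", "UNAUTHENTICATED");
  const target = USERS.get(targetId);
  // Same response for "no such user" and "not yours", so the mutation
  // does not reveal which ids exist.
  if (!target || normalizeEmail(target.email) !== sessionEmail) {
    throw new GqlAuthError("Not allowed", "FORBIDDEN");
  }
  return target;
}

// Resolver map as Apollo Server would receive it; the check runs before the write.
const resolvers = {
  Mutation: {
    updateUser(_parent, { id, name }, context) {
      const user = requireOwner(context, id);
      user.name = name;
      return { ...user };
    },
  },
};

// Calls the resolver directly so the logic can be exercised without an HTTP server.
function runUpdate(session, id, name) {
  try {
    return { ok: true, user: resolvers.Mutation.updateUser(null, { id, name }, { session }) };
  } catch (e) {
    return { ok: false, code: e.extensions?.code };
  }
}
```

Placing the session lookup in the context function and the ownership comparison in the resolver keeps the per-object decision next to the data it protects, which middleware that only sees the URL cannot make.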