I’m using a graphql api route in NextJS at /api/graphql and I would like to protect the route so requests can only be made if the Next-Auth session email matches the email of the user object targeted by a GQL mutation.
Where is the best place to do this authentication? The options I’ve seen so far, but feel free to suggest something else, are:
- NextJS Middleware (With or without Next-Auth middleware)
- Authentication in the Apollo server context
- Authentication in the GQL resolvers
So what would be considered best practice in this situation?
Read more here: Source link