api – NextJS + Next-Auth + Apollo GraphQL Security Best Practices?

I’m using a graphql api route in NextJS at /api/graphql and I would like to protect the route so requests can only be made if the Next-Auth session email matches the email of the user object targeted by a GQL mutation.

Where is the best place to do this authentication? The options I’ve seen so far, but feel free to suggest something else, are:

  • NextJS Middleware (With or without Next-Auth middleware)
  • Authentication in the Apollo server context
  • Authentication in the GQL resolvers

So what would be considered best practice in this situation?


Read more here: Source link