Search for any of my posts, and pretty much all of them are talking about this problem.
Currently, there is only one real way to solve the problem: Custom Lambda Mutations.
Here is an example of how you would get the information in the mutation, and re-run the query in DQL.
However, you can also re-run the GraphQL in the docs. Basically, you secure the regular mutations like this:
Obviously, the problem is that you have to create a custom lambda mutation for every type you have, possibly 3 different ones (update, add, delete) and secure the regular ones with deny. For the moment, this is the only real way to secure your mutation.
It is worth noting, that for certain cases, like the createdAt date, you could use the Lambda Webhook, which is a post-hook to do things after the data is already added or updated in the database. However, you have no access to the before data. There are no pre-hook methods unfortunately.
Here is an example code you could easily copy in the Lambda Webhook to add a createdAt date, but automatic timestamps is another feature request we hope to see one day.
As far as realistic security, a lot could be solved if Dgraph would simply add update-after. This opens up many new options.
J