I have the following security concerns.
What if I would like to provide different ways of authentication? For example, I would like to secure public clients with a JWT token, but some parts of the API, for instance mutators, I would like to be accessible only by backend clients using Bearer tokens.
Is there a way to secure requests with a clientId and secure token without needing to use another service?
How to prevent some queries? If I have a social app, I don't want to allow users to traverse the whole database. If we have a Facebook-like app, I don't want to let people traverse the whole user base by querying friends. Can I limit the depth of a query?
Speaking of your example with a one-to-many relation, for instance User <-> Post, where a post can have an author field: how to ensure security so that a user can add a post with author set to his own user id and not somebody else's user id?
Can I, for instance, pass a claim to a mutation?
And what is the status of file support?
Can I connect to blob storage and store files in blob storage with lambda functions?
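On the query-depth question above, here is an added example (not from the original post, and not a feature of any particular GraphQL service) of the usual server-side defence: reject any document whose selection sets nest deeper than a configured limit, so a `friends { friends { friends ... } }` walk over the user base is refused before it reaches the resolvers. It counts selection-set nesting by brace depth while skipping string literals and `#` comments; a production limiter would walk the parsed AST instead, and the limit value and sample queries are assumptions.

```python
# Added example: a depth limiter for GraphQL-style documents.
# Counts `{`/`}` nesting outside string literals and comments instead of
# walking a full AST, which is enough to show the check.

MAX_DEPTH = 3  # assumption: a policy choice for this example

def query_depth(query: str) -> int:
    """Return the deepest selection-set nesting in the document.
    The outer `{ ... }` of a query or mutation counts as depth 1."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == '#':                       # comment runs to end of line
            while i < n and query[i] != '\n':
                i += 1
            continue
        if ch == '"':                       # skip a string literal, honouring escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == '\\' else 1
        elif ch == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == '}':
            depth -= 1
        i += 1
    return max_depth

def check_depth(query: str, limit: int = MAX_DEPTH) -> bool:
    """True if the document may be executed under the depth policy."""
    return query_depth(query) <= limit

# Constructed sample documents for the demonstration.
SHALLOW = "{ me { id friends { id name } } }"          # depth 3: allowed
DEEP = """
query Walk {
  me {
    friends {
      friends {
        friends { id }   # traverses the social graph three hops out
      }
    }
  }
}
"""                                                     # depth 5: rejected

if __name__ == "__main__":
    for name, q in (("SHALLOW", SHALLOW), ("DEEP", DEEP)):
        print(name, query_depth(q), "allowed" if check_depth(q) else "rejected")
```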