Can you share how req.session is being set (where’s your passport js code)?
Is it in an app.get call maybe? Should it be in an app.use instead? (your graphql requests are probably post and wouldn’t hit middleware using app.get)
Do you have separate code blocks for adding cookie and adding passport to the session object? Most likely, your passport block isn’t running for graphql requests.