How to operation safelist / guard against unwanted operations

Hey friends,

I’m struggling to find info on how to protect my graph from randos making arbitrary queries to collect any data they want.

The only documentation is to use the Apollo CLI to npx apollo client:push to a safelist, but this feature is gated under the “Enterprise” plan (with the new pricing changes, it is unclear how to even pay for this).

This seems like a core feature to use Apollo, right? Otherwise anyone could run a query { getUser { sensitiveField } }. With the little documentation on the topic, I feel like I’m missing a core concept. How do you guard against unwanted operations?

Check out context and authentication.

My example here:

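context: async ({ req }) => {
  // Read the token from the Authorization header (empty string if absent)
  const token = req.headers.authorization || '';
  // Look up the user for this token
  const user = getUser(token);
  return {
    user: user ? user : undefined,
    models: {
      // Created for every request, authenticated or not
      Auth: generateAuthModel(),
      // Only created when a user was found for the token
      User: user ? generateUserModel({ user }) : undefined,
      // Only created when a user was found and user.level > 2
      Admin: user ?
        user.level > 2 ?
          generateAdminModel({ user }) : undefined
        : undefined,
    }
  };
},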

Now if you are not logged in, resolvers will not be created for you.
If level did reach admin, you query admin functions.
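
An added example (not code from the post or from Apollo) of how resolvers can consume a context shaped like the one above and fail closed when a model was not attached. The token table, `requireModel`, `run` and the `listUsers` field are hypothetical, and `buildContext` is synchronous here so it runs without a server.

```javascript
// Constructed sample data standing in for the post's getUser(token) lookup.
// A Map is used so tokens like "__proto__" cannot match inherited properties.
const USERS = new Map([
  ['token-alice', { id: 1, name: 'alice', level: 1, sensitiveField: 'alice-secret' }],
  ['token-root', { id: 2, name: 'root', level: 3, sensitiveField: 'root-secret' }],
]);
const getUser = (token) => USERS.get(token);

// Same shape as the context in the post: a model exists only if the caller is entitled to it.
function buildContext({ req }) {
  const token = req.headers.authorization || '';
  const user = getUser(token);
  return {
    user,
    models: {
      User: user ? { me: () => user } : undefined,
      Admin: user && user.level > 2
        ? { listUsers: () => [...USERS.values()].map((u) => u.name) }
        : undefined,
    },
  };
}

// Hypothetical helper: refuse the field when the model is missing from the context.
function requireModel(context, name) {
  const model = context.models[name];
  if (!model) throw new Error(`FORBIDDEN: ${name} model not available`);
  return model;
}

// Resolver map using the standard (parent, args, context) resolver arguments.
const resolvers = {
  Query: {
    getUser: (_parent, _args, context) => requireModel(context, 'User').me(),
    listUsers: (_parent, _args, context) => requireModel(context, 'Admin').listUsers(),
  },
};

// Resolve one Query field for a given token, without starting a server.
function run(field, token) {
  const headers = token ? { authorization: token } : {};
  const context = buildContext({ req: { headers } });
  try {
    return { data: resolvers.Query[field](null, {}, context) };
  } catch (err) {
    return { error: err.message };
  }
}
```

Every resolver that touches protected data has to go through the guard; a resolver that reads the data source directly bypasses the context check entirely.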