Your final suggestion was my initial thought. I wish the article was a little shorter. My takeaway: 1- Pass a user object in the graphql context (would be nice to see how to do this with express-graphql). 2- Use the resolve function to pass a user object from the context to a service function. 3- Use services to authorize the user’s access to the resource.