HomeGraphQL in 5 DaysDay 4
Day 4 of 5
⏱ ~60 minutes
GraphQL in 5 Days — Day 4

Authentication and Context

Pass auth tokens via headers, validate them in context, and restrict resolvers by role.

The Context Function

Context setup
import { ApolloServer } from '@apollo/server';
import { expressMiddleware } from '@apollo/server/express4';
import jwt from 'jsonwebtoken';
import User from './models/User.js';

const server = new ApolloServer({ typeDefs, resolvers });
await server.start();

app.use('/graphql', expressMiddleware(server, {
  context: async ({ req }) => {
    const token = req.headers.authorization?.split('Bearer ')[1];
    let currentUser = null;
    if (token) {
      try {
        const { id } = jwt.verify(token, process.env.JWT_SECRET);
        currentUser = await User.findById(id);
      } catch {}
    }
    return { currentUser };
  }
}));
Using context in resolvers
const resolvers = {
  Query: {
    me: (_, __, { currentUser }) => {
      if (!currentUser) throw new Error('Not authenticated');
      return currentUser;
    },
  },
  Mutation: {
    createPost: (_, { input }, { currentUser }) => {
      if (!currentUser) throw new Error('Not authenticated');
      if (currentUser.role !== 'author') throw new Error('Not authorized');
      return createPost({ ...input, authorId: currentUser.id });
    }
  }
}
💡
Build a reusable requireAuth(context) helper function that throws if currentUser is null. Call it at the top of every protected resolver. Consistent error messages make debugging easier.
📝 Day 4 Exercise
Add Auth to Your GraphQL API
  1. A
  2. d
  3. d
  5. a
  7. l
  8. o
  9. g
  10. i
  11. n
  13. m
  14. u
  15. t
  16. a
  17. t
  18. i
  19. o
  20. n
  22. t
  23. h
  24. a
  25. t
  27. r
  28. e
  29. t
  30. u
  31. r
  32. n
  33. s
  35. a
  37. J
  38. W
  39. T
  40. .
  42. A
  43. d
  44. d
  46. c
  47. o
  48. n
  49. t
  50. e
  51. x
  52. t
  54. t
  55. o
  57. y
  58. o
  59. u
  60. r
  62. s
  63. e
  64. r
  65. v
  66. e
  67. r
  69. t
  70. h
  71. a
  72. t
  74. r
  75. e
  76. a
  77. d
  78. s
  80. a
  81. n
  82. d
  84. v
  85. e
  86. r
  87. i
  88. f
  89. i
  90. e
  91. s
  93. t
  94. h
  95. e
  97. t
  98. o
  99. k
  100. e
  101. n
  102. .
  104. A
  105. d
  106. d
  108. a
  110. p
  111. r
  112. o
  113. t
  114. e
  115. c
  116. t
  117. e
  118. d
  120. m
  121. e
  123. q
  124. u
  125. e
  126. r
  127. y
  128. .
  130. T
  131. e
  132. s
  133. t
  135. a
  136. u
  137. t
  138. h
  140. i
  141. n
  143. G
  144. r
  145. a
  146. p
  147. h
  148. i
  149. Q
  150. L
  152. b
  153. y
  155. p
  156. a
  157. s
  158. s
  159. i
  160. n
  161. g
  163. t
  164. h
  165. e
  167. t
  168. o
  169. k
  170. e
  171. n
  173. i
  174. n
  176. t
  177. h
  178. e
  180. H
  181. e
  182. a
  183. d
  184. e
  185. r
  186. s
  188. p
  189. a
  190. n
  191. e
  192. l
  193. .

Day 4 Summary

  • Context runs on every request and is passed to every resolver as the third argument.
  • Verify the JWT in context. If invalid, set currentUser = null — don't throw.
  • Throw authorization errors inside resolvers, not in the context function.
  • AuthenticationError → 401. ForbiddenError → 403. Use the right error type.
← Previous
Day 3: Mutations: Writing Data
Next →
Day 5: Apollo Client
Finished this lesson?