With https://github.com/oors/oors all of the issues you mentioned are taken care of. You can handle authorization in 2 diff ways: at the resolver level using something I call higher order resolvers (or decorators) - there's a withUser decorators (https://github.com/oors/oors/blob/master/packages/oors-graphql/src/decorators/withUser.js) that gives you enough control to allow or restrict access based on your business logic and requirements at the type definitions level using one of the 2 directives from here - https://github.com/oors/oors/blob/master/packages/oors-user/src/graphql/typeDefs.graphql