For authentication we recommend using a solution that's independent of GraphQL, and then passing the authentication context into GraphQL. For Express, Passport.js is a popular option, which we've used in our GitHunt example app. It's also described in this Medium post.
As for authorization, we're envisioning something along the lines of decorators, but we're waiting to see what the community comes up with while we work on other things.
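The pattern recommended above, as an added sketch that is not code from the original post, GitHunt or Passport.js: an authentication step that knows nothing about GraphQL produces a user, and a per-request context carries that user to resolvers. To stay self-contained it uses only Node's built-in `crypto`, with a hand-rolled HMAC bearer token standing in for Passport.js; the token format, `SECRET`, and the names `signToken`, `authenticate`, `buildContext` and `resolvers` are all assumptions.

```javascript
const crypto = require("node:crypto");

// Assumption: constructed demo secret; a real deployment loads it from a secret store.
const SECRET = "constructed-demo-secret";

// Hypothetical token format: base64url(JSON payload) + "." + hex HMAC-SHA256 of that body.
function signToken(payload) {
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const mac = crypto.createHmac("sha256", SECRET).update(body).digest("hex");
  return `${body}.${mac}`;
}

// Authentication layer, independent of GraphQL: returns a user object or null.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || "";
  const m = /^Bearer ([A-Za-z0-9_-]+)\.([0-9a-f]{64})$/.exec(header);
  if (!m) return null;
  const expected = crypto.createHmac("sha256", SECRET).update(m[1]).digest();
  // The regex guarantees 64 hex chars, so both buffers are 32 bytes long.
  if (!crypto.timingSafeEqual(expected, Buffer.from(m[2], "hex"))) return null;
  try {
    // Parse only after the MAC has been verified.
    const payload = JSON.parse(Buffer.from(m[1], "base64url").toString("utf8"));
    if (typeof payload.exp !== "number" || payload.exp <= Date.now()) return null;
    return { id: payload.sub };
  } catch {
    return null;
  }
}

// Built once per request and handed to GraphQL execution as the context value.
function buildContext(req) {
  return { user: authenticate(req) };
}

// Resolvers never see headers or tokens, only the already-authenticated context.
const resolvers = {
  Query: {
    me: (_parent, _args, context) => {
      if (!context.user) throw new Error("Not authenticated");
      return { id: context.user.id };
    },
  },
};
```

In an Express app, `buildContext` would be called from the function that supplies the GraphQL server's per-request context, after the authentication middleware has run.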