2. Use resolver middleware to check whether the user is authenticated.
I like to use express-session (https://github.com/expressjs/session) for part 1 and graphql-middleware (https://github.com/prisma/graphql-middleware) for part 2.