Since I have played a little bit with the GraphQL playground, I have noted that we can control columns on an object, and I always wondered: does any protection exist over which columns can be returned by the server? Let us say your app is querying users' names, and I alter your script in my browser to ask for the password column (which I guessed exists, and in fact let us imagine it really exists). Will the password be fetched, or are there any "field guards" with a blacklist of fields?
From your backend codebase you can determine the object of data you want to return to the client...
For example, Twitter uses GraphQL, and if you want to request a particular object/data of a user, it will never return the user's password because it has been removed from the columns you can play with.
Moreover, when you are authenticating a user, it is better to use client token verification such as JWT (JSON Web Token).
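To make the schema-as-contract point concrete, here is an added example that is not code from the original thread: a dependency-free sketch of a GraphQL-style server in which the database row carries a password hash but the exposed `User` type declares only `id` and `name`, so a client selecting `password` is rejected at validation time, before any resolver runs. All names, the table and the hash value are made up for the example.

```javascript
// Constructed backend row: the database holds a password hash, the API never declares it.
const usersTable = [{ id: 1, name: 'alice', passwordHash: '$2b$12$constructed.sample.hash' }];

// The schema is the contract: User has exactly two fields, so "password" does not exist for clients.
const schema = { Query: { user: 'User' }, User: { id: 'Int', name: 'String' } };

// Resolvers decide what each declared field returns; no resolver ever reads passwordHash.
const resolvers = {
  Query: { user: () => usersTable[0] },
  User: { id: (row) => row.id, name: (row) => row.name },
};

// Parse a flat selection such as "{ user { name password } }" into nested field names.
function parseSelection(query) {
  const tokens = query.match(/[{}]|[A-Za-z_]\w*/g) || [];
  let pos = 0;
  function parseSet() {
    if (tokens[pos++] !== '{') throw new Error('expected "{"');
    const fields = {};
    while (pos < tokens.length && tokens[pos] !== '}') {
      const name = tokens[pos++];
      fields[name] = tokens[pos] === '{' ? parseSet() : null;
    }
    pos++; // consume "}"
    return fields;
  }
  return parseSet();
}

// Validation runs before any resolver: every selected field must be declared on its type.
function validate(typeName, selection, errors = []) {
  for (const [field, sub] of Object.entries(selection)) {
    const fieldType = (schema[typeName] || {})[field];
    if (fieldType === undefined) errors.push(`Cannot query field "${field}" on type "${typeName}".`);
    else if (sub) validate(fieldType, sub, errors);
  }
  return errors;
}

// Execute only after validation passes; undeclared fields never reach the data layer.
function execute(query) {
  const selection = parseSelection(query);
  const errors = validate('Query', selection);
  if (errors.length) throw new Error(errors.join(' '));
  const run = (typeName, sel, parent) =>
    Object.fromEntries(Object.entries(sel).map(([f, sub]) => {
      const v = resolvers[typeName][f](parent);
      return [f, sub ? run(schema[typeName][f], sub, v) : v];
    }));
  return run('Query', selection, null);
}
```

Note that the `user` resolver hands the whole row (hash included) to the next level, yet the hash is still unreachable because only declared fields are ever resolved; this is why a real GraphQL server returns "Cannot query field" rather than leaking an undeclared column.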