1. Create a login mutation which creates a session and sends back a cookie.<p>2. Use resolver middleware to check whether the user is authenticated.<p>I like to use express-session (<a href="https://github.com/expressjs/session" rel="nofollow">https://github.com/expressjs/session</a>) for part 1 and graphql-middleware (<a href="https://github.com/prisma/graphql-middleware" rel="nofollow">https://github.com/prisma/graphql-middleware</a>) for part 2.