Security regarding apollo graphql backend


I have built a backend for a prototype application I'm doing for a group of friends. Since it's a prototype, I've used the typegraphql-prisma integration to generate not only the DTOs and models but all the resolvers as well. The app doesn't have any complicated custom logic, and where there was some, I've built custom resolvers that attend to those use cases.

My question here, however, is more about GraphQL security. Since the resolvers are all generic and don't check for things like whether someone owns the relations they are trying to change/remove, for instance, anyone with access to the resolvers could do harm to the app if we decide to take it public, for example.

Now, I have built other applications with just custom resolvers, and everything works fine and dandy, so this never crossed my mind. What I want to know is: could someone sniff the network and build their own GraphQL client to talk to my server and abuse the resolvers however they want, since the only thing they would need is a valid login token? Or does GraphQL have any systems that make it so only the app can use the resolvers?

Also, is there a way to add custom logic to typegraphql-prisma integration to make this transition easier?
