When implementing mutations, where should one typically put authorization (not authentication)? I have a choice between:
a) putting the authorization in the mutation resolver before calling on some services that make changes
b) putting the authorization in the services that are called
Should probably have mentioned that the backend I'm working on is written in Kotlin (which compiles to the JVM), so using .js libraries isn't an option. Thanks for the link though, will probably use it when working on some of my TypeScript projects.
Jenkins
02/15/2019, 10:14 AM
Aaaah, my bad. Are you storing the login data yourself or using something like Auth0?
Arnab
02/15/2019, 10:16 AM
An outside trusted API (the old Java REST API we are replacing parts of) forwards all GraphQL calls to this API, so that's where the login data comes from. At the moment, we are checking some roles before getting data from our store, then we are doing auth on the resource itself, and then finally returning the request.
Jenkins
02/15/2019, 10:20 AM
Okay. In my head I would consider what would require the least amount of work. If I have to talk to an outside API for authorization then I'd do it in the resolver before I allow data fetching through the service. If I, on the other hand, store all the data myself I would have the service take care of the auth as it is 'closer' to the data. But these are just my 2 cents on this.