# orm-help
a
I want to write authentication middleware using graphql-middleware. There's an example which basically just throws an exception when you decide the user is not authorized. How would you get the server to throw a 401 error instead?
d
Hey @Avi Block, you should take a look at @matic’s https://github.com/maticzav/graphql-shield ; it's a middleware with some very very useful logic functions to do permissions and authentication. Also, I recently made a class to exemplify the development of rules, though it's a work in progress. https://gist.github.com/dukuo/351f581e54b0af863f7155110e8f39c6 #shamelessplug
a
Sure...although my permission layer is very basic...block everything (except introspection query), so I didn't think I needed a full solution like that. But as I understand it, it is a middleware, so I guess I can peek at his code and see what he did (assuming he's returning a 401).
n
You can handle that logic at the HTTP layer (basically, in `express` itself) if that is what you wish to do.
It's common for GraphQL APIs to return `200` even for errors.
a
I don't want to handle it at that layer because I don't want to block the graphql server completely...I want to block just queries and mutations, but have the server be introspectable.
n
You can probably write an express middleware that does this.
a
I just wrote some quick express middleware that blocks all requests unless it looks like an IntrospectionQuery (literally `req.body.query.match('IntrospectionQuery')`). I'm sure it can be made more robust, but it seems to do the trick.