This is being analyzed (but I think they are already starting to work on it if I’m not mistaken).
Quote from @michaelcompton
You can always use the GraphQL as part of another server that has auth built into it, exposing it straight to the world is not the only thing you can do, and till we have auth built-in, it’s not something you should do at all.
Don’t expose your DB without adequate security … that’s just bad
ACL works in GraphQL, just like normal
In general, following the specifications created by GraphQL Devs/foundation. We should not impose an Auth approach, as there are several and each one with its own particularities. And many tend to evolve a lot. In practice this takes more work to maintain.
I believe that with the new customization features coming, you will be able to do any type of Auth approach. Different from what the Core Team chose.
Cheers.