Beginner here & new to this. I have a simple subscription site (GatsbyJS), & I am using Auth0 Lock to give users access to my site. My site queries some data from my Node.js server via GraphQL.
Now I realised that while my frontend is secured by Auth0, my backend isn't. A malicious user could thus theoretically send queries to my GraphQL backend en masse, even if he/she is not logged in via the frontend.
How would I go about securing the backend now? I only want logged-in users to be able to query data. However, authentication goes via Auth0 & the Lock API, so my server seems kind of separate from all of this?
Any advice?