I'm currently dealing with a GraphQL project with poor architecture. I read about where to put AuthZ checks and they refer to the "business layer" as to be called from a GraphQL resolver.
Up till now, I thought GraphQL belongs in the Data Access Layer (or at least, JUST BEFORE the DAL), but it now looks like it belongs in the most outside layer, similar to a "controller".
What layer does it belong to?
GraphQL is an interface technology. Its goal is to improve upon the more traditional way of explicitly defining interface methods. Since it's an interface technology it belongs at the outermost layer of a service, and should immediately call the business logic below it. The reason it may seem like a data access pattern is because it's reflective of one. In GraphQL you define queries and mutations--both of which are seemingly inspired by data access, but it's meant to be applied against the business logic not data persistence.
