Yep, you definitely need to implement user authz for _every_ resolver independently and safelist/allowlist only those operations you'll use. You probably had to disable introspection in production too.
Out of curiosity, could you name the third party security firm?
I didn't work on the security audit implementation though. I actually forgot what security firm we used, but it was local in our area.
They provided a document detailing all the security exploits they found though.
I don't recall exactly how this is done in GraphQL, but I believe we used the context object and made a request to our database to find the user's role. GraphQL endpoints have 4 arguments, the 4th one specifies the datagraph payload coming in. I think we blacklisted everything and whitelisted them depending on what the user requested and their corresponding role.
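For the pattern these replies describe (role looked up per request into the context object, every resolver checked on its own, and an allowlist of the operations the client actually ships), here is an added example in JavaScript. It is not code from this thread or from any project mentioned in it; the in-memory user table, the role names, the `x-user-id` header and the tiny `execute`/`project` dispatcher are constructed stand-ins for a real database lookup and a real GraphQL executor, and the Apollo-style `(parent, args, context, info)` resolver signature is assumed.

```javascript
// Added example (not from the thread): deny-by-default, per-resolver role
// checks plus an operation allowlist. User table, header name and dispatcher
// are constructed stand-ins for a real database and GraphQL executor.

// Constructed user table; in a real server the role comes from a database
// query keyed on the authenticated session, never from the query payload.
const USERS_DB = {
  u1: { id: "u1", role: "admin" },
  u2: { id: "u2", role: "member" },
};

async function lookupRole(userId) {
  const user = USERS_DB[userId];
  return user ? user.role : null;
}

// Built once per request; resolvers read identity from here only.
// Assumption: the server has already verified x-user-id against the session.
async function buildContext(request) {
  const userId = request.headers["x-user-id"] || null;
  const role = userId ? await lookupRole(userId) : null;
  return { userId, role };
}

// Wrap a resolver so it refuses unless the caller's role is listed.
// Unauthenticated callers have role null and are always refused.
function requireRole(allowedRoles, resolver) {
  return async (parent, args, context, info) => {
    if (!context.role || !allowedRoles.includes(context.role)) {
      throw new Error(`forbidden: ${info.fieldName} requires ${allowedRoles.join("|")}`);
    }
    return resolver(parent, args, context, info);
  };
}

// Every resolver is wrapped independently, including the nested User.role
// field, so reaching a User through an allowed query does not expose fields
// the caller's role may not read.
const resolvers = {
  Query: {
    me: requireRole(["member", "admin"], (_p, _a, ctx) => USERS_DB[ctx.userId]),
    allUsers: requireRole(["admin"], () => Object.values(USERS_DB)),
  },
  User: {
    role: requireRole(["admin"], (parent) => parent.role),
  },
};

// Operation allowlist: only the named operations the client build ships run;
// anything else (ad-hoc queries, introspection) is rejected before any
// resolver executes.
const ALLOWED_OPERATIONS = new Set(["Me", "AllUsers"]);

function isAllowedOperation(operationName) {
  return ALLOWED_OPERATIONS.has(operationName);
}

// Resolve each requested sub-field through its own field resolver when one
// exists (plain property otherwise), collecting per-field errors instead of
// aborting the whole response, as GraphQL executors do.
async function project(value, subfields, context, errors) {
  if (Array.isArray(value)) {
    return Promise.all(value.map((v) => project(v, subfields, context, errors)));
  }
  const out = {};
  for (const field of subfields) {
    const fieldResolver = resolvers.User[field];
    try {
      out[field] = fieldResolver
        ? await fieldResolver(value, {}, context, { fieldName: field })
        : value[field];
    } catch (err) {
      out[field] = null;
      errors.push(err.message);
    }
  }
  return out;
}

// Minimal stand-in for the executor: allowlist check, context build,
// top-level resolver, then sub-field projection.
// request = { operationName, field, subfields, headers }
async function execute(request) {
  if (!isAllowedOperation(request.operationName)) {
    return { data: null, errors: ["operation not allowlisted"] };
  }
  const context = await buildContext(request);
  const errors = [];
  let data = null;
  try {
    const rootResolver = resolvers.Query[request.field];
    if (!rootResolver) throw new Error(`unknown field: ${request.field}`);
    const root = await rootResolver(null, {}, context, { fieldName: request.field });
    data = await project(root, request.subfields || [], context, errors);
  } catch (err) {
    errors.push(err.message);
  }
  return { data, errors };
}

// Stand-alone demo: a member asks for a field only admins may read.
execute({ operationName: "Me", field: "me", subfields: ["id", "role"],
          headers: { "x-user-id": "u2" } })
  .then((result) => console.log(JSON.stringify(result)));
```

The point of wrapping `User.role` as well as the top-level queries is that a member reaching their own `User` object through the allowed `Me` operation still gets `role: null` and a per-field error, rather than the whole object; and a request whose operation name is not on the allowlist never reaches `buildContext` or any resolver at all.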