javascript graphql directive apollo-server apollo-server-koa

Enforcing access permissions - AuthDirective drawback


I followed and used the AuthDirective found at https://www.apollographql.com/docs/apollo-server/schema/creating-directives/#enforcing-access-permissions .

It's working well within Queries and Mutations. However, I don't understand the statement "One drawback of this approach is that it does not guarantee fields will be wrapped if they are added to the schema after AuthDirective is applied" found near the end of the "Enforcing Access Permissions" section. How would fields be added to the schema after AuthDirective is applied? Is it talking about the results returned from a field that had AuthDirective applied to it?


Solution

  • If the @auth directive shown is applied to a type, that type could also have another directive applied to it that adds fields to the type. For example, imagine an @id directive that added an id field to whatever type it was applied to. If the @id directive is applied after the @auth directive, the id field's resolver would never be modified by the @auth directive like all the other fields were. The directives are applied in the order they appear in the type definition, so it's easy enough to avoid this scenario, but it is something to be aware of if you make extensive use of directives.
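
The ordering problem described in the answer, as an added example that is not part of the original post and is not Apollo's or graphql-tools' code: a plain-object model of a type whose @auth directive wraps the resolvers that exist when it runs, plus a check that lists fields no auth wrapper touched. The helper names (`applyAuth`, `applyId`, `buildType`, `unwrappedFields`, `tryResolve`), the `ADMIN` role and the sample record are assumptions made for illustration.

```javascript
// Simplified model of schema directives: a "type" is a map of field name ->
// { resolve }. This is NOT the graphql-tools SchemaDirectiveVisitor API.
const WRAPPED = Symbol('authWrapped');

// Models @auth on a type: wraps every field that exists at the time it runs.
function applyAuth(type, requiredRole) {
  for (const field of Object.values(type.fields)) {
    const original = field.resolve;
    field.resolve = (source, args, context) => {
      if (!context.user || context.user.role !== requiredRole) {
        throw new Error('not authorized');
      }
      return original(source, args, context);
    };
    field[WRAPPED] = true;
  }
}

// Models the hypothetical @id directive from the answer: adds a new field.
function applyId(type) {
  type.fields.id = { resolve: (source) => source.id };
}

// Applies directives in the order they appear in the type definition.
function buildType(directives) {
  const type = { fields: { email: { resolve: (source) => source.email } } };
  for (const directive of directives) directive(type);
  return type;
}

// Defensive check: names of fields that no auth wrapper ever touched.
function unwrappedFields(type) {
  return Object.keys(type.fields).filter((name) => !type.fields[name][WRAPPED]);
}

// Resolves one field on a constructed record; returns the value or 'DENIED'.
function tryResolve(type, name, context) {
  try {
    return type.fields[name].resolve({ id: 'u1', email: 'a@example.test' }, {}, context);
  } catch (err) {
    return 'DENIED';
  }
}

const auth = (type) => applyAuth(type, 'ADMIN');
const authThenId = buildType([auth, applyId]); // @auth first: id is never wrapped
const idThenAuth = buildType([applyId, auth]); // @id first: id is wrapped too
const anonymous = { user: null };              // constructed request context
console.log({ authThenId: unwrappedFields(authThenId), idThenAuth: unwrappedFields(idThenAuth) });
```

Running a check like `unwrappedFields` after all directives have been applied, for example in a schema build test, catches the case where a later directive adds a field that the auth wrapper never saw.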