From the Graphql website:
Where should you define the actual business logic? Where should you perform validation and authorization checks? The answer: inside a dedicated business logic layer. Your business logic layer should act as the single source of truth for enforcing business domain rules.
(https://graphql.org/learn/thinking-in-graphs/#business-logic-layer)
So by definition of the GraphQL specification, the resolver is not a desirable place for business logic. I’d love to hear from a Strapi dev why they choose to bypass the controller in the GraphQL API, and what they envisioned to be the place to handle its business logic…