fix: verify APQ hash before executing mutation in automatic mode

Fixes #1227

Author: mcollina

lib/routes.js

@@ -281,24 +281,29 @@ module.exports = async function (app, opts) {
       }
     }
 
-    // Execute the query
-    const result = await executeQuery(query, variables, operationName, request, reply)
-
-    // Only save queries which are not yet persisted and if this is a persisted query retry
+    // Verify hash before executing (if this is a persisted query retry)
     if (isPersistedQueryRetry && isPersistedQueryRetry(body) && query) {
       // Extract the hash from the request
       const hash = getHash && getHash(body)
-
       const hashForQuery = getHashForQuery && getHashForQuery(query)
+
       if (hash && hashForQuery !== hash) {
         // The calculated hash does not match the provided one, tell the client
         throw new MER_ERR_GQL_PERSISTED_QUERY_MISMATCH(mismatchError)
       }
+    }
+
+    // Execute the query
+    const result = await executeQuery(query, variables, operationName, request, reply)
+
+    // Only save queries which are not yet persisted and if this is a persisted query retry
+    if (isPersistedQueryRetry && isPersistedQueryRetry(body) && query) {
+      const hashForQuery = getHashForQuery && getHashForQuery(query)
 
       try {
         await saveQuery(hashForQuery, query)
       } catch (err) {
-        request.log.warn({ err, hash, query }, 'Failed to persist query')
+        request.log.warn({ err, hashForQuery, query }, 'Failed to persist query')
       }
     }
 

test/persisted.test.js

@@ -497,6 +497,59 @@ test('avoid persisting query if hashes mismatch', async (t) => {
   t.assert.deepEqual(JSON.parse(res.body), { data: null, errors: [{ message: 'provided sha does not match query' }] })
 })
 
+test('avoid executing mutations if hashes mismatch in automatic mode', async (t) => {
+  const app = Fastify()
+
+  const schema = `
+      type Query {
+        add(x: Int, y: Int): Int
+      }
+      type Mutation {
+        setFlag(value: Boolean): Boolean
+      }
+    `
+
+  const sideEffects = []
+
+  const resolvers = {
+    add: async ({ x, y }) => x + y,
+    Mutation: {
+      setFlag: async (_, { value }) => {
+        sideEffects.push(value)
+        return value
+      }
+    }
+  }
+
+  app.register(GQL, {
+    schema,
+    resolvers,
+    persistedQueryProvider: GQL.persistedQueryDefaults.automatic()
+  })
+
+  const res = await app.inject({
+    method: 'POST',
+    url: '/graphql',
+    body: {
+      operationName: 'SetFlagMutation',
+      variables: { value: true },
+      query: `
+        mutation SetFlagMutation ($value: Boolean!) {
+            setFlag(value: $value)
+        }`,
+      extensions: {
+        persistedQuery: {
+          version: 1,
+          sha256Hash: 'foobar'
+        }
+      }
+    }
+  })
+
+  t.assert.deepEqual(JSON.parse(res.body), { data: null, errors: [{ message: 'provided sha does not match query' }] })
+  t.assert.strictEqual(sideEffects.length, 0, 'Mutation should not execute when hash mismatches')
+})
+
 // persistedQueryProvider
 
 test('GET route with query, variables & persisted', async (t) => {