take review in account

EmrysMyrddin · EmrysMyrddin · commit 56eff8cb5448 · 2024-07-29T16:09:22.000+02:00
diff --git a/packages/graphql-yoga/src/plugins/request-validation/use-check-graphql-query-params.ts b/packages/graphql-yoga/src/plugins/request-validation/use-check-graphql-query-params.ts
@@ -154,38 +154,43 @@ export function useCheckGraphQLQueryParams(extraParamNames?: string[]): Plugin {
           return;
         }
 
-        let message: string | undefined;
+        let numberOfOperations = 0;
 
-        const operations = result.definitions.filter(
-          definition => definition.kind === Kind.OPERATION_DEFINITION,
-        );
-
-        if (operationName) {
-          const operationExists = operations.some(
-            operation => operation.name?.value === operationName,
-          );
+        for (const definition of result.definitions) {
+          if (definition.kind === Kind.OPERATION_DEFINITION) {
+            if (definition.name?.value === operationName) {
+              return;
+            }
 
-          if (!operationExists) {
-            if (operations.length === 1) {
-              message = `Operation name "${operationName}" doesn't match the name defined in the query.`;
-            } else {
-              message = `Could not determine what operation to execute. There is no operation "${operationName}" in the query.`;
+            numberOfOperations++;
+
+            if (operationName == null && numberOfOperations > 1) {
+              throw createGraphQLError(
+                'Could not determine what operation to execute. The query contains multiple operations, an operation name must be provided',
+                {
+                  extensions: {
+                    http: {
+                      status: 400,
+                    },
+                  },
+                },
+              );
             }
           }
-        } else if (operations.length > 1) {
-          message =
-            'Could not determine what operation to execute. The query contains multiple operations, an operation name must be provided';
         }
 
-        if (message) {
-          throw createGraphQLError(message, {
+        throw createGraphQLError(
+          numberOfOperations === 1
+            ? `Operation name "${operationName}" doesn't match the name defined in the query.`
+            : `Could not determine what operation to execute. There is no operation "${operationName}" in the query.`,
+          {
             extensions: {
               http: {
                 status: 400,
               },
             },
-          });
-        }
+          },
+        );
       };
     },
   };
diff --git a/packages/graphql-yoga/src/plugins/request-validation/use-prevent-mutation-via-get.ts b/packages/graphql-yoga/src/plugins/request-validation/use-prevent-mutation-via-get.ts
@@ -1,15 +1,19 @@
-import { DocumentNode, GraphQLError, Kind } from 'graphql';
+import { DocumentNode, getOperationAST, GraphQLError, OperationDefinitionNode } from 'graphql';
 import { Maybe } from '@envelop/core';
-import { createGraphQLError, isDocumentNode } from '@graphql-tools/utils';
+import { createGraphQLError } from '@graphql-tools/utils';
 import type { YogaInitialContext } from '../../types.js';
 import type { Plugin } from '../types.js';
 
-export function assertMutationViaGet(method: string, document: Maybe<DocumentNode>) {
-  const isMutation =
-    document?.definitions.find(def => def.kind === Kind.OPERATION_DEFINITION)?.operation ===
-    'mutation';
+export function assertMutationViaGet(
+  method: string,
+  document: Maybe<DocumentNode>,
+  operationName?: string,
+) {
+  const operation: OperationDefinitionNode | undefined = document
+    ? getOperationAST(document, operationName) ?? undefined
+    : undefined;
 
-  if (isMutation && method === 'GET') {
+  if (operation?.operation === 'mutation' && method === 'GET') {
     throw createGraphQLError('Can only perform a mutation operation from a POST request.', {
       extensions: {
         http: {
@@ -27,7 +31,15 @@ export function usePreventMutationViaGET(): Plugin<YogaInitialContext> {
   return {
     onParse() {
       // We should improve this by getting Yoga stuff from the hook params directly instead of the context
-      return ({ result, context: { request } }) => {
+      return ({
+        result,
+        context: {
+          request,
+          // the `params` might be missing in cases where the user provided
+          // malformed context to getEnveloped (like `yoga.getEnveloped({})`)
+          params: { operationName } = {},
+        },
+      }) => {
         // Run only if this is a Yoga request
         // the `request` might be missing when using graphql-ws for example
         // in which case throwing an error would abruptly close the socket
@@ -45,9 +57,7 @@ export function usePreventMutationViaGET(): Plugin<YogaInitialContext> {
           throw result;
         }
 
-        if (isDocumentNode(result)) {
-          assertMutationViaGet(request.method, result);
-        }
+        assertMutationViaGet(request.method, result, operationName);
       };
     },
   };
