fix(router): make computeSha256 independent of metric/access log attributes (#2633)

endigma · web-flow · commit f03d96e9790d · 2026-03-12T00:02:39.000Z
diff --git a/router-tests/cache_warmup_test.go b/router-tests/cache_warmup_test.go
@@ -462,6 +462,8 @@ func TestCacheWarmup(t *testing.T) {
 						ValidationMisses:                  1,
 						PlanHits:                          4,
 						PlanMisses:                        1,
+						QueryHashMisses:                   2, // 2x miss for safelist queries (raw query body hashed for safelist check)
+						QueryHashHits:                     1, // 1x hit for repeated query body hash
 					},
 				},
 			}, func(t *testing.T, xEnv *testenv.Environment) {
diff --git a/router-tests/safelist_test.go b/router-tests/safelist_test.go
@@ -117,6 +117,90 @@ func TestSafelist(t *testing.T) {
 		})
 	})
 
+	t.Run("safelist with access log sha256 attribute allows a persisted query to run", func(t *testing.T) {
+		testenv.Run(t, &testenv.Config{
+			AccessLogFields: []config.CustomAttribute{
+				{
+					Key: "operation_sha256",
+					ValueFrom: &config.CustomDynamicAttribute{
+						ContextField: core.ContextFieldOperationSha256,
+					},
+				},
+			},
+			RouterOptions: []core.Option{
+				core.WithPersistedOperationsConfig(config.PersistedOperationsConfig{
+					Safelist: config.SafelistConfiguration{Enabled: true},
+				}),
+			},
+		}, func(t *testing.T, xEnv *testenv.Environment) {
+			header := make(http.Header)
+			header.Add("graphql-client-name", "my-client")
+			res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
+				OperationName: []byte(`"Employees"`),
+				Header:        header,
+				Query:         persistedQuery,
+			})
+			require.NoError(t, err)
+			require.Equal(t, `{"data":{"employees":[{"id":1},{"id":2},{"id":3},{"id":4},{"id":5},{"id":7},{"id":8},{"id":10},{"id":11},{"id":12}]}}`, res.Body)
+		})
+	})
+
+	t.Run("safelist with access log sha256 attribute allows a persisted query run with ID", func(t *testing.T) {
+		testenv.Run(t, &testenv.Config{
+			AccessLogFields: []config.CustomAttribute{
+				{
+					Key: "operation_sha256",
+					ValueFrom: &config.CustomDynamicAttribute{
+						ContextField: core.ContextFieldOperationSha256,
+					},
+				},
+			},
+			RouterOptions: []core.Option{
+				core.WithPersistedOperationsConfig(config.PersistedOperationsConfig{
+					Safelist: config.SafelistConfiguration{Enabled: true},
+				}),
+			},
+		}, func(t *testing.T, xEnv *testenv.Environment) {
+			header := make(http.Header)
+			header.Add("graphql-client-name", "my-client")
+			res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
+				OperationName: []byte(`"Employees"`),
+				Extensions:    []byte(`{"persistedQuery": {"version": 1, "sha256Hash": "dc67510fb4289672bea757e862d6b00e83db5d3cbbcfb15260601b6f29bb2b8f"}}`),
+				Header:        header,
+			})
+			require.NoError(t, err)
+			require.Equal(t, `{"data":{"employees":[{"id":1},{"id":2},{"id":3},{"id":4},{"id":5},{"id":7},{"id":8},{"id":10},{"id":11},{"id":12}]}}`, res.Body)
+		})
+	})
+
+	t.Run("safelist with access log sha256 attribute rejects non persisted query", func(t *testing.T) {
+		testenv.Run(t, &testenv.Config{
+			AccessLogFields: []config.CustomAttribute{
+				{
+					Key: "operation_sha256",
+					ValueFrom: &config.CustomDynamicAttribute{
+						ContextField: core.ContextFieldOperationSha256,
+					},
+				},
+			},
+			RouterOptions: []core.Option{
+				core.WithPersistedOperationsConfig(config.PersistedOperationsConfig{
+					Safelist: config.SafelistConfiguration{Enabled: true},
+				}),
+			},
+		}, func(t *testing.T, xEnv *testenv.Environment) {
+			header := make(http.Header)
+			header.Add("graphql-client-name", "my-client")
+			res, err := xEnv.MakeGraphQLRequest(testenv.GraphQLRequest{
+				OperationName: []byte(`"Employees"`),
+				Header:        header,
+				Query:         queryWithDetails,
+			})
+			require.NoError(t, err)
+			require.Equal(t, persistedNotFoundResp, res.Body)
+		})
+	})
+
 	t.Run("log unknown operations", func(t *testing.T) {
 		t.Run("logs non persisted query but allows them to continue", func(t *testing.T) {
 			testenv.Run(t, &testenv.Config{
diff --git a/router-tests/structured_logging_test.go b/router-tests/structured_logging_test.go
@@ -1818,7 +1818,7 @@ func TestFlakyAccessLogs(t *testing.T) {
 					"service_name":             "service-name",                                                     // From request header
 					"operation_persisted_hash": "dc67510fb4289672bea757e862d6b00e83db5d3cbbcfb15260601b6f29bb2b8f", // From context
 					"operation_hash":           "1163600561566987607",                                              // From context
-					"operation_sha256":         "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", // From context
+					"operation_sha256":         "dc67510fb4289672bea757e862d6b00e83db5d3cbbcfb15260601b6f29bb2b8f", // From context
 					"operation_name":           "Employees",                                                        // From context
 					"operation_type":           "query",                                                            // From context
 				}
@@ -2029,7 +2029,7 @@ func TestFlakyAccessLogs(t *testing.T) {
 			)
 		})
 
-		t.Run("validate request.operation.sha256Hash expression with persisted hash and body", func(t *testing.T) {
+		t.Run("validate request.operation.sha256Hash expression with persisted hash only", func(t *testing.T) {
 			t.Parallel()
 
 			testenv.Run(t,
@@ -2062,7 +2062,7 @@ func TestFlakyAccessLogs(t *testing.T) {
 
 					val, ok := requestContext["operation_sha256_expression"].(string)
 					require.True(t, ok)
-					require.Equal(t, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", val)
+					require.Equal(t, "dc67510fb4289672bea757e862d6b00e83db5d3cbbcfb15260601b6f29bb2b8f", val)
 				},
 			)
 		})
diff --git a/router/core/graph_server.go b/router/core/graph_server.go
@@ -668,21 +668,25 @@ func (s *graphMux) buildOperationCaches(srv *graphServer) (computeSha256 bool, e
 	}
 
 	// Currently, we only support custom attributes from the context for OTLP metrics
-	if len(srv.metricConfig.Attributes) > 0 {
+	if !computeSha256 && len(srv.metricConfig.Attributes) > 0 {
 		for _, customAttribute := range srv.metricConfig.Attributes {
 			if customAttribute.ValueFrom != nil && customAttribute.ValueFrom.ContextField == ContextFieldOperationSha256 {
 				computeSha256 = true
 				break
 			}
 		}
-	} else if srv.accessLogsConfig != nil {
+	}
+
+	if !computeSha256 && srv.accessLogsConfig != nil {
 		for _, customAttribute := range append(srv.accessLogsConfig.Attributes, srv.accessLogsConfig.SubgraphAttributes...) {
 			if customAttribute.ValueFrom != nil && customAttribute.ValueFrom.ContextField == ContextFieldOperationSha256 {
 				computeSha256 = true
 				break
 			}
 		}
-	} else if srv.persistedOperationsConfig.Safelist.Enabled || srv.persistedOperationsConfig.LogUnknown {
+	}
+
+	if srv.persistedOperationsConfig.Safelist.Enabled || srv.persistedOperationsConfig.LogUnknown {
 		// In these case, we'll want to compute the sha256 for every operation, in order to check that the operation
 		// is present in the Persisted Operation cache
 		computeSha256 = true
diff --git a/router/core/graphql_prehandler.go b/router/core/graphql_prehandler.go
@@ -543,22 +543,34 @@ func (h *PreHandler) handleOperation(req *http.Request, httpOperation *httpOpera
 
 	// Compute the operation sha256 hash as soon as possible for observability reasons
 	if h.shouldComputeOperationSha256(operationKit, requestContext) {
-		if err := operationKit.ComputeOperationSha256(); err != nil {
-			return &httpGraphqlError{
-				message:    fmt.Sprintf("error hashing operation: %s", err),
-				statusCode: http.StatusInternalServerError,
+		if operationKit.parsedOperation.Request.Query == "" && operationKit.parsedOperation.GraphQLRequestExtensions.PersistedQuery.HasHash() {
+			// No query body to hash; use the client-provided persisted hash for telemetry.
+			requestContext.operation.sha256Hash = operationKit.parsedOperation.GraphQLRequestExtensions.PersistedQuery.Sha256Hash
+			requestContext.expressionContext.Request.Operation.Sha256Hash = requestContext.operation.sha256Hash
+
+			setTelemetryAttributes(req.Context(), requestContext, expr.BucketSha256)
+
+			requestContext.telemetry.addCustomMetricStringAttr(ContextFieldOperationSha256, requestContext.operation.sha256Hash)
+		} else {
+			if err := operationKit.ComputeOperationSha256(); err != nil {
+				return &httpGraphqlError{
+					message:    fmt.Sprintf("error hashing operation: %s", err),
+					statusCode: http.StatusInternalServerError,
+				}
 			}
-		}
-		requestContext.operation.sha256Hash = operationKit.parsedOperation.Sha256Hash
-		requestContext.expressionContext.Request.Operation.Sha256Hash = operationKit.parsedOperation.Sha256Hash
+			requestContext.operation.sha256Hash = operationKit.parsedOperation.Sha256Hash
+			requestContext.expressionContext.Request.Operation.Sha256Hash = operationKit.parsedOperation.Sha256Hash
 
-		setTelemetryAttributes(req.Context(), requestContext, expr.BucketSha256)
+			setTelemetryAttributes(req.Context(), requestContext, expr.BucketSha256)
 
-		requestContext.telemetry.addCustomMetricStringAttr(ContextFieldOperationSha256, requestContext.operation.sha256Hash)
-		if h.operationBlocker.safelistEnabled || h.operationBlocker.logUnknownOperationsEnabled {
-			// Set the request hash to the parsed hash, to see if it matches a persisted operation
-			operationKit.parsedOperation.GraphQLRequestExtensions.PersistedQuery = &GraphQLRequestExtensionsPersistedQuery{
-				Sha256Hash: operationKit.parsedOperation.Sha256Hash,
+			requestContext.telemetry.addCustomMetricStringAttr(ContextFieldOperationSha256, requestContext.operation.sha256Hash)
+			if h.operationBlocker.safelistEnabled || h.operationBlocker.logUnknownOperationsEnabled {
+				if !operationKit.parsedOperation.GraphQLRequestExtensions.PersistedQuery.HasHash() {
+					// Set the request hash to the parsed hash, to see if it matches a persisted operation
+					operationKit.parsedOperation.GraphQLRequestExtensions.PersistedQuery = &GraphQLRequestExtensionsPersistedQuery{
+						Sha256Hash: operationKit.parsedOperation.Sha256Hash,
+					}
+				}
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -668,21 +668,25 @@ func (s graphMux) buildOperationCaches(srv graphServer) (computeSha256 bool, e`
`668`	`668`	`}`
`669`	`669`
`670`	`670`	`// Currently, we only support custom attributes from the context for OTLP metrics`
`671`		`- if len(srv.metricConfig.Attributes) > 0 {`
	`671`	`+ if !computeSha256 && len(srv.metricConfig.Attributes) > 0 {`
`672`	`672`	`for _, customAttribute := range srv.metricConfig.Attributes {`
`673`	`673`	`if customAttribute.ValueFrom != nil && customAttribute.ValueFrom.ContextField == ContextFieldOperationSha256 {`
`674`	`674`	`computeSha256 = true`
`675`	`675`	`break`
`676`	`676`	`}`
`677`	`677`	`}`
`678`		`- } else if srv.accessLogsConfig != nil {`
	`678`	`+ }`
	`679`	`+`
	`680`	`+ if !computeSha256 && srv.accessLogsConfig != nil {`
`679`	`681`	`for _, customAttribute := range append(srv.accessLogsConfig.Attributes, srv.accessLogsConfig.SubgraphAttributes...) {`
`680`	`682`	`if customAttribute.ValueFrom != nil && customAttribute.ValueFrom.ContextField == ContextFieldOperationSha256 {`
`681`	`683`	`computeSha256 = true`
`682`	`684`	`break`
`683`	`685`	`}`
`684`	`686`	`}`
`685`		`- } else if srv.persistedOperationsConfig.Safelist.Enabled \|\| srv.persistedOperationsConfig.LogUnknown {`
	`687`	`+ }`
	`688`	`+`
	`689`	`+ if srv.persistedOperationsConfig.Safelist.Enabled \|\| srv.persistedOperationsConfig.LogUnknown {`
`686`	`690`	`// In these case, we'll want to compute the sha256 for every operation, in order to check that the operation`
`687`	`691`	`// is present in the Persisted Operation cache`
`688`	`692`	`computeSha256 = true`