Add appropriate labels to the container

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Dockerfile

@@ -6,3 +6,9 @@ ARG TARGETOS
 COPY --chmod=777 --chown=nonroot:nonroot static/app /go/src/app
 ADD dist/bot-$TARGETOS-$TARGETARCH /go/src/app/graphql-proxy
 ENTRYPOINT ["/go/src/app/graphql-proxy"]
+
+LABEL org.opencontainers.image.maintainer="lukasz@raczylo.com" \
+      org.opencontainers.image.authors="lukasz@raczylo.com" \
+      org.opencontainers.image.title="graphql-monitoring-proxy" \
+      org.opencontainers.image.description="GraphQL monitoring proxy" \
+      org.opencontainers.image.url="https://github.com/lukaszraczylo/graphql-monitoring-proxy"

Makefile

@@ -13,7 +13,7 @@ help:  ## display this help
 
 .PHONY: run
 run: build ## run application
-	@LOG_LEVEL=debug PURGE_METRICS_ON_CRAWL=true BLOCK_SCHEMA_INTROSPECTION=false CACHE_TTL=10 JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/ HEALTHCHECK_GRAPHQL_URL=https://hasura8.lan/v1/graphql ./graphql-proxy
+	@LOG_LEVEL=debug PURGE_METRICS_ON_CRAWL=true BLOCK_SCHEMA_INTROSPECTION=true CACHE_TTL=10 JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/ HEALTHCHECK_GRAPHQL_URL=https://hasura8.lan/v1/graphql PORT_GRAPHQL=8111 ./graphql-proxy
 
 .PHONY: build
 build: ## build the binary

README.md

@@ -14,6 +14,7 @@ This project is in active use by [telegram-bot.app](https://telegram-bot.app), a
   - [Endpoints](#endpoints)
   - [Features](#features)
   - [Configuration](#configuration)
+  - [Tracing](#tracing)
   - [Speed](#speed)
     - [Caching](#caching)
     - [Read-only endpoint](#read-only-endpoint)
@@ -40,6 +41,8 @@ I wanted to monitor the queries and responses of our graphql endpoint. Still, we
 
 You should always try to stick to the latest and greatest version of the graphql-proxy to ensure that it's as much bug-free as possible. Following list will be kept to the maximum of five "most important" bugs and enhancements included in the latest versions.
 
+* **06/12/2024 - 0.25.12** - Fixes the bug where deeply nested introspection queries were blocked despite of being present on the whitelist. GraphQL proxy will now inspect the queries in depth to find any possible nested introspections.
+
 * **20/08/2024 - 0.23.21+** - Fixes the bug when timeouts were not respected on proxy-graphql line. Affected versions before that were timeouting after 30 seconds which was set as default ( thanks to Jurica Železnjak for reporting ). It also provides a temporary fix for running within kubernetes deployment, when graphql server ( for example - hasura ) took more time to start than the proxy, causing avalanche of errors with "can't proxy the request".
 
 * **19/08/2024 - 0.21.82+** - Fixed the issue when proxy failed to start if global cache was disabled, therefore not initialized and proxy tried to perform the cache operations during normal query operations.
@@ -105,6 +108,7 @@ In this case, both proxy and websockets will be available under the `/v1/graphql
 | monitor    | Extracting user id from JWT token and adding it as a label to metrics |
 | monitor    | Extracting the query name and type and adding it as a label to metrics|
 | monitor    | Calculating the query duration and adding it to the metrics           |
+| monitor    | OpenTelemetry tracing support with configurable endpoint              |
 | speed      | Caching the queries, together with per-query cache and TTL            |
 | speed      | Support for READ ONLY graphql endpoint                                |
 | security   | Blocking schema introspection                                         |
@@ -153,6 +157,26 @@ You can still use the non-prefixed environment variables in the spirit of the ba
 | `HASURA_EVENT_CLEANER`   | Enable the hasura event cleaner          | `false`                    |
 | `HASURA_EVENT_CLEANER_OLDER_THAN` | The interval for the hasura event cleaner (in days) | `1`                  |
 | `HASURA_EVENT_METADATA_DB` | URL to the hasura metadata database    | `postgresql://localhost:5432/hasura` |
+| `ENABLE_TRACE`            | Enable OpenTelemetry tracing           | `false`                    |
+| `TRACE_ENDPOINT`          | OpenTelemetry collector endpoint       | `localhost:4317`           |
+
+### Tracing
+
+The proxy supports OpenTelemetry tracing to help monitor and debug requests. When enabled, it will create spans for each proxied request and send them to the configured OpenTelemetry collector.
+
+To use tracing:
+
+1. Enable tracing by setting `ENABLE_TRACE=true`
+2. Configure the OpenTelemetry collector endpoint using `TRACE_ENDPOINT` (defaults to `localhost:4317`)
+3. Include trace context in your requests using the `X-Trace-Span` header with the following format:
+
+```json
+{
+  "traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"
+}
+```
+
+The proxy will extract the trace context from the header and create child spans for each request, allowing you to trace requests through your system.
 
 ### Speed
 
@@ -327,3 +351,5 @@ graphql_proxy_cache_hit{microservice="graphql_proxy",pod="hasura-w-proxy-interna
 graphql_proxy_cache_hit{pod="hasura-w-proxy-internal-6b5f4b4bbb-9xwfc",microservice="graphql_proxy"} 1
 graphql_proxy_cache_miss{microservice="graphql_proxy",pod="hasura-w-proxy-internal-6b5f4b4bbb-9xwfc"} 23
 ```
+
+.

events.go

@@ -71,13 +71,14 @@ func enableHasuraEventCleaner() {
 
 func cleanEvents(pool *pgxpool.Pool) {
 	ctx := context.Background()
+	var errors []error
+	var failedQueries []string
+
 	for _, query := range delQueries {
 		_, err := pool.Exec(ctx, fmt.Sprintf(query, cfg.HasuraEventCleaner.ClearOlderThan))
 		if err != nil {
-			cfg.Logger.Error(&libpack_logger.LogMessage{
-				Message: "Failed to execute query",
-				Pairs:   map[string]interface{}{"query": query, "error": err.Error()},
-			})
+			errors = append(errors, err)
+			failedQueries = append(failedQueries, query)
 		} else {
 			cfg.Logger.Debug(&libpack_logger.LogMessage{
 				Message: "Successfully executed query",
@@ -85,4 +86,18 @@ func cleanEvents(pool *pgxpool.Pool) {
 			})
 		}
 	}
+
+	if len(errors) > 0 {
+		var errMsgs []string
+		for _, err := range errors {
+			errMsgs = append(errMsgs, err.Error())
+		}
+		cfg.Logger.Error(&libpack_logger.LogMessage{
+			Message: "Failed to execute some queries",
+			Pairs: map[string]interface{}{
+				"failed_queries": failedQueries,
+				"errors":         errMsgs,
+			},
+		})
+	}
 }

go.mod

@@ -1,55 +1,71 @@
 module github.com/lukaszraczylo/graphql-monitoring-proxy
 
-go 1.22.4
+go 1.22.7
+
+toolchain go1.23.4
 
 require (
-	github.com/VictoriaMetrics/metrics v1.35.1
+	github.com/VictoriaMetrics/metrics v1.35.2
 	github.com/alicebob/miniredis/v2 v2.33.0
 	github.com/avast/retry-go/v4 v4.6.0
-	github.com/goccy/go-json v0.10.3
-	github.com/gofiber/fiber/v2 v2.52.5
+	github.com/goccy/go-json v0.10.5
+	github.com/gofiber/fiber/v2 v2.52.6
 	github.com/gofrs/flock v0.12.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/goutil v0.6.17
+	github.com/gookit/goutil v0.6.18
 	github.com/graphql-go/graphql v0.8.1
-	github.com/jackc/pgx/v5 v5.7.1
+	github.com/jackc/pgx/v5 v5.7.2
 	github.com/lukaszraczylo/ask v0.0.0-20240916204100-6e9ef53a62d9
 	github.com/lukaszraczylo/go-ratecounter v0.1.12
-	github.com/lukaszraczylo/go-simple-graphql v1.2.29
+	github.com/lukaszraczylo/go-simple-graphql v1.2.41
 	github.com/redis/go-redis/v9 v9.7.0
-	github.com/stretchr/testify v1.9.0
-	github.com/valyala/fasthttp v1.57.0
+	github.com/stretchr/testify v1.10.0
+	github.com/valyala/fasthttp v1.58.0
+	go.opentelemetry.io/otel v1.34.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0
+	go.opentelemetry.io/otel/sdk v1.34.0
+	go.opentelemetry.io/otel/trace v1.34.0
+	google.golang.org/grpc v1.70.0
 )
 
 require (
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/andybalholm/brotli v1.1.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gookit/color v1.5.4 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fastrand v1.1.0 // indirect
 	github.com/valyala/histogram v1.2.0 // indirect
 	github.com/valyala/tcplisten v1.0.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
-	golang.org/x/crypto v0.29.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
-	golang.org/x/term v0.26.0 // indirect
-	golang.org/x/text v0.20.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250204164813-702378808489 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250204164813-702378808489 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/VictoriaMetrics/metrics v1.35.1 h1:o84wtBKQbzLdDy14XeskkCZih6anG+veZ1SwJHFGwrU=
-github.com/VictoriaMetrics/metrics v1.35.1/go.mod h1:r7hveu6xMdUACXvB8TYdAj8WEsKzWB0EkpJN+RDtOf8=
+github.com/VictoriaMetrics/metrics v1.35.2 h1:Bj6L6ExfnakZKYPpi7mGUnkJP4NGQz2v5wiChhXNyWQ=
+github.com/VictoriaMetrics/metrics v1.35.2/go.mod h1:r7hveu6xMdUACXvB8TYdAj8WEsKzWB0EkpJN+RDtOf8=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a h1:HbKu58rmZpUGpz5+4FfNmIU+FmZg2P3Xaj2v2bfNWmk=
 github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
 github.com/alicebob/miniredis/v2 v2.33.0 h1:uvTF0EDeu9RLnUEG27Db5I68ESoIxTiXbNUiji6lZrA=
@@ -12,36 +12,48 @@ github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-reflect v1.2.0 h1:O0T8rZCuNmGXewnATuKYnkL0xm6o8UNOJZd/gOkb9ms=
 github.com/goccy/go-reflect v1.2.0/go.mod h1:n0oYZn8VcV2CkWTxi8B9QjkCoq6GTtCEdfmR66YhFtE=
-github.com/gofiber/fiber/v2 v2.52.5 h1:tWoP1MJQjGEe4GB5TUGOi7P2E0ZMMRx5ZTG4rT+yGMo=
-github.com/gofiber/fiber/v2 v2.52.5/go.mod h1:KEOE+cXMhXG0zHc9d8+E38hoX+ZN7bhOtgeF2oT6jrQ=
+github.com/gofiber/fiber/v2 v2.52.6 h1:Rfp+ILPiYSvvVuIPvxrBns+HJp8qGLDnLJawAu27XVI=
+github.com/gofiber/fiber/v2 v2.52.6/go.mod h1:YEcBbO/FB+5M1IZNBP9FO3J9281zgPAreiI1oqg8nDw=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
-github.com/gookit/goutil v0.6.17 h1:SxmbDz2sn2V+O+xJjJhJT/sq1/kQh6rCJ7vLBiRPZjI=
-github.com/gookit/goutil v0.6.17/go.mod h1:rSw1LchE1I3TDWITZvefoAC9tS09SFu3lHXLCV7EaEY=
+github.com/gookit/goutil v0.6.18 h1:MUVj0G16flubWT8zYVicIuisUiHdgirPAkmnfD2kKgw=
+github.com/gookit/goutil v0.6.18/go.mod h1:AY/5sAwKe7Xck+mEbuxj0n/bc3qwrGNe3Oeulln7zBA=
 github.com/graphql-go/graphql v0.8.1 h1:p7/Ou/WpmulocJeEx7wjQy611rtXGQaAcXGqanuMMgc=
 github.com/graphql-go/graphql v0.8.1/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.0 h1:VD1gqscl4nYs1YxVuSdemTrSgTKrwOWDK0FVFMqm+Cg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.0/go.mod h1:4EgsQoS4TOhJizV+JTFg40qx1Ofh3XmXEQNBpgvNT40=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.1 h1:x7SYsPBYDkHDksogeSmZZ5xzThcTgRz++I5E+ePFUcs=
-github.com/jackc/pgx/v5 v5.7.1/go.mod h1:e7O26IywZZ+naJtWWos6i6fvWK+29etgITqrqHLfoZA=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
@@ -54,11 +66,10 @@ github.com/lukaszraczylo/ask v0.0.0-20240916204100-6e9ef53a62d9 h1:pL8B9mjv6RPUf
 github.com/lukaszraczylo/ask v0.0.0-20240916204100-6e9ef53a62d9/go.mod h1:M+UVdyqZs++xtEPrascaVmZdOMhCnxjZ2SgH+xHpR0c=
 github.com/lukaszraczylo/go-ratecounter v0.1.12 h1:VO6hHYGw/Jy9JUizXf/bS0AI2QX1ueWWAWckMFVJ/w4=
 github.com/lukaszraczylo/go-ratecounter v0.1.12/go.mod h1:TqXEOCtFJStk1i0tkipprv1kiDHGon1MVUisjSTBSKM=
-github.com/lukaszraczylo/go-simple-graphql v1.2.29 h1:Fo/3SN4vrST1pyX1UJ5Nd+pQCkurZNJSck4pyx5B/Fk=
-github.com/lukaszraczylo/go-simple-graphql v1.2.29/go.mod h1:kCvRu01tLxj0iKash5qwL7Em+SltQmZ82bs0yu2aOrk=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/lukaszraczylo/go-simple-graphql v1.2.41 h1:RNFEjntCsjvKA5VADdio3zid3nH0+rO9qdKJvXmRpfQ=
+github.com/lukaszraczylo/go-simple-graphql v1.2.41/go.mod h1:i0R9B7tR025qduN4/t6ujolMBdWyiMlAppqczrnPfLc=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
@@ -70,17 +81,17 @@ github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93Ge
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.57.0 h1:Xw8SjWGEP/+wAAgyy5XTvgrWlOD1+TxbbvNADYCm1Tg=
-github.com/valyala/fasthttp v1.57.0/go.mod h1:h6ZBaPRlzpZ6O3H5t2gEk1Qi33+TmLvfwgLLp0t9CpE=
+github.com/valyala/fasthttp v1.58.0 h1:GGB2dWxSbEprU9j0iMJHgdKYJVDyjrOwF9RE59PbRuE=
+github.com/valyala/fasthttp v1.58.0/go.mod h1:SYXvHHaFp7QZHGKSHmoMipInhrI5StHrhDTYVEjK/Kw=
 github.com/valyala/fastrand v1.1.0 h1:f+5HkLW4rsgzdNoleUOB69hyT9IlD2ZQh9GyDMfb5G8=
 github.com/valyala/fastrand v1.1.0/go.mod h1:HWqCzkrkg6QXT8V2EXWvXCoow7vLwOFN002oeRzjapQ=
 github.com/valyala/histogram v1.2.0 h1:wyYGAZZt3CpwUiIb9AU/Zbllg1llXyrtApRS815OLoQ=
@@ -93,22 +104,49 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
 github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
+go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU=
-golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+google.golang.org/genproto/googleapis/api v0.0.0-20250204164813-702378808489 h1:fCuMM4fowGzigT89NCIsW57Pk9k2D12MMi2ODn+Nk+o=
+google.golang.org/genproto/googleapis/api v0.0.0-20250204164813-702378808489/go.mod h1:iYONQfRdizDB8JJBybql13nArx91jcUk7zCXEsOofM4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250204164813-702378808489 h1:5bKytslY8ViY0Cj/ewmRtrWHW64bNF03cAatUUFCdFI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250204164813-702378808489/go.mod h1:8BS3B93F/U1juMFq9+EDk+qOT5CO1R9IzXxG3PTqiRk=
+google.golang.org/grpc v1.70.0 h1:pWFv03aZoHzlRKHWicjsZytKAiYCtNS0dHbXnIdq7jQ=
+google.golang.org/grpc v1.70.0/go.mod h1:ofIJqVKDXx/JiXrwr2IG4/zwdH9txy3IlF40RmcJSQw=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

graphql.go

@@ -27,10 +27,16 @@ var (
 )
 
 func prepareQueriesAndExemptions() {
+	introspectionAllowedQueries = make(map[string]struct{})
+	allowedUrls = make(map[string]struct{})
+
+	// Process allowed introspection queries
 	for _, q := range cfg.Security.IntrospectionAllowed {
-		introspectionAllowedQueries[strings.ToLower(q)] = struct{}{}
+		cleanQuery := strings.Trim(strings.TrimSpace(q), `"`)
+		introspectionAllowedQueries[strings.ToLower(cleanQuery)] = struct{}{}
 	}
 
+	// Process allowed URLs
 	for _, u := range cfg.Server.AllowURLs {
 		allowedUrls[u] = struct{}{}
 	}
@@ -80,10 +86,6 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 		if ifNotInTest() {
 			cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
 		}
-		if res.shouldBlock {
-			resultPool.Put(res)
-			return res
-		}
 		return res
 	}
 
@@ -96,7 +98,6 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 		if ifNotInTest() {
 			cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
 		}
-		resultPool.Put(res)
 		return res
 	}
 
@@ -109,7 +110,6 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 		if ifNotInTest() {
 			cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
 		}
-		resultPool.Put(res)
 		return res
 	}
 
@@ -126,21 +126,11 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 			}
 
 			if cfg.Server.HostGraphQLReadOnly != "" {
-				if res.operationType == "" {
-					res.activeEndpoint = cfg.Server.HostGraphQLReadOnly
-				} else if res.operationType != "mutation" {
+				if res.operationType == "" || res.operationType != "mutation" {
 					res.activeEndpoint = cfg.Server.HostGraphQLReadOnly
 				}
 			}
 
-			cfg.Logger.Debug(&libpack_logger.LogMessage{
-				Message: "Endpoint selection",
-				Pairs: map[string]interface{}{
-					"operationType":    res.operationType,
-					"selectedEndpoint": res.activeEndpoint,
-				},
-			})
-
 			if res.operationType == "mutation" && cfg.Server.ReadOnlyMode {
 				cfg.Logger.Warning(&libpack_logger.LogMessage{
 					Message: "Mutation blocked - server in read-only mode",
@@ -174,8 +164,9 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 			}
 
 			if cfg.Security.BlockIntrospection {
-				res.shouldBlock = checkSelections(c, oper.GetSelectionSet().Selections)
-				if res.shouldBlock {
+				if checkSelections(c, oper.GetSelectionSet().Selections) {
+					_ = c.Status(403).SendString("Introspection queries are not allowed")
+					res.shouldBlock = true
 					resultPool.Put(res)
 					return res
 				}
@@ -186,43 +177,70 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 }
 
 func checkSelections(c *fiber.Ctx, selections []ast.Selection) bool {
-	stack := make([]ast.Selection, len(selections))
-	copy(stack, selections)
-
-	for len(stack) > 0 {
-		var s ast.Selection
-		s, stack = stack[len(stack)-1], stack[:len(stack)-1]
-
-		if field, ok := s.(*ast.Field); ok {
-			if checkIfContainsIntrospection(c, field.Name.Value) {
-				return true
+	for _, s := range selections {
+		switch sel := s.(type) {
+		case *ast.Field:
+			fieldName := strings.ToLower(sel.Name.Value)
+			if _, exists := introspectionQueries[fieldName]; exists {
+				if len(cfg.Security.IntrospectionAllowed) > 0 {
+					_, allowed := introspectionAllowedQueries[fieldName]
+					if !allowed {
+						return true // Block if this field isn't allowed
+					}
+					// Even if this field is allowed, we need to check its nested selections
+				} else {
+					return true // Block if no allowlist exists
+				}
 			}
-			if field.SelectionSet != nil {
-				stack = append(stack, field.GetSelectionSet().Selections...)
+			// Always check nested selections
+			if sel.SelectionSet != nil {
+				if checkSelections(c, sel.GetSelectionSet().Selections) {
+					return true
+				}
+			}
+		case *ast.InlineFragment:
+			if sel.SelectionSet != nil {
+				if checkSelections(c, sel.GetSelectionSet().Selections) {
+					return true
+				}
 			}
 		}
 	}
 	return false
 }
 
-func checkIfContainsIntrospection(c *fiber.Ctx, whatever string) bool {
-	whateverLower := strings.ToLower(whatever)
-
-	if _, exists := introspectionQueries[whateverLower]; exists {
-		if len(cfg.Security.IntrospectionAllowed) > 0 {
-			if _, allowed := introspectionAllowedQueries[whateverLower]; allowed {
-				cfg.Logger.Debug(&libpack_logger.LogMessage{
-					Message: "Introspection query allowed, passing through",
-					Pairs:   map[string]interface{}{"query": whatever},
-				})
-				return false
+func checkIfContainsIntrospection(c *fiber.Ctx, query string) bool {
+	blocked := false
+	// Try parsing as a complete query first
+	p, err := parser.Parse(parser.ParseParams{Source: query})
+	if err == nil {
+		// It's a complete query, check all selections
+		for _, def := range p.Definitions {
+			if op, ok := def.(*ast.OperationDefinition); ok {
+				if op.SelectionSet != nil {
+					blocked = checkSelections(c, op.GetSelectionSet().Selections)
+				}
 			}
 		}
+	} else {
+		// Not a complete query, check as a field name
+		whateverLower := strings.ToLower(query)
+		if _, exists := introspectionQueries[whateverLower]; exists {
+			if len(cfg.Security.IntrospectionAllowed) > 0 {
+				if _, allowed := introspectionAllowedQueries[whateverLower]; !allowed {
+					blocked = true
+				}
+			} else {
+				blocked = true
+			}
+		}
+	}
+
+	if blocked {
 		if ifNotInTest() {
 			cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
 		}
 		_ = c.Status(403).SendString("Introspection queries are not allowed")
-		return true
 	}
-	return false
+	return blocked
 }

graphql_test.go

@@ -3,8 +3,12 @@ package main
 import (
 	"fmt"
 	"strings"
+	"testing"
 
+	"github.com/goccy/go-json"
 	fiber "github.com/gofiber/fiber/v2"
+	"github.com/graphql-go/graphql/language/ast"
+	"github.com/graphql-go/graphql/language/parser"
 	"github.com/valyala/fasthttp"
 )
 
@@ -278,23 +282,15 @@ func (suite *Tests) Test_parseGraphQLQuery() {
 		suite.Run(tt.name, func() {
 			cfg = &config{}
 			parseConfig()
-			ctx_headers := func() *fasthttp.RequestHeader {
-				h := fasthttp.RequestHeader{}
-				for k, v := range tt.suppliedQuery.headers {
-					h.Add(k, v)
-				}
-				return &h
-			}()
-
-			ctx_request := fasthttp.Request{
-				Header: *ctx_headers,
+			ctx := suite.app.AcquireCtx(&fasthttp.RequestCtx{})
+			
+			// Set headers
+			for k, v := range tt.suppliedQuery.headers {
+				ctx.Request().Header.Add(k, v)
 			}
 
-			ctx_request.AppendBody([]byte(tt.suppliedQuery.body))
-
-			ctx := suite.app.AcquireCtx(&fasthttp.RequestCtx{
-				Request: ctx_request,
-			})
+			// Set body
+			ctx.Request().AppendBody([]byte(tt.suppliedQuery.body))
 
 			// defer func() {
 			// 	cfg = &config{}
@@ -408,6 +404,8 @@ func (suite *Tests) Test_checkIfContainsIntrospection() {
 		{"allowed introspection", "__schema", []string{"__schema"}, false},
 		{"disallowed introspection", "__type", []string{"__schema"}, true},
 		{"non-introspection query", "normalQuery", []string{}, false},
+		{"allowed introspection with deep nesting of __typename", "{__schema {queryType {fields {name description __typename}}}}", []string{"__schema", "__typename"}, false},
+		{"disallowed introspection with deep nesting of __typename", "{__type {queryType {fields {name description __typename}}}}", []string{"__type"}, true},
 	}
 
 	for _, tt := range tests {
@@ -430,3 +428,176 @@ func createTestContext(body string) *fiber.Ctx {
 	ctx.Request().SetBody([]byte(body))
 	return ctx
 }
+
+func (suite *Tests) Test_DeepIntrospectionQueries() {
+	tests := []struct {
+		name     string
+		query    string
+		allowed  []string
+		expected bool
+	}{
+		{
+			name:     "deeply nested single introspection",
+			query:    "query { users { profiles { settings { preferences { __typename } } } } }",
+			allowed:  []string{},
+			expected: true,
+		},
+		{
+			name:     "multiple nested introspections",
+			query:    "query { users { __typename profiles { __schema settings { __type } } } }",
+			allowed:  []string{},
+			expected: true,
+		},
+		{
+			name:     "nested with selective allowlist",
+			query:    "query { users { __typename profiles { __schema settings { __type } } } }",
+			allowed:  []string{"__typename"},
+			expected: true,
+		},
+		{
+			name:     "deeply nested with full allowlist",
+			query:    "query { users { __typename profiles { __schema settings { __type } } } }",
+			allowed:  []string{"__typename", "__schema", "__type"},
+			expected: false,
+		},
+		{
+			name:     "deeply nested with repeated item from allowlist",
+			query:    "query PreloadStaticData {\n  scenario {\n    id\n    name\n    __typename\n  }\n  impact {\n    id\n    description\n    __typename\n  }\n  likelihood {\n    id\n    description\n    __typename\n  }\n  consequence {\n    name\n    __typename\n  }\n  risk_categories {\n    name\n    abbreviation\n    __typename\n  }\n  mitigation {\n    name\n    __typename\n  }\n}",
+			allowed:  []string{"__type", "__typename"},
+			expected: false,
+		},
+		{
+			name:     "deeply nested with repeated item denied",
+			query:    "query PreloadStaticData {\n  scenario {\n    id\n    name\n    __typename\n  }\n  impact {\n    id\n    description\n    __typename\n  }\n  likelihood {\n    id\n    description\n    __typename\n  }\n  consequence {\n    name\n    __typename\n  }\n  risk_categories {\n    name\n    abbreviation\n    __typename\n  }\n  mitigation {\n    name\n    __typename\n  }\n}",
+			allowed:  []string{},
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		suite.Run(tt.name, func() {
+			cfg.Security.BlockIntrospection = true
+			cfg.Security.IntrospectionAllowed = tt.allowed
+			introspectionAllowedQueries = make(map[string]struct{})
+			for _, q := range tt.allowed {
+				introspectionAllowedQueries[strings.ToLower(q)] = struct{}{}
+			}
+			body := map[string]interface{}{
+				"query": tt.query,
+			}
+			bodyBytes, _ := json.Marshal(body)
+			ctx := fiber.New().AcquireCtx(&fasthttp.RequestCtx{})
+			ctx.Request().SetBody(bodyBytes)
+			parseGraphQLQuery(ctx)
+			if tt.expected {
+				suite.Equal(403, ctx.Response().StatusCode())
+			} else {
+				suite.Equal(200, ctx.Response().StatusCode())
+			}
+		})
+	}
+}
+
+func TestIntrospectionQueryHandling(t *testing.T) {
+	tests := []struct {
+		name               string
+		blockIntrospection bool
+		allowedQueries     []string
+		query              string
+		wantBlocked        bool
+	}{
+		{
+			name:               "allows __typename when in allowed list",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__typename"},
+			query: `{
+							users {
+									id
+									name
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name:               "case insensitive matching for allowed queries",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__TYPENAME"},
+			query: `{
+							users {
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name:               "blocks other introspection queries",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__typename"},
+			query: `{
+							__schema {
+									types {
+											name
+									}
+							}
+					}`,
+			wantBlocked: true,
+		},
+		{
+			name:               "allows multiple __typename occurrences",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__typename"},
+			query: `{
+							users {
+									__typename
+									posts {
+											__typename
+									}
+							}
+					}`,
+			wantBlocked: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Setup config
+			cfg = &config{
+				Security: struct {
+					IntrospectionAllowed []string
+					BlockIntrospection   bool
+				}{
+					IntrospectionAllowed: tt.allowedQueries,
+					BlockIntrospection:   tt.blockIntrospection,
+				},
+			}
+
+			// Initialize allowed queries
+			prepareQueriesAndExemptions()
+
+			// Parse query
+			p, err := parser.Parse(parser.ParseParams{Source: tt.query})
+			if err != nil {
+				t.Fatalf("failed to parse query: %v", err)
+			}
+
+			// Create mock fiber context
+			app := fiber.New()
+			ctx := app.AcquireCtx(&fasthttp.RequestCtx{})
+			defer app.ReleaseCtx(ctx)
+
+			// Check selections
+			var blocked bool
+			for _, def := range p.Definitions {
+				if op, ok := def.(*ast.OperationDefinition); ok {
+					blocked = checkSelections(ctx, op.GetSelectionSet().Selections)
+					break
+				}
+			}
+
+			if blocked != tt.wantBlocked {
+				t.Errorf("checkSelections() blocked = %v, want %v", blocked, tt.wantBlocked)
+			}
+		})
+	}
+}

logging/logger_bench_test.go

@@ -55,9 +55,9 @@ func Benchmark_NewLogger(b *testing.B) {
 	for _, tt := range tests {
 		b.Run(tt.name, func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
-				got := New()
+				logger := New()
 				if tt.triggers.ModLevel.Level != 0 {
-					got = got.SetMinLogLevel(tt.triggers.ModLevel.Level)
+					logger.SetMinLogLevel(tt.triggers.ModLevel.Level)
 				}
 			}
 		})

logging/logger_test.go

@@ -3,7 +3,6 @@ package libpack_logger
 import (
 	"bytes"
 	"fmt"
-	"os"
 	"reflect"
 	"testing"
 	"time"
@@ -11,30 +10,6 @@ import (
 	"github.com/goccy/go-json"
 )
 
-func captureStderr(f func()) string {
-	originalStderr := os.Stderr
-	r, w, _ := os.Pipe()
-	os.Stderr = w
-	f()
-	w.Close()
-	var buf bytes.Buffer
-	buf.ReadFrom(r)
-	os.Stderr = originalStderr
-	return buf.String()
-}
-
-func captureStdOut(f func()) string {
-	originalStdout := os.Stdout
-	r, w, _ := os.Pipe()
-	os.Stdout = w
-	f()
-	w.Close()
-	var buf bytes.Buffer
-	buf.ReadFrom(r)
-	os.Stdout = originalStdout
-	return buf.String()
-}
-
 func (suite *LoggerTestSuite) Test_LogMessageString() {
 	msg := &LogMessage{
 		Message: "test message",

main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"os"
 	"strings"
@@ -13,11 +14,13 @@ import (
 	libpack_cache "github.com/lukaszraczylo/graphql-monitoring-proxy/cache"
 	libpack_config "github.com/lukaszraczylo/graphql-monitoring-proxy/config"
 	libpack_logging "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
+	libpack_tracing "github.com/lukaszraczylo/graphql-monitoring-proxy/tracing"
 )
 
 var (
-	cfg  *config
-	once sync.Once
+	cfg    *config
+	once   sync.Once
+	tracer *libpack_tracing.TracingSetup
 )
 
 // getDetailsFromEnv retrieves the value from the environment or returns the default.
@@ -102,8 +105,38 @@ func parseConfig() {
 	c.HasuraEventCleaner.Enable = getDetailsFromEnv("HASURA_EVENT_CLEANER", false)
 	c.HasuraEventCleaner.ClearOlderThan = getDetailsFromEnv("HASURA_EVENT_CLEANER_OLDER_THAN", 1)
 	c.HasuraEventCleaner.EventMetadataDb = getDetailsFromEnv("HASURA_EVENT_METADATA_DB", "")
+	// Tracing configuration
+	c.Tracing.Enable = getDetailsFromEnv("ENABLE_TRACE", false)
+	c.Tracing.Endpoint = getDetailsFromEnv("TRACE_ENDPOINT", "localhost:4317")
 	cfg = &c
 
+	// Initialize tracing if enabled
+	if cfg.Tracing.Enable {
+		if cfg.Tracing.Endpoint == "" {
+			cfg.Logger.Warning(&libpack_logging.LogMessage{
+				Message: "Tracing endpoint not configured, using default localhost:4317",
+			})
+			cfg.Tracing.Endpoint = "localhost:4317"
+		}
+
+		var err error
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+
+		tracer, err = libpack_tracing.NewTracing(ctx, cfg.Tracing.Endpoint)
+		if err != nil {
+			cfg.Logger.Error(&libpack_logging.LogMessage{
+				Message: "Failed to initialize tracing",
+				Pairs:   map[string]interface{}{"error": err.Error()},
+			})
+		} else {
+			cfg.Logger.Info(&libpack_logging.LogMessage{
+				Message: "Tracing initialized",
+				Pairs:   map[string]interface{}{"endpoint": cfg.Tracing.Endpoint},
+			})
+		}
+	}
+
 	// Initialize cache if enabled
 	if cfg.Cache.CacheEnable || cfg.Cache.CacheRedisEnable {
 		cacheConfig := &libpack_cache.CacheConfig{
@@ -125,7 +158,7 @@ func parseConfig() {
 		go enableApi()
 		go enableHasuraEventCleaner()
 	})
-	prepareQueriesAndExemptions() // Ensure this function is defined elsewhere
+	prepareQueriesAndExemptions()
 }
 
 func main() {
@@ -133,6 +166,16 @@ func main() {
 	StartMonitoringServer()
 	time.Sleep(5 * time.Second)
 	StartHTTPProxy()
+
+	// Cleanup tracing on exit
+	if tracer != nil {
+		if err := tracer.Shutdown(context.Background()); err != nil {
+			cfg.Logger.Error(&libpack_logging.LogMessage{
+				Message: "Error shutting down tracer",
+				Pairs:   map[string]interface{}{"error": err.Error()},
+			})
+		}
+	}
 }
 
 // ifNotInTest checks if the program is not running in a test environment.

main_test.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"os"
 	"testing"
 	"time"
@@ -11,6 +12,7 @@ import (
 	libpack_logging "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
 	assertions "github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
+	"github.com/valyala/fasthttp"
 )
 
 type Tests struct {
@@ -138,3 +140,122 @@ func (suite *Tests) Test_getDetailsFromEnv() {
 		})
 	}
 }
+
+func (suite *Tests) TestIntrospectionEnvironmentConfig() {
+	// Save original env vars
+	oldEnv := make(map[string]string)
+	varsToSave := []string{
+		"BLOCK_SCHEMA_INTROSPECTION",
+		"ALLOWED_INTROSPECTION",
+		"GMP_BLOCK_SCHEMA_INTROSPECTION",
+		"GMP_ALLOWED_INTROSPECTION",
+	}
+	for _, env := range varsToSave {
+		if val, exists := os.LookupEnv(env); exists {
+			oldEnv[env] = val
+			os.Unsetenv(env)
+		}
+	}
+	defer func() {
+		// Restore original env vars
+		for k, v := range oldEnv {
+			os.Setenv(k, v)
+		}
+	}()
+
+	tests := []struct {
+		name         string
+		envVars      map[string]string
+		query        string
+		wantBlocked  bool
+		wantEndpoint string
+	}{
+		{
+			name: "basic typename allowed",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":      "__typename",
+			},
+			query: `{
+							users {
+									id
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name: "GMP prefix takes precedence",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION":     "false",
+				"GMP_BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":          "__type",
+				"GMP_ALLOWED_INTROSPECTION":      "__typename",
+			},
+			query: `{
+							users {
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name: "multiple allowed queries",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":      "__typename,__schema",
+			},
+			query: `{
+							__schema {
+									types {
+											name
+											__typename
+									}
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name: "multiple allowed queries with one of them blocked",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":      "__schema",
+			},
+			query: `{
+							__schema {
+									types {
+											name
+											__typename
+									}
+							}
+					}`,
+			wantBlocked: true,
+		},
+	}
+
+	for _, tt := range tests {
+		suite.Run(tt.name, func() {
+			// Set test env vars
+			for k, v := range tt.envVars {
+				os.Setenv(k, v)
+			}
+
+			// Reset global config
+			cfg = nil
+			parseConfig()
+
+			// Create test request
+			app := fiber.New()
+			ctx := app.AcquireCtx(&fasthttp.RequestCtx{})
+			defer app.ReleaseCtx(ctx)
+			ctx.Request().Header.SetMethod("POST")
+			ctx.Request().SetBody([]byte(fmt.Sprintf(`{"query": %q}`, tt.query)))
+
+			result := parseGraphQLQuery(ctx)
+			assert.Equal(tt.wantBlocked, result.shouldBlock)
+			for k := range tt.envVars {
+				os.Unsetenv(k)
+			}
+		})
+	}
+}

monitoring/helpers.go

@@ -17,7 +17,6 @@ var sortedLabelKeysCache = struct {
 }{}
 
 func (ms *MetricsSetup) get_metrics_name(name string, labels map[string]string) string {
-	const unknownPodName = "unknown"
 	var buf bytes.Buffer
 
 	podName := getPodName()

proxy.go

@@ -3,17 +3,21 @@ package main
 import (
 	"bytes"
 	"compress/gzip"
+	"context"
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net/url"
 	"time"
 
+	"go.opentelemetry.io/otel/trace"
+
 	"github.com/avast/retry-go/v4"
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/proxy"
 	libpack_logger "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
 	libpack_monitoring "github.com/lukaszraczylo/graphql-monitoring-proxy/monitoring"
+	libpack_tracing "github.com/lukaszraczylo/graphql-monitoring-proxy/tracing"
 	"github.com/valyala/fasthttp"
 )
 
@@ -30,12 +34,35 @@ func createFasthttpClient(timeout int) *fasthttp.Client {
 		WriteTimeout:                  time.Duration(timeout) * time.Second,
 		MaxIdleConnDuration:           time.Duration(timeout) * time.Second,
 		MaxConnDuration:               time.Duration(timeout) * time.Second,
-		DisableHeaderNamesNormalizing: true,
+		DisableHeaderNamesNormalizing: false,
 	}
 }
 
 // proxyTheRequest handles the request proxying logic.
 func proxyTheRequest(c *fiber.Ctx, currentEndpoint string) error {
+	if cfg.Tracing.Enable && tracer != nil {
+		var span trace.Span
+		spanCtx := context.Background()
+		// Extract trace information from header
+		if traceHeader := c.Get("X-Trace-Span"); traceHeader != "" {
+			spanInfo, err := libpack_tracing.ParseTraceHeader(traceHeader)
+			if err != nil {
+				cfg.Logger.Warning(&libpack_logger.LogMessage{
+					Message: "Failed to parse trace header",
+					Pairs:   map[string]interface{}{"error": err.Error()},
+				})
+			} else {
+				if extractedSpanCtx, err := tracer.ExtractSpanContext(spanInfo); err == nil {
+					spanCtx = trace.ContextWithSpanContext(spanCtx, extractedSpanCtx)
+				}
+			}
+		}
+
+		// Start a new span
+		span, _ = tracer.StartSpan(spanCtx, "proxy_request")
+		defer span.End()
+	}
+
 	if !checkAllowedURLs(c) {
 		cfg.Logger.Error(&libpack_logger.LogMessage{
 			Message: "Request blocked",

proxy_test.go

@@ -87,23 +87,17 @@ func (suite *Tests) Test_proxyTheRequest() {
 				cfg.Server.HostGraphQLReadOnly = tt.hostRO
 			}
 
-			ctx_headers := func() *fasthttp.RequestHeader {
-				h := fasthttp.RequestHeader{}
-				for k, v := range tt.headers {
-					h.Add(k, v)
-				}
-				return &h
-			}()
-
-			ctx_request := fasthttp.Request{
-				Header: *ctx_headers,
+			ctx := suite.app.AcquireCtx(&fasthttp.RequestCtx{})
+			
+			// Set headers
+			for k, v := range tt.headers {
+				ctx.Request().Header.Add(k, v)
 			}
-			ctx_request.SetBody([]byte(tt.body))
-			ctx_request.SetRequestURI(tt.path)
-			ctx_request.Header.SetMethod("POST")
-			ctx := suite.app.AcquireCtx(&fasthttp.RequestCtx{
-				Request: ctx_request,
-			})
+
+			// Set body and other request properties
+			ctx.Request().SetBody([]byte(tt.body))
+			ctx.Request().SetRequestURI(tt.path)
+			ctx.Request().Header.SetMethod("POST")
 			res := parseGraphQLQuery(ctx)
 			assert.NotNil(ctx, "Fiber context is nil", tt.name)
 			err := proxyTheRequest(ctx, res.activeEndpoint)

server.go

@@ -162,7 +162,7 @@ func processGraphQLRequest(c *fiber.Ctx) error {
 		}
 	}
 
-	wasCached := false
+	wasCached := false //nolint:ineffassign
 
 	if parsedResult.cacheRefresh {
 		cfg.Logger.Debug(&libpack_logger.LogMessage{

struct_config.go

@@ -12,8 +12,12 @@ type config struct {
 	Logger     *libpack_logging.Logger
 	LogLevel   string
 	Monitoring *libpack_monitoring.MetricsSetup
-	Api        struct{ BannedUsersFile string }
-	Client     struct {
+	Tracing    struct {
+		Enable   bool
+		Endpoint string
+	}
+	Api    struct{ BannedUsersFile string }
+	Client struct {
 		GQLClient        *graphql.BaseClient
 		FastProxyClient  *fasthttp.Client
 		JWTUserClaimPath string

tracing/tracing.go

@@ -0,0 +1,105 @@
+package tracing
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
+	"go.opentelemetry.io/otel/propagation"
+	"go.opentelemetry.io/otel/sdk/resource"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
+	"go.opentelemetry.io/otel/trace"
+)
+
+type TracingSetup struct {
+	tracerProvider *sdktrace.TracerProvider
+	tracer         trace.Tracer
+}
+
+type TraceSpanInfo struct {
+	TraceParent string `json:"traceparent"`
+}
+
+// NewTracing creates a new tracing setup with OTLP exporter
+func NewTracing(ctx context.Context, endpoint string) (*TracingSetup, error) {
+	if ctx.Err() != nil {
+		return nil, fmt.Errorf("invalid context: %v", ctx.Err())
+	}
+	if endpoint == "" {
+		return nil, fmt.Errorf("endpoint cannot be empty")
+	}
+
+	exporter, err := otlptracegrpc.New(ctx,
+		otlptracegrpc.WithEndpoint(endpoint),
+		otlptracegrpc.WithInsecure(),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create trace exporter: %w", err)
+	}
+
+	res, err := resource.New(ctx,
+		resource.WithAttributes(
+			semconv.ServiceName("graphql-monitoring-proxy"),
+		),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create resource: %w", err)
+	}
+
+	tracerProvider := sdktrace.NewTracerProvider(
+		sdktrace.WithBatcher(exporter),
+		sdktrace.WithResource(res),
+	)
+	otel.SetTracerProvider(tracerProvider)
+	otel.SetTextMapPropagator(propagation.TraceContext{})
+
+	tracer := tracerProvider.Tracer("graphql-monitoring-proxy")
+
+	return &TracingSetup{
+		tracerProvider: tracerProvider,
+		tracer:         tracer,
+	}, nil
+}
+
+// ExtractSpanContext extracts span context from TraceSpanInfo
+func (ts *TracingSetup) ExtractSpanContext(spanInfo *TraceSpanInfo) (trace.SpanContext, error) {
+	carrier := propagation.MapCarrier{
+		"traceparent": spanInfo.TraceParent,
+	}
+	ctx := context.Background()
+	ctx = otel.GetTextMapPropagator().Extract(ctx, carrier)
+	spanCtx := trace.SpanContextFromContext(ctx)
+	if !spanCtx.IsValid() {
+		return trace.SpanContext{}, fmt.Errorf("invalid span context")
+	}
+	return spanCtx, nil
+}
+
+// ParseTraceHeader parses X-Trace-Span header content
+func ParseTraceHeader(headerContent string) (*TraceSpanInfo, error) {
+	var spanInfo TraceSpanInfo
+	if err := json.Unmarshal([]byte(headerContent), &spanInfo); err != nil {
+		return nil, fmt.Errorf("failed to parse trace header: %w", err)
+	}
+	return &spanInfo, nil
+}
+
+// Shutdown cleanly shuts down the tracer provider
+func (ts *TracingSetup) Shutdown(ctx context.Context) error {
+	if ts.tracerProvider == nil {
+		return nil
+	}
+	return ts.tracerProvider.Shutdown(ctx)
+}
+
+// StartSpan starts a new span with the given name and parent context
+func (ts *TracingSetup) StartSpan(ctx context.Context, name string) (trace.Span, context.Context) {
+	if ts.tracer == nil {
+		return trace.SpanFromContext(ctx), ctx
+	}
+	ctx, span := ts.tracer.Start(ctx, name)
+	return span, ctx
+}

tracing/tracing_test.go

@@ -0,0 +1,103 @@
+package tracing
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"go.opentelemetry.io/otel/trace"
+)
+
+func TestParseTraceHeader(t *testing.T) {
+	tests := []struct {
+		name    string
+		header  string
+		want    *TraceSpanInfo
+		wantErr bool
+	}{
+		{
+			name:   "valid trace header",
+			header: `{"traceparent": "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01"}`,
+			want: &TraceSpanInfo{
+				TraceParent: "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
+			},
+			wantErr: false,
+		},
+		{
+			name:    "invalid json",
+			header:  `{"traceparent": invalid}`,
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name:    "empty header",
+			header:  "",
+			want:    nil,
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseTraceHeader(tt.header)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ParseTraceHeader() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr {
+				gotJSON, _ := json.Marshal(got)
+				wantJSON, _ := json.Marshal(tt.want)
+				if string(gotJSON) != string(wantJSON) {
+					t.Errorf("ParseTraceHeader() = %v, want %v", string(gotJSON), string(wantJSON))
+				}
+			}
+		})
+	}
+}
+
+func TestNewTracing(t *testing.T) {
+	// Skip actual connection tests since they require a running collector
+	t.Run("empty endpoint", func(t *testing.T) {
+		ctx := context.Background()
+		_, err := NewTracing(ctx, "")
+		assert.Error(t, err, "Expected error for empty endpoint")
+		assert.Contains(t, err.Error(), "endpoint cannot be empty")
+	})
+
+	t.Run("invalid context", func(t *testing.T) {
+		ctx, cancel := context.WithCancel(context.Background())
+		cancel() // Cancel the context immediately
+		_, err := NewTracing(ctx, "localhost:4317")
+		assert.Error(t, err, "Expected error for invalid context")
+	})
+}
+
+func TestTracingSetup_ExtractSpanContext(t *testing.T) {
+	ts := &TracingSetup{}
+	spanInfo := &TraceSpanInfo{
+		TraceParent: "invalid-traceparent",
+	}
+
+	_, err := ts.ExtractSpanContext(spanInfo)
+	assert.Error(t, err, "Expected error for invalid traceparent")
+	assert.Contains(t, err.Error(), "invalid span context")
+}
+
+func TestTracingSetup_StartSpan(t *testing.T) {
+	ts := &TracingSetup{}
+	ctx := context.Background()
+
+	span, newCtx := ts.StartSpan(ctx, "test-span")
+	assert.NotNil(t, span, "Expected non-nil span even when tracer is nil")
+	assert.NotNil(t, newCtx, "Expected non-nil context")
+	assert.Equal(t, trace.SpanFromContext(ctx), span, "Expected span from context when tracer is nil")
+}
+
+func TestTracingSetup_Shutdown(t *testing.T) {
+	ts := &TracingSetup{}
+	ctx := context.Background()
+
+	err := ts.Shutdown(ctx)
+	assert.NoError(t, err, "Expected no error when shutting down nil tracer provider")
+}