Update go.mod and go.sum

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Makefile

@@ -13,7 +13,7 @@ help:  ## display this help
 
 .PHONY: run
 run: build ## run application
-	@LOG_LEVEL=debug PURGE_METRICS_ON_CRAWL=true BLOCK_SCHEMA_INTROSPECTION=false CACHE_TTL=10 JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/ HEALTHCHECK_GRAPHQL_URL=https://hasura8.lan/v1/graphql ./graphql-proxy
+	@LOG_LEVEL=debug PURGE_METRICS_ON_CRAWL=true BLOCK_SCHEMA_INTROSPECTION=true CACHE_TTL=10 JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/ HEALTHCHECK_GRAPHQL_URL=https://hasura8.lan/v1/graphql PORT_GRAPHQL=8111 ./graphql-proxy
 
 .PHONY: build
 build: ## build the binary

README.md

@@ -40,7 +40,7 @@ I wanted to monitor the queries and responses of our graphql endpoint. Still, we
 
 You should always try to stick to the latest and greatest version of the graphql-proxy to ensure that it's as much bug-free as possible. Following list will be kept to the maximum of five "most important" bugs and enhancements included in the latest versions.
 
-* **06/12/2024 - 0.24.2** - Fixes the bug where deeply nested introspection queries were blocked despite of being present on the whitelist. GraphQL proxy will now inspect the queries in depth to find any possible nested introspections.
+* **06/12/2024 - 0.25.12** - Fixes the bug where deeply nested introspection queries were blocked despite of being present on the whitelist. GraphQL proxy will now inspect the queries in depth to find any possible nested introspections.
 
 * **20/08/2024 - 0.23.21+** - Fixes the bug when timeouts were not respected on proxy-graphql line. Affected versions before that were timeouting after 30 seconds which was set as default ( thanks to Jurica Železnjak for reporting ). It also provides a temporary fix for running within kubernetes deployment, when graphql server ( for example - hasura ) took more time to start than the proxy, causing avalanche of errors with "can't proxy the request".
 

go.mod

@@ -6,19 +6,19 @@ require (
 	github.com/VictoriaMetrics/metrics v1.35.1
 	github.com/alicebob/miniredis/v2 v2.33.0
 	github.com/avast/retry-go/v4 v4.6.0
-	github.com/goccy/go-json v0.10.3
+	github.com/goccy/go-json v0.10.4
 	github.com/gofiber/fiber/v2 v2.52.5
 	github.com/gofrs/flock v0.12.1
 	github.com/google/uuid v1.6.0
-	github.com/gookit/goutil v0.6.17
+	github.com/gookit/goutil v0.6.18
 	github.com/graphql-go/graphql v0.8.1
 	github.com/jackc/pgx/v5 v5.7.1
 	github.com/lukaszraczylo/ask v0.0.0-20240916204100-6e9ef53a62d9
 	github.com/lukaszraczylo/go-ratecounter v0.1.12
-	github.com/lukaszraczylo/go-simple-graphql v1.2.32
+	github.com/lukaszraczylo/go-simple-graphql v1.2.33
 	github.com/redis/go-redis/v9 v9.7.0
 	github.com/stretchr/testify v1.9.0
-	github.com/valyala/fasthttp v1.57.0
+	github.com/valyala/fasthttp v1.58.0
 )
 
 require (
@@ -45,7 +45,7 @@ require (
 	github.com/valyala/tcplisten v1.0.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yuin/gopher-lua v1.1.1 // indirect
-	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/net v0.32.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect

go.sum

@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-reflect v1.2.0 h1:O0T8rZCuNmGXewnATuKYnkL0xm6o8UNOJZd/gOkb9ms=
 github.com/goccy/go-reflect v1.2.0/go.mod h1:n0oYZn8VcV2CkWTxi8B9QjkCoq6GTtCEdfmR66YhFtE=
 github.com/gofiber/fiber/v2 v2.52.5 h1:tWoP1MJQjGEe4GB5TUGOi7P2E0ZMMRx5ZTG4rT+yGMo=
@@ -32,8 +32,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
-github.com/gookit/goutil v0.6.17 h1:SxmbDz2sn2V+O+xJjJhJT/sq1/kQh6rCJ7vLBiRPZjI=
-github.com/gookit/goutil v0.6.17/go.mod h1:rSw1LchE1I3TDWITZvefoAC9tS09SFu3lHXLCV7EaEY=
+github.com/gookit/goutil v0.6.18 h1:MUVj0G16flubWT8zYVicIuisUiHdgirPAkmnfD2kKgw=
+github.com/gookit/goutil v0.6.18/go.mod h1:AY/5sAwKe7Xck+mEbuxj0n/bc3qwrGNe3Oeulln7zBA=
 github.com/graphql-go/graphql v0.8.1 h1:p7/Ou/WpmulocJeEx7wjQy611rtXGQaAcXGqanuMMgc=
 github.com/graphql-go/graphql v0.8.1/go.mod h1:nKiHzRM0qopJEwCITUuIsxk9PlVlwIiiI8pnJEhordQ=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -54,8 +54,8 @@ github.com/lukaszraczylo/ask v0.0.0-20240916204100-6e9ef53a62d9 h1:pL8B9mjv6RPUf
 github.com/lukaszraczylo/ask v0.0.0-20240916204100-6e9ef53a62d9/go.mod h1:M+UVdyqZs++xtEPrascaVmZdOMhCnxjZ2SgH+xHpR0c=
 github.com/lukaszraczylo/go-ratecounter v0.1.12 h1:VO6hHYGw/Jy9JUizXf/bS0AI2QX1ueWWAWckMFVJ/w4=
 github.com/lukaszraczylo/go-ratecounter v0.1.12/go.mod h1:TqXEOCtFJStk1i0tkipprv1kiDHGon1MVUisjSTBSKM=
-github.com/lukaszraczylo/go-simple-graphql v1.2.32 h1:CKjXgNHUuwzeBVKIPLXoMw4wPQCqchIV0htFGk5+Hpg=
-github.com/lukaszraczylo/go-simple-graphql v1.2.32/go.mod h1:Y0fEHnPijfPyTF4fzSEpgmu5kaA4lENA0+gQdI1y1+0=
+github.com/lukaszraczylo/go-simple-graphql v1.2.33 h1:77znJSjPCCbJg8qBjGrx+uRLn/JncBKDDPOwO3I64DM=
+github.com/lukaszraczylo/go-simple-graphql v1.2.33/go.mod h1:UOhnDW0SGIQglxwCbHLzpCQZ755JAUdQUa6v/c+V3dU=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -79,8 +79,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.57.0 h1:Xw8SjWGEP/+wAAgyy5XTvgrWlOD1+TxbbvNADYCm1Tg=
-github.com/valyala/fasthttp v1.57.0/go.mod h1:h6ZBaPRlzpZ6O3H5t2gEk1Qi33+TmLvfwgLLp0t9CpE=
+github.com/valyala/fasthttp v1.58.0 h1:GGB2dWxSbEprU9j0iMJHgdKYJVDyjrOwF9RE59PbRuE=
+github.com/valyala/fasthttp v1.58.0/go.mod h1:SYXvHHaFp7QZHGKSHmoMipInhrI5StHrhDTYVEjK/Kw=
 github.com/valyala/fastrand v1.1.0 h1:f+5HkLW4rsgzdNoleUOB69hyT9IlD2ZQh9GyDMfb5G8=
 github.com/valyala/fastrand v1.1.0/go.mod h1:HWqCzkrkg6QXT8V2EXWvXCoow7vLwOFN002oeRzjapQ=
 github.com/valyala/histogram v1.2.0 h1:wyYGAZZt3CpwUiIb9AU/Zbllg1llXyrtApRS815OLoQ=
@@ -93,8 +93,8 @@ github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZ
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
 github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
 github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
-golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
-golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=

graphql.go

@@ -27,10 +27,16 @@ var (
 )
 
 func prepareQueriesAndExemptions() {
+	introspectionAllowedQueries = make(map[string]struct{})
+	allowedUrls = make(map[string]struct{})
+
+	// Process allowed introspection queries
 	for _, q := range cfg.Security.IntrospectionAllowed {
-			introspectionAllowedQueries[strings.ToLower(q)] = struct{}{}
+		cleanQuery := strings.Trim(strings.TrimSpace(q), `"`)
+		introspectionAllowedQueries[strings.ToLower(cleanQuery)] = struct{}{}
 	}
 
+	// Process allowed URLs
 	for _, u := range cfg.Server.AllowURLs {
 			allowedUrls[u] = struct{}{}
 	}
@@ -66,106 +72,106 @@ func parseGraphQLQuery(c *fiber.Ctx) *parseGraphQLQueryResult {
 
 	m := queryPool.Get().(map[string]interface{})
 	defer func() {
-			for k := range m {
-					delete(m, k)
-			}
-			queryPool.Put(m)
+		for k := range m {
+			delete(m, k)
+		}
+		queryPool.Put(m)
 	}()
 
 	if err := json.Unmarshal(c.Body(), &m); err != nil {
-			cfg.Logger.Error(&libpack_logger.LogMessage{
-					Message: "Can't unmarshal the request",
-					Pairs:   map[string]interface{}{"error": err.Error(), "body": string(c.Body())},
-			})
-			if ifNotInTest() {
-					cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
-			}
-			return res
+		cfg.Logger.Error(&libpack_logger.LogMessage{
+			Message: "Can't unmarshal the request",
+			Pairs:   map[string]interface{}{"error": err.Error(), "body": string(c.Body())},
+		})
+		if ifNotInTest() {
+			cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+		}
+		return res
 	}
 
 	query, ok := m["query"].(string)
 	if !ok {
-			cfg.Logger.Error(&libpack_logger.LogMessage{
-					Message: "Can't find the query",
-					Pairs:   map[string]interface{}{"m_val": m},
-			})
-			if ifNotInTest() {
-					cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
-			}
-			return res
+		cfg.Logger.Error(&libpack_logger.LogMessage{
+			Message: "Can't find the query",
+			Pairs:   map[string]interface{}{"m_val": m},
+		})
+		if ifNotInTest() {
+			cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+		}
+		return res
 	}
 
 	p, err := parser.Parse(parser.ParseParams{Source: query})
 	if err != nil {
-			cfg.Logger.Error(&libpack_logger.LogMessage{
-					Message: "Can't parse the query",
-					Pairs:   map[string]interface{}{"query": query, "m_val": m},
-			})
-			if ifNotInTest() {
-					cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-			}
-			return res
+		cfg.Logger.Error(&libpack_logger.LogMessage{
+			Message: "Can't parse the query",
+			Pairs:   map[string]interface{}{"query": query, "m_val": m},
+		})
+		if ifNotInTest() {
+			cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+		}
+		return res
 	}
 
 	res.shouldIgnore = false
 	res.operationName = "undefined"
 
 	for _, d := range p.Definitions {
-			if oper, ok := d.(*ast.OperationDefinition); ok {
-					if res.operationType == "" {
-							res.operationType = strings.ToLower(oper.Operation)
-							if oper.Name != nil {
-									res.operationName = oper.Name.Value
-							}
-					}
-
-					if cfg.Server.HostGraphQLReadOnly != "" {
-							if res.operationType == "" || res.operationType != "mutation" {
-									res.activeEndpoint = cfg.Server.HostGraphQLReadOnly
-							}
-					}
-
-					if res.operationType == "mutation" && cfg.Server.ReadOnlyMode {
-							cfg.Logger.Warning(&libpack_logger.LogMessage{
-									Message: "Mutation blocked - server in read-only mode",
-									Pairs:   map[string]interface{}{"query": query},
-							})
-							if ifNotInTest() {
-									cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
-							}
-							_ = c.Status(403).SendString("The server is in read-only mode")
-							res.shouldBlock = true
-							resultPool.Put(res)
-							return res
-					}
-
-					for _, dir := range oper.Directives {
-							if dir.Name.Value == "cached" {
-									res.cacheRequest = true
-									for _, arg := range dir.Arguments {
-											switch arg.Name.Value {
-											case "ttl":
-													if v, ok := arg.Value.GetValue().(string); ok {
-															res.cacheTime, _ = strconv.Atoi(v)
-													}
-											case "refresh":
-													if v, ok := arg.Value.GetValue().(bool); ok {
-															res.cacheRefresh = v
-													}
-											}
-									}
-							}
-					}
-
-					if cfg.Security.BlockIntrospection {
-							if checkSelections(c, oper.GetSelectionSet().Selections) {
-									_ = c.Status(403).SendString("Introspection queries are not allowed")
-									res.shouldBlock = true
-									resultPool.Put(res)
-									return res
-							}
-					}
+		if oper, ok := d.(*ast.OperationDefinition); ok {
+			if res.operationType == "" {
+				res.operationType = strings.ToLower(oper.Operation)
+				if oper.Name != nil {
+					res.operationName = oper.Name.Value
+				}
 			}
+
+			if cfg.Server.HostGraphQLReadOnly != "" {
+				if res.operationType == "" || res.operationType != "mutation" {
+					res.activeEndpoint = cfg.Server.HostGraphQLReadOnly
+				}
+			}
+
+			if res.operationType == "mutation" && cfg.Server.ReadOnlyMode {
+				cfg.Logger.Warning(&libpack_logger.LogMessage{
+					Message: "Mutation blocked - server in read-only mode",
+					Pairs:   map[string]interface{}{"query": query},
+				})
+				if ifNotInTest() {
+					cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+				}
+				_ = c.Status(403).SendString("The server is in read-only mode")
+				res.shouldBlock = true
+				resultPool.Put(res)
+				return res
+			}
+
+			for _, dir := range oper.Directives {
+				if dir.Name.Value == "cached" {
+					res.cacheRequest = true
+					for _, arg := range dir.Arguments {
+						switch arg.Name.Value {
+						case "ttl":
+							if v, ok := arg.Value.GetValue().(string); ok {
+								res.cacheTime, _ = strconv.Atoi(v)
+							}
+						case "refresh":
+							if v, ok := arg.Value.GetValue().(bool); ok {
+								res.cacheRefresh = v
+							}
+						}
+					}
+				}
+			}
+
+			if cfg.Security.BlockIntrospection {
+				if checkSelections(c, oper.GetSelectionSet().Selections) {
+					_ = c.Status(403).SendString("Introspection queries are not allowed")
+					res.shouldBlock = true
+					resultPool.Put(res)
+					return res
+				}
+			}
+		}
 	}
 	return res
 }
@@ -177,13 +183,16 @@ func checkSelections(c *fiber.Ctx, selections []ast.Selection) bool {
 					fieldName := strings.ToLower(sel.Name.Value)
 					if _, exists := introspectionQueries[fieldName]; exists {
 							if len(cfg.Security.IntrospectionAllowed) > 0 {
-									if _, allowed := introspectionAllowedQueries[fieldName]; !allowed {
-											return true
+									_, allowed := introspectionAllowedQueries[fieldName]
+									if !allowed {
+											return true // Block if this field isn't allowed
 									}
+									// Even if this field is allowed, we need to check its nested selections
 							} else {
-									return true
+									return true // Block if no allowlist exists
 							}
 					}
+					// Always check nested selections
 					if sel.SelectionSet != nil {
 							if checkSelections(c, sel.GetSelectionSet().Selections) {
 									return true

graphql_test.go

@@ -3,9 +3,12 @@ package main
 import (
 	"fmt"
 	"strings"
+	"testing"
 
 	"github.com/goccy/go-json"
 	fiber "github.com/gofiber/fiber/v2"
+	"github.com/graphql-go/graphql/language/ast"
+	"github.com/graphql-go/graphql/language/parser"
 	"github.com/valyala/fasthttp"
 )
 
@@ -436,69 +439,173 @@ func createTestContext(body string) *fiber.Ctx {
 
 func (suite *Tests) Test_DeepIntrospectionQueries() {
 	tests := []struct {
-			name     string
-			query    string
-			allowed  []string
-			expected bool
+		name     string
+		query    string
+		allowed  []string
+		expected bool
 	}{
-			{
-					name: "deeply nested single introspection",
-					query: "query { users { profiles { settings { preferences { __typename } } } } }",
-					allowed:  []string{},
-					expected: true,
-			},
-			{
-					name: "multiple nested introspections",
-					query: "query { users { __typename profiles { __schema settings { __type } } } }",
-					allowed:  []string{},
-					expected: true,
-			},
-			{
-					name: "nested with selective allowlist",
-					query: "query { users { __typename profiles { __schema settings { __type } } } }",
-					allowed:  []string{"__typename"},
-					expected: true,
-			},
-			{
-					name: "deeply nested with full allowlist",
-					query: "query { users { __typename profiles { __schema settings { __type } } } }",
-					allowed:  []string{"__typename", "__schema", "__type"},
-					expected: false,
-			},
-			{
-				name: "deeply nested with repeated item from allowlist",
-				query: "query PreloadStaticData {\n  scenario {\n    id\n    name\n    __typename\n  }\n  impact {\n    id\n    description\n    __typename\n  }\n  likelihood {\n    id\n    description\n    __typename\n  }\n  consequence {\n    name\n    __typename\n  }\n  risk_categories {\n    name\n    abbreviation\n    __typename\n  }\n  mitigation {\n    name\n    __typename\n  }\n}",
-				allowed: []string{"__type", "__typename"},
-				expected: false,
-			},
-			{
-				name: "deeply nested with repeated item denied",
-				query: "query PreloadStaticData {\n  scenario {\n    id\n    name\n    __typename\n  }\n  impact {\n    id\n    description\n    __typename\n  }\n  likelihood {\n    id\n    description\n    __typename\n  }\n  consequence {\n    name\n    __typename\n  }\n  risk_categories {\n    name\n    abbreviation\n    __typename\n  }\n  mitigation {\n    name\n    __typename\n  }\n}",
-				allowed: []string{},
-				expected: true,
-			},
+		{
+			name:     "deeply nested single introspection",
+			query:    "query { users { profiles { settings { preferences { __typename } } } } }",
+			allowed:  []string{},
+			expected: true,
+		},
+		{
+			name:     "multiple nested introspections",
+			query:    "query { users { __typename profiles { __schema settings { __type } } } }",
+			allowed:  []string{},
+			expected: true,
+		},
+		{
+			name:     "nested with selective allowlist",
+			query:    "query { users { __typename profiles { __schema settings { __type } } } }",
+			allowed:  []string{"__typename"},
+			expected: true,
+		},
+		{
+			name:     "deeply nested with full allowlist",
+			query:    "query { users { __typename profiles { __schema settings { __type } } } }",
+			allowed:  []string{"__typename", "__schema", "__type"},
+			expected: false,
+		},
+		{
+			name:     "deeply nested with repeated item from allowlist",
+			query:    "query PreloadStaticData {\n  scenario {\n    id\n    name\n    __typename\n  }\n  impact {\n    id\n    description\n    __typename\n  }\n  likelihood {\n    id\n    description\n    __typename\n  }\n  consequence {\n    name\n    __typename\n  }\n  risk_categories {\n    name\n    abbreviation\n    __typename\n  }\n  mitigation {\n    name\n    __typename\n  }\n}",
+			allowed:  []string{"__type", "__typename"},
+			expected: false,
+		},
+		{
+			name:     "deeply nested with repeated item denied",
+			query:    "query PreloadStaticData {\n  scenario {\n    id\n    name\n    __typename\n  }\n  impact {\n    id\n    description\n    __typename\n  }\n  likelihood {\n    id\n    description\n    __typename\n  }\n  consequence {\n    name\n    __typename\n  }\n  risk_categories {\n    name\n    abbreviation\n    __typename\n  }\n  mitigation {\n    name\n    __typename\n  }\n}",
+			allowed:  []string{},
+			expected: true,
+		},
 	}
 
 	for _, tt := range tests {
-			suite.Run(tt.name, func() {
-					cfg.Security.BlockIntrospection = true
-					cfg.Security.IntrospectionAllowed = tt.allowed
-					introspectionAllowedQueries = make(map[string]struct{})
-					for _, q := range tt.allowed {
-							introspectionAllowedQueries[strings.ToLower(q)] = struct{}{}
-					}
-					body := map[string]interface{}{
-							"query": tt.query,
-					}
-					bodyBytes, _ := json.Marshal(body)
-					ctx := fiber.New().AcquireCtx(&fasthttp.RequestCtx{})
-					ctx.Request().SetBody(bodyBytes)
-					parseGraphQLQuery(ctx)
-					if tt.expected {
-							suite.Equal(403, ctx.Response().StatusCode())
-					} else {
-							suite.Equal(200, ctx.Response().StatusCode())
-					}
-			})
+		suite.Run(tt.name, func() {
+			cfg.Security.BlockIntrospection = true
+			cfg.Security.IntrospectionAllowed = tt.allowed
+			introspectionAllowedQueries = make(map[string]struct{})
+			for _, q := range tt.allowed {
+				introspectionAllowedQueries[strings.ToLower(q)] = struct{}{}
+			}
+			body := map[string]interface{}{
+				"query": tt.query,
+			}
+			bodyBytes, _ := json.Marshal(body)
+			ctx := fiber.New().AcquireCtx(&fasthttp.RequestCtx{})
+			ctx.Request().SetBody(bodyBytes)
+			parseGraphQLQuery(ctx)
+			if tt.expected {
+				suite.Equal(403, ctx.Response().StatusCode())
+			} else {
+				suite.Equal(200, ctx.Response().StatusCode())
+			}
+		})
 	}
-}
+}
+
+func TestIntrospectionQueryHandling(t *testing.T) {
+	tests := []struct {
+		name               string
+		blockIntrospection bool
+		allowedQueries     []string
+		query              string
+		wantBlocked        bool
+	}{
+		{
+			name:               "allows __typename when in allowed list",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__typename"},
+			query: `{
+							users {
+									id
+									name
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name:               "case insensitive matching for allowed queries",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__TYPENAME"},
+			query: `{
+							users {
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name:               "blocks other introspection queries",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__typename"},
+			query: `{
+							__schema {
+									types {
+											name
+									}
+							}
+					}`,
+			wantBlocked: true,
+		},
+		{
+			name:               "allows multiple __typename occurrences",
+			blockIntrospection: true,
+			allowedQueries:     []string{"__typename"},
+			query: `{
+							users {
+									__typename
+									posts {
+											__typename
+									}
+							}
+					}`,
+			wantBlocked: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Setup config
+			cfg = &config{
+				Security: struct {
+					IntrospectionAllowed []string
+					BlockIntrospection   bool
+				}{
+					IntrospectionAllowed: tt.allowedQueries,
+					BlockIntrospection:   tt.blockIntrospection,
+				},
+			}
+
+			// Initialize allowed queries
+			prepareQueriesAndExemptions()
+
+			// Parse query
+			p, err := parser.Parse(parser.ParseParams{Source: tt.query})
+			if err != nil {
+				t.Fatalf("failed to parse query: %v", err)
+			}
+
+			// Create mock fiber context
+			app := fiber.New()
+			ctx := app.AcquireCtx(&fasthttp.RequestCtx{})
+			defer app.ReleaseCtx(ctx)
+
+			// Check selections
+			var blocked bool
+			for _, def := range p.Definitions {
+				if op, ok := def.(*ast.OperationDefinition); ok {
+					blocked = checkSelections(ctx, op.GetSelectionSet().Selections)
+					break
+				}
+			}
+
+			if blocked != tt.wantBlocked {
+				t.Errorf("checkSelections() blocked = %v, want %v", blocked, tt.wantBlocked)
+			}
+		})
+	}
+}

main_test.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"os"
 	"testing"
 	"time"
@@ -11,6 +12,7 @@ import (
 	libpack_logging "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
 	assertions "github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
+	"github.com/valyala/fasthttp"
 )
 
 type Tests struct {
@@ -138,3 +140,122 @@ func (suite *Tests) Test_getDetailsFromEnv() {
 		})
 	}
 }
+
+func (suite *Tests) TestIntrospectionEnvironmentConfig() {
+	// Save original env vars
+	oldEnv := make(map[string]string)
+	varsToSave := []string{
+		"BLOCK_SCHEMA_INTROSPECTION",
+		"ALLOWED_INTROSPECTION",
+		"GMP_BLOCK_SCHEMA_INTROSPECTION",
+		"GMP_ALLOWED_INTROSPECTION",
+	}
+	for _, env := range varsToSave {
+		if val, exists := os.LookupEnv(env); exists {
+			oldEnv[env] = val
+			os.Unsetenv(env)
+		}
+	}
+	defer func() {
+		// Restore original env vars
+		for k, v := range oldEnv {
+			os.Setenv(k, v)
+		}
+	}()
+
+	tests := []struct {
+		name         string
+		envVars      map[string]string
+		query        string
+		wantBlocked  bool
+		wantEndpoint string
+	}{
+		{
+			name: "basic typename allowed",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":      "__typename",
+			},
+			query: `{
+							users {
+									id
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name: "GMP prefix takes precedence",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION":     "false",
+				"GMP_BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":          "__type",
+				"GMP_ALLOWED_INTROSPECTION":      "__typename",
+			},
+			query: `{
+							users {
+									__typename
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name: "multiple allowed queries",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":      "__typename,__schema",
+			},
+			query: `{
+							__schema {
+									types {
+											name
+											__typename
+									}
+							}
+					}`,
+			wantBlocked: false,
+		},
+		{
+			name: "multiple allowed queries with one of them blocked",
+			envVars: map[string]string{
+				"BLOCK_SCHEMA_INTROSPECTION": "true",
+				"ALLOWED_INTROSPECTION":      "__schema",
+			},
+			query: `{
+							__schema {
+									types {
+											name
+											__typename
+									}
+							}
+					}`,
+			wantBlocked: true,
+		},
+	}
+
+	for _, tt := range tests {
+		suite.Run(tt.name, func() {
+			// Set test env vars
+			for k, v := range tt.envVars {
+				os.Setenv(k, v)
+			}
+
+			// Reset global config
+			cfg = nil
+			parseConfig()
+
+			// Create test request
+			app := fiber.New()
+			ctx := app.AcquireCtx(&fasthttp.RequestCtx{})
+			defer app.ReleaseCtx(ctx)
+			ctx.Request().Header.SetMethod("POST")
+			ctx.Request().SetBody([]byte(fmt.Sprintf(`{"query": %q}`, tt.query)))
+
+			result := parseGraphQLQuery(ctx)
+			assert.Equal(tt.wantBlocked, result.shouldBlock)
+			for k := range tt.envVars {
+				os.Unsetenv(k)
+			}
+		})
+	}
+}