fix(browser): Strengthen type guard for persisted GraphQL operations

tbeeren · claude · tbeeren · commit 516610f4b7aa · 2025-12-15T13:25:59.000+01:00
The isPersistedRequest type guard now validates that sha256Hash and version properties exist in the persistedQuery object, preventing undefined values from being set as span attributes and breadcrumb data. Added tests for edge cases: - Empty persistedQuery object - Missing sha256Hash property - Missing version property 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/packages/browser/src/integrations/graphqlClient.ts b/packages/browser/src/integrations/graphqlClient.ts
@@ -232,7 +232,9 @@ function isPersistedRequest(payload: unknown): payload is GraphQLPersistedReques
     isObject(payload) &&
     typeof payload.operationName === 'string' &&
     isObject(payload.extensions) &&
-    isObject(payload.extensions.persistedQuery)
+    isObject(payload.extensions.persistedQuery) &&
+    typeof payload.extensions.persistedQuery.sha256Hash === 'string' &&
+    typeof payload.extensions.persistedQuery.version === 'number'
   );
 }
 
diff --git a/packages/browser/test/integrations/graphqlClient.test.ts b/packages/browser/test/integrations/graphqlClient.test.ts
@@ -111,6 +111,44 @@ describe('GraphqlClient', () => {
       expect(getGraphQLRequestPayload(JSON.stringify(requestBody))).toBeUndefined();
     });
 
+    test('should return undefined for persisted operation with incomplete persistedQuery object', () => {
+      const requestBody = {
+        operationName: 'GetUser',
+        variables: { id: '123' },
+        extensions: {
+          persistedQuery: {},
+        },
+      };
+
+      expect(getGraphQLRequestPayload(JSON.stringify(requestBody))).toBeUndefined();
+    });
+
+    test('should return undefined for persisted operation missing sha256Hash', () => {
+      const requestBody = {
+        operationName: 'GetUser',
+        extensions: {
+          persistedQuery: {
+            version: 1,
+          },
+        },
+      };
+
+      expect(getGraphQLRequestPayload(JSON.stringify(requestBody))).toBeUndefined();
+    });
+
+    test('should return undefined for persisted operation missing version', () => {
+      const requestBody = {
+        operationName: 'GetUser',
+        extensions: {
+          persistedQuery: {
+            sha256Hash: 'abc123',
+          },
+        },
+      };
+
+      expect(getGraphQLRequestPayload(JSON.stringify(requestBody))).toBeUndefined();
+    });
+
     test('should return undefined for invalid JSON', () => {
       expect(getGraphQLRequestPayload('not valid json {')).toBeUndefined();
     });
