fix: max-depth ignore only Field Node named __schema (#823)

* fix: max-depth ignore only Field Node named __schema

* Create hip-cheetahs-eat.md

Signed-off-by: M0ngi <[email protected]>

---------

Signed-off-by: M0ngi <[email protected]>

Author: M0ngi

.changeset/hip-cheetahs-eat.md

@@ -0,0 +1,5 @@
+---
+"@escape.tech/graphql-armor-max-depth": patch
+---
+
+fix: max-depth ignore only Field Node named __schema

packages/plugins/max-depth/src/index.ts

@@ -76,7 +76,12 @@ class MaxDepthVisitor {
     node: FieldNode | FragmentDefinitionNode | InlineFragmentNode | OperationDefinitionNode | FragmentSpreadNode,
     parentDepth = 0,
   ): number {
-    if (this.config.ignoreIntrospection && 'name' in node && node.name?.value === '__schema') {
+    if (
+      this.config.ignoreIntrospection &&
+      'name' in node &&
+      node.name?.value === '__schema' &&
+      node.kind === Kind.FIELD
+    ) {
       return 0;
     }
     let depth = parentDepth;

packages/plugins/max-depth/test/index.spec.ts

@@ -239,4 +239,34 @@ describe('maxDepthPlugin', () => {
       `Syntax Error: Query depth limit of ${maxDepth} exceeded, found ${maxDepth + 1}.`,
     ]);
   });
+
+  it('rejects for fragment named `__schema` exceeding max depth', async () => {
+    const bypass_query = `
+      query {
+        books {
+          author {
+            books {
+              author {
+                ...__schema
+              }
+            }
+          }
+        }
+      }
+      fragment __schema on Author {
+        books {
+          title
+        }
+      }
+    `;
+    const maxDepth = 6;
+    const testkit = createTestkit([maxDepthPlugin({ n: maxDepth, exposeLimits: true })], schema);
+    const result = await testkit.execute(bypass_query);
+
+    assertSingleExecutionValue(result);
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.map((error) => error.message)).toEqual([
+      `Syntax Error: Query depth limit of ${maxDepth} exceeded, found ${maxDepth + 2}.`,
+    ]);
+  });
 });