Merge remote-tracking branch 'upstream/2.3.7-develop' into MC-38715

Author: hwyu@adobe.com

app/code/Magento/GraphQl/Controller/HttpRequestValidator/HttpVerbValidator.php

@@ -11,6 +11,8 @@
 use Magento\Framework\GraphQl\Exception\GraphQlInputException;
 use Magento\Framework\App\Request\Http;
 use Magento\GraphQl\Controller\HttpRequestValidatorInterface;
+use GraphQL\Language\AST\Node;
+use GraphQL\Language\AST\NodeKind;
 
 /**
  * Validator to check HTTP verb for Graphql requests
@@ -29,8 +31,20 @@ public function validate(HttpRequestInterface $request) : void
         /** @var Http $request */
         if (false === $request->isPost()) {
             $query = $request->getParam('query', '');
-            // The easiest way to determine mutations without additional parsing
-            if (strpos(trim($query), 'mutation') === 0) {
+            $operationType = null;
+            $queryAst = \GraphQL\Language\Parser::parse(new \GraphQL\Language\Source($query ?: '', 'GraphQL'));
+            \GraphQL\Language\Visitor::visit(
+                $queryAst,
+                [
+                    'leave' => [
+                        NodeKind::OPERATION_DEFINITION => function (Node $node) use (&$operationType) {
+                            $operationType = $node->operation;
+                        }
+                    ]
+                ]
+            );
+
+            if (strtolower($operationType) === 'mutation') {
                 throw new GraphQlInputException(
                     new \Magento\Framework\Phrase('Mutation requests allowed only for POST requests')
                 );