Add client identifier header to HTTP requests

sorentwo · sorentwo · commit 38391994377f · 2025-06-02T09:08:08.000-05:00
Creates an anonymized repository identifier based on the SHA of the
first commit, hashed with SHA256 for additional privacy. The identifier
is sent as an `x-hex-client-id` header when available.
diff --git a/lib/hex/http.ex b/lib/hex/http.ex
@@ -48,7 +48,9 @@ defmodule Hex.HTTP do
   defp build_headers(headers) do
     default_headers = %{"user-agent" => user_agent()}
 
-    Map.merge(default_headers, headers)
+    default_headers
+    |> add_client_identifier_header()
+    |> Map.merge(headers)
   end
 
   defp build_http_opts(url, timeout) do
@@ -271,6 +273,13 @@ defmodule Hex.HTTP do
     host
   end
 
+  defp add_client_identifier_header(headers) do
+    case Hex.Utils.client_identifier() do
+      nil -> headers
+      identifier -> Map.put(headers, "x-hex-client-id", identifier)
+    end
+  end
+
   defp user_agent do
     ci = if Hex.State.fetch!(:ci), do: " (CI)", else: ""
     "Hex/#{Hex.version()} (Elixir/#{System.version()}) (OTP/#{Hex.Utils.otp_version()})#{ci}"
diff --git a/lib/hex/utils.ex b/lib/hex/utils.ex
@@ -324,4 +324,27 @@ defmodule Hex.Utils do
       {app, req, opts}
     end)
   end
+
+  @doc """
+  Gets an anonymized identifier for the current git repository.
+
+  This function finds the SHA of the first commit in the repository and hashes it once more for
+  anonymization.
+
+  Returns `nil` if git is not available or the directory is not a git repository.
+  """
+  def client_identifier do
+    opts = ["rev-list", "--max-parents=0", "HEAD"]
+
+    with path when is_binary(path) <- System.find_executable("git"),
+         {output, 0} <- System.cmd("git", opts, stderr_to_stdout: true) do
+      output
+      |> String.trim()
+      |> then(&:crypto.hash(:sha256, &1))
+      |> Base.encode16(case: :lower)
+    else
+      _ ->
+        nil
+    end
+  end
 end
diff --git a/test/hex/http_test.exs b/test/hex/http_test.exs
@@ -115,4 +115,23 @@ defmodule Hex.HTTPTest do
       )
     end)
   end
+
+  test "request includes identifier header when available", %{bypass: bypass} do
+    in_tmp(fn ->
+      # Initialize a git repository with a commit
+      System.cmd("git", ["init"])
+      File.write!("test.txt", "test content")
+      System.cmd("git", ["add", "test.txt"])
+      System.cmd("git", ["commit", "-m", "Initial commit"])
+
+      Bypass.expect(bypass, fn conn ->
+        assert [client_id] = Plug.Conn.get_req_header(conn, "x-hex-client-id")
+        assert client_id =~ ~r/^[a-f0-9]{64}$/
+
+        Plug.Conn.resp(conn, 200, "")
+      end)
+
+      Hex.HTTP.request(:get, "http://localhost:#{bypass.port}", %{}, nil)
+    end)
+  end
 end
diff --git a/test/hex/utils_test.exs b/test/hex/utils_test.exs
@@ -0,0 +1,14 @@
+defmodule Hex.UtilsTest do
+  use ExUnit.Case
+
+  describe "client_identifier/0" do
+    test "an identifier is included within a repository" do
+      assert Hex.Utils.client_identifier() =~ ~r/^[a-f0-9]{64}$/
+    end
+
+    @tag :tmp_dir
+    test "identifier is nil outside of a repository", %{tmp_dir: dir} do
+      File.cd!(dir, fn -> refute Hex.Utils.client_identifier() end)
+    end
+  end
+end
