Add client identifier header to HTTP requests

Creates an anonymized repository identifier based on the SHA of the
first commit, hashed with SHA256 for additional privacy. The identifier
is sent as an `x-hex-client-id` header when available.

Author: sorentwo

lib/hex/http.ex

@@ -48,7 +48,9 @@ defmodule Hex.HTTP do
   defp build_headers(headers) do
     default_headers = %{"user-agent" => user_agent()}
 
-    Map.merge(default_headers, headers)
+    default_headers
+    |> add_client_identifier_header()
+    |> Map.merge(headers)
   end
 
   defp build_http_opts(url, timeout) do
@@ -271,6 +273,13 @@ defmodule Hex.HTTP do
     host
   end
 
+  defp add_client_identifier_header(headers) do
+    case Hex.Utils.client_identifier() do
+      nil -> headers
+      identifier -> Map.put(headers, "x-hex-client-id", identifier)
+    end
+  end
+
   defp user_agent do
     ci = if Hex.State.fetch!(:ci), do: " (CI)", else: ""
     "Hex/#{Hex.version()} (Elixir/#{System.version()}) (OTP/#{Hex.Utils.otp_version()})#{ci}"

lib/hex/utils.ex

@@ -324,4 +324,24 @@ defmodule Hex.Utils do
       {app, req, opts}
     end)
   end
+
+  @doc """
+  Gets an anonymized identifier for the current git repository.
+
+  This function finds the SHA of the first commit in the repository and hashes it once more for
+  anonymization.
+
+  Returns `nil` if git is not available or the directory is not a git repository.
+  """
+  def client_identifier do
+    with path when is_binary(path) <- System.find_executable("git"),
+         {output, 0} <- System.cmd("git", ["rev-list", "--max-parents=0", "HEAD"]) do
+      output
+      |> String.trim()
+      |> then(&:crypto.hash(:sha256, &1))
+      |> Base.encode16(case: :lower)
+    else
+      _ -> nil
+    end
+  end
 end

test/hex/http_test.exs

@@ -115,4 +115,25 @@ defmodule Hex.HTTPTest do
       )
     end)
   end
+
+  test "request includes identifier header when available", %{bypass: bypass} do
+    in_tmp(fn ->
+      # Initialize a git repository with a commit
+      System.cmd("git", ["init", "--initial-branch=main"])
+      System.cmd("git", ["config", "user.email", "test@example.com"])
+      System.cmd("git", ["config", "user.name", "Test User"])
+      File.write!("test.txt", "test content")
+      System.cmd("git", ["add", "test.txt"])
+      System.cmd("git", ["commit", "-m", "Initial commit"])
+
+      Bypass.expect(bypass, fn conn ->
+        assert [client_id] = Plug.Conn.get_req_header(conn, "x-hex-client-id")
+        assert client_id =~ ~r/^[a-f0-9]{64}$/
+
+        Plug.Conn.resp(conn, 200, "")
+      end)
+
+      Hex.HTTP.request(:get, "http://localhost:#{bypass.port}", %{}, nil)
+    end)
+  end
 end

test/hex/utils_test.exs

@@ -0,0 +1,27 @@
+defmodule Hex.UtilsTest do
+  use ExUnit.Case
+
+  describe "client_identifier/0" do
+    test "an identifier is included within a repository" do
+      assert Hex.Utils.client_identifier() =~ ~r/^[a-f0-9]{64}$/
+    end
+
+    test "identifier is nil outside of a repository" do
+      # The tmp_dir resolves at hex/test/tmp, which allows git to traverse up to the repository
+      # root and find a commit. We're creating a temporary directory to simulate being outside of
+      # a repository instead.
+      dir =
+        "../../.."
+        |> Path.expand(__DIR__)
+        |> Path.join("empty-directory")
+
+      try do
+        File.mkdir!(dir)
+
+        File.cd!(dir, fn -> refute Hex.Utils.client_identifier() end)
+      after
+        File.rmdir(dir)
+      end
+    end
+  end
+end