Document ID header properties

It needs to be cryptographically unique so that each client is uniquely
identified and cannot be mistaken with another client.

If it is not cryptographically unique one client could potentially guess
the ID and thus send data as if it is was another client.

Signed-off-by: Linus Wallgren <[email protected]>

Author: Linus Wallgren

Diff for: cmd/proxy/coordinator.go

@@ -25,9 +25,9 @@ import (
 	"github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
 	"github.com/google/uuid"
+	"github.com/prometheus-community/pushprox/util"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
-	"github.com/prometheus-community/pushprox/util"
 )
 
 var (
@@ -73,6 +73,8 @@ func NewCoordinator(logger log.Logger) (*Coordinator, error) {
 }
 
 // Generate a unique ID
+// It is important this ID is cryptographically unique to ensure clients can't
+// be mixed up.
 func (c *Coordinator) genID() (string, error) {
 	id, err := uuid.NewRandom()
 	return id.String(), err
@@ -114,6 +116,8 @@ func (c *Coordinator) DoScrape(ctx context.Context, r *http.Request) (*http.Resp
 		return nil, err
 	}
 	level.Info(c.logger).Log("msg", "DoScrape", "scrape_id", id, "url", r.URL.String())
+	// It is important this id is cryptographically generated as it is relied
+	// upon to match the request and the response.
 	r.Header.Add("Id", id)
 	select {
 	case <-ctx.Done():