xcode_install 2FA #436

bfrolicher opened this issue Jun 8, 2021 · 10 comments
@bfrolicher

Hi guys,

We are using Fastlane for the whole project CI.
Maybe I'm missing something, but we can't use the xcode_install lane if the account specified in AppFile apple_id("[email protected]") has 2FA activated.

We are using app_store_connect_api_key lane to avoid OTP on other actions like sign, match, deliver.

Is there a way to be able to have xcode_install working in a CI environment with prompting for password or OTP?

Console output :

INFO [2021-06-08 15:55:26.09]: ---------------------------
INFO [2021-06-08 15:55:26.09]: --- Step: xcode_install ---
INFO [2021-06-08 15:55:26.09]: ---------------------------
INFO [2021-06-08 15:55:26.09]: gem 'xcode-install' is already installed
Reading keychain entry, because either user or password were empty
Two-factor Authentication (6 digits code) is enabled for account '[email protected]'
More information about Two-factor Authentication: https://support.apple.com/en-us/HT204915

If you're running this in a non-interactive session (e.g. server or CI)
check out https://github.com/fastlane/fastlane/tree/master/spaceship#2-step-verification

(Input `sms` to escape this prompt and select a trusted phone number to send the code as a text message)

(You can also set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automate this)
(Read more at: https://github.com/fastlane/fastlane/blob/master/spaceship/docs/Authentication.md#auto-select-sms-via-spaceship_2fa_sms_default_phone_number)

Please enter the 6 digit code:


Cheers,
Ben

@bfrolicher bfrolicher changed the title Xcode_install 2FA xcode_install 2FA Jun 8, 2021
@Kylmakalle

AFAIK this gem is a parser for https://developer.apple.com/devcenter/ and thus it's not supported by API.

If you've already found a solution, please share it with us.

@rogerluan
Collaborator

Here's a related ticket where you might find useful information (including workarounds): #395

@daemedeor

Just curious, it has been a while since this topic was revisited. Is there a reason why /devcenter doesn't accept any jwt auth tokens as part of the headers or will only a valid cookie auth through to this endpoint?

@rogerluan
Collaborator

@daemedeor IIRC the reason is that the official API provided by Apple doesn't contain APIs to download Xcode. The code this project uses is the undocumented/unofficial API, which only supports user/pass (and not the JWT auth token).

This comment can be outdated 😬 that might not be the case anymore, but that has always been the case.

@daemedeor

daemedeor commented Jan 12, 2022

Yeah, I've been looking into the responses, and I couldn't figure out if there was another header that would allow me to use anything other than the cookies. Since it's undocumented, I was wondering if anyone has seen anything different yet. I'm happy to do the work if it's a manpower issue, but I'm just not great at sniffing network traffic for this particular endpoint.

Edit:

Cheers for the response though. I'll see if I can use Charles proxy or something similar to try one more time.

@rogerluan
Collaborator

No problem! :)
If you're looking for pointers on where to start, I think that, moving forward, the best use of your time would be if you played around with the new authentication system already. You can find more info about spaceship here: https://github.com/fastlane/fastlane/tree/master/spaceship/ (pardon the out-of-date documentation), and you'll want to focus on https://github.com/fastlane/fastlane/tree/master/spaceship/lib/spaceship/connect_api (note the connect_api), which is different from the portal or tunes directories (which contain the old, cookie-based authentication system).

From an authenticated spaceship client, perhaps you can poke around to see if any of the APIs we hit in this repo will work with the JWT-based auth 🤞

Best of luck!

@daemedeor

daemedeor commented Jan 13, 2022

Yup! I've been playing around and at least got it to the point where I understand the new auth system. Just trying to figure out the header view and hope everything pulls out.

Edit:
Because I don't want people to feel frustrated that I never updated:

So this is the landscape as I see it currently. I tried accessing this URL (https://developer.apple.com/services-account/download?path=%2FDeveloper_Tools%2FXcode_13.2.1%2FXcode_13.2.1.xip) by generating a token, utilizing the spaceship connect API by supplying a new API client, then hitting the URL by trying a simple GET command. However, even with all the rest authenticated correctly, the client still kept redirecting me to https://idmsa.apple.com/IDMSWebAuth/signin, which would mainly mean that I am not able to auth with the token header as far as I can tell. The authorization and the bearer token should be set correctly. My Ruby skills are absolute trash right now, so maybe there's something I'm missing, but so far to me, it looks like Apple still only allows the old login method w/ 2FA still

@rogerluan
Collaborator

Ah, that makes sense 😞 Yeah, unfortunately everything leads us to think that it's still not available (not even as an undocumented official API) 😬

Thanks for digging into this @daemedeor ! That was super helpful! Hopefully they release an API for this soon enough 🤞

@martinimartinimartini

Guys, is there a way to generate a SESSION cookie with the JWT auth token?
I'm trying to use the "fastlane run xcversion" command but it doesn't support api_key like pilot or deliver.
HELP
