xcode_install 2FA

[bfrolicher]

Hi guy,

We are using Fastlane for the whole project CI.
Maybe I miss something but we can't use xcode_install lane, if the account specified in AppFile apple_id("user@email.com") has 2FA activated.

We are using app_store_connect_api_key lane to avoid OTP on other actions like sign, match, deliver.

There is a way to be able to have xcode_install working in a CI environment with prompting for password or OTP ?

Console output :

INFO [2021-06-08 15:55:26.09]: ---------------------------
INFO [2021-06-08 15:55:26.09]: --- Step: xcode_install ---
INFO [2021-06-08 15:55:26.09]: ---------------------------
INFO [2021-06-08 15:55:26.09]: gem 'xcode-install' is already installed
Reading keychain entry, because either user or password were empty
Two-factor Authentication (6 digits code) is enabled for account 'user@email.com'
More information about Two-factor Authentication: https://support.apple.com/en-us/HT204915

If you're running this in a non-interactive session (e.g. server or CI)
check out https://github.com/fastlane/fastlane/tree/master/spaceship#2-step-verification

(Input `sms` to escape this prompt and select a trusted phone number to send the code as a text message)

(You can also set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automate this)
(Read more at: https://github.com/fastlane/fastlane/blob/master/spaceship/docs/Authentication.md#auto-select-sms-via-spaceship_2fa_sms_default_phone_number)

Please enter the 6 digit code:

Cheers,
Ben

[Kylmakalle]

AFAIK this gem is a parser for https://developer.apple.com/devcenter/ and thus it's not supported by API.

If you've already found a solution, please share it with us.

[rogerluan]

Here's a related ticket you might find useful information (including workarounds): #395

[daemedeor]

Just curious, it has been a while since this topic was revisited. Is there a reason why /devcenter doesn't accept any jwt auth tokens as part of the headers or will only a valid cookie auth through to this endpoint?

[rogerluan]

@daemedeor IIRC the reason is that the official API provided by Apple doesn't contain APIs to download Xcode. The code this project uses is the undocumented/unofficial API, which only supports user/pass (and not the JWT auth token).

This comment can be outdated 😬 that might not be the case anymore, but that has always been the case.

[daemedeor]

Yeah, I've been looking into the responses, and I couldn't figure out if there was another header that would allow me to use anything other than the cookies. Since it's undocumented, I was wondering if anyone has seen anything different yet. I'm happy to do the work that if it's a manpower issue but I'm just not great about sniffing network traffic for this particular endpoint.

Edit:

Cheers for the response though. I'll see if I can use Charles proxy or something similar to try one more time.

[rogerluan]

No problem! :)
If you're looking for pointers on where to start, I think that, moving forward, the best use of your time would be if you played around with the new authentication system already. You can find more info about spaceship here: https://github.com/fastlane/fastlane/tree/master/spaceship/ (pardon the out-of-date documentation), and you'll want to focus on https://github.com/fastlane/fastlane/tree/master/spaceship/lib/spaceship/connect_api (note the connect_api) which's different than portal or tunes directories (which contain the old, cookie-based, authentication system).

From an authenticated spaceship client, perhaps you can poke around to see if any of the APIs we hit in this repo will work with the JWT-based auth 🤞

Best of luck!

[daemedeor]

Yup! I've been playing around and at least got it to the point where I understand the new auth system. Just trying to figure out the header view and hope everything pulls out.

Edit:
Because I don't want people to feel frustrated that I never updated:

So this is the landscape as I see it currently. I tried accessing this url (https://developer.apple.com/services-account/download?path=%2FDeveloper_Tools%2FXcode_13.2.1%2FXcode_13.2.1.xip) by generating a token, utilizing spaceship connect API by supplying a new API client. then hitting the url by trying a simple get command. However, even with all the rest authenticated correctly, the client kept still redirecting me to https://idmsa.apple.com/IDMSWebAuth/signin which would mainly mean that i am not able to auth with the token header as far as i can tell. The authorization and the bearer token should be set correctly. My ruby skills are absolute trash right now, so maybe there's something I'm missing but so far to me, it looks like that apple still only allows the old login method w/ 2fa still

[rogerluan]

Ah, that makes sense 😞 Yeah, unfortunately everything leads us to think that it's still not available (not even as a undocumented official API) 😬

Thanks for digging into this @daemedeor ! That was super helpful! Hopefully they release an API for this soon enough 🤞

[martinimartinimartini]

Guys, is there a way to generate a SESSION cookie with the JWT auth token?
I'm trying to use "fastlane run xcversion" command but it doesnt support api_key like pilot or deliver.
HELP