Support using non-2FA accounts

[thii]

A recent change in Apple's 2FA a few days ago breaks xcodes' authentication.

$ xcodes update
You must sign in to https://appstoreconnect.apple.com and acknowledge the Apple ID & Privacy agreement.

fastlane works around it by allowing to opt-in to skipping 2FA upgrade by setting SPACESHIP_SKIP_2FA_UPGRADE=1: https://github.com/fastlane/fastlane/pull/18116.

[interstateone]

Hey @thii! Thanks for opening this issue. As I understand it this change will only affect non-2FA accounts, and so one workaround would be to use an account that uses 2FA. This might not be an option for some fastlane use cases, which is understandable. This also might not be an option for xcodes when it's being automated, but I'm not sure how many people are in this situation. To be clear, is this a hypothetical situation for you right now, or is this blocking your use of xcodes in a way that you can't work around? Please share as much detail as you can so that I can better understand.

I'd like xcodes to be as easy to use for as many people as possible, but I'm hesitant to add a workaround for this if it'll be obsolete very soon or if there's a reasonable workaround. Given this might just be delaying the inevitable, perhaps there's a better solution that we should look into?

[Kesin11]

I'm facing same situation too. I'm using xcodes for installing Xcode in macOS build agent that use for build iOS app with Jenkins. I used xcodes via Ansible to install Xcode completely automatically, and I was using an old Apple account with no 2FA set up. This worked fine, but it broke a few days ago.

https://github.com/fastlane/fastlane/pull/18116 is great work, but it is work around. I gave up the automatic installation of Xcode and decided to install it manually on all build agents.

I hope xcodes developers will add the same feature as the Fastlane's work around. But if they decide not to implement that workaround, I will respect them.

[thii]

@interstateone Thanks for the explanation. I totally understand the hesitation. Our use-case is being able to unattended install Xcode on our build workers, which wouldn't be possible if we use a 2FA account.

[interstateone]

Thanks for elaborating @Kesin11 and @thii. At this point I'm not sure that we (mostly meaning me, but also Robots and Pencils) will have time to implement this workaround, but we'd be open to merging a PR that implemented it.

It might also be worth considering how you would handle this if Apple does actually enforce 2FA. For example, using xcodes download $VERSION once with a 2FA account and xcodes install $VERSION --path $SOME_INTERNALLY_HOSTED_XIP_PATH on each of your build agents/workers might be an option both now and in the future after enforcement came into effect? If there were issues preventing that approach from working (I'm not sure that I've tested it), or another option that didn't work around Apple's auth decisions, then I'd be more inclined to make changes to support them.

[Kesin11]

@interstateone It seems good. However in my case, the number of macOS build agent is not so much. And Xcode xip file size is very large, time and network bandwidth cost of copy from host machine to each agents maybe quite painful.

I considered other options yesterday, finally I decided to install Xcode manually with 2FA to each build agent using xcodes 😃

[thii]

Since this is actually a feature request now, I rephrased the issue title.

[thispsj]

Well guys I got a quick workaround for this. Note : Only for non-2FA Accounts. Login and getting ADCDownloadAuth in 3 steps :

Step 1 : Get widget key GET https://appstoreconnect.apple.com/olympus/v1/app/config with the query param hostname having value itunesconnect.apple.com

This thing is already used by you guys in the 2FA auth so nothing new. But mentioning here to be systematic.

Step 2 : Login POST https://idmsa.apple.com/IDMSWebAuth/authenticate The request body should have the following 3 parameters in form data format.

 appIdKey="Generated AppID" //The Auth Service Key/Widget Key returned by Olympus in Step 1
 appleId="myapple@test.app" //Your Apple ID
 accountPassword="PasswordIs1234" //Your Account Password 

Here you need to keep the cookies returned in response . The most important ones are myacinfo , acsso & acn01

Step 3 : Done with Login ! Request ADCDownloadAuth

POST https://developer.apple.com/services-account/QH65B2/downloadws/listDownloads.action

Request body should be empty and all the cookies (at least those 3 mentioned in previous step) should be sent using the Cookie header .

Also the header Content-Length should be sent with a value of 0 .

The response will contain the ADCDownloadAuth Cookie in one of its Set-Cookie header. I guess even this step has been implemented in your code.

P.S. : This may stop to work in future when Apple enforces 2FA on everyone.

I've tested this on five different accounts.

[thispsj]

@interstateone tagging you so that you look at it.

[thispsj]

Command line cURL version of my comment .

/bin/bash read -p "Enter your Apple ID username : " ASID && read -sp "Enter your Apple ID Password : " PASS && curl --location --data "appIdKey=e0b80c3bf78523bfe80974d320935bfa30add02e1bff88ec2166c6bd5a706c42&appleId=$ASID&accountPassword=$PASS" "https://idmsa.apple.com/IDMSWebAuth/authenticate" --cookie-jar ./login.txt --output /dev/null && curl --location --cookie-jar ./adc.txt --cookie login.txt https://developer.apple.com/services-account/QH65B2/downloadws/listDownloads.action -X POST -H "Content-Length: 0" --output /dev/null && rm login.txt && cat adc.txt 

adc.txt will contain all cookies including ADCDownloadAuth Cookie.

[MattKiazyk]

Xcodes 1.0 can now download Xcode without having a username and password 🥳 Closing as now support non-2FA accounts 😝

[thispsj]

Xcodes 1.0 can now download Xcode without having a username and password 🥳 Closing as now support non-2FA accounts 😝

@MattKiazyk ~Without a username and password ? How ? 😲~

EDIT: Got my answer

[MattKiazyk]

If you install Xcodes 1.0 it won't prompt you for your Apple username and password. It will just download Xcode.

[Pranav-19]

@MattKiazyk @thispsj Hi, I am running Xcodes 1.2.0, but it's still prompting me for a username and password. Can you let me know how do we download xcode without having to give these as input?