search

XcodesOrg / xcodes

The best command-line tool to install and switch between multiple versions of Xcode.
MIT License
3.59k stars 119 forks source link

How to authenticate xcodes non-interactively? (without hitting 2FA prompt) #311

Open hach-que opened 11 months ago

hach-que commented 11 months ago

I've created an "app-specific password" for an account that has developer access to the App Center, set XCODES_USERNAME to the email address and XCODES_PASSWORD to the app-specific password, but I get either of these messages from xcodes install ...:

Two-factor authentication is enabled for this account.
Enter the 6 digit code sent to +xx xxxx xxx xxx: Invalid HTTP response (400) for https://idmsa.apple.com/appleauth/auth/verify/phone/securitycode.
Invalid HTTP response (400) for https://idmsa.apple.com/appleauth/auth/verify/phone/securitycode.

or

Apple ID: Missing username or a password. Please try again.

I also tried to create a new Apple account that didn't have 2FA on, but it turns out these days you can't create an Apple account without a phone number, and they automatically enroll and force 2FA on all new accounts, so you can never turn it off.

Is there any way to get this working non-interactively out of the box? Or do I have to go down the path of something like Plivo and a whole virtual phone number solution just so I can programmatically grab the 2FA SMS messages that Apple is sending?

hach-que commented 11 months ago

From the looks of things, if I needed to wire up a virtual phone number solution to receive the SMS messages and pass them back through to the authentication, this is the place to do it:

    func promptForSMSSecurityCode(length: Int, for trustedPhoneNumber: AuthOptionsResponse.TrustedPhoneNumber) -> SecurityCode {
        let code = Current.shell.readLine("Enter the \(length) digit code sent to \(trustedPhoneNumber.numberWithDialCode): ") ?? ""
        return .sms(code: code, phoneNumberId: trustedPhoneNumber.id)
    }

(though also maybe just interpreting the xcodes output and piping in the SMS code when the caller program sees "Enter the 6 digit code sent to" might be enough)

hach-que commented 11 months ago

Looks like for some reason .NET tooling on macOS can't respond to the prompt properly. If there was a way to invoke a command, maybe via XCODES_GET_2FA_SMS_COMMAND to get the SMS code, that would probably work for me.

alowther-hrc commented 11 months ago

what about using an app specific password? it didn't work for me but that seems like an easier solution than building a SMS tool

hach-que commented 10 months ago

App specific passwords don't work for this kind of authentication.