icloud-photos-downloader / icloud_photos_downloader

A command-line tool to download photos from iCloud
MIT License

Authentication persistence (bug?) #1005

Closed sdebruyn closed 5 days ago

sdebruyn commented 5 days ago

It would be very useful if icloudpd could persist authentication tokens and sessions. I would like to be able to restart the process without having to provide a password and/or MFA authentication every time.

I am using Docker and I can persist the password by mounting /root/.local/share/python_keyring/keyring_pass.cfg into a volume. For others reading this, it should be noted that this is not more secure than just putting your Apple ID password in plain text in your Docker config, as this contains a base64-encoded string with your password.

But then after persisting my password, I still have to enter my MFA code every time, even though the one I entered previously is probably still valid.

Ideally I would like to persist neither of those 2 (persisting the MFA isn't useful anyway since it's only valid for 30 seconds) but instead just persist a token/session somewhere which can be used to communicate with iCloud without asking me for my credentials.

I thought this is what --cookie-directory would do, but that doesn't work. My cookies are properly stored in that folder, but icloudpd is still asking me to re-authenticate every time I start up a container with that folder mounted.

boredazfcuk commented 5 days ago

This is exactly what --cookie-directory does. Must be a permissions/config error somewhere.

sdebruyn commented 5 days ago

After mounting both the keyring dir and the cookies to a volume, it seems to work. Without the mounted keyring, it asks for a password. This is my Docker setup now:

version: "3.8"
services:
  icloudpd-sam:
    image: icloudpd/icloudpd:latest
    container_name: icloudpd_sam
    network_mode: bridge
    environment:
      - TZ=Europe/Brussels
    volumes:
      - /volume1/icloudpd/sam:/data
      - cookies:/cookies
      - keyring:/root/.local/share/python_keyring
    command:
      - icloudpd
      - --cookie-directory
      - /cookies
      - --directory
      - /data
      - --username
      - REDACTED
      - --watch-with-interval
      - "600"
      - --set-exif-datetime
      - --delete-after-download
      - --no-progress-bar
      - --password-provider
      - keyring
      - --password-provider
      - webui
      - --mfa-provider
      - webui
    ports:
      - 38080:8080
    restart: on-failure
  icloudpd-sam-notifier:
    image: icloudpd/icloudpd:latest
    container_name: icloudpd_sam_notifier
    network_mode: bridge
    environment:
      - TZ=Europe/Brussels
    volumes:
      - cookies:/cookies
      - keyring:/root/.local/share/python_keyring
    command:
      - icloudpd
      - --cookie-directory
      - /cookies
      - --username
      - REDACTED
      - --auth-only
      - --smtp-username
      - REDACTED
      - --smtp-password
      - REDACTED
      - --smtp-host
      - REDACTED
      - --notification-email
      - REDACTED
      - --notification-email-from
      - REDACTED
      - --no-progress-bar
      - --password-provider
      - keyring
networks: {}
volumes:
  keyring: null
  cookies: null

The second container shuts down right away but I have a cronjob that does docker-compose -f path-to-compose.yaml up -d icloudpd-sam-notifier every day so that I get an email when the tokens expire.
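
The point made in the first comment, that a persisted keyring_pass.cfg holds only a base64-encoded password, can be checked on the host side of the mounted volumes. The following is an added example, not part of the thread or of icloudpd's own code: it flags files in a persisted keyring or cookie directory that group or others can access, and lists entries whose value is bare base64 without ever returning the decoded secret. The INI-style layout of the file is an assumption, and the service name, user and secret in `demo()` are constructed placeholders.

```python
import base64
import binascii
import configparser
import os
import stat
import tempfile
from pathlib import Path


def loose_modes(root: Path) -> list[str]:
    """Files under root that group or others can access."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"{path.name}: mode {mode:04o}, expected 0600")
    return findings


def reversible_entries(cfg_file: Path) -> list[tuple[str, str]]:
    """(section, key) pairs whose value is bare base64. The secret is never returned."""
    parser = configparser.RawConfigParser()
    parser.read(cfg_file)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            compact = "".join(value.split())  # tolerate wrapped values
            if not compact:
                continue
            try:
                base64.b64decode(compact, validate=True)
            except (binascii.Error, ValueError):
                continue  # not base64, so not flagged by this heuristic
            hits.append((section, key))
    return hits


def demo():
    """Audit a constructed keyring volume built in a temp dir (assumed layout)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "keyring_pass.cfg"
        encoded = base64.b64encode(b"not-a-real-password").decode()
        cfg.write_text(f"[example-service]\nuser@example.com = {encoded}\n")
        os.chmod(cfg, 0o644)  # constructed: world-readable on purpose
        return loose_modes(Path(tmp)), reversible_entries(cfg)


if __name__ == "__main__":
    print(demo())
```

Point `loose_modes` at the host paths backing the `keyring` and `cookies` volumes; both hold material that authenticates to iCloud, so both should be readable only by the account running the container.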