majd / ipatool

Command-line tool that allows searching and downloading app packages (known as ipa files) from the iOS App Store
MIT License

Blocking the Apple Account because of new mandatory Apple header : X-APPLE-HC #158

Closed leverdeterre closed 1 year ago

leverdeterre commented 1 year ago

What happened?

First of all, sorry: I have not tested this issue on my side, but I feel that it's probably a real big problem. I discovered this issue on Fastlane, which is using an authentication flow using the Apple website, and your tool might have the same issue.

More context? : Apple requires the X-APPLE-HC header when signing in to https://idmsa.apple.com/appleauth/auth/signin. Leaving out this header results in forbidden access and possible Apple ID account lockout.

X-APPLE-HC uses a custom implementation of http://www.hashcash.org/

1. GET to https://idmsa.apple.com/appleauth/auth/signin
2. Use response headers x-apple-hc-bits and x-apple-hc-challenge to make hashcash
3. Set hashcash to X-APPLE-HC header on login

How to fix that? Implement the header challenge & implementation. No need to reverse engineer a lot of things because this is already shared in a PR on fastlane.

Version

All

Relevant log output

No response
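An added example, not part of the original issue and not ipatool's or fastlane's code: a hashcash-style proof of work in Go showing how a stamp is bound to the server's bits and challenge values and how the receiving side checks it. The stamp layout `1:<bits>:<date>:<challenge>::<counter>`, the use of SHA-1, the date format, and the names `Mint` and `Verify` are assumptions made for illustration; the issue does not specify them.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
	"time"
)

// leadingZeroBits counts the zero bits at the start of a SHA-1 digest.
func leadingZeroBits(sum [sha1.Size]byte) int {
	n := 0
	for _, b := range sum {
		n += bits.LeadingZeros8(b)
		if b != 0 {
			break
		}
	}
	return n
}

// Mint searches for a counter so that SHA-1(stamp) starts with nbits zero bits.
// ASSUMPTION: stamp layout "1:<bits>:<date>:<challenge>::<counter>".
func Mint(nbits int, challenge string, now time.Time) string {
	prefix := fmt.Sprintf("1:%d:%s:%s::", nbits, now.UTC().Format("20060102150405"), challenge)
	for counter := 0; ; counter++ {
		stamp := prefix + strconv.Itoa(counter)
		if leadingZeroBits(sha1.Sum([]byte(stamp))) >= nbits {
			return stamp
		}
	}
}

// Verify is the receiving side: the stamp must name the issued bits and
// challenge (assumed to contain no ':') and must meet the work target.
func Verify(stamp string, nbits int, challenge string) bool {
	f := strings.Split(stamp, ":")
	if len(f) != 6 || f[0] != "1" || f[1] != strconv.Itoa(nbits) || f[3] != challenge {
		return false
	}
	return leadingZeroBits(sha1.Sum([]byte(stamp))) >= nbits
}

func main() {
	// Constructed values standing in for x-apple-hc-bits / x-apple-hc-challenge.
	stamp := Mint(12, "constructed-challenge-0001", time.Now())
	fmt.Println("X-APPLE-HC:", stamp, "valid:", Verify(stamp, 12, "constructed-challenge-0001"))
}
```

Each extra bit doubles the expected search work, while verification stays a single hash.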

ViRb3 commented 1 year ago

This app uses the buy.itunes.apple.com endpoint, not the one described above. I haven't experienced any issue with logging in, and I don't think this will be a problem due to backwards compatibility which I believe this endpoint provides.

majd commented 1 year ago

The private API that ipatool uses is quite old and does not seem to support X-Apple-HC.