feat: support accounts with two-factor authentication on publish

Author: Fatme

lib/commands/appstore-list.ts

@@ -6,6 +6,7 @@ export class ListiOSApps implements ICommand {
 
 	constructor(private $injector: IInjector,
 		private $applePortalApplicationService: IApplePortalApplicationService,
+		private $applePortalSessionService: IApplePortalSessionService,
 		private $logger: ILogger,
 		private $projectData: IProjectData,
 		private $devicePlatformsConstants: Mobile.IDevicePlatformsConstants,
@@ -31,7 +32,12 @@ export class ListiOSApps implements ICommand {
 			password = await this.$prompter.getPassword("Apple ID password");
 		}
 
-		const applications = await this.$applePortalApplicationService.getApplications({ username, password });
+		const user = await this.$applePortalSessionService.createUserSession({ username, password });
+		if (!user.areCredentialsValid) {
+			this.$errors.failWithoutHelp(`Invalid username and password combination. Used '${username}' as the username.`);
+		}
+
+		const applications = await this.$applePortalApplicationService.getApplications(user);
 
 		if (!applications || !applications.length) {
 			this.$logger.info("Seems you don't have any applications yet.");

lib/commands/appstore-upload.ts

@@ -8,6 +8,7 @@ export class PublishIOS implements ICommand {
 	new StringCommandParameter(this.$injector), new StringCommandParameter(this.$injector)];
 
 	constructor(
+		private $applePortalSessionService: IApplePortalSessionService,
 		private $injector: IInjector,
 		private $itmsTransporterService: IITMSTransporterService,
 		private $logger: ILogger,
@@ -38,6 +39,15 @@ export class PublishIOS implements ICommand {
 			password = await this.$prompter.getPassword("Apple ID password");
 		}
 
+		const user = await this.$applePortalSessionService.createUserSession({ username, password }, {
+			applicationSpecificPassword:  this.$options.appleApplicationSpecificPassword,
+			sessionBase64: this.$options.appleSessionBase64,
+			ensureConsoleIsInteractive: true
+		});
+		if (!user.areCredentialsValid) {
+			this.$errors.failWithoutHelp(`Invalid username and password combination. Used '${username}' as the username.`);
+		}
+
 		if (!mobileProvisionIdentifier && !ipaFilePath) {
 			this.$logger.warn("No mobile provision identifier set. A default mobile provision will be used. You can set one in app/App_Resources/iOS/build.xcconfig");
 		}
@@ -69,8 +79,9 @@ export class PublishIOS implements ICommand {
 		}
 
 		await this.$itmsTransporterService.upload({
-			username,
-			password,
+			credentials: { username, password },
+			user,
+			applicationSpecificPassword: this.$options.appleApplicationSpecificPassword,
 			ipaFilePath,
 			shouldExtractIpa: !!this.$options.ipa,
 			verboseLogging: this.$logger.getLevel() === "TRACE"

lib/common/constants.ts

@@ -95,6 +95,7 @@ export class HttpStatusCodes {
 	static NOT_MODIFIED = 304;
 	static PAYMENT_REQUIRED = 402;
 	static PROXY_AUTHENTICATION_REQUIRED = 407;
+	static CONFLICTING_RESOURCE = 409;
 }
 
 export const HttpProtocolToPort: IDictionary<number> = {

lib/common/http-client.ts

@@ -255,7 +255,9 @@ private defaultUserAgent: string;
 			this.$logger.error(`You can run ${EOL}\t${clientNameLowerCase} proxy set <url> <username> <password>.${EOL}In order to supply ${clientNameLowerCase} with the credentials needed.`);
 			return "Your proxy requires authentication.";
 		} else if (statusCode === HttpStatusCodes.PAYMENT_REQUIRED) {
-			return util.format("Your subscription has expired.");
+			return "Your subscription has expired.";
+		} else if (statusCode === HttpStatusCodes.CONFLICTING_RESOURCE) {
+			return "The request conflicts with the current state of the server.";
 		} else {
 			this.$logger.trace("Request was unsuccessful. Server returned: ", body);
 			try {

lib/declarations.d.ts

@@ -568,6 +568,8 @@ interface IOptions extends IRelease, IDeviceIdentifier, IJustLaunch, IAvd, IAvai
 	analyticsLogFile: string;
 	performance: Object;
 	cleanupLogFile: string;
+	appleApplicationSpecificPassword: string;
+	appleSessionBase64: string;
 }
 
 interface IEnvOptions {
@@ -609,7 +611,13 @@ interface IAndroidResourcesMigrationService {
 /**
  * Describes properties needed for uploading a package to iTunes Connect
  */
-interface IITMSData extends ICredentials {
+interface IITMSData {
+	credentials: ICredentials;
+
+	user: IApplePortalUserDetail;
+
+	applicationSpecificPassword: string;
+		
 	/**
 	 * Path to a .ipa file which will be uploaded.
 	 * @type {string}

lib/options.ts

@@ -145,7 +145,9 @@ export class Options {
 			hooks: { type: OptionType.Boolean, default: true, hasSensitiveValue: false },
 			link: { type: OptionType.Boolean, default: false, hasSensitiveValue: false },
 			aab: { type: OptionType.Boolean, hasSensitiveValue: false },
-			performance: { type: OptionType.Object, hasSensitiveValue: true }
+			performance: { type: OptionType.Object, hasSensitiveValue: true },
+			appleApplicationSpecificPassword: { type: OptionType.String, hasSensitiveValue: true },
+			appleSessionBase64: { type: OptionType.String, hasSensitiveValue: true },
 		};
 	}
 

lib/services/apple-portal/apple-portal-application-service.ts

@@ -5,10 +5,9 @@ export class ApplePortalApplicationService implements IApplePortalApplicationSer
 		private $httpClient: Server.IHttpClient
 	) { }
 
-	public async getApplications(credentials: ICredentials): Promise<IApplePortalApplicationSummary[]> {
+	public async getApplications(user: IApplePortalUserDetail): Promise<IApplePortalApplicationSummary[]> {
 		let result: IApplePortalApplicationSummary[] = [];
 
-		const user = await this.$applePortalSessionService.createUserSession(credentials);
 		for (const account of user.associatedAccounts) {
 			const contentProviderId = account.contentProvider.contentProviderId;
 			const dsId = user.sessionToken.dsId;
@@ -36,10 +35,10 @@ export class ApplePortalApplicationService implements IApplePortalApplicationSer
 		return JSON.parse(response.body).data;
 	}
 
-	public async getApplicationByBundleId(credentials: ICredentials, bundleId: string): Promise<IApplePortalApplicationSummary> {
-		const applications = await this.getApplications(credentials);
+	public async getApplicationByBundleId(user: IApplePortalUserDetail, bundleId: string): Promise<IApplePortalApplicationSummary> {
+		const applications = await this.getApplications(user);
 		if (!applications || !applications.length) {
-			this.$errors.failWithoutHelp(`Cannot find any registered applications for Apple ID ${credentials.username} in iTunes Connect.`);
+			this.$errors.failWithoutHelp(`Cannot find any registered applications for Apple ID ${user.userName} in iTunes Connect.`);
 		}
 
 		const application = _.find(applications, app => app.bundleId === bundleId);

lib/services/apple-portal/apple-portal-cookie-service.ts

@@ -1,6 +1,6 @@
 export class ApplePortalCookieService implements IApplePortalCookieService {
 	private userSessionCookies: IStringDictionary = {};
-	private validUserSessionCookieNames = ["myacinfo", "dqsid", "itctx", "itcdq", "acn01"];
+	private validUserSessionCookieNames = ["myacinfo", "dqsid", "itctx", "itcdq", "acn01", "DES"];
 	private validWebSessionCookieNames = ["wosid", "woinst", "itctx"];
 
 	public getWebSessionCookie(cookiesData: string[]): string {
@@ -29,7 +29,7 @@ export class ApplePortalCookieService implements IApplePortalCookieService {
 			for (const cookie of parts) {
 				const trimmedCookie = cookie.trim();
 				const [cookieKey, cookieValue] = trimmedCookie.split("=");
-				if (_.includes(validCookieNames, cookieKey)) {
+				if (_.includes(validCookieNames, cookieKey) || _.some(validCookieNames, validCookieName => cookieKey.startsWith(validCookieName))) {
 					result[cookieKey] = { key: cookieKey, value: cookieValue, cookie: trimmedCookie };
 				}
 			}

lib/services/apple-portal/apple-portal-session-service.ts

@@ -1,3 +1,5 @@
+import { isInteractive } from "../../common/helpers";
+
 export class ApplePortalSessionService implements IApplePortalSessionService {
 	private loginConfigEndpoint = "https://appstoreconnect.apple.com/olympus/v1/app/config?hostname=itunesconnect.apple.com";
 	private defaultLoginConfig = {
@@ -7,42 +9,33 @@ export class ApplePortalSessionService implements IApplePortalSessionService {
 
 	constructor(
 		private $applePortalCookieService: IApplePortalCookieService,
+		private $errors: IErrors,
 		private $httpClient: Server.IHttpClient,
-		private $logger: ILogger
+		private $logger: ILogger,
+		private $prompter: IPrompter
 	) { }
 
-	public async createUserSession(credentials: ICredentials): Promise<IApplePortalUserDetail> {
-		const loginConfig = await this.getLoginConfig();
-		const loginUrl = `${loginConfig.authServiceUrl}/auth/signin`;
-		const loginResponse = await this.$httpClient.httpRequest({
-			url: loginUrl,
-			method: "POST",
-			body: JSON.stringify({
-				accountName: credentials.username,
-				password: credentials.password,
-				rememberMe: true
-			}),
-			headers: {
-				'Content-Type': 'application/json',
-				'X-Requested-With': 'XMLHttpRequest',
-				'X-Apple-Widget-Key': loginConfig.authServiceKey,
-				'Accept': 'application/json, text/javascript'
-			}
-		});
-
-		this.$applePortalCookieService.updateUserSessionCookie(loginResponse.headers["set-cookie"]);
+	public async createUserSession(credentials: ICredentials, opts?: IAppleCreateUserSessionOptions): Promise<IApplePortalUserDetail> {
+		const loginResult = await this.login(credentials, opts);
 
-		const sessionResponse = await this.$httpClient.httpRequest({
-			url: "https://appstoreconnect.apple.com/olympus/v1/session",
-			method: "GET",
-			headers: {
-				'Cookie': this.$applePortalCookieService.getUserSessionCookie()
+		if (!opts || !opts.sessionBase64) {
+			if (loginResult.isTwoFactorAuthenticationEnabled) {
+				const authServiceKey = (await this.getLoginConfig()).authServiceKey;
+				await this.handleTwoFactorAuthentication(loginResult.scnt, loginResult.xAppleIdSessionId, authServiceKey);
 			}
-		});
 
-		this.$applePortalCookieService.updateUserSessionCookie(sessionResponse.headers["set-cookie"]);
+			const sessionResponse = await this.$httpClient.httpRequest({
+				url: "https://appstoreconnect.apple.com/olympus/v1/session",
+				method: "GET",
+				headers: {
+					'Cookie': this.$applePortalCookieService.getUserSessionCookie()
+				}
+			});
+
+			this.$applePortalCookieService.updateUserSessionCookie(sessionResponse.headers["set-cookie"]);
+		}
 
-		const userDetailResponse = await this.$httpClient.httpRequest({
+		const userDetailsResponse = await this.$httpClient.httpRequest({
 			url: "https://appstoreconnect.apple.com/WebObjects/iTunesConnect.woa/ra/user/detail",
 			method: "GET",
 			headers: {
@@ -51,9 +44,12 @@ export class ApplePortalSessionService implements IApplePortalSessionService {
 			}
 		});
 
-		this.$applePortalCookieService.updateUserSessionCookie(userDetailResponse.headers["set-cookie"]);
+		this.$applePortalCookieService.updateUserSessionCookie(userDetailsResponse.headers["set-cookie"]);
 
-		return JSON.parse(userDetailResponse.body).data;
+		const userdDetails = JSON.parse(userDetailsResponse.body).data;
+		const result = { ...userdDetails, ...loginResult, userSessionCookie: this.$applePortalCookieService.getUserSessionCookie() };
+
+		return result;
 	}
 
 	public async createWebSession(contentProviderId: number, dsId: string): Promise<string> {
@@ -79,6 +75,72 @@ export class ApplePortalSessionService implements IApplePortalSessionService {
 		return webSessionCookie;
 	}
 
+	private async login(credentials: ICredentials, opts?: IAppleCreateUserSessionOptions): Promise<IAppleLoginResult> {
+		const result = {
+			scnt: <string>null,
+			xAppleIdSessionId: <string>null,
+			isTwoFactorAuthenticationEnabled: false,
+			areCredentialsValid: true
+		};
+
+		if (opts && opts.sessionBase64) {
+			const decodedSession = Buffer.from(opts.sessionBase64, "base64").toString("utf8");
+
+			this.$applePortalCookieService.updateUserSessionCookie([decodedSession]);
+
+			result.isTwoFactorAuthenticationEnabled = decodedSession.indexOf("DES") > -1;
+		} else {
+			try {
+				await this.loginCore(credentials);
+			} catch (err) {
+				const statusCode = err && err.response && err.response.statusCode;
+				result.areCredentialsValid = statusCode !== 401 && statusCode !== 403;
+				result.isTwoFactorAuthenticationEnabled = statusCode === 409;
+				if (result.isTwoFactorAuthenticationEnabled && opts && !opts.applicationSpecificPassword) {
+					this.$errors.failWithoutHelp(`Your account has two-factor authentication enabled but --appleApplicationSpecificPassword option is not provided.
+To generate an application-specific password, please go to https://appleid.apple.com/account/manage.
+This password will be used for the iTunes Transporter, which is used to upload your application.`);
+				}
+
+				if (result.isTwoFactorAuthenticationEnabled && opts && opts.ensureConsoleIsInteractive && !isInteractive()) {
+					this.$errors.failWithoutHelp(`Your account has two-factor authentication enabled, but your console is not interactive.
+For more details how to set up your environment, please execute "tns publish ios --help".`);
+				}
+
+				const headers = (err && err.response && err.response.headers) || {};
+				result.scnt = headers.scnt;
+				result.xAppleIdSessionId = headers['x-apple-id-session-id'];
+			}
+		}
+
+		return result;
+	}
+
+	private async loginCore(credentials: ICredentials): Promise<void> {
+		const loginConfig = await this.getLoginConfig();
+		const loginUrl = `${loginConfig.authServiceUrl}/auth/signin`;
+		const headers = {
+			'Content-Type': 'application/json',
+			'X-Requested-With': 'XMLHttpRequest',
+			'X-Apple-Widget-Key': loginConfig.authServiceKey,
+			'Accept': 'application/json, text/javascript'
+		};
+		const body = JSON.stringify({
+			accountName: credentials.username,
+			password: credentials.password,
+			rememberMe: true
+		});
+
+		const loginResponse = await this.$httpClient.httpRequest({
+			url: loginUrl,
+			method: "POST",
+			body,
+			headers
+		});
+
+		this.$applePortalCookieService.updateUserSessionCookie(loginResponse.headers["set-cookie"]);
+	}
+
 	private async getLoginConfig(): Promise<{authServiceUrl: string, authServiceKey: string}> {
 		let config = null;
 
@@ -91,5 +153,46 @@ export class ApplePortalSessionService implements IApplePortalSessionService {
 
 		return config || this.defaultLoginConfig;
 	}
+
+	private async handleTwoFactorAuthentication(scnt: string, xAppleIdSessionId: string, authServiceKey: string): Promise<void> {
+		const headers = {
+			'scnt': scnt,
+			'X-Apple-Id-Session-Id': xAppleIdSessionId,
+			'X-Apple-Widget-Key': authServiceKey,
+			'Accept': 'application/json'
+		};
+		const authResponse = await this.$httpClient.httpRequest({
+			url: "https://idmsa.apple.com/appleauth/auth",
+			method: "GET",
+			headers
+		});
+
+		const data = JSON.parse(authResponse.body);
+		if (data.trustedPhoneNumbers && data.trustedPhoneNumbers.length) {
+			const parsedAuthResponse = JSON.parse(authResponse.body);
+			const token = await this.$prompter.getString(`Please enter the ${parsedAuthResponse.securityCode.length} digit code`, { allowEmpty: false });
+
+			await this.$httpClient.httpRequest({
+				url: `https://idmsa.apple.com/appleauth/auth/verify/trusteddevice/securitycode`,
+				method: "POST",
+				body: JSON.stringify({
+					securityCode: {
+						code: token.toString()
+					}
+				}),
+				headers: { ...headers, 'Content-Type': "application/json" }
+			});
+
+			const authTrustResponse = await this.$httpClient.httpRequest({
+				url: "https://idmsa.apple.com/appleauth/auth/2sv/trust",
+				method: "GET",
+				headers
+			});
+
+			this.$applePortalCookieService.updateUserSessionCookie(authTrustResponse.headers["set-cookie"]);
+		} else {
+			this.$errors.failWithoutHelp(`Although response from Apple indicated activated Two-step Verification or Two-factor Authentication, NativeScript CLI don't know how to handle this response: ${data}`);
+		}
+	}
 }
 $injector.register("applePortalSessionService", ApplePortalSessionService);