How to authenticate xcodes non-interactively? (without hitting 2FA prompt)

Question

How to authenticate xcodes non-interactively? (without hitting 2FA prompt)

hach-que opened this issue a year ago · comments

I've created an "app-specific password" for an account that has developer access to the App Center, set XCODES_USERNAME to the email address and XCODES_PASSWORD to the app-specific password, but I get either of these messages from xcodes install ...:

Two-factor authentication is enabled for this account.
Enter the 6 digit code sent to +xx xxxx xxx xxx: Invalid HTTP response (400) for https://idmsa.apple.com/appleauth/auth/verify/phone/securitycode.
Invalid HTTP response (400) for https://idmsa.apple.com/appleauth/auth/verify/phone/securitycode.

or

Apple ID: Missing username or a password. Please try again.

I also tried to create a new Apple account that didn't have 2FA on, but it turns out these days you can't create an Apple account without a phone number, and they automatically enroll and force 2FA on all new accounts, so you can never turn it off.

Is there any way to get this working non-interactively out of the box? Or do I have to go down the path of something like Plivo and a whole virtual phone number solution just so I can programmatically grab the 2FA SMS messages that Apple is sending?

June Rhodes · Answer 1 · Sun Jul 23 2023 05:56:49 GMT+0800 (China Standard Time)

From the looks of things, if I needed to wire up a virtual phone number solution to receive the SMS messages and pass them back through to the authentication, this is the place to do it:

    func promptForSMSSecurityCode(length: Int, for trustedPhoneNumber: AuthOptionsResponse.TrustedPhoneNumber) -> SecurityCode {
        let code = Current.shell.readLine("Enter the \(length) digit code sent to \(trustedPhoneNumber.numberWithDialCode): ") ?? ""
        return .sms(code: code, phoneNumberId: trustedPhoneNumber.id)
    }

(though also maybe just interpreting the xcodes output and piping in the SMS code when the caller program sees "Enter the 6 digit code sent to" might be enough)

June Rhodes · Answer 2 · Tue Jul 25 2023 16:30:44 GMT+0800 (China Standard Time)

Looks like for some reason .NET tooling on macOS can't respond to the prompt properly. If there was a way to invoke a command, maybe via XCODES_GET_2FA_SMS_COMMAND to get the SMS code, that would probably work for me.

Adam Lowther · Answer 3 · Fri Aug 11 2023 21:08:49 GMT+0800 (China Standard Time)

what about using an app specific password? it didn't work for me but that seems like an easier solution than building a SMS tool

June Rhodes · Answer 4 · Sun Aug 13 2023 18:36:39 GMT+0800 (China Standard Time)

App specific passwords don't work for this kind of authentication.