fix: ability to publish iOS applications for users with two-factor authentication enabled #4903

Fatme · 2019-07-26T07:46:29Z

Currently the users are not able to publish applications to AppStore if their accounts are with two-factor authentication enabled. The current PR introduces support for publishing iOS apps for accounts with two-factor authentication enabled and shouldn't affect how publish command works for accounts without two-factor authentication. To support it, we need 2 additional options:

appleApplicationSpecificPassword
appleSessionBase64

The --appleApplicationSpecificPassword option is a password for user's Apple ID that let the user sign in to his account and securely access the information he stores from iTunes Transporter application. This option is mandatory for all accounts with two-factor authentication enabled. To generate an application specific password, follow the steps below:

Go to https://appleid.apple.com/account/manage
Generate a new application specific password
Provide the generated application specific password using --appleApplicationSpecificPassword option.

The --appleSessionBase64 option is a base 64 string that actually is the session cookie. This session will be reused instead of triggering a new login each time NativeScript CLI communicates with Apple's APIs.

This PR introduces a new command tns apple-login as well.

The tns apple-login command uses the provided credentials to obtain Apple session, encode the received session in base64 format and print it on console.

How tns publish works?

NativeScript CLI tries to sign in the user with provided username and password. If the request fails with statusCode 409, NativeScript CLI consider this as an account with two-factor authentication enabled. If the account is with two-factor authentication, CLI prompts the user for the verification code.

Interactive console

If the account is with two-factor authentication and --appleApplicationSpecificPassword option is not provided, NativeScript CLI throws an error as iTunes Transporter will not be able to upload the application.
If the account is with two-factor authentication and --appleApplicationSpecificPassword option is provided:
- If --appleSessionBase64 is provided, CLI decodes it and tries to sign in the user with provided session.
- If --appleSessionBase64 is not provided, CLI will sign in the user with provided credentials.
If the account is without two-factor authentication, --appleApplicationSpecificPassword option is not respected.
If the account is without two-factor authentication, --appleSessionBase64 is respected and NativeScript CLI reuse the provided session instead of triggering a new login.

Non-interactive console (CI)

When the console is not interactive, NativeScript CLI doesn't prompt for verification code.

Execute tns apple-login and copy the printed session
Execute tns publish ios <username> <password> --appleApplicationSpecificPassword <app-specific-password> --appleSessionBase64 <session>

The session should be valid for about one month, meaning a new session should be generated every month. Usually the user will only know about it when the build starts failing.

NOTE: An Apple ID session is only valid for a certain region, meaning if the CI system is in a different region than the local machine, the user might run into issues.

Current behavior vs new behavior

	tns publish ios	tns appstore list
current behavior	build the application and fail if provided credentials are invalid	show `Invalid username and password combination. Used '${username}' as the username.`
new behavior	validate the credentials and build the application if credentials are valid	show { "serviceErrors" : [ { "code" : "-20101", "message" : "Your Apple ID or password was incorrect." } ]}

PR Checklist

The PR title follows our guidelines: https://github.com/NativeScript/NativeScript/blob/master/CONTRIBUTING.md#commit-messages.
There is an issue for the bug/feature this PR is for. To avoid wasting your time, it's best to open a suggestion issue first and wait for approval before working on it.
You have signed the CLA.
All existing tests are passing: https://github.com/NativeScript/nativescript-cli/blob/master/CONTRIBUTING.md#contribute-to-the-code-base
Tests for the changes are included.

What is the current behavior?

What is the new behavior?

Rel to: #4586

docs/man_pages/publishing/apple-login.md

docs/man_pages/publishing/appstore-upload.md

docs/man_pages/publishing/publish-ios.md

DimitarTachev · 2019-07-29T08:39:57Z

lib/services/apple-portal/apple-portal-session-service.ts

+				}
+
+				if (result.isTwoFactorAuthenticationEnabled && opts && opts.ensureConsoleIsInteractive && !isInteractive()) {
+					this.$errors.failWithoutHelp(`Your account has two-factor authentication enabled, but your console is not interactive.


We could mention the appleSessionBase64 option here.

I was wondering the same and decided that mention tns publish ios --help command and describing --appleSessionBase64 option in help, should be enough.

Fatme · 2019-07-30T06:26:52Z

test cli-publish

Fatme · 2019-07-30T07:21:52Z

test cli-publish

Fatme added 2 commits July 25, 2019 16:36

feat: support accounts with two-factor authentication on publish

0b1e750

feat: add apple-login command

802e8e6

Fatme added the bug label Jul 26, 2019

Fatme added this to the 6.0.3 milestone Jul 26, 2019

Fatme self-assigned this Jul 26, 2019

cla-bot bot added the cla: yes label Jul 26, 2019

test: fix unit tests

a6e17e5

Fatme force-pushed the fatme/2fa branch from fda10a8 to a6e17e5 Compare July 26, 2019 08:05

docs: add help for new options and command

9ca5ba5