Observations on the Fastlane/Spaceship session length #14301
Some official information from Apple on how long logins with 2FA should be valid:
via https://developer.apple.com/support/account/authentication/ |
2FA session is still alive after launch on Friday with login every 600 seconds |
Awesome, so updating the session cookie might be something to look into. Can you share your setup so we can reproduce this? |
How can I share it, what exactly do you need? |
I was referring to:
What exactly does this do and how? |
We just set this script to run every 600 seconds in a loop - that's it, it always gave us "OK" after first entering of 2FA code on Friday. |
Thanks. That leaves the question: How is fastlane's session/cookie system different than the website, where you do not need to re-login after x hours/days and not have to keep polling the login method to keep it alive? (Although this seems to work, it shouldn't be our plan to tell everyone to start pestering Apple with login requests every 600 seconds 🙊 ) |
OK, I have an answer :) I've tested it further - in fact you only need the cookie with name "myacinfo", it can be grabbed from browser session and placed into fastlane cookie file (or otherwise, from fastlane to browser), (ofc if you have same country/IP/subnet) as your CI system (I've tested with ssh -D and proxy in browser). Technically they should update last access time of this session and keep it valid after 30 days of last access time, otherwise workflow may be broken when session becomes invalid. But, we need to wait for 30 days with active usage of this session to check it out. |
LOL and you can just keep your myacinfo, change IP to another country - and still be authorised. It's... okay. |
I will have to go deep into the code again to be able to verify this, but I thought this was already how it worked. (But maybe not if |
I've run into similar issues recently. I've noticed that if I use this Then I looked into So what I tried is take contents of The question is why does |
Nice observation @mgrebenets. I actually don't really understand what is happening with the cookies, I can just link you to the code that selects/keeps them: fastlane/spaceship/lib/spaceship/spaceauth_runner.rb Lines 30 to 48 in 2d81244
If including the idmsa.apple.com cookie helps, we can of course adapt that code. |
The Nice catch @mgrebenets |
If that is the case, a PR for |
So I'd just have to figure out what's the "needed" cookie. The code is this:

```ruby
# We remove all the un-needed cookies
cookies.select! do |cookie|
  cookie.name.start_with?("myacinfo") || cookie.name == 'dqsid'
end
```

The cookie that has 30 days expiration day doesn't have a clean name:
It starts with "DES" so it probably has something to do with [DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard) 🤷‍♂️. Could anyone else confirm that they also have a cookie name like "DES...." in their |
I can confirm that adding just that one extra "DES" cookie for The question I still got is how to pick that one cookie from all cookies. Of course, there's always the option of just using all cookies, which increases the size of env variable but is more future proof. |
Oh, and the comment in the same file:

```ruby
# The only value we actually need is the "DES5c148586daa451e55afb017aa62418f91" cookie
# We're not sure if the key changes so we do need that one and it gets filtered out :)
```
|
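An added example, not part of the thread and not fastlane's own code: one way to pick the "DES..." cookie by prefix instead of by its full name, and to report how many days each kept cookie has left. The `Cookie` struct, the helper names, the sample jar and the restriction of the "DES" prefix to `idmsa.apple.com` are assumptions made for illustration.

```ruby
# Stand-in for a cookie jar entry (assumption: the real jar holds objects
# that expose the same name/domain/expires readers).
Cookie = Struct.new(:name, :domain, :expires)

# Name rules taken from the thread: "myacinfo*", "dqsid", plus the "DES..."
# cookie. The DES rule is a prefix match because its suffix may differ, and
# it is tied to idmsa.apple.com (assumption) so unrelated cookies that merely
# start with "DES" are not carried into the exported session.
KEEP_RULES = [
  ->(c) { c.name.start_with?('myacinfo') },
  ->(c) { c.name == 'dqsid' },
  ->(c) { c.name.start_with?('DES') && c.domain.end_with?('idmsa.apple.com') }
].freeze

# Returns only the cookies matched by one of the rules, in jar order.
def select_session_cookies(cookies)
  cookies.select { |c| KEEP_RULES.any? { |rule| rule.call(c) } }
end

# Maps each kept cookie name to the whole days left before it expires.
# Cookies without an expiry (browser-session cookies) map to nil.
def expiry_report(cookies, now)
  select_session_cookies(cookies).each_with_object({}) do |c, report|
    report[c.name] = c.expires && ((c.expires - now) / 86_400).floor
  end
end

# Constructed sample jar; names other than myacinfo/dqsid and all expiry
# values are made up for this example.
NOW = Time.utc(2019, 3, 1)
SAMPLE_JAR = [
  Cookie.new('myacinfo', 'apple.com', nil),
  Cookie.new('dqsid', 'apple.com', NOW + 1800),
  Cookie.new('DES0123456789abcdef', 'idmsa.apple.com', NOW + 30 * 86_400),
  Cookie.new('unrelated_cookie', 'apple.com', NOW + 3600),
  Cookie.new('DESIGN_PREF', 'example.com', NOW + 86_400)
].freeze

if __FILE__ == $PROGRAM_NAME
  expiry_report(SAMPLE_JAR, NOW).each do |name, days|
    puts "#{name}: #{days.nil? ? 'no expiry set' : "#{days} day(s) left"}"
  end
end
```

A CI job could run such a report before a build and warn when the "DES..." entry is close to zero days.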
Yeah, that comment confused me as well - but the blame/history of the file might tell you a bit if that was just forgotten when something else was changed or if it is something else. Pretty confusing. |
Looks like they have limited session to one day. https://apple.stackexchange.com/questions/336842/get-two-factor-authentication-code-from-terminal
|
After the topic how long the `FASTLANE_SESSION` is valid came up in #14239, @ZonD80 asked:
This led to me answering:
Fortunately he took the "bait" and replied:
and later
As this discussion and further observations might not be of interest for all the people in that issue, I created this one where we can continue.