Advanced Data Protection Support #202
Comments
@gsong are you using iCloud Shared Photo Library?
No, I'm not.
I'm in a similar position with advanced data protection and a yubikey on my Apple ID. With this combination of security settings, the sign in prompts I receive on other devices don't have MFA codes, but rather just "ok" or "that wasn't me". Edit: this feels like something that might have a soft dependency on #120 to do yubikey auth via a webUI.
@gsong Any of those things enabled with you as well?
I just realised I was skipping over this part @gsong
You will need to make sure that access through the iCloud WebUI is enabled. See Apple's support document on this. The tool is re-using those APIs (and I hope the APIs are the same when this is enabled, since I cannot test this). Please report back - in case it does not work, I would need to ask the same of you as above.
Hiya, I'm trying to set this tool up and I have Advanced Data Protection enabled on my iCloud account. I'm currently getting the following error when I try running the
I've made sure that I have the "Access iCloud Data on the Web" option enabled in my account settings. Let me know if I could provide you with more information to help troubleshoot this as I do not want to disable ADP.
@noah-guillory which 2FA method are you using? Does the WebUI access work (have you ever accessed the UI from a non-Safari browser, where you provided password instead of Touch ID)
I am using the normal 2FA method, not using any hardware security keys or anything. I was able to get through the process of providing my 2FA code by And I am able to access Photos from the WebUI using Edge as well. Though whenever I do, I do get a push notification on my Mac saying that my device is providing access to the iCloud web interface.
Do you need to confirm this notification before being able to continue?
I need to understand how the API behaves differently from the current process, when ADP is enabled. Best way for me to debug is by being able to see the iCloud API's behaviour here. For that I'd need a HAR file of your login on the browser. For that do the following:
Example of how to do this: create-har-h265.mp4
Makes sense! Whenever I get a chance I'll get you that file. Thanks for being responsive 😄
Hi @steilerDev, is there any hope of ADP support landing soon? Did you get the input you needed?
@Tomfox91 unfortunately I have not received any feedback on my previous request - so I have not had the chance to implement this.
Thanks @Tomfox91 for sending over an HAR file - I just had a quick look - some things look different, but the good news is that the API is very close to what I am expecting :) Unfortunately I'm not sure when I'll get around working on this as private and professional life are currently taking a lot of time :/ Anyone who wants to support on this, I'm happy to point you into directions :)
Sadly I think the resolution to this issue is to buy a used / refurb m1 Mac mini.
I tried a sync using
I can also confirm that "Access iCloud Data on the Web" option is enabled in my account settings.
See foxt/icloud.js#4 for some research done on this topic
With ADP enabled (and yes, I would like to run this manually once every, so this workflow of one time authentication suits me fine), I get the following error: User authenticated
So side note from me a couple of months later, I found out rather quickly that the Windows iCloud client has no issues whatsoever with ADP when I switched back to it for work a while ago, so I do sort of wonder what Apple is doing differently over there. If it's something that would require reverse engineering the iCloud binaries, I... can't really recommend that because depending on jurisdiction and how litigious they're feeling that's a bit precarious, though I still wonder if there is a way to somehow acquire a more... permanent form of trust
That is a very interesting consideration @MaxNeedsSnacks - unfortunately I don't have much experience in reverse engineering Windows binaries, but maybe we can capture network traffic through a proxy to understand what's going on. I'm currently in the process of creating a new Apple ID that has ADP enabled so I can dig into this capability.
If anyone is having this setup, you could set up https://proxyman.io to capture the traffic and collaborate on what you are seeing!
Great news on this: After getting a fresh SIM and setting up a fresh account on an old iPhone that has ADP enabled, I've got a sync execution completed with this tool 🥳 This means it generally works and the changes I need to do to have this "production ready" are only minimal. Will have something shortly :)
Interestingly enough, the UI says it provides access "as long as the user is logged in". This is probably why the Windows Desktop client does not require extensive re-authentications. I might see if there is an API I can hit continuously in the background to stay logged in longer than the current limit of 60 minutes, otherwise one would need to attend the sync and re-authorize every hour
That's probably not why Windows doesn't have to reauth though, since otherwise you'd have to log in again after having your PC shut down for more than an hour ^^;
Looking good - need to create tests and will then be able to release. Currently the sync of large libraries might be a little bit painful (because I expect re-authorization every 60 mins). For the release after next, I will focus on reworking the API interactions (see issue 364), which should also make using ADP more pleasant :)
1.4.0-nightly.1 should contain ADP support!
This issue should be resolved with version v1.4.0-beta.1, please confirm.
I tested nightly (v.1.4.0-nightly.4!), was able to authenticate, got half a dozen "Your Apple ID was used to sign in to iCloud via a web browser" emails from apple, but sync command fails:
Some additional information. I waited some time and tried again. Now works fine. Maybe since it tried a couple of times so fast and I hadn't had enough time to authorize on the phone, then it was banned for a while. So maybe you ought to not try in a busy loop..
Yeah - it seems Apple is quite quick at limiting authentication requests when ADP is enabled - I've run into the 500 issue as well when testing. I might adjust the retry timeout - that's good feedback
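The two comments above describe the failure mode: retrying the ADP sign-in in a busy loop, faster than the user can approve it on the phone, gets the client rate-limited (HTTP 500) for a while. As an added example, not icloud-photos-sync's own code, here is a bounded retry schedule with exponential backoff and jitter that treats such responses as "wait, then try again" and gives up after a fixed number of attempts; the policy values and the response sequence are constructed for illustration.

```typescript
// Added example, not icloud-photos-sync's own code: bounded retry schedule
// with exponential backoff and jitter for the ADP sign-in step, so a
// rate-limited attempt (HTTP 500 from Apple when requests come faster than
// the user can approve them) is never retried in a busy loop.

interface RetryPolicy {
  maxAttempts: number;  // give up after this many sign-in attempts
  baseDelayMs: number;  // wait after the first failure
  maxDelayMs: number;   // cap on the exponential growth
  jitterRatio: number;  // 0..1 share of the delay that is randomised
}

// Responses that mean "try again later" rather than a hard failure.
const RETRYABLE_STATUS: number[] = [429, 500, 503];

type Step = { action: "done" } | { action: "fail" } | { action: "retry"; delayMs: number };

// Delay before retry number `attempt` (1-based): base, 2*base, 4*base ... capped,
// plus/minus jitterRatio so several clients do not retry in lockstep.
function backoffDelay(attempt: number, p: RetryPolicy, rand: () => number = Math.random): number {
  const exp = Math.min(p.maxDelayMs, p.baseDelayMs * Math.pow(2, attempt - 1));
  const jitter = exp * p.jitterRatio * (rand() * 2 - 1);
  return Math.max(0, Math.round(exp + jitter));
}

// Decide what to do after sign-in attempt `attempt` returned HTTP `status`.
function nextStep(status: number, attempt: number, p: RetryPolicy, rand: () => number = Math.random): Step {
  if (status === 200) return { action: "done" };
  if (RETRYABLE_STATUS.indexOf(status) === -1 || attempt >= p.maxAttempts) return { action: "fail" };
  return { action: "retry", delayMs: backoffDelay(attempt, p, rand) };
}

// Offline driver over a constructed sequence of server responses: reports how many
// attempts were made and how long the client would have slept in total.
function simulate(statuses: number[], p: RetryPolicy, rand: () => number = Math.random): { ok: boolean; attempts: number; sleptMs: number } {
  let sleptMs = 0;
  for (let attempt = 1; attempt <= p.maxAttempts; attempt++) {
    const status = statuses[Math.min(attempt - 1, statuses.length - 1)];
    const step = nextStep(status, attempt, p, rand);
    if (step.action === "done") return { ok: true, attempts: attempt, sleptMs };
    if (step.action === "fail") return { ok: false, attempts: attempt, sleptMs };
    sleptMs += step.delayMs;  // a real client would `await sleep(step.delayMs)` here
  }
  return { ok: false, attempts: p.maxAttempts, sleptMs };
}

// Constructed sample: two rate-limited answers, then the phone approval lands.
const POLICY: RetryPolicy = { maxAttempts: 5, baseDelayMs: 5000, maxDelayMs: 60000, jitterRatio: 0.2 };
const SAMPLE = simulate([500, 500, 200], POLICY, () => 0.5);  // rand = 0.5 gives zero jitter
```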
Hmm... I just tried both the nightly and the beta, but I always get:
and then it stops. On my iPhone, I get a notification that my iCloud account is being logged in, but without asking me to allow it. When accessing iCloud on the web, I get a similar notification, but with an "allow" button, and then it works fine.
Before ADP kicks in, you will need to provide your MFA code - this is a 6-digit code either pushed to your iDevice or phone number. See in the docs on how to submit the code to the app: https://icps.steiler.dev/get-started/#submit-mfa-code
Thanks for the quick answer. I never got a code like that on my iPhone or Mac. Maybe because I have two yubikeys as 2FA, which I usually need for login? (Although I have two trusted phone numbers defined as well...)
Ahh - Yubikey authentication is currently out of scope (since I don't have an account setup with this and I don't own one) - if you've got trusted phone numbers you can have the MFA code resent to them: https://icps.steiler.dev/get-started/#re-send-mfa-code - just provide method 'sms' and a phone number id (those start at 0 and go up - it depends on how many you've got, but they should provide an error if the id is invalid)
Oh, thanks! So I tried running "docker exec photos-sync resend_mfa sms 0", but I get:
Do you think it's possible that SMS 2FA is disabled by Apple when security keys are used?
Can you try with id 1/2/3...? I know that deleting and re-adding a phone number will increase this id (my demo account always needs id '3' for some reason :D )
I tried up to 6, no luck. Looking at https://discussions.apple.com/thread/254617891?sortBy=best it seems weaker options (like SMS) are disabled when security keys are added. Too bad... seems I have to make a choice between backups and strong security 😅
Could be - to double check, you could use the Postman collection (https://github.com/steilerDev/icloud-photos-sync/tree/main/docs/postman). You could add your cred. and then run 01-Enter Password followed by 01--- Get list of devices (this will give you all options available for MFA)
Just tried this, and I get:
I guess that means no SMS?
I'm afraid so :/ I'm getting something like this:
Unfortunately I have no idea how much work it would be to implement - but based on a previously provided capture of a YubiKey flow, it did not seem straightforward :/ Nevertheless, I'd welcome you taking a shot
OK, in any case, thanks a lot for your help!
Describe the bug
Note that I do have Advanced Data Protection turned on.
Logs
Please paste the log file (preferably with LOG_LEVEL=debug), located in .icloud-photos-sync.log, stored in the DATA_DIR.
Operating environment