publish ios fails because of hsa2

[ycherniavskyi]

Environment

• CLI: 5.3.4
• Cross-platform modules: 5.3.2
• Android Runtime: 5.3.1
• iOS Runtime: 5.3.1
• Plugin(s): -

Describe the bug
During executing tns publish ios command does not execute and regular help output with the previous message:

Request was unsuccessful. Server returned:  {
  "authType" : "hsa2"
}

when executing the same command with --log trace option the real fails reason can be seen:

httpRequest: { url: 'https://idmsa.apple.com/appleauth/auth/signin',
  method: 'POST',
  headers:
   { 'Content-Type': 'application/json',
     'X-Requested-With': 'XMLHttpRequest',
     'X-Apple-Widget-Key':
      'e0b80c3bf78523bfe80974d320935bfa30add02e1bff88ec2166c6bd5a706c42',
     Accept: 'application/json, text/javascript',
     'User-Agent': 'tnsCLI/5.3.4 (Node.js 11.3.0; darwin; x64)',
     'Accept-Encoding': 'gzip,deflate' },
  proto: 'https',
  host: 'idmsa.apple.com',
  port: null,
  path: '/appleauth/auth/signin',
  encoding: null,
  followAllRedirects: true }
httpRequest: Sending:
{"accountName":"******************@gmail.com","password":"*******","rememberMe":true}
httpRequest: Done. code = 409
Request was unsuccessful. Server returned:  {
  "authType" : "hsa2"
}
Error: {
  "authType" : "hsa2"
}
    at Gunzip.responseStream.on (/Users/***/.nodenv/versions/11.3.0/lib/node_modules/nativescript/lib/common/http-client.js:180:45)
    at Gunzip.emit (events.js:187:15)
    at endReadableNT (_stream_readable.js:1098:12)
    at process.internalTickCallback (internal/process/next_tick.js:72:19)

And yes my Apple ID account has TWO-FACTOR AUTHENTICATION enabled.

To Reproduce
Enable TWO-FACTOR AUTHENTICATION in your Apple ID and try to execute tns publish ios for your NS project.

Expected behavior
tns publish ios must ask two-factor code in the same way as it asks to enter Apple ID account and password.

Additional context
I found implementation of this functionality in fastlane project on GitHub (409 error response handling and handle_two_step_or_factor implementation).

[erjdriver]

Try with CLI 5.3.1 - the latest one looks buggy.

[ycherniavskyi]

@erjdriver I am sure that issue reason not in CLI version - current source base does not have functionality which process Apple two-factor authentication.

[Fatme]

@ycherniavskyi,

You are totally right NativeScript CLI doesn't have the functionality to publish applications to AppStore for accounts with two-factor authentication.

I marked this as a bug and we'll investigate it for one of our next releases.

Meanwhile, you can use Sidekick to publish your apps. It has support for accounts with two-factor authentication and also has support for local and cloud builds. More info can be found here.

[ycherniavskyi]

@Fatme thank you for your clarification, I will try Sidekick for publishing.

[erjdriver]

fyi - if you use app-specific-password - that works in CLI 5.3.1

tns publish ios ACCOUNT-EMAIL APP-SPECIFIC-PASSWORD --ipa file.ipa

[waynerobinson]

But app-specific passwords don't work in CLI 5.4.0 though.

[erjdriver]

Yeah - roll it back to 5.3.1

[toddanglin]

Considering Apple required all developer accounts in the Account Holder role to enable 2FA earlier this year (https://developer.apple.com/news/?id=02202019a), I expect many {N} developers will start hitting this with the CLI. Happy to see this is high priority to address.

[maxorlovsky]

High priority, but tomorrow going to be 30 days since it's reported with no fix.

[rosen-vladimirov]

Hey @toddanglin , @maxorlovsky ,
Thank you for bringing the attention back to this issue. Indeed we would like to resolve it, but currently we are overloaded with the incoming 6.0.0 major release. The issue is not a trivial one and has several workarounds:

1. Use NativeScript Sidekick - 2FA is working in its publish.
2. Use Application Loader on your macOS to upload the application manually.
3. Use Xcode to publish the application.

I fully understand the mentioned workarounds are not ideal and we'll do our best to provide a fix, but at the moment I cannot give you an estimate for it.
Of course, PRs with potential fix are more than welcome and the team will review them. We were discussing how to resolve this issue and probably the best solution is to take a look at fastlane's implementation as its quite similar to what CLI's doing.

[toddanglin]

Thanks for the update, @rosen-vladimirov!

FWIW, I was able to use Sidekick to build and publish my iOS app with 2FA. Only challenge I had was getting Sidekick to use the expected certificate and provisioning profile for local builds. I eventually just used a cloud build and everything build and uploaded. 🤷‍♂

[miroslavaivanova]

Acceptance criteria:

• Ensure account without two-factor authentication can publish
• Ensure account with two-factor authentication can publish
• Set two-factor authentication on some device and check the publish is successful, disable two-factor authentication and check the publish is successful (After setting 2fa I could not find a way to disable it anymore, so I cannot verify that scenario)
• Ensure an error is thrown when --appleApplicationSpecificPassword is not provided for accounts with two-factor authentication
• Ensure CI workflow work correctly:

1. Execute tns apple-login on developer machine (from interactive console)
2. Copy the printed session
3. Execute tns publish ios <username> <password> --appleApplicationSpecificPassword <appSpecificPassword> --appleSessionBase64 <copied session from 2> on CI machine (from non-interactive console)

• Ensure tns appstore list command work correctly regardless if account is with two-factor authencation

[meparashar]

Is this functionality available in cli v6.4.0? With two factor auth enabled on my account, I'm trying to publish but getting error msg: Although response from Apple indicated activated Two-step Verification or Two-factor Authentication, NativeScript CLI don't know how to handle this response: [object Object]