Nativescript-cli: publish ios fails because of hsa2

Created on 6 May 2019  路  13Comments  路  Source: NativeScript/nativescript-cli

Environment

  • CLI: 5.3.4
  • Cross-platform modules: 5.3.2
  • Android Runtime: 5.3.1
  • iOS Runtime: 5.3.1
  • Plugin(s): -

Describe the bug
During executing tns publish ios command does not execute and regular help output with the previous message:

Request was unsuccessful. Server returned:  {
  "authType" : "hsa2"
}

when executing the same command with --log trace option the real fails reason can be seen:

httpRequest: { url: 'https://idmsa.apple.com/appleauth/auth/signin',
  method: 'POST',
  headers:
   { 'Content-Type': 'application/json',
     'X-Requested-With': 'XMLHttpRequest',
     'X-Apple-Widget-Key':
      'e0b80c3bf78523bfe80974d320935bfa30add02e1bff88ec2166c6bd5a706c42',
     Accept: 'application/json, text/javascript',
     'User-Agent': 'tnsCLI/5.3.4 (Node.js 11.3.0; darwin; x64)',
     'Accept-Encoding': 'gzip,deflate' },
  proto: 'https',
  host: 'idmsa.apple.com',
  port: null,
  path: '/appleauth/auth/signin',
  encoding: null,
  followAllRedirects: true }
httpRequest: Sending:
{"accountName":"******************@gmail.com","password":"*******","rememberMe":true}
httpRequest: Done. code = 409
Request was unsuccessful. Server returned:  {
  "authType" : "hsa2"
}
Error: {
  "authType" : "hsa2"
}
    at Gunzip.responseStream.on (/Users/***/.nodenv/versions/11.3.0/lib/node_modules/nativescript/lib/common/http-client.js:180:45)
    at Gunzip.emit (events.js:187:15)
    at endReadableNT (_stream_readable.js:1098:12)
    at process.internalTickCallback (internal/process/next_tick.js:72:19)

And yes my Apple ID account has TWO-FACTOR AUTHENTICATION enabled.

To Reproduce
Enable TWO-FACTOR AUTHENTICATION in your Apple ID and try to execute tns publish ios for your NS project.

Expected behavior
tns publish ios must ask two-factor code in the same way as it asks to enter Apple ID account and password.

Additional context
I found implementation of this functionality in fastlane project on GitHub (409 error response handling and handle_two_step_or_factor implementation).

bug ios high
Source
picture ycherniavskyi
👍5

Most helpful comment

Acceptance criteria:

  • [x] Ensure account without two-factor authentication can publish
  • [x] Ensure account with two-factor authentication can publish
  • [x] Set two-factor authentication on some device and check the publish is successful, disable two-factor authentication and check the publish is successful (After setting 2fa I could not find a way to disable it anymore, so I cannot verify that scenario)
  • [x] Ensure an error is thrown when --appleApplicationSpecificPassword is not provided for accounts with two-factor authentication
  • [x] Ensure CI workflow work correctly:
  • Execute tns apple-login on developer machine (from interactive console)
  • Copy the printed session
  • Execute tns publish ios <username> <password> --appleApplicationSpecificPassword <appSpecificPassword> --appleSessionBase64 <copied session from 2> on CI machine (from non-interactive console)
  • [x] Ensure tns appstore list command work correctly regardless if account is with two-factor authencation
picture miroslavaivanova on 29 Jul 2019
👍2

All 13 comments

Try with CLI 5.3.1 - the latest one looks buggy.

erjdriver picture erjdriver on 7 May 2019

@erjdriver I am sure that issue reason not in CLI version - current source base does not have functionality which process Apple two-factor authentication.

ycherniavskyi picture ycherniavskyi on 7 May 2019

@ycherniavskyi,

You are totally right NativeScript CLI doesn't have the functionality to publish applications to AppStore for accounts with two-factor authentication.

I marked this as a bug and we'll investigate it for one of our next releases.

Meanwhile, you can use Sidekick to publish your apps. It has support for accounts with two-factor authentication and also has support for local and cloud builds. More info can be found here.

Fatme picture Fatme on 7 May 2019
👍1

@Fatme thank you for your clarification, I will try Sidekick for publishing.

ycherniavskyi picture ycherniavskyi on 7 May 2019

fyi - if you use app-specific-password - that works in CLI 5.3.1

tns publish ios ACCOUNT-EMAIL APP-SPECIFIC-PASSWORD --ipa file.ipa

erjdriver picture erjdriver on 7 May 2019

But app-specific passwords don't work in CLI 5.4.0 though.

waynerobinson picture waynerobinson on 23 May 2019

Yeah - roll it back to 5.3.1

erjdriver picture erjdriver on 23 May 2019

Considering Apple required all developer accounts in the Account Holder role to enable 2FA earlier this year (https://developer.apple.com/news/?id=02202019a), I expect many {N} developers will start hitting this with the CLI. Happy to see this is high priority to address.

toddanglin picture toddanglin on 4 Jun 2019

High priority, but tomorrow going to be 30 days since it's reported with no fix.

maxorlovsky picture maxorlovsky on 4 Jun 2019

Hey @toddanglin , @maxorlovsky ,
Thank you for bringing the attention back to this issue. Indeed we would like to resolve it, but currently we are overloaded with the incoming 6.0.0 major release. The issue is not a trivial one and has several workarounds:

  1. Use NativeScript Sidekick - 2FA is working in its publish.
  2. Use Application Loader on your macOS to upload the application manually.
  3. Use Xcode to publish the application.

I fully understand the mentioned workarounds are not ideal and we'll do our best to provide a fix, but at the moment I cannot give you an estimate for it.
Of course, PRs with potential fix are more than welcome and the team will review them. We were discussing how to resolve this issue and probably the best solution is to take a look at fastlane's implementation as its quite similar to what CLI's doing.

rosen-vladimirov picture rosen-vladimirov on 5 Jun 2019

Thanks for the update, @rosen-vladimirov!

FWIW, I was able to use Sidekick to build and publish my iOS app with 2FA. Only challenge I had was getting Sidekick to use the expected certificate and provisioning profile for _local_ builds. I eventually just used a cloud build and everything build and uploaded. 馃し鈥嶁檪

toddanglin picture toddanglin on 6 Jun 2019
👍1

Acceptance criteria:

  • [x] Ensure account without two-factor authentication can publish
  • [x] Ensure account with two-factor authentication can publish
  • [x] Set two-factor authentication on some device and check the publish is successful, disable two-factor authentication and check the publish is successful (After setting 2fa I could not find a way to disable it anymore, so I cannot verify that scenario)
  • [x] Ensure an error is thrown when --appleApplicationSpecificPassword is not provided for accounts with two-factor authentication
  • [x] Ensure CI workflow work correctly:
  • Execute tns apple-login on developer machine (from interactive console)
  • Copy the printed session
  • Execute tns publish ios <username> <password> --appleApplicationSpecificPassword <appSpecificPassword> --appleSessionBase64 <copied session from 2> on CI machine (from non-interactive console)
  • [x] Ensure tns appstore list command work correctly regardless if account is with two-factor authencation
miroslavaivanova picture miroslavaivanova on 29 Jul 2019
👍2

Is this functionality available in cli v6.4.0? With two factor auth enabled on my account, I'm trying to publish but getting error msg: Although response from Apple indicated activated Two-step Verification or Two-factor Authentication, NativeScript CLI don't know how to handle this response: [object Object]

meparashar picture meparashar on 28 Mar 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Fatme picture Fatme  路  3Comments
trodellez picture trodellez  路  3Comments
charsleysa picture charsleysa  路  3Comments
NickIliev picture NickIliev  路  3Comments
Anilinfo2015 picture Anilinfo2015  路  3Comments