Add PCS/ADP cookie support to fix iCloud login for Advanced Data Protection users#438
Conversation
…entication Agent-Logs-Url: https://github.com/mandarons/icloud-docker/sessions/f6f9d27b-e934-4df3-aa60-80a028b5178c Co-authored-by: mandarons <50469173+mandarons@users.noreply.github.com>
Agent-Logs-Url: https://github.com/mandarons/icloud-docker/sessions/f6f9d27b-e934-4df3-aa60-80a028b5178c Co-authored-by: mandarons <50469173+mandarons@users.noreply.github.com>
|
🐳 Docker Image Built Successfully! The Docker image for this PR has been built and pushed to GitHub Container Registry: Image Tag: Usage: docker pull ghcr.io/mandarons/icloud-docker:pr-438
docker run --name icloud-pr-test -v ${PWD}/icloud:/icloud -v ${PWD}/config:/config -e ENV_CONFIG_FILE_PATH=/config/config.yaml ghcr.io/mandarons/icloud-docker:pr-438Build Info:
|
There was a problem hiding this comment.
Pull request overview
This PR updates the iCloud authentication/sync orchestration to support Apple Advanced Data Protection (ADP) accounts by detecting PCS requirements, triggering device consent when needed, and requesting PCS cookies before proceeding with Drive/Photos sync.
Changes:
- Added PCS/ADP detection + consent/cookie acquisition helpers and integrated them into the main
sync()loop. - Extended the iCloudPy mock session to emulate PCS endpoints/states and fixed a mock JSON parsing edge case (
data=None). - Added unit tests covering PCS state handling and sync-loop integration scenarios.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/sync.py |
Adds PCS/ADP flow helpers and gates the sync cycle on successful PCS readiness for ADP accounts. |
tests/data/__init__.py |
Adds PCS mock payloads/users and routes new setup endpoints in ICloudPySessionMock; fixes json.loads(None) in mock request parsing. |
tests/test_sync.py |
Adds PCS-focused unit tests and new sync-loop integration tests for ADP/non-ADP scenarios. |
| @patch(target="keyring.get_password", return_value=data.VALID_PASSWORD) | ||
| @patch(target="src.config_parser.get_username", return_value=data.AUTHENTICATED_USER) | ||
| @patch("icloudpy.ICloudPyService") | ||
| @patch("src.sync.read_config") | ||
| @patch("requests.post", side_effect=tests.mocked_usage_post) |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
🐳 Docker Image Built Successfully! The Docker image for this PR has been built and pushed to GitHub Container Registry: Image Tag: Usage: docker pull ghcr.io/mandarons/icloud-docker:pr-438
docker run --name icloud-pr-test -v ${PWD}/icloud:/icloud -v ${PWD}/config:/config -e ENV_CONFIG_FILE_PATH=/config/config.yaml ghcr.io/mandarons/icloud-docker:pr-438Build Info:
|
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
@copilot apply changes based on the comments in this thread |
…tch SimpleNamespace api tests Agent-Logs-Url: https://github.com/mandarons/icloud-docker/sessions/7fd2fdf4-2eec-4aec-96d4-8a52c68ee31d Co-authored-by: mandarons <50469173+mandarons@users.noreply.github.com>
Applied all three review comments in commit
All 430 tests pass. |
|
🐳 Docker Image Built Successfully! The Docker image for this PR has been built and pushed to GitHub Container Registry: Image Tag: Usage: docker pull ghcr.io/mandarons/icloud-docker:pr-438
docker run --name icloud-pr-test -v ${PWD}/icloud:/icloud -v ${PWD}/config:/config -v ${PWD}/home-abc-local:/home/abc/.local -e ENV_CONFIG_FILE_PATH=/config/config.yaml ghcr.io/mandarons/icloud-docker:pr-438Build Info:
|
|
@mandarons just tested this version, but I still get no iCloud validation code popup on my Apple devices. |
Apple's Advanced Data Protection (ADP) now requires PCS (Private Cloud Storage) cookies in addition to the standard auth token. Accounts with ADP enabled fail to sync because the existing auth flow doesn't request these cookies, causing silent failures or stalls.
Changes
src/sync.py— Three new functions + sync loop integration_check_webaccess_state(api)— CallsrequestWebAccessStateto detect whether ADP is enabled and if device consent is granted_request_pcs_cookies(api)— Acquires PCS cookies viarequestPCSforiclouddriveafter consent is granted_handle_pcs_required(config, api, username, sync_state)— Orchestrates the full flow:True(zero behavior change for most users)enableDeviceConsentForPCS(triggers push notification to user's iPhone), fires configured notification channel (Discord/Telegram/etc.), returnsFalseto retry on next cycleIntegrated into the sync loop after 2FA check, using the existing fall-through-to-sleep pattern:
tests/data/__init__.py— Mock infrastructureREQUIRES_PCS_CONSENT_USER,AUTHENTICATED_WITH_ADP_USERNO_ADP,ADP_NO_CONSENT,ADP_CONSENTED) plusPCS_REQUEST_SUCCESS/PENDINGandPCS_CONSENT_NOTIFICATION_SENTrequestWebAccessState,enableDeviceConsentForPCS,requestPCSinICloudPySessionMock, routing byuser["accountName"]json.loads(None)bug in mock whenrequests.Session.post()passesdata=Noneexplicitlytests/test_sync.py— 13 new testsCovers: no-ADP passthrough, ADP with/without consent, cookies success/pending, exception handling in each PCS endpoint call, and full
sync()loop integration for both PCS user types.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
gitclassic.com/home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js(dns block)If you need me to access, download, or install something from one of these locations, you can either: