Skip to content

feat: complete iCloud 2FA from Telegram (headless re-auth, no shell/web UI)#470

Open
epheterson wants to merge 2 commits into
mandarons:mainfrom
epheterson:feat/telegram-2fa-clean
Open

feat: complete iCloud 2FA from Telegram (headless re-auth, no shell/web UI)#470
epheterson wants to merge 2 commits into
mandarons:mainfrom
epheterson:feat/telegram-2fa-clean

Conversation

@epheterson

Copy link
Copy Markdown
Contributor

Summary

Headless deployments can't finish iCloud's 2FA without shelling into the container. This adds an opt-in Telegram reply flow: when re-authentication is needed, reply the auth keyword to have Apple push a code to your trusted devices, then reply the 6-digit code — the session validates and trusts, and sync resumes. No console, no web UI.

Root cause it also fixes: the headless path waited for a code it never requested — it never called trigger_2fa_push_notification, so no code was ever pushed. This wires up the trigger.

Config (opt-in, off by default)

app:
  telegram:
    bot_token: <your bot token>
    chat_id: <your chat id>
    listen: true          # poll Telegram for replies during a 2FA wait
    auth_keyword: auth     # reply word that triggers the push (default "auth")

Details

  • config_parser: app.telegram.listen + auth_keyword.
  • notify: poll_telegram_for_text; the reply prompt is routed through notify.send, so it inherits the existing 24h throttle and other channels (email/Discord/Pushover) still get the standard alert.
  • sync: threads the live api into the 2FA handler and polls for the keyword/code.
  • Codes tolerate spaces/dashes (123 456). Docs note 1:1 chat (group privacy mode) + a per-container bot token for multi-container setups.
  • Requires icloudpy==0.9.0 for trigger_2fa_push_notification. As a bonus, that bump also fixes the documented docker exec ... icloud --username CLI flow, which now pushes a code via icloudpy's cmdline.

Testing

New tests/test_telegram_2fa.py covers the poller, config getters, notify routing, and the wait loop. Verified end-to-end against real Apple + Telegram (push triggered, code validated, session trusted).


Happy to split the pure trigger bug-fix (the missing trigger_2fa_push_notification call + icloudpy bump) from the Telegram convenience layer into two PRs if you'd prefer — just say the word.

…eb UI)

Headless deployments can't finish iCloud's 2FA without shelling into the
container. This adds an opt-in Telegram reply flow: when re-authentication is
needed, reply the auth keyword to have Apple push a code to your trusted
devices, then reply the 6-digit code to validate and trust the session.

The headless path previously waited for a code it never requested -- it never
called trigger_2fa_push_notification, so no code was ever pushed. This wires up
the trigger plus a getUpdates poll gated on app.telegram.listen.

- config_parser: app.telegram.listen + auth_keyword
- notify: poll_telegram_for_text; reply prompt routed through notify.send so it
  inherits the 24h throttle and other channels still get the standard alert
- sync: thread the live api into the 2FA handler; poll for keyword/code
- requires icloudpy 0.9.0 (trigger_2fa_push_notification); this bump also fixes
  the documented `docker exec ... icloud --username` CLI flow, which now pushes
  a code via icloudpy cmdline
- codes tolerate spaces/dashes; docs note 1:1 chat + per-container bot token

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mandarons

Copy link
Copy Markdown
Owner

Happy to split the pure trigger bug-fix (the missing trigger_2fa_push_notification call + icloudpy bump) from the Telegram convenience layer into two PRs if you'd prefer — just say the word.

yes - @epheterson please split this PR as Telegram flow is optional.

@epheterson

Copy link
Copy Markdown
Contributor Author

No problem, put up a PR with just the bump needed to get 2FA working and will rebase the telegram PR on top. Glad this 2FA issue is finally unblocked!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants