From 87040b8bce9449c6d2ecf4b87cb9bcd42f22dcb3 Mon Sep 17 00:00:00 2001 From: Jan Piotrowski Date: Wed, 20 Mar 2019 19:38:02 +0100 Subject: [PATCH 1/4] initial structure --- docs/best-practices/authentication.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 docs/best-practices/authentication.md diff --git a/docs/best-practices/authentication.md b/docs/best-practices/authentication.md new file mode 100644 index 0000000000..97f9af034b --- /dev/null +++ b/docs/best-practices/authentication.md @@ -0,0 +1,20 @@ +# Authentication + +## General + +- Use separate accounts for fastlane +- On CI it might be helpful to use accounts that have no 2 Factor Authentication enabled, see CI + +## Apple + +### 2FA + +#### App Specific Password via `FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD` + +#### Set `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automatically select a phone number for the security code to be sent to + +If your Apple ID has 2FA enabled you can usually enter `sms` to escape from the normal "enter your pushed security code" flow and manually choose one of your trusted phone numbers to receive the security code. If you know beforehand that you always want to do this and select the same phone number, set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to the phone number. + +#### Use `FASTLANE_SESSION` to reuse a 2FA session on CI + +See ... From 89e887274870b33256ebbf4d41e0b74285aa3a07 Mon Sep 17 00:00:00 2001 From: Jan Piotrowski Date: Wed, 20 Mar 2019 19:42:30 +0100 Subject: [PATCH 2/4] thoughts on session in CI --- docs/best-practices/continuous-integration.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/best-practices/continuous-integration.md b/docs/best-practices/continuous-integration.md index 7f5bcd3532..9a8ffd6151 100644 --- a/docs/best-practices/continuous-integration.md +++ b/docs/best-practices/continuous-integration.md 
@@ -64,6 +64,11 @@ Note: The application specific password will _not_ work if your action usage doe ##### `spaceauth` +CI system is built from scratch for each build, so no way to run an action once to create a "session" manually and then just reuse that for future non itneractive runs. That is why fastlane includes a way to create the session on an interactive command line, and then transfer it to the CI environment where it can be "consumed" via an environment variable. + + + + All other actions interacting with Apple's APIs do not accept application specific passwords. As your CI machine will not be able to prompt you for your two-factor authentication or two-step verification information, you need to generate a login session for Apple ID in advance. You can get on your local machine this by running: From 4aa76617dc777312c0cd11834c9a1ec38abbfcbe Mon Sep 17 00:00:00 2001 From: Jan Piotrowski Date: Thu, 4 Apr 2019 22:36:06 +0200 Subject: [PATCH 3/4] add some docs about SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER, rewrite the rest a bit --- docs/best-practices/authentication.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/best-practices/authentication.md b/docs/best-practices/authentication.md index 97f9af034b..66847b1b1b 100644 --- a/docs/best-practices/authentication.md +++ b/docs/best-practices/authentication.md 
@@ -9,11 +9,27 @@ ### 2FA -#### App Specific Password via `FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD` -#### Set `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automatically select a phone number for the security code to be sent to +#### Avoid 2FA via separate account -If your Apple ID has 2FA enabled you can usually enter `sms` to escape from the normal "enter your pushed security code" flow and manually choose one of your trusted phone numbers to receive the security code. If you know beforehand that you always want to do this and select the same phone number, set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to the phone number. +#### Avoid 2FA via App Specific Password + +`FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD` + +This only works for some actions in specific configurations where only iTMSTransporter or avgtool (TODO check name) are used. As soon as the normal API is used, the app specific password will not be enough. + +#### Pushed security Token + + + +#### Trusted Phone Numbers + +If you have trusted phone numbers added to your Apple ID you can exit the normal input of the pushed security code by typing `sms`. This will let you manually choose one of your trusted phone numbers to receive the security code. + + +##### Set `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automatically select a phone number for the security code to be sent to + +If you know beforehand that you always want to do this and select the same phone number, set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to your phone number. The phone number should be specified in the same format as it is display in your [Apple ID console](https://appleid.apple.com/), e.g. `+49 162 2850123`, `+1-123-456-7866` or similar. Do not leave off the country code or add or remove any numbers, otherwise fastlane will not be able to match the masked value from Apple's API and select the correct number. #### Use `FASTLANE_SESSION` to reuse a 2FA session on CI 
From ea0ebcfabdec39949496a0bef536a5e3beb4d8ce Mon Sep 17 00:00:00 2001 From: Jan Piotrowski Date: Thu, 4 Apr 2019 22:41:07 +0200 Subject: [PATCH 4/4] Update authentication.md --- docs/best-practices/authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/best-practices/authentication.md b/docs/best-practices/authentication.md index 66847b1b1b..2871a8b72e 100644 --- a/docs/best-practices/authentication.md +++ b/docs/best-practices/authentication.md 
@@ -26,10 +26,9 @@ This only works for some actions in specific configurations where only iTMSTrans If you have trusted phone numbers added to your Apple ID you can exit the normal input of the pushed security code by typing `sms`. This will let you manually choose one of your trusted phone numbers to receive the security code. - ##### Set `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to automatically select a phone number for the security code to be sent to -If you know beforehand that you always want to do this and select the same phone number, set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to your phone number. The phone number should be specified in the same format as it is display in your [Apple ID console](https://appleid.apple.com/), e.g. `+49 162 2850123`, `+1-123-456-7866` or similar. Do not leave off the country code or add or remove any numbers, otherwise fastlane will not be able to match the masked value from Apple's API and select the correct number. +If you know beforehand that you always want to do this and select the same phone number, set the environment variable `SPACESHIP_2FA_SMS_DEFAULT_PHONE_NUMBER` to your phone number. The phone number should be specified in the same format as it is displayed in your [Apple ID console](https://appleid.apple.com/) under `TRUSTED PHONE NUMBERS`, e.g. `+49 162 2850123`, `+1-123-456-7866` or similar. Do not leave off the country code or add or remove any numbers, otherwise fastlane will not be able to match the masked value from Apple's API and select the correct number. #### Use `FASTLANE_SESSION` to reuse a 2FA session on CI
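Review bot: In [PATCH 1/4], the General bullet recommending CI accounts that have "no 2 Factor Authentication enabled" gives no guidance on limiting what such an account can do, and its "see CI" pointer is plain text rather than a link. Suggest adding a sentence that the separate account should hold only the role the lanes need, and turning "see CI" into a link to the CI page (presumably `continuous-integration.md`). In the same new file, the `FASTLANE_SESSION` section ends in a literal "See ..." and the "App Specific Password via `FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD`" heading has no body; fill these in or drop them before merge.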
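Review bot: In [PATCH 2/4], the paragraph added under `spaceauth` contains a typo ("itneractive"), reads as notes rather than documentation ("CI system is built from scratch for each build, so no way to run ..."), and is followed by four empty added lines. Suggest rewriting it in full sentences and trimming the blank lines to one. Because the text describes creating the session interactively and then having it "consumed" via an environment variable, this is also the place to say that the value should be stored as a secret variable in the CI system rather than committed to the repository.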
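Review bot: In [PATCH 3/4], the App Specific Password paragraph ships an unresolved note in user-facing text: "avgtool (TODO check name)". Confirm the tool name and remove the TODO before merge. The headings "Avoid 2FA via separate account" and "Pushed security Token" are added with nothing beneath them, and the bare `FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD` line has no sentence saying what to set it to or where it is read. The phone number paragraph has "as it is display", which [PATCH 4/4] corrects; consider squashing that fix into this commit.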
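Review bot: In [PATCH 4/4], the reworded phone number paragraph still requires "the same format" as shown in the Apple ID console while giving two differently punctuated examples followed by "or similar", so a reader cannot tell whether spaces and hyphens matter when fastlane matches the masked value. Suggest stating which characters are significant for the match, and writing "digits" instead of "numbers" in "add or remove any numbers". The subject "Update authentication.md" does not say what changed; a subject naming the typo fix and the `TRUSTED PHONE NUMBERS` reference would read better in the log.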