fix MFA with SMS

Author: sebsto

Sources/xcodeinstall/API/Authentication+MFA.swift

@@ -193,7 +193,7 @@ extension AppleAuthenticator {
         let body = SMSRequest(phoneNumber: PhoneId(id: phoneId), mode: "sms")
         let (_, _) = try await apiCall(
             url: "https://idmsa.apple.com/appleauth/auth/verify/phone",
-            method: .POST,
+            method: .PUT,
             body: try JSONEncoder().encode(body),
             validResponse: .range(200..<300)
         )
@@ -240,6 +240,7 @@ extension AppleAuthenticator {
                 )
             }
         case 200, 204:
+            try await trustSession()
             try await self.saveSession(response: response, session: session)
         default:
             throw AuthenticationError.unexpectedHTTPReturnCode(code: response.statusCode)
@@ -289,6 +290,7 @@ extension AppleAuthenticator {
 
         case 200, 204:
             // success
+            try await trustSession()
             try await self.saveSession(response: response, session: session)
 
         default:
@@ -302,6 +304,23 @@ extension AppleAuthenticator {
 
     }
 
+    /// Ask Apple to trust this session, upgrading cookies from short-lived to long-lived.
+    /// This matches Spaceship's post-verification trust step.
+    func trustSession() async throws {
+        let (_, response) = try await apiCall(
+            url: "https://idmsa.apple.com/appleauth/auth/2sv/trust",
+            validResponse: .range(200..<300)
+        )
+
+        // Update session headers if the trust response provides new values
+        if let newSessionId = response.value(forHTTPHeaderField: "X-Apple-ID-Session-Id") {
+            session.xAppleIdSessionId = newSessionId
+        }
+        if let newScnt = response.value(forHTTPHeaderField: "scnt") {
+            session.scnt = newScnt
+        }
+    }
+
     func getMFAType() async throws -> MFAType {
 
         let (data, _) = try await apiCall(

Sources/xcodeinstall/API/Authentication.swift

@@ -303,13 +303,14 @@ class AppleAuthenticator: HTTPClient, AppleAuthenticatorProtocol {
     }
 
     func saveSession(response: HTTPURLResponse, session: AppleSession) async throws {
-        guard let cookies = response.value(forHTTPHeaderField: "Set-Cookie") else {
-            log.debug("No cookies set, just saving the session")
-            _ = try await self.secrets.saveSession(session)
-            return
+        // always persist the session object (contains xAppleIdSessionId, scnt, etc.)
+        _ = try await self.secrets.saveSession(session)
+
+        // also persist cookies when present
+        if let cookies = response.value(forHTTPHeaderField: "Set-Cookie") {
+            _ = try await self.secrets.saveCookies(cookies)
+        } else {
+            log.debug("No cookies in response, session saved without cookies")
         }
-
-        // save session data to reuse in future invocation
-        _ = try await self.secrets.saveCookies(cookies)
     }
 }

Sources/xcodeinstall/API/HTTPClient.swift

@@ -50,6 +50,7 @@ enum ExpectedResponseCode {
 enum HTTPVerb: String {
     case GET
     case POST
+    case PUT
 }
 
 // provide common code for all network clients