What happened?
auth login succeeds but download immediately fails with password token is expired
Environment
- OS: macOS
- ipatool: locally built from recent auth-fix PR branches
- Tested PR branches:
Summary
After Apple's recent App Store auth changes, I tested several auth-fix PR branches. Some branches can make auth login succeed, but download immediately fails with:
error="password token is expired"
This happens immediately after a clean login, even after removing local cookies.
Reproduction
rm -f ~/.ipatool/cookies ~/.ipatool/cookies.lock
ipatool auth revoke
ipatool auth login -e "<APPLE_ID>" -p "<PASSWORD>" --verbose
ipatool download --app-id 951937596 --non-interactive --verbose
Observed Result
auth login reports success:
INF email=<redacted> name="<redacted>" success=true
But download immediately fails:
DBG error="password token is expired"
ERR error="password token is expired" success=false
Additional Tests
I also tested splitting the flow into purchase then download:
ipatool purchase -b com.microsoft.Office.Outlook --non-interactive --verbose
ipatool download --app-id 951937596 --non-interactive --verbose
The script reaches the download step, but download still fails with:
error="password token is expired"
I also tried clearing cookies before each login:
rm -f ~/.ipatool/cookies ~/.ipatool/cookies.lock
No change.
Branch-Specific Observations
Expected Result
After auth login succeeds, download should be able to use the issued token and download the IPA, or the login command should fail if the returned token is not valid for downloads/purchase.
Questions
Is the token returned by the new auth endpoint only valid for login/account info but not for App Store download/purchase?
Is there an additional step needed after auth login to obtain a commerce-grade token usable by download / purchase?
Version
release 2.3.0
Relevant log output
What happened?
auth loginsucceeds butdownloadimmediately fails withpassword token is expiredEnvironment
Summary
After Apple's recent App Store auth changes, I tested several auth-fix PR branches. Some branches can make
auth loginsucceed, butdownloadimmediately fails with:This happens immediately after a clean login, even after removing local cookies.
Reproduction
Observed Result
auth loginreports success:But
downloadimmediately fails:Additional Tests
I also tested splitting the flow into
purchasethendownload:The script reaches the download step, but
downloadstill fails with:I also tried clearing cookies before each login:
No change.
Branch-Specific Observations
Older/main released version:
auth loginfails withsomething went wrongStatusCode: 200but emptyPasswordTokenFix App Store auth endpoint handling #490 / Fix dynamic App Store auth endpoint discovery #493:
auth loginsucceedsdownloadimmediately fails withpassword token is expiredfix: update auth endpoint + stale lock file cleanup #486:
Fix App Store auth #494:
It enters a 2FA flow:
However, no 2FA prompt/code is received on my Apple devices during this CLI flow.
Web login at
account.apple.comtriggers 2FA normally.Expected Result
After
auth loginsucceeds,downloadshould be able to use the issued token and download the IPA, or the login command should fail if the returned token is not valid for downloads/purchase.Questions
Is the token returned by the new auth endpoint only valid for login/account info but not for App Store download/purchase?
Is there an additional step needed after
auth loginto obtain a commerce-grade token usable bydownload/purchase?Version
release 2.3.0
Relevant log output