feat: complete iCloud 2FA from Telegram (headless re-auth, no shell/web UI)#470
feat: complete iCloud 2FA from Telegram (headless re-auth, no shell/web UI)#470epheterson wants to merge 2 commits into
Conversation
…eb UI) Headless deployments can't finish iCloud's 2FA without shelling into the container. This adds an opt-in Telegram reply flow: when re-authentication is needed, reply the auth keyword to have Apple push a code to your trusted devices, then reply the 6-digit code to validate and trust the session. The headless path previously waited for a code it never requested -- it never called trigger_2fa_push_notification, so no code was ever pushed. This wires up the trigger plus a getUpdates poll gated on app.telegram.listen. - config_parser: app.telegram.listen + auth_keyword - notify: poll_telegram_for_text; reply prompt routed through notify.send so it inherits the 24h throttle and other channels still get the standard alert - sync: thread the live api into the 2FA handler; poll for keyword/code - requires icloudpy 0.9.0 (trigger_2fa_push_notification); this bump also fixes the documented `docker exec ... icloud --username` CLI flow, which now pushes a code via icloudpy cmdline - codes tolerate spaces/dashes; docs note 1:1 chat + per-container bot token Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
yes - @epheterson please split this PR as Telegram flow is optional. |
|
No problem, put up a PR with just the bump needed to get 2FA working and will rebase the telegram PR on top. Glad this 2FA issue is finally unblocked! |
|
Split delivered in #486 — the mechanism-agnostic core fix ( Once #486 lands I'll rebase this PR on top so the diff here narrows to just the Telegram convenience layer (the reply-driven re-auth). Holding the rebase until then so it reconciles against the final shape of #486 rather than a moving target. |
Summary
Headless deployments can't finish iCloud's 2FA without shelling into the container. This adds an opt-in Telegram reply flow: when re-authentication is needed, reply the auth keyword to have Apple push a code to your trusted devices, then reply the 6-digit code — the session validates and trusts, and sync resumes. No console, no web UI.
Root cause it also fixes: the headless path waited for a code it never requested — it never called
trigger_2fa_push_notification, so no code was ever pushed. This wires up the trigger.Config (opt-in, off by default)
Details
config_parser:app.telegram.listen+auth_keyword.notify:poll_telegram_for_text; the reply prompt is routed throughnotify.send, so it inherits the existing 24h throttle and other channels (email/Discord/Pushover) still get the standard alert.sync: threads the liveapiinto the 2FA handler and polls for the keyword/code.123 456). Docs note 1:1 chat (group privacy mode) + a per-container bot token for multi-container setups.icloudpy==0.9.0fortrigger_2fa_push_notification. As a bonus, that bump also fixes the documenteddocker exec ... icloud --usernameCLI flow, which now pushes a code via icloudpy'scmdline.Testing
New
tests/test_telegram_2fa.pycovers the poller, config getters, notify routing, and the wait loop. Verified end-to-end against real Apple + Telegram (push triggered, code validated, session trusted).Happy to split the pure trigger bug-fix (the missing
trigger_2fa_push_notificationcall + icloudpy bump) from the Telegram convenience layer into two PRs if you'd prefer — just say the word.