[GH-ISSUE #567] Auth: add experimental Apple ID web-session mode for UI-only endpoints #159

Closed
opened 2026-02-26 21:33:50 +03:00 by kerem · 2 comments

Originally created by @rudrankriyam on GitHub (Feb 16, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/567

Summary

Introduce an explicitly opt-in authentication mode that allows asc to call App Store Connect web-only endpoints that are not accessible via API key/JWT.

This is not intended to replace API-key auth. It is a narrowly scoped escape hatch for specific workflows that are otherwise blocked.

Why this matters

Some operational workflows are high value but not available via the public App Store Connect API.
To make those workflows AI/CI-drivable, the project needs a safe, explicit mechanism to provide web-session auth material.

Examples of workflows that may depend on this:

  • Resolution Center messaging with App Review
  • creation of new app records (if not supported by the public API)

Current state (verified)

  • asc is API-key/JWT based.
  • There is no support for Apple ID web session cookies, CSRF headers, or provider/team selection state.
  • The offline OpenAPI snapshot does not include several web-only capabilities.

Security constraints

Web-session material is extremely sensitive (effectively “act as the account”).
Any implementation must:

  • never print session material
  • redact it in debug logs
  • avoid storing it by default
  • make opt-in explicit and hard to enable accidentally

Proposed UX

Opt-in flag

Add a global flag (name bikeshed):

  • --experimental-web-session

Session input

Accept session material via environment variables only:

  • ASC_WEB_SESSION (opaque string)

Optional supporting env vars (if required by the server behavior):

  • ASC_WEB_SESSION_CSRF (opaque)
  • ASC_WEB_SESSION_PROVIDER (team/provider selection)

Scope limitation

Web-session mode should only be used for commands that explicitly declare support for it.
All other commands should continue using API key auth exclusively.

Behavior requirements

  • If --experimental-web-session is not set, commands must not attempt web-session calls.
  • If --experimental-web-session is set but required env vars are missing, return a usage-style error (exit code 2).
  • Add aggressive redaction in --api-debug output.
  • Provide clear warnings in help text about security + 2FA.

Implementation notes

  • Implement as a separate HTTP client path (cookie jar + required headers).
  • Avoid any attempt to automate login/2FA.
    • The model should be “user supplies a session”, not “CLI logs in”.

Test plan

  • cmdtests: usage validation + redaction behavior (ensure session values never appear in stderr/stdout)
  • unit tests for:
    • header injection
    • cookie jar wiring
    • opt-in gating

Acceptance criteria

  • Web-session mode is opt-in and clearly marked experimental.
  • Session material is never printed.
  • Commands that don’t support web-session mode are unaffected.
  • make test passes.
kerem closed this issue 2026-02-26 21:33:50 +03:00

@rudrankriyam commented on GitHub (Feb 26, 2026):

Closing as resolved by #758, which introduced the detached experimental Apple web-session auth flow () and web-session-backed unofficial commands.


@rudrankriyam commented on GitHub (Feb 26, 2026):

Clarification: resolved by #758, including the detached experimental Apple web-session auth flow via asc web auth and related web-session-backed unofficial commands.
