You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Stop serializing/deserializing the raw Apple ID password in stored account credentials.
Sanitize account JSON output so auth info --format json and login JSON output no longer expose stored secrets.
Narrow verbose logging to ipatool crates and remove App Store response body previews from debug logs.
Save the ipatool data directory and cookie file with private Unix permissions.
Update README guidance to prefer interactive login over command-line password flags.
Validate IPA download HTTP status/content type before writing data, fail stalled downloads, fix ignored range-resume corruption, and add ranged parallel CLI downloads via --connections.
Why
The CLI handles Apple ID credentials and App Store session data. The previous behavior could persist the raw Apple ID password, expose it in JSON output, and enable dependency debug logs that include cookie details.
The download path also accepted any HTTP response as IPA bytes, so CDN errors or HTML responses could be written to .ipa.tmp and only fail later during patching. Single-connection downloads can also be very slow on some Apple CDN paths, so the CLI now supports modest parallel ranged downloads.
Finding 1 — Orphaned tasks in download_file_parallel (correctness)
crates/ipatool-core/src/api/download.rs
Each range worker is launched with tokio::spawn. When any worker fails the function runs cleanup_parts (which deletes the .ipa.partN files) and returns Err. Dropping the FuturesUnordered at that point detaches — not cancels — the remaining spawned tasks. Those tasks keep issuing HTTP range requests and writing to the now-deleted part files; the resulting OS errors are silently lost via the detached JoinHandle.
On a slow CDN with the default of 4 connections and a large IPA, three background tasks can hold TCP sessions open and consume bandwidth until they time out independently.
Fix: collect each JoinHandle in a Vec and call .abort() on every unfinished handle before returning in both error arms:
The PR introduces a private looks_like_error_body function in download.rs and inlines the same three-way text/ / html / json check as a local block inside stream_download in tui/mod.rs. These two copies can drift silently — for example if application/xml Apple error envelopes are later added to the heuristic, only one site would be updated.
Fix: promote looks_like_error_body to pub(crate) (or move it to a small shared http_util module) and call it from stream_download instead of re-implementing inline.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
auth info --format jsonand login JSON output no longer expose stored secrets.--connections.Why
The CLI handles Apple ID credentials and App Store session data. The previous behavior could persist the raw Apple ID password, expose it in JSON output, and enable dependency debug logs that include cookie details.
The download path also accepted any HTTP response as IPA bytes, so CDN errors or HTML responses could be written to
.ipa.tmpand only fail later during patching. Single-connection downloads can also be very slow on some Apple CDN paths, so the CLI now supports modest parallel ranged downloads.Validation
cargo fmt --all --checkcargo test --workspace --lockedcargo check --workspace --lockedcargo clippy --all-targets --all-features --locked -- -D warningscargo build --release --lockedgit diff --check